VARIoT IoT vulnerabilities database

Cross-site scripting (XSS) vulnerability in the Forms/rpSysAdmin script on the Zyxel Prestige 660H-61 ADSL Router running firmware 3.40(PT.0)b32 allows remote attackers to inject arbitrary web script or HTML via hex-encoded values in the a parameter. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: ZyXEL Prestige 660H-61 Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA21225 VERIFY ADVISORY: http://secunia.com/advisories/21225/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: ZyXEL Prestige 660H-61 http://secunia.com/product/11155/ DESCRIPTION: Jos\xe9 Ram\xf3n Palanco has reported a vulnerability in ZyXEL Prestige 660H-61, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "a" parameter in the rpSysAdmin script is not properly sanitised before being returned to the user. The vulnerability was reported for routers with firmware version V3.40(PT.0)b32. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the router interface. PROVIDED AND/OR DISCOVERED BY: Jos\xe9 Ram\xf3n Palanco ORIGINAL ADVISORY: http://www.eazel.es/media/advisory004-Zyxel-Prestige-660H-61-Cross-Site-Scripting.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Internet Key Exchange (IKE) version 1 protocol, as implemented on Cisco IOS, VPN 3000 Concentrators, and PIX firewalls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of IKE Phase-1 packets that exceed the session expiration rate. NOTE: it has been argued that this is due to a design weakness of the IKE version 1 protocol, in which case other vendors and implementations would also be affected. Cisco IOS , PIX Firewall Implement IKE version 1 The protocol has a new IKE After receiving a session request, a new one again before the session expires IKE If you receive a request repeatedly, IKE A vulnerability exists that consumes excessive resources to establish a session.By legitimate users IKE SA ( Security Association ) May be disrupted. Cisco Internet Key Exchange (IKE) is prone to a denial-of-service vulnerability that affects devices implementing IKE 1. The issue is caused by resource exhaustion when handling a high rate of IKE requests. An attacker can exploit this issue through continuous attacks to deplete available resources. This will cause the device to deny future connections and to block current connections that are re-keyed. Cisco VPN 3000 Series Hubs allow secure, encrypted access to VPN networks. Cisco VPN 3000 has a problem when processing a large number of IKE session request packets. Remote attackers may use this vulnerability to perform denial of service attacks on the device. If an attacker can initiate new IKE sessions faster than they can expire in the queue, it is possible to exhaust the IKE resources on the remote VPN hub. Tests have shown that the target hub is affected if the sending rate reaches 2 packets per second, and becomes unusable if it reaches 10 packets per second. Main Mode messages are a minimum of 112 bytes, so 10 messages per second equates to approximately 9,000 bits per second. If this speed is reached, the attacker's packets will fill the hub queue, making it impossible to process valid IKE requests. Since the vulnerability occurs before the authentication stage, no valid credentials are required for the attack

The SMB Mailslot parsing functionality in PAM in multiple ISS products with XPU (24.39/1.78/epj/x.x.x.1780), including Proventia A, G, M, Server, and Desktop, BlackICE PC and Server Protection 3.6, and RealSecure 7.0, allows remote attackers to cause a denial of service (infinite loop) via a crafted SMB packet that is not properly handled by the SMB_Mailslot_Heap_Overflow decode. ISS The product includes 2006 Year 7 Monthly release XPU include "SMB_MailSlot_Heap_Overflow" Defect in decoding, certain legitimate SMB Mailslot When analyzing traffic, Protocol Analysis Module (PAM) Engine stops responding to subsequent traffic and disrupts service operation (DoS) There is a vulnerability that becomes a condition.ISS Protection product interferes with service operation (DoS) It may be in a state. The Internet Security Systems implementation of SMB/TCP Mailslot is prone to a denial-of-service vulnerability. This issue is due to a design error when dealing with certain legitimate SMB Mailslot traffic. An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users. ISS is an internationally renowned security vendor that provides a variety of firewalls and intrusion detection devices. An attacker only needs to send a single packet to trigger this vulnerability without actually establishing an SMB session. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. Successful exploitation causes the application or system to stop responding. SOLUTION: Update to a fixed version (see vendor advisory for details). ORIGINAL ADVISORY: ISS: http://xforce.iss.net/xforce/alerts/id/230 https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3630 NSFocus: http://www.nsfocus.com/english/homepage/research/0607.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . NSFOCUS Security Advisory (SA2006-07) ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability Release Date: 2006-07-27 CVE ID: CVE-2006-3840 http://www.nsfocus.com/english/homepage/research/0607.htm Affected systems & software =================== RealSecure Network Sensor 7.0 Proventia A Series Proventia G Series Proventia M Series RealSecure Server Sensor 7.0 Proventia Server RealSecure Desktop 7.0 Proventia Desktop BlackICE PC Protection 3.6 BlackICE Server Protection 3.6 Unaffected systems & software =================== Summary ========= NSFocus Security Team discovered a remote DoS vulnerability in ISS RealSecure/ BlackICE products lines' detection of MailSlot Heap Overflow (MS06-035). By sending a specific SMB MailSlot packet it's possible to cause DoS in ISS protection products. Description ============ There is a DoS vulnerability in ISS protection products' detection of SMB_MailSlot_Heap_Overflow (MS06-035/KB917159). By sending a specific SMB MailSlot packet it's possible to cause an infinite loop to occur in the detection code, and the ISS product or even the operating system will stop to respond. For example, for BlackICE the vulnerability might cause the inerruption of the network traffic, and an approximately 100% CPU utilization. STOP BlackICE engine will not restore normal operation. Instead OS restart is required. This vulnerability can be triggered by a single packet. The establishment of a real SMB session is not required. Workaround ============= Block ports TCP/445 and TCP/139 at the firewall. Vendor Status ============== 2006.07.24 Informed the vendor 2006.07.25 Vendor confirmed the vulnerability 2006.07.26 ISS has released a security alert and related patches. For more details about the security alert, please refer to: http://xforce.iss.net/xforce/alerts/id/230 ISS has released the following XPUs to fix this vulnerability: RealSecure Network 7.0, XPU 24.40 Proventia A Series, XPU 24.40 Proventia G Series, XPU 24.40/1.79 Proventia M Series, XPU 1.79 RealSecure Server Sensor 7.0, XPU 24.40 Proventia Server 1.0.914.1880 RealSecure Desktop 7.0 epk Proventia Desktop 8.0.812.1790/8.0.675.1790 BlackICE PC Protection 3.6 cpk BlackICE Server Protection 3.6 cpk Additional Information ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-3840 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. Acknowledgment =============== Chen Qing of NSFocus Security Team found the vulnerability. DISCLAIMS ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <security@nsfocus.com> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com) PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 allows remote attackers to execute arbitrary code by changing certain properties of the window navigator object (window.navigator) that are accessed when Java starts up, which causes a crash that leads to code execution. Mozilla products fail to properly release memory. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The flaw exists when assigning specific values to the window.navigator object. A lack of checking on assignment causes user supplied data to be later used in the creation of other objects leading to eventual code execution. The Mozilla Foundation has released thirteen security advisories specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird. Other attacks may also be possible. The issues described here will be split into individual BIDs as more information becomes available. These issues are fixed in: - Mozilla Firefox 1.5.0.5 - Mozilla Thunderbird 1.5.0.5 - Mozilla SeaMonkey 1.0.3. Mozilla Firefox is prone to a remote code-execution vulnerability because the application fails to properly sanitize user-supplied input before using it to create new JavaScript objects. This issue was previously discussed in BID 19181 (Mozilla Multiple Products Remote Vulnerabilities). =========================================================== Ubuntu Security Notice USN-327-1 July 27, 2006 firefox vulnerabilities CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: firefox 1.5.dfsg+1.5.0.5-0ubuntu6.06 After a standard system upgrade you need to restart Firefox to effect the necessary changes. Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are also affected by these problems. Updates for these Ubuntu releases will be delayed due to upstream dropping support for this Firefox version. We strongly advise that you disable JavaScript to disable the attack vectors for most vulnerabilities if you use one of these Ubuntu versions. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-3812) cross-site scripting vulnerabilities were found in the XPCNativeWrapper() function and native DOM method handlers. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-3802, CVE-2006-3810) A bug was found in the script handler for automatic proxy configuration. (CVE-2006-3808) Please see http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox for technical details of these vulnerabilities. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06.diff.gz Size/MD5: 174602 7be6f5862219ac4cf44f05733f372f2b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06.dsc Size/MD5: 1109 252d6acf45b009008a6bc88166e2632f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5.orig.tar.gz Size/MD5: 44067762 749933c002e158576ec15782fc451e43 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_all.deb Size/MD5: 49190 850dd650e7f876dd539e605d9b3026c8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_all.deb Size/MD5: 50078 c1fa4a40187d9c5b58bd049edb00ce54 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 47269292 167aadc3f03b4e1b7cb9ed826e672983 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 2796768 b54592d0bd736f6ee12a90987771bc59 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 216136 79fa6c69ffb0dd6037e56d1ba538ff64 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 82358 e2e026d582a7b5352cee4453cef0fe45 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 9400544 a9d0b804a4374dc636bb79968a2bce5c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 218822 a09476caea7d8d73d6a2f534bd494493 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 161876 0e0e65348dba8167b4891b173baa8f0d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 235746 064fc1434a315f857ee92f60fd49d772 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 757458 bd6a5e28e05a04a5deca731ab29f70e4 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 43837610 a7e4a535262f8a5d5cb0ace7ed785237 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 2796700 4509dbf62e3fd2cda7168c20aa65ba4f http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 209546 50e174c1c7290fca51f9e1ee71ebb56c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 74732 25ba86caeeb1a88da4493875178a3636 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 7916536 40ebfe4330af25c2359f8b25b039ed5e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 218822 6066f59acbce1b4de2dc284b5801efc5 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 146570 c1a5c5cc4371b228093d03d9ed7ad607 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 235754 0e9a1a89f63a9869b875ee6a50547c2b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 669556 d537a4771b80e5c06f18b2c5d7e5d384 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 48648192 479d29e08ff2b9cef89a6da3285c0aad http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 2796790 60b97738bfc3b8b32914487bb4aba239 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 212982 a396e119a32303afc024d513b997c84e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 77894 ef7841bb2ab8de0e0c44e59c893b1622 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 9019132 ed3927484eea5fccf84a2840640febf3 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 218826 a2338c3c8064a304deb752bf32a291f8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 159112 7d5d6100727ceb894695b219cec11e43 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 235754 69085beb145222fea07d2d6c19158a2d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 768332 8dc6cc8c54185d57af14bab3bee39f9d sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 45235424 f5a07188af5802fffbd3cfdd64b109cf http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 2796756 cb13c7ea0e3b7af2f1e12db1f8dc38a2 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 210488 17f7723b697110c8f132422bc059d447 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 76340 c38ccb8b71b9c3783a1c9816ecd9cf5d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 8411310 4b3865b2df3924d094e0b18f207bf33d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 218814 a0e67d0d425cea2cd5835e2c2faa930f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 149018 73108368f0ef745188ebd1c48ea10c88 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 235746 695a6122710fb30201daaa239ba6d48d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 681612 896721beb3cdcea12bab98223c0796c2 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-208A Mozilla Products Contain Multiple Vulnerabilities Original release date: July 27, 2006 Last revised: -- Source: US-CERT Systems Affected * Mozilla SeaMonkey * Mozilla Firefox * Mozilla Thunderbird Any products based on Mozilla components, specifically Gecko, may also be affected. I. (CVE-2006-3805) VU#655892 - Mozilla JavaScript engine contains multiple integer overflows The Mozilla JavaScript engine contains multiple integer overflows. (CVE-2006-3811) II. III. Disable JavaScript and Java These vulnerabilities can be mitigated by disabling JavaScript and Java in all affected products. Instructions for disabling Java in Firefox can be found in the "Securing Your Web Browser" document. Appendix A. Please send email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History Jul 27, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0 SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX 5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA 9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA== =HwuK -----END PGP SIGNATURE----- . Background ========== The Mozilla SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as "Mozilla Application Suite". The goal is to produce a cross-platform stand-alone browser application. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/mozilla-firefox < 1.5.0.5 >= 1.5.0.5 2 www-client/mozilla-firefox-bin < 1.5.0.5 >= 1.5.0.5 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. * Developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. * "shutdown" reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site. * "shutdown" reports that scripts granting the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. * "moz_bug_r_a4" reports that A malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. * "moz_bug_r_a4" discovered that Named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior). * Igor Bukanov and shutdown found additional places where an untimely garbage collection could delete a temporary object that was in active use. * Georgi Guninski found potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments. * H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. * A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page. This leads to use of a deleted timer object. * An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up. * Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away. Impact ====== A user can be enticed to open specially crafted URLs, visit webpages containing malicious JavaScript or execute a specially crafted script. Workaround ========== There is no known workaround at this time. Resolution ========== All Mozilla Firefox users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.5" Users of the binary package should upgrade as well: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.5" References ========== [ 1 ] CVE-2006-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113 [ 2 ] CVE-2006-3677 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677 [ 3 ] CVE-2006-3801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801 [ 4 ] CVE-2006-3802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802 [ 5 ] CVE-2006-3803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803 [ 6 ] CVE-2006-3805 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805 [ 7 ] CVE-2006-3806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806 [ 8 ] CVE-2006-3807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807 [ 9 ] CVE-2006-3808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808 [ 10 ] CVE-2006-3809 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809 [ 11 ] CVE-2006-3810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810 [ 12 ] CVE-2006-3811 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811 [ 13 ] CVE-2006-3812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200608-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. For more information, see vulnerabilities #1, #3, #4, #5, #6, #7, #9, #10, and #11: SA19783 Successful exploitation of these vulnerabilities requires that JavaScript is enabled in mails (not default setting). A boundary error has also been reported in the handling of VCard attachments. This can be exploited to cause a heap-based buffer overflow via a malicious VCard with a specially crafted base64 field that causes a crash and may allow execution of arbitrary code. SOLUTION: Update to version 1.5.0.5. PROVIDED AND/OR DISCOVERED BY: Daniel Veditz, Mozilla. ORIGINAL ADVISORY: http://www.mozilla.org/security/announce/2006/mfsa2006-49.html OTHER REFERENCES: SA19783: http://secunia.com/advisories/19873/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Previous updates to Firefox were patch fixes to Firefox 1.0.6 that brought it in sync with 1.0.8 in terms of security fixes. In this update, Mozilla Firefox 1.5.0.6 is being provided which corrects a number of vulnerabilities that were previously unpatched, as well as providing new and enhanced features. The following CVE names have been corrected with this update: CVE-2006-2613, CVE-2006-2894, CVE-2006-2775, CVE-2006-2776, CVE-2006-2777, CVE-2006-2778, CVE-2006-2779, CVE-2006-2780, CVE-2006-2782, CVE-2006-2783, CVE-2006-2784, CVE-2006-2785, CVE-2006-2786, CVE-2006-2787, CVE-2006-2788, CVE-2006-3677, CVE-2006-3803, CVE-2006-3804, CVE-2006-3806, CVE-2006-3807, CVE-2006-3113, CVE-2006-3801, CVE-2006-3802, CVE-2006-3805, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2613 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2776 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2779 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2785 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2786 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812 http://www.mozilla.org/security/announce/2006/mfsa2006-31.html http://www.mozilla.org/security/announce/2006/mfsa2006-32.html http://www.mozilla.org/security/announce/2006/mfsa2006-33.html http://www.mozilla.org/security/announce/2006/mfsa2006-34.html http://www.mozilla.org/security/announce/2006/mfsa2006-35.html http://www.mozilla.org/security/announce/2006/mfsa2006-36.html http://www.mozilla.org/security/announce/2006/mfsa2006-37.html http://www.mozilla.org/security/announce/2006/mfsa2006-38.html http://www.mozilla.org/security/announce/2006/mfsa2006-39.html http://www.mozilla.org/security/announce/2006/mfsa2006-41.html http://www.mozilla.org/security/announce/2006/mfsa2006-42.html http://www.mozilla.org/security/announce/2006/mfsa2006-43.html http://www.mozilla.org/security/announce/2006/mfsa2006-44.html http://www.mozilla.org/security/announce/2006/mfsa2006-45.html http://www.mozilla.org/security/announce/2006/mfsa2006-46.html http://www.mozilla.org/security/announce/2006/mfsa2006-47.html http://www.mozilla.org/security/announce/2006/mfsa2006-48.html http://www.mozilla.org/security/announce/2006/mfsa2006-50.html http://www.mozilla.org/security/announce/2006/mfsa2006-51.html http://www.mozilla.org/security/announce/2006/mfsa2006-52.html http://www.mozilla.org/security/announce/2006/mfsa2006-53.html http://www.mozilla.org/security/announce/2006/mfsa2006-54.html http://www.mozilla.org/security/announce/2006/mfsa2006-55.html http://www.mozilla.org/security/announce/2006/mfsa2006-56.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 76ef1a2e7338c08e485ab2c19a1ce691 2006.0/RPMS/devhelp-0.10-7.1.20060mdk.i586.rpm d44f02b82df9f404f899ad8bc4bdd6a2 2006.0/RPMS/epiphany-1.8.5-4.1.20060mdk.i586.rpm 29efc065aeb4a53a105b2c27be816758 2006.0/RPMS/epiphany-devel-1.8.5-4.1.20060mdk.i586.rpm caad34c0d4c16a50ec4b05820e6d01db 2006.0/RPMS/galeon-2.0.1-1.1.20060mdk.i586.rpm d0e75938f4e129936351f015bd90a37a 2006.0/RPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.noarch.rpm 652044ff7d9c3170df845011ec696393 2006.0/RPMS/libdevhelp-1_0-0.10-7.1.20060mdk.i586.rpm bf6dcf87f409d06b42234dbca387b922 2006.0/RPMS/libdevhelp-1_0-devel-0.10-7.1.20060mdk.i586.rpm e9aaff3090a4459b57367f4903b0458a 2006.0/RPMS/libnspr4-1.5.0.6-1.4.20060mdk.i586.rpm fa99cbc159722cc0ff9e5710f24ca599 2006.0/RPMS/libnspr4-devel-1.5.0.6-1.4.20060mdk.i586.rpm d4d45b797ca2f2347c0409d9f956ff25 2006.0/RPMS/libnspr4-static-devel-1.5.0.6-1.4.20060mdk.i586.rpm 8d33e72703090a911f7fd171ad9dd719 2006.0/RPMS/libnss3-1.5.0.6-1.4.20060mdk.i586.rpm 23afd287c042c5492c210255554a6893 2006.0/RPMS/libnss3-devel-1.5.0.6-1.4.20060mdk.i586.rpm 4a188f54230b943ea9c8930eb2e0cfe1 2006.0/RPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.i586.rpm 5bec4690547fd733ca97cb2933ebe427 2006.0/RPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.i586.rpm 55836595e5cba3828a9a5a27e5aa1825 2006.0/RPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.i586.rpm 0faf5ee7022ee0b70915d2c845865cae 2006.0/RPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.i586.rpm 312a89317692b3bd86060a1995365d86 2006.0/RPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.i586.rpm 38215dccbee8a169bcbac2af2897c2f7 2006.0/RPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.i586.rpm aaba2fa72f8de960a3a757b3010027d3 2006.0/RPMS/mozilla-firefox-devel-1.5.0.6-1.4.20060mdk.i586.rpm d8d59a55974f6fa20d99fb30f126638f 2006.0/RPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.i586.rpm 946e6a76c71dbbee3340f1a96ae25a1d 2006.0/RPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.i586.rpm 9a14c31a41c2bac3942caa3d1fb5daee 2006.0/RPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.i586.rpm b5074c27d1cb719bf9f8fabe8aebf628 2006.0/RPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.i586.rpm 7a225cdfdf0c17c0f4a72ad27907fc07 2006.0/RPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.i586.rpm 06526a054d108d3c9b5f66313151ecc2 2006.0/RPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.i586.rpm 8f721bd3914c31e04359def6272db929 2006.0/RPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.i586.rpm a704ed726e6db4ba59592563cd2c48b0 2006.0/RPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.i586.rpm 0ef6729b05e013a364e847e4a1b7b3e3 2006.0/RPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.i586.rpm 570b19872de676414b399ff970024b78 2006.0/RPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.i586.rpm dee38f0bbe3870d3bd8ad02ea968c57a 2006.0/RPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.i586.rpm 92916e155ec38b5078234728593d72a2 2006.0/RPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.i586.rpm c808f2f32fc9e514ffb097eeeb226a96 2006.0/RPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.i586.rpm 6dda5771d062eae75f8f04b7dab8d6cc 2006.0/RPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.i586.rpm c4ac8441170504cc5ec05cf5c8e6e9f9 2006.0/RPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.i586.rpm 2765008afd4c0ba1d702eda9627a7690 2006.0/RPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.i586.rpm 15b600977b07651f1c3568f4d7f1f9ac 2006.0/RPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.i586.rpm 6f1fae6befe608fc841fcc71e15852c0 2006.0/RPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.i586.rpm 81f412da40ea14bcc23d420d7a5724f9 2006.0/RPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.i586.rpm 76e0ece3c0b6f507340871a168a57e36 2006.0/RPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.i586.rpm 6ded58e85ed113718cfb3484ae420bb9 2006.0/RPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.i586.rpm c76f6648e88de4a63991eac66c3fba04 2006.0/RPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.i586.rpm 1c7ab93275bcdcf30ed9ec2ddb4893df 2006.0/RPMS/yelp-2.10.0-6.1.20060mdk.i586.rpm 60279919aa5f17c2ecd9f64db87cb952 2006.0/SRPMS/devhelp-0.10-7.1.20060mdk.src.rpm c446c046409b6697a863868fe5c64222 2006.0/SRPMS/epiphany-1.8.5-4.1.20060mdk.src.rpm e726300336f737c8952f664bf1866d6f 2006.0/SRPMS/galeon-2.0.1-1.1.20060mdk.src.rpm e9e30596eceb0bc9a03f7880cd7d14ea 2006.0/SRPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.src.rpm 4168c73cba97276fa4868b4ac2c7eb19 2006.0/SRPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.src.rpm 6a7df29f5af703d10d7ea1fee160ac00 2006.0/SRPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.src.rpm e56e14c28051ec4332cbde8dbee7bb6a 2006.0/SRPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.src.rpm 1a144c86fd8db39e2801117296e15d2b 2006.0/SRPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.src.rpm f4889d2ee6e07c0141b57ab9aaccae64 2006.0/SRPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.src.rpm dee0f7bc91c797e880fff19e1cb05a63 2006.0/SRPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.src.rpm 45724f6ceed66701392bd131feaf1f6d 2006.0/SRPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.src.rpm cc680cac7fea3f7f8a48a5daf86db088 2006.0/SRPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.src.rpm 69b04335c21313262af4253863109cc8 2006.0/SRPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.src.rpm 2aab89244a535afcbc25271df5d6b33f 2006.0/SRPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.src.rpm f1c7f71d5484c5047b1b38fc16888ae3 2006.0/SRPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.src.rpm 3963e3c3a2c38c41d9d3bc5250b124a6 2006.0/SRPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.src.rpm bb54aed17a126a9e8568d49866db99ea 2006.0/SRPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.src.rpm 2a1b11f2c8944bc1fc0d313d54a903cf 2006.0/SRPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.src.rpm 783c5b3c0fb9916e07f220110155476d 2006.0/SRPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.src.rpm 895e315731fa0b453045cc39da4f5358 2006.0/SRPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.src.rpm daa0a127d2a1a3641d4e97bfb95f1647 2006.0/SRPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.src.rpm 0c778b0738b11dfd5d68be48fa6316ed 2006.0/SRPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.src.rpm 7025d0118cf29e39117bd87c586e84a3 2006.0/SRPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.src.rpm 5d8b8e869f588c0f5751e9ce7addba45 2006.0/SRPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.src.rpm c5148674a8c7dd1f88c5729293f899ba 2006.0/SRPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.src.rpm 91d490c075473e2443e383201b961cb8 2006.0/SRPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.src.rpm 622ae4619d151bb1634113e50b30fbac 2006.0/SRPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.src.rpm e6d64c14929d299e2fb52e334ae6641a 2006.0/SRPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.src.rpm 20f64c6dfd6aa1450cba5002d42f53d8 2006.0/SRPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.src.rpm b93a6b548bb1cf0f8cc46dec133e81a3 2006.0/SRPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.src.rpm f5603b65b3d10fa5083934e08d2d4560 2006.0/SRPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.src.rpm c0e978ea92b4a8f3aa75dad5ab7588b9 2006.0/SRPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.src.rpm 93cb0acaeddb095d13b37aeb0ab4dd49 2006.0/SRPMS/yelp-2.10.0-6.1.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: d52f4955f15f99137dd9a0b2f360c8b2 x86_64/2006.0/RPMS/devhelp-0.10-7.1.20060mdk.x86_64.rpm 369457b4a09c07ba18ee5bb18fb2ffa1 x86_64/2006.0/RPMS/epiphany-1.8.5-4.1.20060mdk.x86_64.rpm 76735684f3ff493770e374a90fd359c7 x86_64/2006.0/RPMS/epiphany-devel-1.8.5-4.1.20060mdk.x86_64.rpm 5da75ab6624f8c8f0c212ce2299d645f x86_64/2006.0/RPMS/galeon-2.0.1-1.1.20060mdk.x86_64.rpm 945059b9456c9ff2ccd40ff4a6d8ae70 x86_64/2006.0/RPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.noarch.rpm 193f97760bb46e16051ba7b6b968f340 x86_64/2006.0/RPMS/lib64devhelp-1_0-0.10-7.1.20060mdk.x86_64.rpm 1b67733b0450cd6572c9879c0eb38640 x86_64/2006.0/RPMS/lib64devhelp-1_0-devel-0.10-7.1.20060mdk.x86_64.rpm 115fcbc6c99bf063cd1768d2b08e9d89 x86_64/2006.0/RPMS/lib64nspr4-1.5.0.6-1.4.20060mdk.x86_64.rpm 686404fa32e2625f23b19e11c548bbe5 x86_64/2006.0/RPMS/lib64nspr4-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm f0886b330d3f5af566af6cf5572ca671 x86_64/2006.0/RPMS/lib64nspr4-static-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm 10e9abdcb3f952c4db35c85fe58ad8ad x86_64/2006.0/RPMS/lib64nss3-1.5.0.6-1.4.20060mdk.x86_64.rpm 202bab2742f162d1cbd6d36720e6f7fb x86_64/2006.0/RPMS/lib64nss3-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm e9aaff3090a4459b57367f4903b0458a x86_64/2006.0/RPMS/libnspr4-1.5.0.6-1.4.20060mdk.i586.rpm fa99cbc159722cc0ff9e5710f24ca599 x86_64/2006.0/RPMS/libnspr4-devel-1.5.0.6-1.4.20060mdk.i586.rpm d4d45b797ca2f2347c0409d9f956ff25 x86_64/2006.0/RPMS/libnspr4-static-devel-1.5.0.6-1.4.20060mdk.i586.rpm 8d33e72703090a911f7fd171ad9dd719 x86_64/2006.0/RPMS/libnss3-1.5.0.6-1.4.20060mdk.i586.rpm 23afd287c042c5492c210255554a6893 x86_64/2006.0/RPMS/libnss3-devel-1.5.0.6-1.4.20060mdk.i586.rpm 74811077c91dde3bc8c8bae45e5862a7 x86_64/2006.0/RPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.x86_64.rpm 75711988a67bf3f36fc08823561bb2b7 x86_64/2006.0/RPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.x86_64.rpm 5bd9ad43769390549ab3c4549c971db7 x86_64/2006.0/RPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.x86_64.rpm dfdd808e2ec0866c15db5f1ea6a5b5bd x86_64/2006.0/RPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.x86_64.rpm 1fad19f458ce0aa50e86710ed3b7fe04 x86_64/2006.0/RPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.x86_64.rpm 743e8d4f009ab2d2fc2e8c131244fb57 x86_64/2006.0/RPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.x86_64.rpm 476ee9a87f650a0ef3523a9619f9f611 x86_64/2006.0/RPMS/mozilla-firefox-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm be48721cbc6e5634b50ce5b6cfe4a951 x86_64/2006.0/RPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.x86_64.rpm e56ce18466e20db3189e035329c606ce x86_64/2006.0/RPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.x86_64.rpm 489e5940c9ac9573842888ff07436e4c x86_64/2006.0/RPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.x86_64.rpm 73d2eb2fc6ec99a1d3eeb94d9ddff36e x86_64/2006.0/RPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.x86_64.rpm acbd3cd5f82b47a6c6cb03ebd6ca25ae x86_64/2006.0/RPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.x86_64.rpm 362807f9da1130dd8da606b9ded06311 x86_64/2006.0/RPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.x86_64.rpm e48c991fa555d22d1f382baa83dfcae9 x86_64/2006.0/RPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.x86_64.rpm 0d954f47de6d2cc58e36cd2c9ddae09c x86_64/2006.0/RPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.x86_64.rpm 8f615598d04985a0d60a3469ea3044ed x86_64/2006.0/RPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.x86_64.rpm f4810510feb31e6195358c5ddd87252f x86_64/2006.0/RPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.x86_64.rpm 537d53b7805ac84009f2ff99e3282b91 x86_64/2006.0/RPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.x86_64.rpm afbc9ee04902213758bbf262b732de21 x86_64/2006.0/RPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.x86_64.rpm dcef8c7676529394e5fbd4168f8e2cd6 x86_64/2006.0/RPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.x86_64.rpm f4ee0e7ecba430fd3ce5e8ebeda9b5c1 x86_64/2006.0/RPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.x86_64.rpm 778261355184ca73cbf1aab1ce56644d x86_64/2006.0/RPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.x86_64.rpm 10ca4e7f4cf10c380849ced0bf83e08b x86_64/2006.0/RPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.x86_64.rpm 427cabc08ec66e1a45bc27e5625f49bb x86_64/2006.0/RPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.x86_64.rpm de4e61d4fce7cd286bb4a3778cb8499f x86_64/2006.0/RPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.x86_64.rpm 86e9af4c42b59e32d4e5ac0a8d1afe30 x86_64/2006.0/RPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.x86_64.rpm 126b1e0826330986fbf485eabade949d x86_64/2006.0/RPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.x86_64.rpm d2e6da2db277b7f5dabed3e95d4b818b x86_64/2006.0/RPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.x86_64.rpm a83edee07d2465cf55024ed1b7aa779f x86_64/2006.0/RPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.x86_64.rpm 9e33e2a0c3d4a92a0b420c417fcd3469 x86_64/2006.0/RPMS/yelp-2.10.0-6.1.20060mdk.x86_64.rpm 60279919aa5f17c2ecd9f64db87cb952 x86_64/2006.0/SRPMS/devhelp-0.10-7.1.20060mdk.src.rpm c446c046409b6697a863868fe5c64222 x86_64/2006.0/SRPMS/epiphany-1.8.5-4.1.20060mdk.src.rpm e726300336f737c8952f664bf1866d6f x86_64/2006.0/SRPMS/galeon-2.0.1-1.1.20060mdk.src.rpm e9e30596eceb0bc9a03f7880cd7d14ea x86_64/2006.0/SRPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.src.rpm 4168c73cba97276fa4868b4ac2c7eb19 x86_64/2006.0/SRPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.src.rpm 6a7df29f5af703d10d7ea1fee160ac00 x86_64/2006.0/SRPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.src.rpm e56e14c28051ec4332cbde8dbee7bb6a x86_64/2006.0/SRPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.src.rpm 1a144c86fd8db39e2801117296e15d2b x86_64/2006.0/SRPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.src.rpm f4889d2ee6e07c0141b57ab9aaccae64 x86_64/2006.0/SRPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.src.rpm dee0f7bc91c797e880fff19e1cb05a63 x86_64/2006.0/SRPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.src.rpm 45724f6ceed66701392bd131feaf1f6d x86_64/2006.0/SRPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.src.rpm cc680cac7fea3f7f8a48a5daf86db088 x86_64/2006.0/SRPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.src.rpm 69b04335c21313262af4253863109cc8 x86_64/2006.0/SRPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.src.rpm 2aab89244a535afcbc25271df5d6b33f x86_64/2006.0/SRPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.src.rpm f1c7f71d5484c5047b1b38fc16888ae3 x86_64/2006.0/SRPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.src.rpm 3963e3c3a2c38c41d9d3bc5250b124a6 x86_64/2006.0/SRPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.src.rpm bb54aed17a126a9e8568d49866db99ea x86_64/2006.0/SRPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.src.rpm 2a1b11f2c8944bc1fc0d313d54a903cf x86_64/2006.0/SRPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.src.rpm 783c5b3c0fb9916e07f220110155476d x86_64/2006.0/SRPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.src.rpm 895e315731fa0b453045cc39da4f5358 x86_64/2006.0/SRPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.src.rpm daa0a127d2a1a3641d4e97bfb95f1647 x86_64/2006.0/SRPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.src.rpm 0c778b0738b11dfd5d68be48fa6316ed x86_64/2006.0/SRPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.src.rpm 7025d0118cf29e39117bd87c586e84a3 x86_64/2006.0/SRPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.src.rpm 5d8b8e869f588c0f5751e9ce7addba45 x86_64/2006.0/SRPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.src.rpm c5148674a8c7dd1f88c5729293f899ba x86_64/2006.0/SRPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.src.rpm 91d490c075473e2443e383201b961cb8 x86_64/2006.0/SRPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.src.rpm 622ae4619d151bb1634113e50b30fbac x86_64/2006.0/SRPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.src.rpm e6d64c14929d299e2fb52e334ae6641a x86_64/2006.0/SRPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.src.rpm 20f64c6dfd6aa1450cba5002d42f53d8 x86_64/2006.0/SRPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.src.rpm b93a6b548bb1cf0f8cc46dec133e81a3 x86_64/2006.0/SRPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.src.rpm f5603b65b3d10fa5083934e08d2d4560 x86_64/2006.0/SRPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.src.rpm c0e978ea92b4a8f3aa75dad5ab7588b9 x86_64/2006.0/SRPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.src.rpm 93cb0acaeddb095d13b37aeb0ab4dd49 x86_64/2006.0/SRPMS/yelp-2.10.0-6.1.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE41l0mqjQ0CJFipgRAu1DAJ90MqoteYoIfAj0Gqim5fxrvOw7BACg0xq5 L8QZWCg0xY3ZRacFzNTgusw= =gl6u -----END PGP SIGNATURE----- . ZDI-06-025: Mozilla Firefox Javascript navigator Object Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-025.html July 26, 2006 -- CVE ID: CVE-2006-3677 -- Affected Vendor: Mozilla -- Affected Products: Firefox 1.5.0 - 1.5.0.4 SeaMonkey 1.0 - 1.0.2 -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 26, 2006 by Digital Vaccine protection filter ID 4326. More information is detailed in MFSA2006-45: http://www.mozilla.org/security/announce/2006/mfsa2006-45.html -- Disclosure Timeline: 2006.06.16 - Vulnerability reported to vendor 2006.07.25 - Vulnerability information provided to ZDI security partners 2006.07.26 - Digital Vaccine released to TippingPoint customers 2006.07.26 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by an anonymous researcher. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product

Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe). Used in the following products eIQnetworks Enterprise Security Analyzer (ESA) Is Syslog daemon (syslogserver.exe) A stack-based buffer overflow vulnerability exists due to a flaw in handling. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port. eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-level security management platform. The following commands are known to be affected by this vulnerability:  DELTAINTERVAL  LOGFOLDER  DELETELOGS  FWASERVER  SYSLOGPUBLICIP  GETFWAIMPORTLOG  GETFWADELTA  DELETERDEPDEVICE  COMPRESSRAWLOGFILE  GETSYSLOGFIREWALLS  ADDPOLICY  EDITPOLICY. OEM vendors' versions prior to 4.6 are also vulnerable. Authentication is not required to exploit these vulnerabilities. Upon connecting to this port the user is immediately prompted for a password. A custom string comparison loop is used to validate the supplied password against the hard-coded value "eiq2esa?", where the question mark represents any alpha-numeric character. Issuing the command "HELP" reveals a number of documented commands: --------------------------------------------------------- Usage: QUERYMONITOR: to fetch events for a particular monitor QUERYMONITOR&<user>&<monid>&timer QUERYEVENTCOUNT or QEC: to get latest event counts RESETEVENTCOUNT or REC: to reset event counts REC&[ALL] or REC&dev1,dev2, STATUS: Display the running status of all the threads TRACE: TRACE&ip or hostname&. TRACE&OFF& will turn off the trace FLUSH: reset monitors as though the hour has changed ALRT-OFF and ALRT-ON: toggle the life of alerts-thread. RECV-OFF and RECV-ON: toggle the life of event-collection thread. EM-OFF and EM-ON toggle event manager DMON-OFF and DMON-ON toggle device event monitoring HMON-OFF and HMON-ON toggle host event monitoring NFMON-OFF and NFMON-ON toggle netflow event monitoring HPMON-OFF and HPMON-ON toggle host perf monitoring X or EXIT: to close the session --------------------------------------------------------- Supplying a long string to the TRACE command results in an overflow of the global variable at 0x004B1788. A neighboring global variable, 116 bytes after the overflowed variable, contains a file output stream pointer that is written to every 30 seconds by a garbage collection thread. The log message can be influenced and therefore this is a valid exploit vector, albeit complicated. A trivial exploit vector exists within the parsing of the actual command at the following equivalent API call: sscanf(socket_data, "%[^&]&%[^&]&", 60_byte_stack_var, global_var); Because no explicit check is made for the exact command "TRACE", an attacker can abuse this call to sscanf by passing a long suffix to the TRACE command that is free of the field terminating character, '&'. This vector is trivial to exploit. The service will accept up to approximately 16K of data from unauthenticated clients which is later parsed, in a similar fashion to above, in search of the delimiting character '&'. Various trivial vectors of exploitation exist, for example, through the QUERYMONITOR command. -- Vendor Response: eIQnetworks has issued an update to correct this vulnerability. More details can be found at: http://www.eiqnetworks.com/products/enterprisesecurity/ EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf -- Disclosure Timeline: 2006.05.10 - Vulnerability reported to vendor 2006.07.31 - Digital Vaccine released to TippingPoint customers 2006.08.08 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Multiple stack-based buffer overflows in Tumbleweed Email Firewall (EMF) allow remote attackers to execute arbitrary code via an email attachment with an LHA archive that contains a (1) file or (2) directory with a long LHA extended header, (3) an LHA archive in which the "temporary pathname" field for decompressed output is greater than 2 bytes, or (4) an LHA archive with a long filename. Tumbleweed MailGate Email Firewall is prone to multiple buffer-overflow vulnerabilities in its LHA processing routines. A successful attack can allow a remote attacker to corrupt process memory by triggering various overflow conditions in the LHA processing engine. This may lead to arbitrary code execution in the context of the MMSDecompose (a process of the EMF Decomposer component), resulting in a full compromise. These vulnerabilities reportedly affect all versions of the Tumbleweed MailGate Email Firewall. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Tumbleweed Email Firewall LHA File Parsing Vulnerabilities SECUNIA ADVISORY ID: SA21194 VERIFY ADVISORY: http://secunia.com/advisories/21194/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: MailGate Email Firewall 6.x http://secunia.com/product/11136/ Tumbleweed Messaging Management System (MMS) 5.x http://secunia.com/product/3588/ DESCRIPTION: Ryan Smith has reported three vulnerabilities in Tumbleweed Email Firewall, which can be exploited by malicious people to compromise a vulnerable system. 1) A boundary error within the processing of LHA extended-header filenames can be exploited to cause a stack-based buffer overflow. 2) A boundary error within the processing of LHA extended-header directory names can be exploited to cause a stack-based buffer overflow. Successful exploitation of the vulnerabilities allows execution of arbitrary code when an e-mail with a specially crafted attachment is processed. SOLUTION: According to the researcher, the vendor will not be releasing a patch. Instead, the vendor has reportedly suggested a workaround (contact the vendor for more information). PROVIDED AND/OR DISCOVERED BY: Ryan Smith ORIGINAL ADVISORY: http://www.hustlelabs.com/advisories/04072006_tweed.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in Check Point Firewall-1 R55W before HFA03 allows remote attackers to read arbitrary files via an encoded .. (dot dot) in the URL on TCP port 18264. Checkpoint FireWall-1 is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. Information obtained may aid in further attacks. R55W HFA2 and prior versions are vulnerable to this issue. Check Point Firewall-1 is a high-performance firewall. This vulnerability can be exploited via basic HEX-encoded directory traversal strings. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Check Point VPN/Firewall Directory Traversal Vulnerability SECUNIA ADVISORY ID: SA21200 VERIFY ADVISORY: http://secunia.com/advisories/21200/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information WHERE: >From remote SOFTWARE: Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI) http://secunia.com/product/2542/ DESCRIPTION: Pete Foster has reported a vulnerability in Check Point VPN-1/Firewall-1, which can be exploited by malicious people to disclose certain sensitive information. An input validation error in the hard coded web server (port 18264/TCP) can be exploited to disclose the contents of certain files via directory traversal attacks. SOLUTION: The vulnerability has reportedly been fixed in version R55W HFA03. PROVIDED AND/OR DISCOVERED BY: Pete Foster ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2006-07/0419.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Siemens SpeedStream Wireless Router is a wireless router device. Siemens SpeedStream Wireless Router incorrectly processes malformed packets, and remote attackers can use the vulnerability to conduct denial of service attacks on devices. Sending special packets to the built-in web service program of the Siemens SpeedStream wireless router can cause the router's management interface to stop responding, resulting in a denial of service attack.

Siemens SpeedStream 2624 allows remote attackers to cause a denial of service (device hang) by sending a crafted packet to the web administrative interface. Siemens SpeedStream Wireless Routers are prone to a remote denial-of-service vulnerability. This may permit an attacker to crash affected devices, denying further network services to legitimate users. Firmware version 2624 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Siemens SpeedStream 2624 Denial of Service Vulnerability SECUNIA ADVISORY ID: SA21195 VERIFY ADVISORY: http://secunia.com/advisories/21195/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Siemens Speedstream 2624 http://secunia.com/product/10741/ DESCRIPTION: Jaime Blasco has reported a vulnerability in Siemens Speedstream 2624, which can be exploited by malicious people to cause a DoS (Denial of Service). Successful exploitation causes the network device to stop responding. SOLUTION: Restrict access to affected devices. PROVIDED AND/OR DISCOVERED BY: Jaime Blasco ORIGINAL ADVISORY: http://www.digitalarmaments.com/2006310665340982.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The IPv4 implementation in Sun Solaris 10 before 20060721 allows local users to select routes that differ from the routing table, possibly facilitating firewall bypass or unauthorized network communication. Sun's Internet Protocol implementation is prone to a routing-table-bypass vulnerability. This vulnerability occurs because the kernel fails to secure that network traffic is routed only to addresses configured in the system's routing table. A successful exploit may allow an attacker to bypass the system's routing-table configuration to redirect traffic to unauthorized addresses. This may allow an attacker to access unauthorized hosts and services by bypassing firewalls. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. The vulnerability is caused due to an error in the IP implementation, which makes it possible to bypass the routing table and send packets to/through an on-link router other than the defined one. The vulnerability affects Solaris 10 with patches 118833-06 through 118833-17 (SPARC) or patches 118855-04 through 118855-14 (x86). SOLUTION: Apply patches. -- SPARC Platform -- Solaris 10: http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118833-18-1 -- x86 Platform -- Solaris 10: http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118855-15-1 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102509-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in Room.php in Francisco Charrua Photo-Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. Photo-Gallery is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. Photo-Gallery version 1.0 is vulnerable to this issue; other versions may also be affected

D-Link router devices have stack overflow issues that can cause denial of service attacks or execute arbitrary instructions with process privileges. The problem lies in the router's UPNP function, and its M-SEARCH has vulnerabilities. By sending an M-SEARCH request with over-length parameters (more than 800 bytes), a stack overflow can be caused. This vulnerability can be executed without affecting network connectivity and without any attack signatures.

Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in D-Link DI-524, DI-604 Broadband Router, DI-624, D-Link DI-784, WBR-1310 Wireless G Router, WBR-2310 RangeBooster G Router, and EBR-2310 Ethernet Broadband Router allows remote attackers to execute arbitrary code via a long M-SEARCH request to UDP port 1900. A buffer overflow vulnerability in the software that operates certain models of D-Link routers could allow a remote attacker to execute arbitrary code on the affected device. D-Link is an internationally renowned provider of network equipment and solutions, and its products include a variety of router equipment.  If an attacker can send an M-SEARCH request with an excessively long parameter (about 800 bytes) to the LAN interface of the vulnerable D-Link device, it will trigger a stack overflow and cause reliable execution of arbitrary instructions. The attack does not affect network connectivity and shows no signs. In some cases, a soft restart of the device may be required, resulting in a temporary loss of connectivity. D-Link wired and wireless routers are prone to a buffer-overflow vulnerability because these devices fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment

filtnt.sys in Outpost Firewall Pro before 3.51.759.6511 (462) allows local users to cause a denial of service (crash) via long arguments to mshta.exe. Outpost Firewall is prone to a local denial-of-service vulnerability. An attacker can exploit this issue to crash the application, effectively denying service. Outpost Firewall Pro version 3.5.631 is affected by this issue; other versions may also be vulnerable. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. The vulnerability is caused due to an unspecified error in the Virtual Firewall driver (filtnt.sys) and can be exploited to crash the system by e.g. passing an overly long string as command line argument to mshta.exe. The vulnerability has been reported in version 3.5.631. Other versions may also be affected. SOLUTION: Update to version 3.51.759.6511 (462) or later. PROVIDED AND/OR DISCOVERED BY: Bipin Gautam ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Agnitum Outpost Firewall Pro 3.51.759.6511 (462), as used in (1) Lavasoft Personal Firewall 1.0.543.5722 (433) and (2) Novell BorderManager Novell Client Firewall 2.0, does not properly restrict user activities in application windows that run in a LocalSystem context, which allows local users to gain privileges and execute commands (a) via the "open folder" option when no instance of explorer.exe is running, possibly related to the ShellExecute API function; or (b) by overwriting a batch file through the "Save Configuration As" option. NOTE: this might be a vulnerability in Microsoft Windows and explorer.exe instead of the firewall. Lavasoft Personal Firewall will allow local attackers to gain elevated privileges, which may lead to a complete compromise. Version 1.0.543.5722 (433) is reported vulnerable. Other versions may be affected as well. Reports indicate that this issue may be related to BID 19024. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. The vulnerability is caused due to the application windows running with SYSTEM privileges and the application not checking if explorer.exe is running. This can be exploited to launch explorer.exe with SYSTEM privileges by terminating it and then using the "open folder" option in e.g. the "Shared Components" window. SOLUTION: Enable password protection. PROVIDED AND/OR DISCOVERED BY: Ben Goulding ORIGINAL ADVISORY: http://www.ben.goulding.com.au/secad.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Norton Personal Firewall 2006 9.1.0.33 allows local users to cause a denial of service (crash) via certain RegSaveKey, RegRestoreKey and RegDeleteKey operations on the (1) HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc and (2) HKLM\SYSTEM\CurrentControlSet\Services\SymEvent registry keys. Microsoft Windows is prone to a denial-of-service vulnerability. This issue occurs when a program calls certain API calls for manipulating Windows registry keys. This may crash the affected computer. NOTE: This BID has been revised (July 3, 2007); the issue was originally thought to be a vulnerability in Symantec Norton Personal Firewall, but further investigation reveals a problem in an underlying OS API. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Norton Firewall does not properly check calls to the standard Windows API functions RegSaveKey, RegRestoreKey, and RegDeleteKey. In the registry key HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc or HKLM\SYSTEM\CurrentControlSet\Services\SymEvent, combined calls to the above functions will trigger errors in the implementation of the Norton driver, resulting in a system crash

kpf4ss.exe in Sunbelt Kerio Personal Firewall 4.3.x before 4.3.268 does not properly hook the CreateRemoteThread API function, which allows local users to cause a denial of service (crash) and bypass protection mechanisms by calling CreateRemoteThread. Sunbelt Kerio Personal Firewall is prone to a denial-of-service vulnerability. This issue can occur when a program calls the 'CreateRemoteThread' Windows API call. Exploitation of this vulnerability could cause the firewall application to crash. This could expose the computer to further attacks. The individual who discovered this vulnerability claims to have tested it on Sunbelt Kerio Personal Firewall versions 4.3.246 and 4.2.3.912. They were unable to reproduce the vulnerability on version 4.2.3.912, which is an older release. The vulnerable functionality may have been introduced at some point after the 4.2.3.912 release, but this has not been confirmed

The device driver for Intel-based gigabit network adapters in Cisco Intrusion Prevention System (IPS) 5.1(1) through 5.1(p1), as installed on various Cisco Intrusion Prevention System 42xx appliances, allows remote attackers to cause a denial of service (kernel panic and possibly network outage) via a crafted IP packet. Cisco Intrusion Prevention System is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash an affected device, effectively denying service. This issue is documented in Cisco bug ID CSCsd36590. This issue affects 42xx IPS appliances running affected versions of the IPS software. There is a denial of service vulnerability in the Cisco IPS client device driver. An IPS device configured to use the automatic pass-through function will also fail to forward packets. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. This can be exploited to cause a DoS via a specially crafted packet received on an Intel-based gigabit network adapter configured as a sensing interface. Successful exploitation causes the network device to stop processing packets and become inaccessible both remotely and via the console. SOLUTION: Update to version 5.1(2). http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in FlexWATCH Network Camera 3.0 and earlier allows remote attackers to bypass access restrictions for (1) admin/aindex.asp or (2) admin/aindex.html via a .. (dot dot) and encoded / (%2f) sequence in the URL. FlexWatch is prone to an authorization-bypass vulnerability. This issue is due to a failure in the application to properly verify user-supplied input. An attacker can exploit this issue to bypass the authorization mechanism. This allows the attacker to gain unauthorized access to the surveillance system. Versions 3.0 and prior are affected. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Reversing must be a passion as your skills will be challenged on a daily basis and you will be working several hours everyday in IDA, Ollydbg, and with BinDiff. Often, it is also required that you write a PoC or even a working exploit to prove that an issue is exploitable. 1) Input passed via the URL isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities. PROVIDED AND/OR DISCOVERED BY: Jaime Blasco ORIGINAL ADVISORY: Digital Armaments: http://www.digitalarmaments.com/2006300687985463.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Premium Anti-Spam in Ipswitch IMail Secure Server 2006 and Collaboration Suite 2006 Premium, when using a certain .dat file in the StarEngine /data directory from 20060630 or earlier, does not properly receive and implement bullet signature updates, which allows context-dependent attackers to use the server for spam transmission. Attackers use the server to transmit spam