VARIoT IoT vulnerabilities database


VAR-200709-0142 CVE-2007-3753 Apple iPhone Bluetooth arbitrary code execution vulnerability in SDP packet processing CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Apple iPhone before 1.1.1, with Bluetooth enabled, allows physically proximate attackers to cause a denial of service (application termination) and execute arbitrary code via crafted Service Discovery Protocol (SDP) packets, related to insufficient input validation. Apple iPhone is prone to a vulnerability that lets attackers execute arbitrary code. This issue affects the phone's Bluetooth implementation. An attacker in Bluetooth range of the phone may be able to execute arbitrary code. Failed exploit attempts will cause denial-of-service conditions. Versions prior to iPhone 1.1.1 are vulnerable. NOTE: This issue was initially disclosed along with several other issues in BID 25834 (Apple iPhone 1.1.1 Update Multiple Security Vulnerabilities). Each issue has been assigned its own BID to better document the details. Apple iPhone is a smartphone made by Apple.
TITLE: Apple iPhone Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA26983
VERIFY ADVISORY: http://secunia.com/advisories/26983/
CRITICAL: Moderately critical
IMPACT: Hijacking, Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
WHERE: From remote
OPERATING SYSTEM: Apple iPhone 1.x http://secunia.com/product/15128/
DESCRIPTION: Some vulnerabilities, security issues, and a weakness have been reported in the Apple iPhone, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or to compromise a vulnerable system.
1) An input validation error when handling SDP (Service Discovery Protocol) packets exists in the iPhone's Bluetooth server. This can be exploited by an attacker in Bluetooth range to cause the application to crash or to execute arbitrary code by sending specially crafted SDP packets. Successful exploitation requires that Bluetooth is enabled.
2) Users are not notified about changes of mail servers' identities when Mail is configured to use SSL for incoming and outgoing connections. This can be exploited e.g. to impersonate the user's mail server and obtain the user's email credentials. Successful exploitation requires a MitM (Man-in-the-Middle) attack.
3) It is possible to cause the iPhone to call a phone number without user confirmation by enticing a user to follow a "tel:" link in a mail message.
4) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in SA23893.
5) An error in Safari in the handling of "tel:" links can be exploited to cause the iPhone to dial a different number than the one being displayed in the confirmation dialog. Exiting Safari during the confirmation process may result in unintentional confirmation.
6) An error in Safari can be exploited to set Javascript window properties of pages served from other websites when a malicious web site is viewed.
7) Disabling Javascript in Safari does not take effect until Safari is restarted.
8) An error in Safari allows a malicious website to bypass the same-origin policy using "frame" tags. This can be exploited to execute Javascript code in the context of another site when a user visits a malicious web page.
9) An error in Safari allows Javascript events to be associated with the wrong frame. This can be exploited to execute Javascript code in the context of another site when a user visits a malicious web page.
10) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in the context of HTTPS web pages in that domain when a user visits a malicious web page.
SOLUTION: Update to version 1.1.1 (downloadable and installable via iTunes).
PROVIDED AND/OR DISCOVERED BY: The vendor credits:
1) Kevin Mahaffey and John Hering of Flexilis Mobile Security
3) Andi Baritchi, McAfee
4) Michal Zalewski, Google Inc. and Secunia Research
5) Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang
6, 8) Michal Zalewski, Google Inc.
10) Keigo Yamazaki of LAC Co., Ltd.
ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=306586
OTHER REFERENCES: SA23893: http://secunia.com/advisories/23893/
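The SDP issue in CVE-2007-3753 above is described only as "insufficient input validation" of crafted packets. As an added illustration (example code written for this page, not Apple's Bluetooth implementation or any vendor's code), the parser below walks an SDP ServiceSearchRequest the way a hardened server should: the 5-byte PDU header's ParameterLength is checked against the bytes actually received, and every data-element length inside the ServiceSearchPattern is checked against what remains before the payload is touched. The field layout follows the Bluetooth Core specification's SDP PDU and data-element encoding; the three packets at the bottom are constructed samples, not captured traffic, and the function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SDP PDU ID and limits from the Bluetooth Core specification. */
#define SDP_SERVICE_SEARCH_REQ 0x02
#define SDP_MAX_CONT_STATE     16
#define SDP_MAX_SEARCH_UUIDS   12

enum sdp_status { SDP_OK = 0, SDP_ERR_TRUNCATED, SDP_ERR_BAD_LENGTH, SDP_ERR_BAD_TYPE, SDP_ERR_BAD_CONT };
typedef struct { uint8_t pdu_id; uint16_t transaction_id; uint16_t param_len; const uint8_t *params; } sdp_pdu_t;
typedef struct { uint8_t uuid_count; uint16_t max_records; uint8_t cont_len; } sdp_search_req_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* 5-byte PDU header (PDU ID, TransactionID, ParameterLength, big-endian).
 * The declared ParameterLength must match the bytes actually received. */
enum sdp_status sdp_parse_pdu(const uint8_t *buf, size_t len, sdp_pdu_t *out)
{
    if (len < 5) return SDP_ERR_TRUNCATED;
    out->pdu_id = buf[0];
    out->transaction_id = rd16(buf + 1);
    out->param_len = rd16(buf + 3);
    if ((size_t)out->param_len != len - 5) return SDP_ERR_BAD_LENGTH;
    out->params = buf + 5;
    return SDP_OK;
}

/* Data element header: type descriptor in the top 5 bits, size index in the low 3 bits
 * (0-4: fixed 1/2/4/8/16 bytes; 5/6/7: length in the next 1/2/4 bytes). A declared length
 * longer than the remaining bytes is rejected; this is the check an unvalidated parser
 * skips before copying the payload. */
static enum sdp_status de_header(const uint8_t *p, size_t remain, uint8_t *type, size_t *dlen, size_t *hlen)
{
    static const size_t fixed[] = { 1, 2, 4, 8, 16 };
    if (remain < 1) return SDP_ERR_TRUNCATED;
    *type = p[0] >> 3;
    uint8_t size_idx = p[0] & 0x07;
    if (size_idx <= 4) {
        *hlen = 1;
        *dlen = (*type == 0) ? 0 : fixed[size_idx];              /* nil carries no payload */
    } else {
        size_t nbytes = (size_idx == 5) ? 1 : (size_idx == 6) ? 2 : 4;
        if (remain < 1 + nbytes) return SDP_ERR_TRUNCATED;
        *hlen = 1 + nbytes;
        *dlen = (nbytes == 1) ? p[1] : (nbytes == 2) ? rd16(p + 1) : rd32(p + 1);
    }
    return (*dlen > remain - *hlen) ? SDP_ERR_BAD_LENGTH : SDP_OK;
}

/* ServiceSearchRequest parameters: ServiceSearchPattern (a data element sequence of at
 * most 12 UUIDs), MaximumServiceRecordCount (2 bytes), ContinuationState (1 + n bytes). */
enum sdp_status sdp_parse_search_request(const sdp_pdu_t *pdu, sdp_search_req_t *req)
{
    const uint8_t *p = pdu->params;
    size_t remain = pdu->param_len, dlen, hlen;
    uint8_t type;
    enum sdp_status st;

    if (pdu->pdu_id != SDP_SERVICE_SEARCH_REQ) return SDP_ERR_BAD_TYPE;
    if ((st = de_header(p, remain, &type, &dlen, &hlen)) != SDP_OK) return st;
    if (type != 6) return SDP_ERR_BAD_TYPE;                       /* must be a sequence */
    const uint8_t *seq = p + hlen, *seq_end = seq + dlen;
    for (req->uuid_count = 0; seq < seq_end; seq += hlen + dlen) {
        if ((st = de_header(seq, (size_t)(seq_end - seq), &type, &dlen, &hlen)) != SDP_OK) return st;
        if (type != 3 || (dlen != 2 && dlen != 4 && dlen != 16)) return SDP_ERR_BAD_TYPE; /* UUID16/32/128 */
        if (++req->uuid_count > SDP_MAX_SEARCH_UUIDS) return SDP_ERR_BAD_LENGTH;
    }
    remain -= (size_t)(seq_end - p);                              /* whole sequence consumed */
    p = seq_end;
    if (remain < 3) return SDP_ERR_TRUNCATED;                     /* count (2) + continuation length (1) */
    req->max_records = rd16(p);
    req->cont_len = p[2];
    if (req->cont_len > SDP_MAX_CONT_STATE || remain != 3 + (size_t)req->cont_len) return SDP_ERR_BAD_CONT;
    return SDP_OK;
}

enum sdp_status sdp_handle(const uint8_t *buf, size_t len, sdp_search_req_t *req)
{
    sdp_pdu_t pdu;
    enum sdp_status st = sdp_parse_pdu(buf, len, &pdu);
    return st == SDP_OK ? sdp_parse_search_request(&pdu, req) : st;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = {
    0x02, 0x00, 0x01, 0x00, 0x08,   /* ServiceSearchRequest, tid 1, 8 parameter bytes */
    0x35, 0x03, 0x19, 0x11, 0x01,   /* DES(3 bytes) { UUID16 0x1101 Serial Port } */
    0x00, 0x0A, 0x00 };             /* MaximumServiceRecordCount 10, ContinuationState length 0 */
static const uint8_t bad_des_pkt[] = {   /* sequence claims 255 bytes, only 3 follow */
    0x02, 0x00, 0x02, 0x00, 0x08, 0x35, 0xFF, 0x19, 0x11, 0x01, 0x00, 0x0A, 0x00 };
static const uint8_t bad_hdr_pkt[] = {   /* ParameterLength says 256, 8 bytes present */
    0x02, 0x00, 0x03, 0x01, 0x00, 0x35, 0x03, 0x19, 0x11, 0x01, 0x00, 0x0A, 0x00 };

int main(void)
{
    sdp_search_req_t req;
    printf("good=%d bad_des=%d bad_hdr=%d\n", sdp_handle(good_pkt, sizeof good_pkt, &req),
           sdp_handle(bad_des_pkt, sizeof bad_des_pkt, &req), sdp_handle(bad_hdr_pkt, sizeof bad_hdr_pkt, &req));
    return 0;
}
```

Both malformed packets are rejected with SDP_ERR_BAD_LENGTH before any payload byte past the real buffer is read; a parser that trusted the declared 0xFF sequence length or the 256-byte ParameterLength would read or copy past the end of the received packet, which is the failure mode the advisory describes.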
VAR-200709-0143 CVE-2007-3754 Apple iPhone Mail man-in-the-middle vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Mail in Apple iPhone before 1.1.1, when using SSL, does not warn the user when the mail server changes or is not trusted, which might allow remote attackers to steal credentials and read email via a man-in-the-middle (MITM) attack. Because no warning is shown when the server's certificate is untrusted or differs from the one seen before, a man-in-the-middle attacker can impersonate the mail server and obtain the user's credentials and email contents. Apple iPhone Mail is prone to an information-disclosure vulnerability. Attackers may exploit this issue to access potentially sensitive information; this may aid in further attacks. Versions prior to iPhone 1.1.1 are vulnerable. NOTE: This issue was initially disclosed along with several other issues in BID 25834 (Apple iPhone 1.1.1 Update Multiple Security Vulnerabilities). Each issue has been assigned its own BID to better document the details.
VAR-200709-0149 CVE-2007-3760 Apple iPhone and Safari cross-site scripting vulnerability via frame tags CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone before 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to inject arbitrary web script or HTML via frame tags. Apple iPhone Mobile Safari Browser is prone to a vulnerability that lets attackers bypass the same-origin policy. Attackers can exploit this issue to execute arbitrary JavaScript in the context of another domain. Versions prior to iPhone 1.1.1 are vulnerable. NOTE: This issue was initially disclosed along with several other issues in BID 25834 (Apple iPhone 1.1.1 Update Multiple Security Vulnerabilities). Each issue has been assigned its own BID to better document the details. Apple iPhone is a smartphone made by Apple.
TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA27643
VERIFY ADVISORY: http://secunia.com/advisories/27643/
CRITICAL: Highly critical
IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
WHERE: From remote
OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/
DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. For more information: SA26027
2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison the DNS cache. For more information: SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of Service). For more information: SA15447. This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands.
6) An unspecified error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy. Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system. For more information: SA26676
11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges. Successful exploitation requires permission to execute a setuid binary.
12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path.
13) An integer overflow error in the "i386_set_ldt" system call can be exploited by malicious, local users to execute arbitrary code with escalated privileges.
14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any path on the system.
17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses.
18) An integer overflow exists in the handling of ASP messages with AppleTalk. This can be exploited by malicious, local users to cause a heap-based buffer overflow and to execute arbitrary code with system privileges by sending a maliciously crafted ASP message on an AppleTalk socket.
19) A double-free error in the handling of certain IPv6 packets can potentially be exploited to execute arbitrary code with system privileges.
20) A boundary error exists when adding a new AppleTalk zone. This can be exploited to cause a stack-based buffer overflow by sending a maliciously crafted ioctl request to an AppleTalk socket and allows execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory allocations. This can be exploited by malicious, local users to cause a heap-based buffer overflow and execute arbitrary code with system privileges by sending a maliciously crafted AppleTalk message.
22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible.
26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page.
30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in the context of another site by enticing a user to visit a specially crafted web page.
33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain.
34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in SA23893.
35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content.
SOLUTION: Update to Mac OS X 10.4.11 or apply Security Update 2007-008.
Security Update 2007-008 (10.3.9 Client): http://www.apple.com/support/downloads/securityupdate20070081039client.html
Security Update 2007-008 (10.3.9 Server): http://www.apple.com/support/downloads/securityupdate20070081039server.html
Mac OS X 10.4.11 Combo Update (PPC): http://www.apple.com/support/downloads/macosx10411comboupdateppc.html
Mac OS X 10.4.11 Update (Intel): http://www.apple.com/support/downloads/macosx10411updateintel.html
Mac OS X 10.4.11 Combo Update (Intel): http://www.apple.com/support/downloads/macosx10411comboupdateintel.html
Mac OS X 10.4.11 Update (PPC): http://www.apple.com/support/downloads/macosx10411updateppc.html
Mac OS X Server 10.4.11 Update (Universal): http://www.apple.com/support/downloads/macosx10411updateppc.html
Mac OS X Server 10.4.11 Combo Update (Universal): http://www.apple.com/support/downloads/macosxserver10411comboupdateuniversal.html
Mac OS X Server 10.4.11 Update (PPC): http://www.apple.com/support/downloads/macosxserver10411updateppc.html
Mac OS X Server 10.4.11 Combo Update (PPC): http://www.apple.com/support/downloads/macosxserver10411comboupdateppc.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Mark Tull, University of Hertfordshire and Joel Vink, Zetera Corporation.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich.
ORIGINAL ADVISORY:
Apple: http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105: http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447: http://secunia.com/advisories/15447/
SA23893: http://secunia.com/advisories/23893/
SA26027: http://secunia.com/advisories/26027/
SA26152: http://secunia.com/advisories/26152/
SA26676: http://secunia.com/advisories/26676/
US-CERT Technical Cyber Security Alert TA07-319A (VU#498105), as excerpted here:
I. Further details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.
III. This and other updates are available via Apple Update or via Apple Downloads.
IV. Please send email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the subject.
Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html>
Revision History: November 15, 2007: Initial release
VAR-200709-0147 CVE-2007-3758 Apple iPhone and Safari cross-site scripting vulnerability via Javascript window properties CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Safari in Apple iPhone before 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and in Mac OS X 10.4 through 10.4.10, allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks. Separately, the Mac OS X Security Update 2007-008 that carries the Safari fix (US-CERT VU#498105) also addresses a CoreText uninitialized pointer vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system; that CoreText issue is not this CVE. Apple iPhone Mobile Safari Browser is prone to a vulnerability that allows attackers to bypass the same-origin policy. Attackers can exploit this issue to execute arbitrary JavaScript in the context of another domain. Versions prior to iPhone 1.1.1 are vulnerable. NOTE: This issue was initially disclosed along with several other issues in BID 25834 (Apple iPhone 1.1.1 Update Multiple Security Vulnerabilities). Each issue has been assigned its own BID to better document the details. Apple iPhone is a smartphone made by Apple.
Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27643 VERIFY ADVISORY: http://secunia.com/advisories/27643/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. For more information: SA26027 2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled. 3) An error in BIND can be exploited by malicious people to poison the DNS cache. For more information: SA26152 4) An error in bzip2 can be exploited to cause a DoS (Denial of Service). For more information: SA15447 This also fixes a race condition when setting file permissions. 5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands. 6) An unspecified error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate. 
7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server. 8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy. Successful exploitation allows execution of arbitrary code. 9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text. 10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system. For more information: SA26676 11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges. Successful exploitation requires permission to execute a setuid binary. 12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path. 13) An integer overflow error in the "i386_set_ldt" system call can be exploited by malicious, local users to execute arbitrary code with escalated privileges. 14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state. 15) An integer overflow exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request. 16) The default configuration of tftpd allows clients to access any path on the system. 
17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses. 18) An integer overflow exists in the handling of ASP messages with AppleTalk. This can be exploited by malicious, local users to cause a heap-based buffer overflow and to execute arbitrary code with system privileges by sending a maliciously crafted ASP message on an AppleTalk socket. 19) A double-free error in the handling of certain IPV6 packets can potentially be exploited to execute arbitrary code with system privileges. 20) A boundary error exists when adding a new AppleTalk zone. This can be exploited to cause a stack-based buffer overflow by sending a maliciously crafted ioctl request to an AppleTalk socket and allows execution of arbitrary code with system privileges. 21) An arithmetic error exists in AppleTalk when handling memory allocations. This can be exploited by malicious, local users to cause a heap-based buffer overflow and execute arbitrary code with system privileges by sending a maliciously crafted AppleTalk message. 22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP. 23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system. 24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name. 25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible. 
26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog. 27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page. 28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file. 29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page. 30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page. 31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page. 32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page. 33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. 34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in: SA23893 35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari. 36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports. 37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content. 
SOLUTION: Update to Mac OS X 10.4.11 or apply Security Update 2007-008. Security Update 2007-008 (10.3.9 Client): http://www.apple.com/support/downloads/securityupdate20070081039client.html Security Update 2007-008 (10.3.9 Server): http://www.apple.com/support/downloads/securityupdate20070081039server.html Mac OS X 10.4.11 Combo Update (PPC): http://www.apple.com/support/downloads/macosx10411comboupdateppc.html Mac OS X 10.4.11 Update (Intel): http://www.apple.com/support/downloads/macosx10411updateintel.html Mac OS X 10.4.11 Combo Update (Intel): http://www.apple.com/support/downloads/macosx10411comboupdateintel.html Mac OS X 10.4.11 Update (PPC): http://www.apple.com/support/downloads/macosx10411updateppc.html Mac OS X Server 10.4.11 Update (Universal): http://www.apple.com/support/downloads/macosx10411updateppc.html Mac OS X Server 10.4.11 Combo Update (Universal): http://www.apple.com/support/downloads/macosxserver10411comboupdateuniversal.html Mac OS X Server 10.4.11 Update (PPC): http://www.apple.com/support/downloads/macosxserver10411updateppc.html Mac OS X Server 10.4.11 Combo Update (PPC): http://www.apple.com/support/downloads/macosxserver10411comboupdateppc.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Mark Tull, University of Hertfordshire and Joel Vink, Zetera Corporation. 5) The vendor credits Dr Bob Lopez PhD. 6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C. 9) Will Dormann, CERT/CC 11) An anonymous person, reported via iDefense Labs. 12) The vendor credits Johan Henselmans and Jesper Skov. 13) The vendor credits RISE Security. 14) The vendor credits Ilja van Sprundel. 15) The vendor credits Tobias Klein, www.trapkit.de 16) The vendor credits James P. Javery, Stratus Data Systems 17) The vendor credits Arnaud Ebalard, EADS Innovation Works. 18, 21) Sean Larsson, iDefense Labs 19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications. 
20) An anonymous person, reported via iDefense Labs. 22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc. 25) The vendor credits Michael Roitzsch, Technical University Dresden. 26) The vendor credits Faisal N. Jawdat 27) The vendor credits lixlpixel. 28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH. 29) The vendor credits Ryan Grisso, NetSuite. 30) The vendor credits David Bloom. 31, 32) The vendor credits Michal Zalewski, Google Inc. 33) The vendor credits Keigo Yamazaki of LAC Co. 36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS 37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307041 US-CERT VU#498105: http://www.kb.cert.org/vuls/id/498105 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628 OTHER REFERENCES: SA15447: http://secunia.com/advisories/15447/ SA23893: http://secunia.com/advisories/23893/ SA26027: http://secunia.com/advisories/26027/ SA26152: http://secunia.com/advisories/26152/ SA26676: http://secunia.com/advisories/26676/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. 
Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. Further details are available in the related vulnerability notes. II. Impact The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History November 15, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9 OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F 4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2 LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ== =AgEr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- 
NOTE: The following items continue Secunia advisory SA26983 (Apple iPhone Multiple Vulnerabilities) quoted above. 2) The problem is that users are not notified about changes of mail servers' identities when Mail is configured to use SSL for incoming and outgoing connections. This can be exploited e.g. to impersonate the user's mail server and obtain the user's email credentials. 3) It is possible to cause the iPhone to call a phone number without user confirmation by enticing a user to follow a "tel:" link in a mail message. Exiting Safari during the confirmation process may result in unintentional confirmation. 7) Disabling Javascript in Safari does not take effect until Safari is restarted. SOLUTION: Update to version 1.1.1 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Kevin Mahaffey and John Hering of Flexilis Mobile Security 3) Andi Baritchi, McAfee 4) Michal Zalewski, Google Inc. and Secunia Research 5) Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang 6, 8) Michal Zalewski, Google Inc
VAR-200709-0145 CVE-2007-3756 Apple Safari Information disclosure vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain. NOTE: The following sentence is carried over from the US-CERT vulnerability note VU#498105 referenced in the Secunia advisory below; it describes the separate CoreText uninitialised-pointer issue fixed by the same Apple update, not this Safari issue. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple iPhone is prone to an information-disclosure vulnerability. This issue affects the phone's Mobile Safari application. Attackers may exploit this issue to access potentially sensitive information; other attacks are also possible. NOTE: This issue was initially disclosed along with several other issues in BID 25834 (Apple iPhone 1.1.1 Update Multiple Security Vulnerabilities). Each issue has been assigned its own BID to better document the details. Versions prior to iPhone 1.1.1 are vulnerable. 
---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27643 VERIFY ADVISORY: http://secunia.com/advisories/27643/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. For more information: SA26027 2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled. 3) An error in BIND can be exploited by malicious people to poison the DNS cache. For more information: SA26152 4) An error in bzip2 can be exploited to cause a DoS (Denial of Service). For more information: SA15447 This also fixes a race condition when setting file permissions. 5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands. 6) An unspecified error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate. 
7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server. 8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy. Successful exploitation allows execution of arbitrary code. 9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text. 10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system. For more information: SA26676 11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges. Successful exploitation requires permission to execute a setuid binary. 12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path. 13) An integer overflow error in the "i386_set_ldt" system call can be exploited by malicious, local users to execute arbitrary code with escalated privileges. 14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state. 15) An integer overflow exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request. 16) The default configuration of tftpd allows clients to access any path on the system. 
17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses. 18) An integer overflow exists in the handling of ASP messages with AppleTalk. This can be exploited by malicious, local users to cause a heap-based buffer overflow and to execute arbitrary code with system privileges by sending a maliciously crafted ASP message on an AppleTalk socket. 19) A double-free error in the handling of certain IPV6 packets can potentially be exploited to execute arbitrary code with system privileges. 20) A boundary error exists when adding a new AppleTalk zone. This can be exploited to cause a stack-based buffer overflow by sending a maliciously crafted ioctl request to an AppleTalk socket and allows execution of arbitrary code with system privileges. 21) An arithmetic error exists in AppleTalk when handling memory allocations. This can be exploited by malicious, local users to cause a heap-based buffer overflow and execute arbitrary code with system privileges by sending a maliciously crafted AppleTalk message. 22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP. 23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system. 24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name. 25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible. 
26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog. 27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page. 28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file. 29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page. 30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page. 31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page. 32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page. 33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. 34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in: SA23893 35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari. 36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports. 
37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content. SOLUTION: Update to Mac OS X 10.4.11 or apply Security Update 2007-008. Security Update 2007-008 (10.3.9 Client): http://www.apple.com/support/downloads/securityupdate20070081039client.html Security Update 2007-008 (10.3.9 Server): http://www.apple.com/support/downloads/securityupdate20070081039server.html Mac OS X 10.4.11 Combo Update (PPC): http://www.apple.com/support/downloads/macosx10411comboupdateppc.html Mac OS X 10.4.11 Update (Intel): http://www.apple.com/support/downloads/macosx10411updateintel.html Mac OS X 10.4.11 Combo Update (Intel): http://www.apple.com/support/downloads/macosx10411comboupdateintel.html Mac OS X 10.4.11 Update (PPC): http://www.apple.com/support/downloads/macosx10411updateppc.html Mac OS X Server 10.4.11 Update (Universal): http://www.apple.com/support/downloads/macosx10411updateppc.html Mac OS X Server 10.4.11 Combo Update (Universal): http://www.apple.com/support/downloads/macosxserver10411comboupdateuniversal.html Mac OS X Server 10.4.11 Update (PPC): http://www.apple.com/support/downloads/macosxserver10411updateppc.html Mac OS X Server 10.4.11 Combo Update (PPC): http://www.apple.com/support/downloads/macosxserver10411comboupdateppc.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Mark Tull, University of Hertfordshire and Joel Vink, Zetera Corporation. 5) The vendor credits Dr Bob Lopez PhD. 6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C. 9) Will Dormann, CERT/CC 11) An anonymous person, reported via iDefense Labs. 12) The vendor credits Johan Henselmans and Jesper Skov. 13) The vendor credits RISE Security. 14) The vendor credits Ilja van Sprundel. 15) The vendor credits Tobias Klein, www.trapkit.de 16) The vendor credits James P. Javery, Stratus Data Systems 17) The vendor credits Arnaud Ebalard, EADS Innovation Works. 
18, 21) Sean Larsson, iDefense Labs 19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications. 20) An anonymous person, reported via iDefense Labs. 22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc. 25) The vendor credits Michael Roitzsch, Technical University Dresden. 26) The vendor credits Faisal N. Jawdat 27) The vendor credits lixlpixel. 28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH. 29) The vendor credits Ryan Grisso, NetSuite. 30) The vendor credits David Bloom. 31, 32) The vendor credits Michal Zalewski, Google Inc. 33) The vendor credits Keigo Yamazaki of LAC Co. 36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS 37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307041 US-CERT VU#498105: http://www.kb.cert.org/vuls/id/498105 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628 OTHER REFERENCES: SA15447: http://secunia.com/advisories/15447/ SA23893: http://secunia.com/advisories/23893/ SA26027: http://secunia.com/advisories/26027/ SA26152: http://secunia.com/advisories/26152/ SA26676: http://secunia.com/advisories/26676/ ---------------------------------------------------------------------- 
NOTE: The following items continue Secunia advisory SA26983 (Apple iPhone Multiple Vulnerabilities) quoted above. 2) The problem is that users are not notified about changes of mail servers' identities when Mail is configured to use SSL for incoming and outgoing connections. This can be exploited e.g. to impersonate the user's mail server and obtain the user's email credentials. 3) It is possible to cause the iPhone to call a phone number without user confirmation by enticing a user to follow a "tel:" link in a mail message. Exiting Safari during the confirmation process may result in unintentional confirmation. 7) Disabling Javascript in Safari does not take effect until Safari is restarted. SOLUTION: Update to version 1.1.1 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Kevin Mahaffey and John Hering of Flexilis Mobile Security 3) Andi Baritchi, McAfee 4) Michal Zalewski, Google Inc. and Secunia Research 5) Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang 6, 8) Michal Zalewski, Google Inc
VAR-200709-0062 CVE-2007-5134 Cisco Catalyst 6500 and Cisco 7600 Loopback in the series IP Address restriction bypass vulnerability

Related entries in the VARIoT exploits database: VAR-E-200709-0584
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended. Attackers may leverage this issue to access a device from an unauthorized remote location; this may aid in further attacks. ---------------------------------------------------------------------- TITLE: Cisco Catalyst 6500 / Cisco 7600 Series Devices Accessible Loopback Address Weakness SECUNIA ADVISORY ID: SA26988 VERIFY ADVISORY: http://secunia.com/advisories/26988/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Cisco 7600 Series 12.x http://secunia.com/product/15865/ Cisco Catalyst 6500 Series 12.x http://secunia.com/product/15864/ DESCRIPTION: A weakness has been reported in Cisco Catalyst 6500 and Cisco 7600 series devices, which can be exploited by malicious people to bypass certain security restrictions. The problem is that packets destined for the 127.0.0.0/8 network may be received and processed by e.g. the Supervisor module or Multilayer Switch Feature Card (MSFC). This can be exploited to e.g. bypass existing access control lists. Successful exploitation requires that systems are running Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the MSFC) or Native Mode (IOS Software on both the Supervisor Engine and the MSFC). The weakness is reported in all software versions on Cisco Catalyst 6500 and Cisco 7600 series prior to 12.2(33)SXH. 
SOLUTION: Update to 12.2(33)SXH. PROVIDED AND/OR DISCOVERED BY: The vendor credits Lee E. Rian. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml ----------------------------------------------------------------------
VAR-200709-0109 CVE-2007-5070 Quiksoft EasyMail MessagePrinter Object of emprint.DLL Heap-based buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in the EasyMailMessagePrinter ActiveX control in emprint.DLL 6.0.1.0 in the Quiksoft EasyMail MessagePrinter Object allows remote attackers to execute arbitrary code via a long string in the first argument to the SetFont method
VAR-200709-0081 CVE-2007-5042 Outpost Firewall Pro Service disruption in (DoS) Vulnerabilities CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Outpost Firewall Pro 4.0.1025.7828 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteFile, (3) NtLoadDriver, (4) NtOpenProcess, (5) NtOpenSection, (6) NtOpenThread, and (7) NtUnloadDriver kernel SSDT hooks, a partial regression of CVE-2006-7160. This issue is a partial regression of the fix for CVE-2006-7160: a local user can crash the system, and possibly gain elevated privileges, by passing malformed parameters through those seven kernel SSDT hooks. Outpost Firewall is prone to a denial-of-service vulnerability
VAR-200709-0023 CVE-2007-5094 Ipswitch IMail SMTP Server IASPAM.DLL Remote Buffer Overflow Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line. Ipswitch IMail Server is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Attackers may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions between Ipswitch IMail Server 8.01 and 8.11 are vulnerable to this issue; other versions may also be affected. NOTE: This issue may be related to previously disclosed vulnerabilities in IMail, but due to a lack of information we cannot confirm this. We will update this BID as more information emerges. IPSwitch IMail is a Windows-based mail service program. There is a buffer overflow vulnerability in IPSwitch IMail's iaspam.dll, which may be exploited by remote attackers to control the server. Relevant details (loc_1001ada5; note that the module's load base address may differ during dynamic debugging):

loc_1001ada5:
    mov  eax, [ebp+var_54]
    mov  ecx, [eax+10c8h]
    push ecx                ; char * (pushed first, so the second argument: src)
    mov  edx, [ebp+var_54]
    mov  eax, [edx+10d0h]
    push eax                ; char * (pushed second, so the first argument: dst)
    call _strcpy
    add  esp, 8
    jmp  loc_1001a6f0

Both strcpy operands are loaded straight from the heap object pointed to by var_54 (source pointer at offset 0x10c8, destination pointer at offset 0x10d0) without any check on where they point or how long the source string is. An attacker who sends a malicious e-mail to the server (an SMD file) and thereby controls the data at those offsets can make strcpy copy an arbitrary string to an arbitrary address.
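As an added illustration (written for this page, not Ipswitch code), the following C program reduces the pattern in the disassembly above to a MIME header parser that copies the boundary parameter into a fixed-size heap buffer: the vulnerable form mirrors the unchecked strcpy, and the hardened form measures the parameter and rejects an over-long value instead of copying it. The structure name, field names, the 64-byte buffer size and the sample header lines are assumptions made for the example; the real iaspam.dll object layout is not published here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed heap buffer that receives the boundary value.
 * The real iaspam.dll buffer sizes are not known; this is an assumption. */
#define BOUNDARY_MAX 64

/* Hypothetical per-message context, modelled on the heap object the
 * disassembly dereferences: one pointer to the raw header line (src),
 * one to the fixed-size destination buffer (dst). */
struct msg_ctx {
    char *header_line;   /* attacker-controlled Content-Type header line */
    char *boundary;      /* heap buffer of BOUNDARY_MAX bytes */
};

/* Locate the value of the boundary= parameter in a Content-Type line.
 * Returns a pointer into the line, or NULL if there is no such parameter. */
static const char *find_boundary(const char *line)
{
    const char *p = strstr(line, "boundary=");
    return p ? p + strlen("boundary=") : NULL;
}

/* Vulnerable form, mirroring the unchecked strcpy at loc_1001ada5: a
 * boundary value of BOUNDARY_MAX bytes or more overruns the heap buffer.
 * Shown only for contrast; never feed it untrusted input. */
int parse_boundary_vulnerable(struct msg_ctx *ctx)
{
    const char *val = find_boundary(ctx->header_line);
    if (!val)
        return -1;
    strcpy(ctx->boundary, val);   /* no length check: heap overflow */
    return 0;
}

/* Hardened form: measure the parameter first and refuse, rather than
 * silently truncate, anything that does not fit. A message carrying an
 * over-long boundary is malformed and is rejected outright. */
int parse_boundary_safe(struct msg_ctx *ctx)
{
    const char *val = find_boundary(ctx->header_line);
    if (!val)
        return -1;
    size_t n = strcspn(val, ";\r\n");       /* value ends at ';' or end of line */
    if (n == 0 || n >= BOUNDARY_MAX)
        return -2;                           /* empty or over-long: reject */
    memcpy(ctx->boundary, val, n);
    ctx->boundary[n] = '\0';
    return 0;
}

/* Allocate a context around a constructed header line. */
struct msg_ctx *ctx_new(const char *line)
{
    struct msg_ctx *c = calloc(1, sizeof *c);
    size_t len = strlen(line);
    c->header_line = malloc(len + 1);
    memcpy(c->header_line, line, len + 1);
    c->boundary = calloc(BOUNDARY_MAX, 1);
    return c;
}

void ctx_free(struct msg_ctx *c)
{
    free(c->header_line);
    free(c->boundary);
    free(c);
}

/* Build a Content-Type line whose boundary parameter is n bytes of 'A',
 * the "long boundary parameter" shape the advisory describes. Caller frees. */
char *make_long_header(size_t n)
{
    const char prefix[] = "Content-Type: multipart/mixed; boundary=";
    size_t plen = sizeof prefix - 1;
    char *line = malloc(plen + n + 1);
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', n);
    line[plen + n] = '\0';
    return line;
}

int main(void)
{
    /* Constructed sample: a benign message header. */
    struct msg_ctx *ok = ctx_new("Content-Type: multipart/mixed; boundary=part_1; charset=us-ascii");
    printf("benign header, safe parser: rc=%d boundary=\"%s\"\n",
           parse_boundary_safe(ok), ok->boundary);
    ctx_free(ok);

    /* Constructed sample: a 300-byte boundary. The safe parser rejects it;
     * the vulnerable parser would write 236 bytes past the 64-byte buffer. */
    char *line = make_long_header(300);
    struct msg_ctx *bad = ctx_new(line);
    printf("300-byte boundary, safe parser: rc=%d\n", parse_boundary_safe(bad));
    ctx_free(bad);
    free(line);
    return 0;
}
```

The design point is the return code on the over-long case: rejecting the message is the right behaviour for a spam filter, because a truncated boundary would make the rest of the MIME parse disagree with what the mail client sees.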
VAR-200709-0097 CVE-2007-5058 Barracuda Spam Firewall Web Administration Console Username HTML Injection Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the Web administration interface in Barracuda Spam Firewall before firmware 3.5.10.016 allows remote attackers to inject arbitrary web script or HTML via the username field in a login attempt, which is not properly handled when the Monitor Web Syslog screen is open. Barracuda Spam Firewall is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. This issue affects Barracuda Spam Firewall firmware 3.4.10.102; other versions may also be affected
VAR-200709-0071 CVE-2007-5032 Francisco Burzi PHP-Nuke of admin.php Vulnerable to cross-site request forgery CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in admin.php in Francisco Burzi PHP-Nuke allows remote attackers to add administrative accounts via an AddAuthor action with modified add_name and add_radminsuper parameters. PHP-Nuke is prone to a cross-site request forgery vulnerability. A remote attacker can use the AddAuthor action with modified add_name and add_radminsuper parameters to add an administrator account
VAR-200709-0300 CVE-2007-5027 WBR3404TX Broadband router Web Cross-site scripting vulnerability in admin panel CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/ddns in the web management panel for the WBR3404TX broadband router with firmware R1.94p0vTIG allow remote attackers to inject arbitrary web script or HTML via the (1) DD or (2) DU parameter. The LevelOne WBR3404TX Broadband Router is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. These issues occur in the web management panel. Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected site. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks. LevelOne WBR3404TX firmware version R1.94p0vTIG is vulnerable; other versions may also be affected
VAR-200709-0264 CVE-2007-4967 Online Armor Personal Firewall Service disruption in (DoS) Vulnerabilities CVSS V2: 4.4
CVSS V3: -
Severity: MEDIUM
Online Armor Personal Firewall 2.0.1.215 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via unspecified kernel SSDT hooks for Windows Native API functions including (1) NtAllocateVirtualMemory, (2) NtConnectPort, (3) NtCreateFile, (4) NtCreateKey, (5) NtCreatePort, (6) NtDeleteFile, (7) NtDeleteValueKey, (8) NtLoadKey, (9) NtOpenFile, (10) NtOpenProcess, (11) NtOpenThread, (12) NtResumeThread, (13) NtSetContextThread, (14) NtSetValueKey, (15) NtSuspendProcess, (16) NtSuspendThread, and (17) NtTerminateThread. Online Armor Personal Firewall 2.0.1.215 does not correctly validate certain parameters of System Service Descriptor Table (SSDT) function handlers; a local user can cause a denial of service (crash) and possibly gain privileges by way of unspecified kernel SSDT hooks for Windows Native API functions including (1) NtAllocateVirtualMemory, (2) NtConnectPort, (3) NtCreateFile, (4) NtCreateKey, (5) NtCreatePort, (6) NtDeleteFile, (7) NtDeleteValueKey, (8) NtLoadKey, (9) NtOpenFile, (10) NtOpenProcess, (11) NtOpenThread, (12) NtResumeThread, (13) NtSetContextThread, (14) NtSetValueKey, (15) NtSuspendProcess, (16) NtSuspendThread, and (17) NtTerminateThread. Exploiting these vulnerabilities allows local attackers to crash affected computers, denying service to legitimate users. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed
VAR-200709-0265 CVE-2007-4968 Privatefirewall Service disruption in (DoS) Vulnerabilities CVSS V2: 4.4
CVSS V3: -
Severity: MEDIUM
Privatefirewall 5.0.14.2 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via kernel SSDT hooks for (1) NtOpenProcess and (2) NtOpenThread. Privatefirewall is prone to multiple local vulnerabilities. Exploiting these vulnerabilities allows local attackers to crash affected computers, denying service to legitimate users. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed. Privatefirewall 5.0.14.2 is vulnerable; other versions may also be affected
VAR-200709-0162 CVE-2007-4928 AXIS Vulnerability in camera where important information is obtained CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
The AXIS 207W camera stores a WEP or WPA key in cleartext in the configuration file, which might allow local users to obtain sensitive information. The AXIS camera keeps the wireless key in clear text in its configuration file. The AXIS 207W Network Camera is prone to an information-disclosure vulnerability
VAR-200709-0163 CVE-2007-4929 AXIS Cross-site scripting vulnerability in cameras CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 207W camera allow remote attackers to inject arbitrary web script or HTML via the camNo parameter to incl/image_incl.shtml, and other unspecified vectors. The AXIS 207W Network Camera is prone to a cross-site scripting vulnerability. AXIS 207W is a network camera that provides wireless IEEE 802.11g and Ethernet interfaces.

----------------------------------------------------------------------
BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date, effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/
----------------------------------------------------------------------

TITLE: AXIS 207W Network Camera Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA26831

VERIFY ADVISORY: http://secunia.com/advisories/26831/

CRITICAL: Less critical

IMPACT: Cross Site Scripting, DoS

WHERE: From remote

OPERATING SYSTEM: Axis Network Camera http://secunia.com/product/908/

DESCRIPTION: Seth Fogie has reported some vulnerabilities in the AXIS 207W Network Camera, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks, or by malicious users to cause a DoS (Denial of Service).

1) Input passed to the "camNo" parameter in incl/image_incl.shtml is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. reboot the camera, add a new administrator, or to install a backdoor by enticing a logged-in administrator to visit a malicious site.

3) An unspecified vulnerability exists within the axis-cgi/buffer/command.cgi script. This can be exploited to reboot the vulnerable system by issuing multiple HTTP requests (more than 129) for the affected script with the "do" parameter set to "start" and with an arbitrary value for the "buffername" parameter. Successful exploitation of this vulnerability requires valid user credentials.

SOLUTION: Filter traffic to affected devices and do not visit untrusted web sites while being logged in to the device.

PROVIDED AND/OR DISCOVERED BY: Seth Fogie, Airscanner Mobile Security

ORIGINAL ADVISORY: http://airscanner.com/security/07080701_axis.htm

OTHER REFERENCES: http://www.informit.com/articles/article.aspx?p=1016102

----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200709-0160 CVE-2007-4926 AXIS Vulnerability to obtain important information in camera CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The AXIS 207W camera uses a base64-encoded cleartext username and password for authentication, which allows remote attackers to obtain sensitive information by sniffing the wireless network or by leveraging unspecified other vectors. AXIS 207W cameras authenticate with a username and password that are sent base64-encoded, which is effectively plaintext
VAR-200709-0075 CVE-2007-5036 AirDefense Airsensor M520 Vulnerable to buffer overflow CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter". The AirDefense M520 is prone to multiple remote denial-of-service vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. A successful attack will cause the device's HTTPD service to crash. Given the nature of these issues, remote code execution may also be possible, but this has not been confirmed.

TITLE: AirDefense Airsensor M520 HTTPS Request Handling Denial of Service Vulnerabilities

SECUNIA ADVISORY ID: SA26869

VERIFY ADVISORY: http://secunia.com/advisories/26869/

CRITICAL: Less critical

IMPACT: DoS

WHERE: From local network

OPERATING SYSTEM: AirDefense Firmware 4.x http://secunia.com/product/15763/

DESCRIPTION: Alex Hernandez has reported some vulnerabilities in AirDefense Airsensor M520, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to unspecified errors in adLog.cgi, post.cgi, and ad.cgi and can be exploited to crash the HTTPS service via a specially crafted HTTPS request. The vulnerabilities are reported in AirDefense firmware versions 4.3.1.1 and 4.4.1.4, model M520. Other versions may also be affected.

SOLUTION: Update to the latest firmware version.

PROVIDED AND/OR DISCOVERED BY: Alex Hernandez, Sybsecurity

ORIGINAL ADVISORY: http://www.sybsecurity.com/advisors/SYBSEC-ADV01-Airsensor_M520_HTTPD_Remote_Preauth_Denial_Of_Service_and_Buffer_Overflow_PoC
VAR-200709-0161 CVE-2007-4927 AXIS Camera axis-cgi/buffer/command.cgi Service disruption in (DoS) Vulnerabilities CVSS V2: 3.5
CVSS V3: -
Severity: LOW
axis-cgi/buffer/command.cgi on the AXIS 207W camera allows remote authenticated users to cause a denial of service (reboot) via many requests with unique buffer names in the buffername parameter in a start action. Axis Communications 207W Network Camera is prone to multiple vulnerabilities in the web interface. Three issues were reported: a cross-site scripting vulnerability, a cross-site request-forgery vulnerability, and a denial-of-service vulnerability. Exploiting these issues may allow an attacker to compromise the device or to prevent other users from using the device. See Secunia advisory SA26831 above for the full advisory text
VAR-200709-0164 CVE-2007-4930 AXIS camera Vulnerable to cross-site request forgery CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 207W camera allow remote attackers to perform certain actions as administrators via (1) axis-cgi/admin/restart.cgi, (2) the user and sgrp parameters to axis-cgi/admin/pwdgrp.cgi in an add action, or (3) the server parameter to admin/restartMessage.shtml. Axis Communications 207W Network Camera is prone to multiple vulnerabilities in the web interface. Three issues were reported: a cross-site scripting vulnerability, a cross-site request-forgery vulnerability, and a denial-of-service vulnerability. Exploiting these issues may allow an attacker to compromise the device or to prevent other users from using the device. See Secunia advisory SA26831 above for the full advisory text