VARIoT IoT vulnerabilities database
| VAR-201906-0001 | CVE-2009-5156 | ASMAX AR-804gu Command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is command injection via the cgi-bin/script query string. Successful exploitation can disclose information, alter information, and disrupt service (DoS). Asmax Ar-804gu is a SOHO-class router that provides ADSL, WiFi, and Ethernet interfaces. The /cgi-bin/ directory of its web management interface contains a script named script, and access to it from the LAN is not restricted. A remote attacker who submits a malicious request with a system parameter can inject arbitrary shell commands. The Asmax Ar-804gu router is therefore prone to a remote command-injection vulnerability because it fails to adequately restrict access to certain features.
Remote attackers can exploit this issue to execute arbitrary shell commands with superuser privileges, which may facilitate a complete compromise of the affected device.
Asmax Ar-804gu with firmware version 66.34.1 is affected; other versions may also be vulnerable.
| VAR-200906-0059 | CVE-2009-0950 | Apple iTunes buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in Apple iTunes before 8.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an itms: URL with a long URL component after a colon. Apple iTunes is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks before copying user-supplied data to an insufficiently sized buffer.
Attackers can leverage this issue to execute arbitrary code with the privileges of the user running the affected application. Failed attacks will likely cause denial-of-service conditions. Apple iTunes is a media player program.
TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
June 2, 2009
-- CVE ID:
CVE-2009-0950
-- Affected Vendors:
Apple
-- Affected Products:
Apple iTunes
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8013.
User interaction is required to exploit this vulnerability in that the
target must visit a malicious page.
The specific flaw exists in the URL handlers associated with iTunes.
When processing URLs via the protocol handlers "itms", "itmss", "daap",
"pcast", and "itpc" an exploitable stack overflow occurs. Successful
exploitation can lead to a remote system compromise under the
credentials of the currently logged in user.
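The C program below is an added example written for this page; it is not Apple's or TippingPoint's code and does not reproduce the iTunes handler. It assumes a hypothetical fixed-size stack buffer (HOST_MAX) and the five scheme names listed above, and contrasts the unbounded copy that produces this class of stack overflow with a handler that checks the scheme against an allowlist and refuses a component that does not fit. The URLs it is fed are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define HOST_MAX 64   /* hypothetical fixed stack buffer: the shape of this bug class */

/* Vulnerable shape: everything after "scheme:" is copied into a fixed
   stack buffer with no length check. Kept only for comparison; it is
   never called below, because a long component corrupts the stack. */
int handle_url_vulnerable(const char *url)
{
    char component[HOST_MAX];
    const char *colon = strchr(url, ':');
    if (colon == NULL)
        return -1;
    strcpy(component, colon + 1);           /* BAD: unbounded copy */
    return (int)strlen(component);
}

/* Schemes the handler is registered for (the five named in the advisory) */
static const char *const handled_schemes[] = { "itms", "itmss", "daap", "pcast", "itpc" };

/* Case-insensitive compare of the first n bytes of s against a word */
static int ieq(const char *s, size_t n, const char *word)
{
    if (strlen(word) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)word[i]))
            return 0;
    return 1;
}

/* Hardened: allowlist the scheme, then copy the component only if it
   fits, refusing (not truncating) oversized input.
   Returns the component length, or -1 (no colon), -2 (foreign scheme),
   -3 (too long for the buffer). */
int handle_url_safe(const char *url, char *out, size_t outlen)
{
    const char *colon = strchr(url, ':');
    if (colon == NULL)
        return -1;
    size_t slen = (size_t)(colon - url);
    int known = 0;
    for (size_t i = 0; i < sizeof handled_schemes / sizeof handled_schemes[0]; i++)
        if (ieq(url, slen, handled_schemes[i])) { known = 1; break; }
    if (!known)
        return -2;
    size_t rest = strlen(colon + 1);
    if (outlen == 0 || rest >= outlen)
        return -3;                             /* would overflow: refuse */
    memcpy(out, colon + 1, rest + 1);          /* includes the terminating NUL */
    return (int)rest;
}

/* Constructed input of the kind the advisory describes: "itms:" followed
   by a 300-byte component. Returns the hardened handler's result. */
int demo_long_component(void)
{
    char url[5 + 300 + 1];
    char out[HOST_MAX];
    memcpy(url, "itms:", 5);
    memset(url + 5, 'A', 300);
    url[305] = '\0';
    return handle_url_safe(url, out, sizeof out);
}
```

handle_url_vulnerable is deliberately never called: with the 300-byte component it would write past the 64-byte buffer and over the saved return address, which is the crash-or-code-execution outcome the advisory describes. The hardened handler returns -3 for that input and leaves the stack untouched.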
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3592
-- Disclosure Timeline:
2009-04-09 - Vulnerability reported to vendor
2009-06-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* James King, TippingPoint DVLabs.
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Apple iTunes "itms" URI Handling Buffer Overflow
SECUNIA ADVISORY ID:
SA35314
VERIFY ADVISORY:
http://secunia.com/advisories/35314/
DESCRIPTION:
A vulnerability has been reported in Apple iTunes, which can be
exploited by malicious people to compromise a user's system.
Successful exploitation may allow execution of arbitrary code.
SOLUTION:
Update to version 8.2.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Will Drewry.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3592
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200905-0411 | No CVE | SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple SonicWALL SSL-VPN devices are prone to a remote format-string vulnerability because they fail to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Attackers may exploit this issue to run arbitrary code in the context of the affected application. Failed attempts may cause denial-of-service conditions.
The following are vulnerable:
SSL-VPN 200 firmware prior to 3.0.0.9
SSL-VPN 2000 firmware prior to 3.5.0.5
SSL-VPN 4000 firmware prior to 3.5.0.5
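An added example, not SonicWALL's code and not taken from the affected firmware: a hypothetical CGI reply builder in C that shows the format-string mistake the advisory describes beside its fix, plus a directive counter that a handler or an IDS rule can use to flag such input. The request strings are constructed; the probe "100%%" is chosen because it is side-effect free and still proves whether the input was parsed as a format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reply builder for a CGI handler; the request is untrusted.
   Vulnerable form: the untrusted string IS the format, so every
   %-directive in it is interpreted by the printf engine (%x/%s read the
   stack, %n writes to it). Safe form: the string is passed as data. */
int render_reply_vulnerable(char *dst, size_t dstlen, const char *request)
{
    const char *fmt = request;              /* BAD: attacker controls the format */
    return snprintf(dst, dstlen, fmt);
}

int render_reply_safe(char *dst, size_t dstlen, const char *request)
{
    return snprintf(dst, dstlen, "%s", request);   /* request is an argument only */
}

/* Counts conversion directives in untrusted input; "%%" is a literal
   percent and does not count. Usable as a rejection or detection check. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                  /* escaped literal */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Demo with a constructed probe. The vulnerable path collapses "100%%"
   to "100%", proving the input was consumed as a format string; the
   safe path reproduces it byte for byte. */
const char *demo_reply(int use_safe)
{
    static char buf[64];
    const char *probe = "discount 100%%";
    if (use_safe)
        render_reply_safe(buf, sizeof buf, probe);
    else
        render_reply_vulnerable(buf, sizeof buf, probe);
    return buf;
}
```

The probe is the non-destructive way to confirm the bug class: a reply that loses one of the two percent signs went through the vulnerable path. Real exploitation replaces it with %x to leak stack words and %n to write, which is why the safe fix is to keep user data out of the format argument entirely rather than to filter individual directives.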
| VAR-200905-0330 | CVE-2009-1792 | StoneTrip Ston3D StandalonePlayer and WebPlayer system.openURL arbitrary command execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument). S3DPlayer Web and Standalone are prone to a remote command-injection vulnerability because they fail to adequately sanitize user-supplied input data.
Attackers can exploit this issue to execute arbitrary commands within the context of the affected application.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
StoneTrip S3DPlayers remote command injection
1. *Advisory Information*
Title: StoneTrip S3DPlayers remote command injection
Advisory ID: CORE-2009-0401
Advisory URL: http://www.coresecurity.com/content/StoneTrip-S3DPlayers
Date published: 2009-05-28
Date of last update: 2009-05-28
Vendors contacted: StoneTrip
Release mode: User release
2. *Vulnerability Information*
Class: Command injection, Client side
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35105
CVE Name: CVE-2009-1792
3. *Vulnerability Description*
Ston3D is a cross-platform technology developed by StoneTrip [1],
allowing applications developed with ShiVa product [2] to be run from
various media. It is a platform for 3D real time development, specially
designed to make games and other real time applications.
Ston3D players come in two flavors:
1. Ston3D StandalonePlayer [3],
2. and Ston3D WebPlayer [4], which runs like an extension or plug-in
within most popular web browsers.
These players contain a command injection vulnerability that can be
exploited by remote attackers. The flaw lies in the Ston3D scripting
language, which provides the function 'system.openURL()'; that function
does not properly sanitize its input before using it.
4. *Vulnerable packages*
4.1. *Win32*
. S3DPlayer Web v1.6.0.0
. S3DPlayer StandAlone v1.6.2.4
. S3DPlayer StandAlone v1.7.0.1
4.2. *MacOS*
. S3DPlayer Web v1.6.0.0
. S3DPlayer StandAlone v1.6.2.4
4.3. *Linux*
. S3DPlayer StandAlone v1.6.2.4
NOTE: Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
By the time this advisory was published, the vendor:
1. had not released patched versions of its products,
2. had not answered the requests made by Core Security for 3 weeks
(see Section 9).
Please contact StoneTrip for a fix.
6. *Vendor Information, Solutions and Workarounds*
The vendor did not provide this information. A possible mitigation
action would be to enable MIME type filtering in your IDS/proxies and
block S3DPlayer traffic:
/-----------
application/x-ston3d-stk
-----------/
As a workaround, vulnerable users can also avoid this flaw by disabling
the Ston3D Plugin in their web browsers:
6.1. *Mozilla Firefox*
1. Go to the *Tools* menu, and select *Options...*
2. Click on the *Main* tab
3. Click on the *Manage Add-ons...*
4. Disable *Ston3D Plugin*
6.2. *Safari*
1. Go to the *Safari* menu within Safari, and select *Preferences*
2. Click on the *Security * tab
3. Deselect *Enable plug-ins*
6.3. *Internet Explorer*
Set the kill bit for control 7508D2BB-F085-45BF-8261-167C6DF4D477 (as
explained in http://support.microsoft.com/kb/240797).
Please contact StoneTrip for further information, patches and workarounds.
7. *Credits*
This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
Ston3D is a cross-platform technology allowing applications developed
with ShiVa product [2] to be run from various media, such as a website,
CD/DVD or interactive equipment. This technology provides a scripting
interface [5] based on the Lua programming language, within this
interface the function 'system.openURL' is defined as follows:
/-----------
Prototype
system.openURL(sURL, sTarget) --Call this function to open an URL.
-----------/
In the current implementation, the call 'system.openURL(sURL, sTarget)'
with the parameter 'sURL' set as 'file://path/command' will ultimately
execute the equivalent of calling
/-----------
system("open path/command");
-----------/
By using platform specific delimiter characters this could allow
arbitrary code execution in the context of the player.
Find below the relevant code snippets from various platforms.
8.1. *Windows*
/-----------
.text:1000D64D test esi, esi
.text:1000D64F mov eax, esi
.text:1000D651 jnz short loc_1000D658
.text:1000D653
.text:1000D653 loc_1000D653: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1CB
.text:1000D653 mov eax, offset Name
.text:1000D658
.text:1000D658 loc_1000D658: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1D1
.text:1000D658 push 1
.text:1000D65A push offset Name ; lpDirectory
.text:1000D65F push ecx ; lpParameters
.text:1000D660 push eax ; lpFile
.text:1000D661 push offset Operation ; "open"
.text:1000D666 push 0 ; hwnd
.text:1000D668 call ds:ShellExecuteA
.text:1000D66E
.text:1000D66E loc_1000D66E: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1B0
.text:1000D66E test edi, edi
.text:1000D670 jbe short loc_1000D67F
.text:1000D672 test esi, esi
.text:1000D674 jz short loc_1000D67F
.text:1000D676 add esi, 0FFFFFFFCh
.text:1000D679 push esi ; Memory
.text:1000D67A call ebp ; __imp_free
-----------/
8.2. *Linux*
/-----------
.text:08371334 mov [esp+5Ch+var_58], offset aOpen ; "open "
.text:0837133C lea eax, [esp+5Ch+var_34]
.text:08371340 mov [esp+5Ch+command], eax
.text:08371343 call sub_8109FC0
.text:08371348 lea eax, [esp+5Ch+var_1C]
.text:0837134C mov [esp+5Ch+var_58], eax
.text:08371350 lea eax, [esp+5Ch+var_34]
.text:08371354 mov [esp+5Ch+command], eax
.text:08371357 call sub_8108F10
.text:0837135C lea eax, [esp+5Ch+var_34]
.text:08371360 mov [esp+5Ch+command], eax
.text:08371363 call sub_80DF660
.text:08371368 mov [esp+5Ch+command], eax
.text:0837136B call _system
.text:08371370 lea eax, [esp+5Ch+var_34]
.text:08371374 mov [esp+5Ch+command], eax
.text:08371377 call sub_80D92F0
.text:0837137C jmp short loc_8371398
-----------/
8.3. *MacOSX (x86)*
/-----------
__text:0005995B lea eax, (aOpen - 597ECh)[ebx] ; "open "
__text:00059961 lea esi, [esp+5Ch+var_44]
__text:00059965 mov [esp+5Ch+var_58], eax
__text:00059969 mov [esp+5Ch+var_5C], esi
__text:0005996C call __ZN7Pandora10EngineCore6StringC1EPKc ;
Pandora::EngineCore::String::String(char const*)
__text:00059971 mov [esp+5Ch+var_58], edi
__text:00059975 mov [esp+5Ch+var_5C], esi
__text:00059978 call __ZN7Pandora10EngineCore6StringpLERKS1_
__text:0005997D mov edx, [esp+5Ch+var_44]
__text:00059981 test edx, edx
__text:00059983 jz loc_59A5F
__text:00059989 mov eax, [esp+5Ch+var_40]
__text:0005998D test eax, eax
__text:0005998F jz loc_59A5F
__text:00059995
__text:00059995 loc_59995: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const&,Pandora::EngineCore::String const&)+295
__text:00059995 mov [esp+5Ch+var_5C], eax
__text:00059998 call _system
__text:0005999D mov eax, [esp+5Ch+var_44]
__text:000599A1 test eax, eax
__text:000599A3 jnz loc_59AB2
__text:000599A9 nop dword ptr [eax+00000000h]
-----------/
8.4. *MacOSX (PPC)*
/-----------
__text:00053D6C addi %r30, %sp, 0x90+var_38
__text:00053D70 addis %r4, %r31, 0x3F
__text:00053D74 addi %r4, %r4, -0x29DC
__text:00053D78 mr %r3, %r30
__text:00053D7C bl __ZN7Pandora10EngineCore6StringC1EPKc #
Pandora::EngineCore::String::String(char const*)
__text:00053D80 mr %r3, %r30
__text:00053D84 mr %r4, %r29
__text:00053D88 bl __ZN7Pandora10EngineCore6StringpLERKS1_
__text:00053D8C lwz %r0, 0x90+var_38(%sp)
__text:00053D90 cmpwi cr7, %r0, 0
__text:00053D94 beq cr7, loc_53DA4
__text:00053D98 lwz %r3, 0x90+var_34(%sp)
__text:00053D9C cmpwi cr7, %r3, 0
__text:00053DA0 bc 5, 4*cr7+eq, loc_53DAC
__text:00053DA4
__text:00053DA4 loc_53DA4: # CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const&,Pandora::EngineCore::String const&)+394
__text:00053DA4 addis %rtoc, %r31, 0x3F
__text:00053DA8 addi %r3, %rtoc, -0x5620
__text:00053DAC
__text:00053DAC loc_53DAC: # CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const&,Pandora::EngineCore::String const&)+3A0
__text:00053DAC bl _system
__text:00053DB0 lwz %r0, 0x90+var_38(%sp)
__text:00053DB4 cmpwi cr7, %r0, 0
__text:00053DB8 beq cr7, loc_53E24
__text:00053DBC b loc_53DF8
-----------/
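The C code below is an added example written for this page, not StoneTrip's code. It assumes the "open " + path concatenation visible in the listings above (the Linux and Mac builds hand the result to system(); on Windows the same string reaches ShellExecuteA), and the same pattern underlies the unfiltered `system` parameter of the ASMAX AR-804gu cgi-bin/script entry at the top of this page (VAR-201906-0001). It contrasts the vulnerable command-line builder with a variant that validates the path against an allowlist and passes it as a single argv element, so no shell ever parses it. The URLs it is fed are constructed; nothing is executed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable shape: the untrusted string is pasted into a shell command
   line. Returns the line that would reach system(); it is not run. */
int build_open_command_vulnerable(const char *url, char *cmd, size_t cmdlen)
{
    const char *path = url;
    if (strncmp(url, "file://", 7) == 0)
        path = url + 7;
    return snprintf(cmd, cmdlen, "open %s", path);   /* BAD: ';' '|' '`' '$(' are live */
}

/* Allowlist for a local path: alphanumerics plus / . _ -  and no "..".
   Anything the shell could interpret is rejected rather than escaped. */
static int local_path_ok(const char *p)
{
    size_t n = strlen(p);
    if (n == 0 || n > 255 || strstr(p, "..") != NULL)
        return 0;
    for (; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && strchr("/._-", *p) == NULL)
            return 0;
    }
    return 1;
}

/* Hardened: never build a shell line. Validate, then hand the path to
   the helper as one argv element for execvp()/posix_spawn() (or as
   lpFile on Windows), so no shell parses it.
   Returns 0 and fills argv on success, -1 on rejection. */
int build_open_argv_safe(const char *url, const char *argv[3])
{
    if (strncmp(url, "file://", 7) != 0)
        return -1;                            /* only local files are allowed */
    const char *path = url + 7;
    if (!local_path_ok(path))
        return -1;
    argv[0] = "open";
    argv[1] = path;
    argv[2] = NULL;
    return 0;
}

/* Demo over a constructed malicious URL of the kind the advisory
   describes. Returns 1 if the hardened builder rejected it while the
   vulnerable builder produced a line that still contains ";id". */
int demo_injection_blocked(void)
{
    const char *evil = "file:///tmp/x;id";
    char cmd[256];
    const char *argv[3];
    build_open_command_vulnerable(evil, cmd, sizeof cmd);
    int vulnerable_passes_through = strstr(cmd, ";id") != NULL;
    int safe_rejects = build_open_argv_safe(evil, argv) == -1;
    return vulnerable_passes_through && safe_rejects;
}
```

The allowlist is intentionally strict: spaces, quotes and every shell metacharacter fail the check, and so does any traversal component. Escaping for one shell dialect is the wrong fix because the same string is handed to three different launchers across the platforms listed in section 4.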
9. *Report Timeline*
. 2009-04-20: Core Security Technologies notifies the StoneTrip team of the vulnerability and announces its initial plan to publish the content on May 18th, 2009.
. 2009-04-21: The vendor asks Core for a technical description of the vulnerability.
. 2009-04-23: Technical details sent to StoneTrip team by Core.
. 2009-04-24: In addition to the technical details, a Proof of Concept was sent to StoneTrip team.
. 2009-04-28: Core asks the vendor to confirm the reception of the technical report.
. 2009-04-28: StoneTrip team notifies that the technical report has been received and that a vulnerability report will be sent to Core soon.
. 2009-05-07: Core requests a status update for this vulnerability and notifies its plan to publish the advisory on May 18th, 2009. No reply received.
. 2009-05-15: Core requests an answer to the previous mail. No reply received.
. 2009-05-18: Core Advisories Team does not release the advisory as originally planned. Core re-schedules the advisory publication date to 26th May 2009.
. 2009-05-20: Core notifies StoneTrip that the advisory publication date was missed and that the last status requests were not replied. Core also notifies the vendor of the final release date (26th May 2009).
. 2009-05-28: After trying to contact the StoneTrip team several times without success, the advisory CORE-2009-0401 is published as 'User Release'.
10. *References*
[1] http://www.stonetrip.com.
[2] ShiVa, a platform for 3D real time development with focus in game
development
http://www.stonetrip.com/shiva/shiva-3d-game-engine.html.
[3] http://www.stonetrip.com/ston3d-players/ston3d-standalone.html.
[4] http://www.stonetrip.com/ston3d-players/ston3d-webplayer.html.
[5] http://stdn.stonetrip.com.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFKHuAiyNibggitWa0RAgJTAJsEXfUBmIjxmY7X4hplONY/Z0DOJgCfUKxJ
F9s8R8PuYBiIhvLANh3XmhE=
=kU8D
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
Ston3D "system.openURL()" Command Injection Vulnerability
SECUNIA ADVISORY ID:
SA35256
VERIFY ADVISORY:
http://secunia.com/advisories/35256/
DESCRIPTION:
A vulnerability has been reported in Ston3D, which can be exploited
by malicious people to compromise a user's system.
The vulnerability is caused due to an error in the implementation of
the "system.openURL()" script function.
The vulnerability is reported in the following products and
versions:
* Ston3D Web Player version 1.6.0.0
* Ston3D StandAlone Player versions 1.6.2.4 and 1.7.0.1
SOLUTION:
Do not browse untrusted websites or follow untrusted links.
Do not open untrusted Ston3D files.
Reportedly an update will be available for Ston3D Web Player later
this month.
| VAR-200905-0261 | CVE-2009-1472 | ATEN KH1516i IP KVM switch Java client hardcoded AES key vulnerability allows access to machines connected to the switch |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Java client program for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 has a hardcoded AES encryption key, which makes it easier for man-in-the-middle attackers to (1) execute arbitrary Java code, or (2) gain access to machines connected to the switch, by hijacking a session. Multiple ATEN IP KVM switches are prone to multiple remote vulnerabilities and a weakness:
- A security weakness may allow attackers to decrypt HTTP traffic.
- A remote code-execution vulnerability is present.
- A security vulnerability may allow attackers to gain access to the session key.
- A security vulnerability may allow attackers to gain access to mouse events.
- A security vulnerability may allow attackers to gain access to the session ID.
Other attacks are also possible. IP KVM is a series of KVM-over-IP switches made by ATEN International of Taiwan. Arbitrary code execution in the Java client: the Java client connects to the KVM switch on port 9002 and then downloads and runs new Java classes. This connection is encrypted with AES, but the encryption key is hardcoded in the client program, so an attacker acting as a man-in-the-middle can inject other Java classes and execute arbitrary Java code on the client machine.
| VAR-200905-0262 | CVE-2009-1473 | ATEN KH1516i IP KVM switch Windows and Java client session-key negotiation vulnerability allows man-in-the-middle attacks |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The (1) Windows and (2) Java client programs for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 do not properly use RSA cryptography for a symmetric session-key negotiation, which makes it easier for remote attackers to (a) decrypt network traffic, or (b) conduct man-in-the-middle attacks, by repeating unspecified "client-side calculations". Because RSA is misused in the session-key negotiation, a third party who repeats the client-side calculation can decrypt network traffic or perform man-in-the-middle attacks. Multiple ATEN IP KVM switches are prone to multiple remote vulnerabilities and a weakness:
- A security weakness may allow attackers to decrypt HTTP traffic.
- A remote code-execution vulnerability is present.
- A security vulnerability may allow attackers to gain access to the session key.
- A security vulnerability may allow attackers to gain access to mouse events.
- A security vulnerability may allow attackers to gain access to the session ID.
Attackers can exploit these issues to execute Java code, compromise and gain unauthorized access to the affected device connected to the KVM, gain access to the session key, and gain access to the session ID. Other attacks are also possible. IP KVM is a series of KVM-over-IP switches made by ATEN International of Taiwan. The session-key agreement uses RSA in an insecure way: an attacker who can monitor the communication between the client and the switch can repeat the client's calculations and obtain the session key, then use it to decrypt the traffic and reconstruct keystrokes, or mount a man-in-the-middle attack to gain access to machines connected to the switch.
----------------------------------------------------------------------
TITLE:
ATEN KH1516i / KN9116 Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA35241
VERIFY ADVISORY:
http://secunia.com/advisories/35241/
DESCRIPTION:
Some vulnerabilities have been reported in ATEN KH1516i and KN9116,
which can be exploited by malicious people to disclose sensitive
information, manipulate certain data, and potentially compromise a
user's system.
1) An error exists in the key exchange process when negotiating a
symmetric session key via RSA. This can be exploited to extract the
session key by intercepting traffic and, e.g., potentially execute
arbitrary code on connected machines via MitM (Man-in-the-Middle)
attacks.
2) Mouse events are transferred between a client and the KVM switch
via an unencrypted data channel. This can be exploited to inject e.g.
arbitrary mouse clicks via MitM (Man-in-the-Middle) attacks.
3) The web interface session cookie does not contain the "Secure"
attribute. This can be exploited to obtain the cookie and potentially
gain access to connected machines by redirecting the user's browser to
a HTTP connection.
The vulnerabilities are reported in KH1516i and KN9116. Other
products may also be affected.
SOLUTION:
Use the products in trusted networks only.
PROVIDED AND/OR DISCOVERED BY:
Jakob Lell from the TU Berlin computer security working group
----------------------------------------------------------------------
| VAR-200905-0263 | CVE-2009-1474 | ATEN KH1516i IP KVM switch session cookie disclosure vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 do not (1) encrypt mouse events, which makes it easier for man-in-the-middle attackers to perform mouse operations on machines connected to the switch by injecting network traffic; and do not (2) set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. Multiple ATEN IP KVM switches are prone to multiple remote vulnerabilities and a weakness:
- A security weakness may allow attackers to decrypt HTTP traffic.
- A remote code-execution vulnerability is present.
- A security vulnerability may allow attackers to gain access to the session key.
- A security vulnerability may allow attackers to gain access to mouse events.
- A security vulnerability may allow attackers to gain access to the session ID.
Attackers can exploit these issues to execute Java code, compromise and gain unauthorized access to the affected device connected to the KVM, gain access to the session key, and gain access to the session ID. Other attacks are also possible. IP KVM is a series of KVM-over-IP switches made by ATEN International of Taiwan. Insecure session ID cookie: when a user connects to the device over HTTP on port 80, the device redirects the browser to log in on port 443 (https), where it receives a session ID cookie. Because the cookie is not marked Secure, the browser also sends it if the user returns to HTTP for any reason; an attacker can sniff the session ID there, use it to download the Windows/Java client program containing authentication data, and obtain access to the computers connected to the KVM switch. Since the initial HTTP connection is unprotected, a man-in-the-middle attacker can also inject dynamic content that makes the browser automatically reload the HTTP site after login.
----------------------------------------------------------------------
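An added example, not ATEN's code and not based on the device's actual headers: a small C check for the missing Secure attribute, run over constructed Set-Cookie values. It shows what a scanner or a reverse proxy in front of such a device should test for, and the header a fixed device would send instead. The cookie name and value are made up.

```c
#define _POSIX_C_SOURCE 200809L   /* for strncasecmp */
#include <string.h>
#include <strings.h>
#include <ctype.h>

#define COOKIE_SECURE   1
#define COOKIE_HTTPONLY 2

/* Walks the attribute list of a Set-Cookie header value and reports the
   protective attributes present. Names are case-insensitive (RFC 6265). */
int cookie_flags(const char *set_cookie)
{
    int flags = 0;
    const char *p = strchr(set_cookie, ';');     /* skip name=value */
    while (p != NULL) {
        p++;
        while (*p == ' ' || *p == '\t')
            p++;
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len > 0 && isspace((unsigned char)p[len - 1]))
            len--;
        if (len == 6 && strncasecmp(p, "Secure", 6) == 0)
            flags |= COOKIE_SECURE;
        else if (len == 8 && strncasecmp(p, "HttpOnly", 8) == 0)
            flags |= COOKIE_HTTPONLY;
        p = end;
    }
    return flags;
}

/* Without Secure, a cookie issued over https is also sent on any plain
   http request to the same host: the downgrade the advisory describes. */
int session_cookie_exposed(const char *set_cookie)
{
    return (cookie_flags(set_cookie) & COOKIE_SECURE) == 0;
}

/* Constructed headers, not captured from a real device: the weak form
   and what a fixed device should send instead. */
const char *demo_weak_header(void)  { return "SESSIONID=3f9a1c; Path=/"; }
const char *demo_fixed_header(void) { return "SESSIONID=3f9a1c; Path=/; Secure; HttpOnly"; }
```

Secure is the attribute that matters for the attack above: it stops the browser from ever sending the cookie over port 80, so the redirect-then-reload trick yields nothing. HttpOnly is checked as well because the same injected dynamic content could otherwise read the cookie with script.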
| VAR-200905-0265 | CVE-2009-1477 | ATEN KH1516i IP KVM switch https web interface session decryption vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The https web interfaces on the ATEN KH1516i IP KVM switch with firmware 1.0.063, the KN9116 IP KVM switch with firmware 1.1.104, and the PN9108 power-control unit have a hardcoded SSL private key, which makes it easier for remote attackers to decrypt https sessions by extracting this key from their own switch and then sniffing network traffic to a switch owned by a different customer.
- A remote code-execution vulnerability is present.
- A security vulnerability may allow attackers to gain access to the session key.
- A security vulnerability may allow attackers to gain access to mouse events.
- A security vulnerability may allow attackers to gain access to the session ID.
Attackers can exploit these issues to execute Java code, compromise and gain unauthorized access to the affected device connected to the KVM, gain access to the session key, and gain access to the session ID. Other attacks are also possible. IP KVM is a series of switch equipment developed by Taiwan Acer Technology Co., Ltd. The KH1516i, KN9116, and PN9108 model devices all use the same SSL key for the HTTPS web interface.
| VAR-200906-0064 | CVE-2009-0955 | Apple QuickTime vulnerable to arbitrary code execution in handling of image description atoms |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted image description atoms in an Apple video file, related to a "sign extension issue". Apple QuickTime is prone to a vulnerability that occurs because the bit width of a number is increased without changing its sign in certain image description atoms.
Successful exploits will allow the attacker to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files. ----------------------------------------------------------------------
Are you missing:
SECUNIA ADVISORY ID:
Critical:
Impact:
Where:
within the advisory below?
This is now part of the Secunia commercial solutions.
Click here to learn more about our commercial solutions:
http://secunia.com/advisories/business_solutions/
Click here to trial our solutions:
http://secunia.com/advisories/try_vi/
----------------------------------------------------------------------
TITLE:
Apple QuickTime PICT Parsing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA35091
VERIFY ADVISORY:
http://secunia.com/advisories/35091/
DESCRIPTION:
A vulnerability has been reported in Apple QuickTime, which can be
exploited by malicious people to compromise a user's system
The vulnerability is caused due to an error in the processing of
"0x77" tags within PICT images, which can be exploited to cause a
heap-based buffer overflow when the user opens a specially crafted
PICT image or visits a malicious web site.
This is related to vulnerability #30 in:
SA35074
SOLUTION:
Do not browse untrusted web sites. Do not open files from untrusted
sources.
PROVIDED AND/OR DISCOVERED BY:
Damian Put and Sebastian Apelt, reported via ZDI.
ORIGINAL ADVISORY:
http://www.zerodayinitiative.com/advisories/ZDI-09-021/
OTHER REFERENCES:
SA35074:
http://secunia.com/advisories/35074/
----------------------------------------------------------------------
| VAR-200906-0063 | CVE-2009-0954 | Apple QuickTime buffer overflow vulnerability in CRGN atom type processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a movie file containing crafted Clipping Region (CRGN) atom types. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of QuickTime Player. The application trusts the contents of the atom to contain a terminator during a copy operation. The application will copy user-supplied data into a heap-buffer until it identifies this terminator. This will allow one to overwrite heap-control structures which can be leveraged to achieve code execution from the context of the application. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista and Windows XP SP3. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files.
ZDI-09-028: Apple QuickTime CRGN Atom Parsing Heap Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-028
June 2, 2009
-- CVE ID:
CVE-2009-0954
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6698.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3591
-- Disclosure Timeline:
2008-12-17 - Vulnerability reported to vendor
2009-06-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
| VAR-200906-0061 | CVE-2009-0952 | Apple QuickTime arbitrary code execution vulnerability in compressed PSD image processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted compressed PSD image. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when the application parses a malformed .PSD image. While decoding the columns, rows and channels in the image header, the application trusts a different length for copying than was used for allocating the buffer. This results in a heap overflow and can lead to code execution under the context of the current user. Apple QuickTime is prone to a buffer-overflow vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted image. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files. ----------------------------------------------------------------------
ZDI-09-026: Apple QuickTime Packed-bit Decoding Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-026
June 2, 2009
-- CVE ID:
CVE-2009-0952
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8047.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3591
-- Disclosure Timeline:
2009-04-15 - Vulnerability reported to vendor
2009-06-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
| VAR-200906-0062 | CVE-2009-0953 | Apple QuickTime arbitrary code execution vulnerability in PICT image processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the parsing of PICT files in QuickTime.qts. While processing data for opcode 0x8201, QuickTime trusts a value contained in the file and makes an allocation accordingly. The process then enters a loop whose terminating condition is controlled. The previously allocated heap buffer can be overflowed, leading to arbitrary code execution under the context of the user running QuickTime. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files. ----------------------------------------------------------------------
ZDI-09-027: Apple Quicktime PICT Opcode 0x8201 Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-027
June 2, 2009
-- CVE ID:
CVE-2009-0953
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6664.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3591
-- Disclosure Timeline:
2008-12-17 - Vulnerability reported to vendor
2009-06-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt (sebastian.apelt@siberas.de)
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
| VAR-200906-0060 | CVE-2009-0951 | Apple QuickTime arbitrary code execution vulnerability in FLC compressed file processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FLC compression file. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of QuickTime Player. User interaction is required to exploit this vulnerability in that the target must either open a malicious file, or visit a malicious web page. The specific flaw exists during decompression of a delta-encoded chunk. The algorithm to decompress the frame trusts a line specifier when calculating where to write decompressed data. This results in a relative write using attacker-supplied values which can lead to remote code execution under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files. ----------------------------------------------------------------------
ZDI-09-025: Apple Quicktime Picture Viewer FLC Delta-Encoded Frame Decompression Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-025
June 2, 2009
-- CVE ID:
CVE-2009-0951
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6570.
The specific flaw exists during decompression of a delta-encoded chunk.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3591
-- Disclosure Timeline:
2008-10-28 - Vulnerability reported to vendor
2009-06-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
| VAR-200906-0053 | CVE-2009-0956 | Apple QuickTime Vulnerable to arbitrary code execution related to user data atom handling |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.2 does not properly initialize memory before use in handling movie files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a movie containing a user data atom of size zero. Apple QuickTime is prone to a remote code-execution vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file.
Successful exploits will allow the attacker to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files. ----------------------------------------------------------------------
| VAR-200906-0034 | CVE-2009-0185 | Apple QuickTime buffer overflow vulnerability in MS ADPCM encoded audio data processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted MS ADPCM encoded audio data in an AVI movie file. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted AVI file.
Successful exploits will allow the attacker to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow users to cause a denial of service or completely compromise a user's system through malformed media files. ======================================================================
Secunia Research 02/06/2009
- Apple QuickTime MS ADPCM Encoding Buffer Overflow -
======================================================================
Table of Contents
1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification
======================================================================
1) Affected Software
* Apple QuickTime version 7.6
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
======================================================================
3) Vendor's Description of Software
"Whether you are creating content for delivery on cell phones,
broadcast or the Internet, or a software developer looking to take
your application to the next level, QuickTime provides the most
comprehensive platform in the industry."
Product Link:
http://www.apple.com/quicktime/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Apple QuickTime,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused by an error in the processing of MS ADPCM
encoded audio data.
======================================================================
5) Solution
Update to version 7.6.2.
======================================================================
6) Time Table
04/02/2009 - Vendor notified.
05/02/2009 - Vendor response.
25/05/2009 - Status update requested.
26/05/2009 - Vendor provides status update.
02/06/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0185 for the vulnerability.
Apple:
http://support.apple.com/kb/HT3591
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-6/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
----------------------------------------------------------------------
TITLE:
Apple QuickTime PICT Parsing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA35091
VERIFY ADVISORY:
http://secunia.com/advisories/35091/
DESCRIPTION:
A vulnerability has been reported in Apple QuickTime, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error in the processing of
"0x77" tags within PICT images, which can be exploited to cause a
heap-based buffer overflow when the user opens a specially crafted
PICT image or visits a malicious web site.
This is related to vulnerability #30 in:
SA35074
SOLUTION:
Do not browse untrusted web sites. Do not open files from untrusted
sources.
PROVIDED AND/OR DISCOVERED BY:
Damian Put and Sebastian Apelt, reported via ZDI.
ORIGINAL ADVISORY:
http://www.zerodayinitiative.com/advisories/ZDI-09-021/
OTHER REFERENCES:
SA35074:
http://secunia.com/advisories/35074/
----------------------------------------------------------------------
| VAR-200906-0054 | CVE-2009-0957 | Apple QuickTime Buffer Overflow Vulnerability in JP2 Image Processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 image. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists during the parsing of malformed JPEG2000 image files. A field is read directly from the file and used to allocate memory for a structure. If the value read is smaller than the expected structure size, a memory corruption occurs which can be leveraged by an attacker to execute arbitrary code under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X. Versions of QuickTime prior to 7.6.2 have multiple security vulnerabilities that allow a denial of service or complete compromise of a user's system through malformed media files.
ZDI-09-029: Apple QuickTime Jpeg2000 Marker Size Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-029
June 2, 2009
-- CVE ID:
CVE-2009-0957
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8153.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3591
-- Disclosure Timeline:
2009-04-28 - Vulnerability reported to vendor
2009-06-02 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
| VAR-200906-0033 | CVE-2009-0188 | Apple iTunes Arbitrary Code Execution Vulnerability in Sorenson 3 Video File Processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie composed of a Sorenson 3 video file. Apple QuickTime is prone to a memory-corruption vulnerability.
A remote attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file.
Successful exploits will allow the attacker to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP3, and Mac OS X.
======================================================================
Secunia Research 02/06/2009
- QuickTime Sorenson Video 3 Content Parsing Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Apple QuickTime 7.60
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"When you hop aboard QuickTime 7 Player, you're assured of a truly
rich multimedia experience."
Product Link:
http://www.apple.com/quicktime/player/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in QuickTime, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by an error in the parsing of Sorenson
Video 3 content.
======================================================================
5) Solution
Update to version 7.6.2.
======================================================================
6) Time Table
26/02/2009 - Vendor notified.
02/03/2009 - Vendor response.
25/05/2009 - Status update requested.
26/05/2009 - Vendor provides status update.
02/06/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0188 for the vulnerability.
Apple:
http://support.apple.com/kb/HT3591
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-10/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-200907-0452 | No CVE | Cosminexus Processing Kit for XML and Hitachi Developer's Kit for Java Possible Unauthorized Access through Vulnerability in Encoding Process |
CVSS V2: 10.0 CVSS V3: - Severity: High |
Cosminexus Processing Kit for XML and Hitachi Developer's Kit for Java have a vulnerability in which UTF-8 output is not properly validated because of a deficiency in encoding processing, which may lead to unauthorized access. Unauthorized access may be gained by exploiting this deficiency in encoding processing. Multiple products from Hitachi are prone to multiple code-execution vulnerabilities.
Successfully exploiting these issues would allow the attacker to execute arbitrary code in the context of the currently logged-in user or cause denial-of-service conditions.
An attacker can exploit this issue to gain read access to arbitrary memory locations. Information obtained may aid in other attacks.
NOTE: This BID is being retired because it is a duplicate of the issue discussed in BID 35589.
----------------------------------------------------------------------
TITLE:
Hitachi Products ZIP and UTF-8 Processing Vulnerabilities
SECUNIA ADVISORY ID:
SA35413
VERIFY ADVISORY:
http://secunia.com/advisories/35413/
DESCRIPTION:
Some vulnerabilities have been reported in multiple Hitachi products,
which can be exploited by malicious people to potentially compromise a
vulnerable system.
1) An unspecified error in the processing of ZIP files can be
exploited to potentially execute arbitrary code.
2) An unspecified error in the processing of UTF-8 data can be
exploited to potentially execute arbitrary code.
Please see the vendor's advisory for a full list of affected
products.
SOLUTION:
Update to a fixed version. See vendor advisory for details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-007/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-008/index.html
JVN:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-001544.html
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-001545.html
----------------------------------------------------------------------
| VAR-200905-0318 | CVE-2009-1745 | Armorlogic Profense Web Application Firewall Vulnerability Allowing Access to Be Gained |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, has a default root password hash, and permits password-based root logins over SSH, which makes it easier for remote attackers to obtain access. Profense Web Application Firewall is prone to a remote security vulnerability.
| VAR-200905-0167 | CVE-2009-1593 | Armorlogic Profense Web Application Firewall Vulnerability Allowing Cross-Site Scripting (XSS) Attacks |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, does not properly implement the "negative model," which allows remote attackers to conduct cross-site scripting (XSS) attacks via a modified end tag of a SCRIPT element. Profense Web Application Firewall is prone to multiple security-bypass vulnerabilities.
An attacker can exploit these issues to bypass certain security restrictions and perform various web-application attacks.
Versions *prior to* the following are vulnerable:
Profense 2.4.4
Profense 2.2.22
An encoded newline (0A) bypasses the XSS protection mechanisms and allows arbitrary code to execute within the user's browser session.