VARIoT IoT vulnerabilities database

UDF in Apple Mac OS X before 10.5.6 allows user-assisted attackers to cause a denial of service (system crash) via a malformed UDF volume in a crafted ISO file. Attackers can exploit this issue to cause the computer to shut down, denying service to legitimate users. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-008. The security update addresses a total of 10 new vulnerabilities that affect the Apple Type Services, BOM, kernel, Libsystem, Managed Client, natd, and Podcast Producer components of Mac OS X. The advisory also contains security updates for 10 previously reported issues. This BID is being retired. Dealing with deformities UDF There was an input validation error when labeling, a malicious ISO file may cause the system to shut down unexpectedly. 1) An infinite loop when processing certain embedded fonts in PDF files within the Apple Type Services server can be exploited to cause a DoS (Denial of Service) by e.g. tricking a user into opening a malicious PDF file. 2) A signedness error when handling certain CPIO archive headers exists within BOM. This can be exploited to execute arbitrary code by e.g. downloading or viewing a specially crafted CPIO archive. 3) An error within the processing of color spaces within CoreGraphics can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into viewing a specially crafted image. Successful exploitation may allow the execution of arbitrary code. 4) Some security issues and vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, conduct cross-site scripting attacks, or disclose sensitive information. For more information: SA32270 5) Multiple integer overflows exist within the "i386_set_ldt()" and "i386_get_ldt()" system calls, which can be exploited by malicious, local users to execute arbitrary code with system privileges. Note: This does not affect PowerPC systems. 6) An infinite loop when handling exceptions in an application linked to libraries on an NFS share can be exploited to cause a system shutdown. 7) An integer overflow error exists in the "inet_net_pton()" API of Libsystem. This can potentially be exploited to e.g. compromise an application using the vulnerable function. 8) An unspecified error when processing certain input within the "strptime()" API of Libsystem can be exploited to cause a memory corruption and potentially execute arbitrary code by e.g. passing a specially crafted date string to an application using the vulnerable function. 9) The "Managed Client" functionality does not always apply the managed screen saver settings correctly, potentially resulting in e.g. the screen saver lock not working as intended. 10) An infinite loop when processing certain TCP packets exists in natd, which can be exploited to cause a DoS by sending specially crafted TCP packets to a vulnerable system. Successful exploitation requires that Internet Sharing is enabled. 11) An unspecified error within the Podcast Producer server can be exploited to bypass the authentication mechanism and access administrative functions. 12) An unspecified error within the handling of malformed UDF volumes can be exploited to cause a system shutdown by e.g. opening a specially crafted ISO file. Additionally, this update enhances the CoreTypes "Download Validation" capability to detect and warn about more potentially dangerous file types. http://www.apple.com/support/downloads/ PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Michael Samarin and Mikko Vihonen, Futurice Ltd 2, 3, 8) Reported by the vendor. 5) The vendor credits Richard Vaneeden, IOActive, Inc 6) The vendor credits Ben Loer, Princeton University 9) The vendor credits John Barnes of ESRI and Trevor Lalish-Menagh of Tamman Technologies, Inc 10) The vendor credits Alex Rosenberg of Ohmantics and Gary Teter of Paizo Publishing 12) The vendor credits Mauro Notarianni of PCAX Solutions ORIGINAL ADVISORY: http://support.apple.com/kb/HT3338 OTHER REFERENCES: SA32270: http://secunia.com/advisories/32270/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-350A Feedback VU#901332" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History December 15, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSUbT5nIHljM+H4irAQLfMggAvH7VNoR3th5dBLhuq/f43ka1G5cecyAK g4gucF6+frxTfsVz2FGbawFdD/sAxAb/CnASFIkbuHItPwI526uy8MjXOmi/kYm2 ESZgD8U0OBtb2mqQRfhURz9sF97yVFhvHAZS3VOOCH85d1R6dr4ncxIWMGn2cgon Cjlll1WTx2BuMZO/AFn2UM7OooV9VVXtMht9D48X7i9bCWoU2W0mFSCHr+bJPE3d fI8v9+kyCQnjB3R9J+eGxmFClXl9PeMxOvsjPh/bQ8PpmAYMCH1Qp7vaSjjqSlVE ljRuyK8e6TIirse/RoK0YOwqBWudpgyJZvsV89ft9v55+a0l+2UlJw== =yvkk -----END PGP SIGNATURE-----

The strptime API in Libsystem in Apple Mac OS X before 10.5.6 allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a crafted date string, related to improper memory allocation. Successfully exploiting this issue allows remote attackers to trigger denial-of-service conditions or to execute arbitrary code in the context of applications that use the API. This issue affects Mac OS X 10.4.11, 10.5 through 10.5.5, Server 10.4.11, and Server 10.5 through 10.5.5. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-008. The security update addresses a total of 10 new vulnerabilities that affect the Apple Type Services, BOM, kernel, Libsystem, Managed Client, natd, and Podcast Producer components of Mac OS X. The advisory also contains security updates for 10 previously reported issues. This BID is being retired. The following individual records have been created to better document the issues: 32870 Apple Podcast Producer Authentication-Bypass Vulnerability 32872 Apple Mac OS X UDF ISO File Handling Denial of Service Vulnerability 32873 Apple Mac OS X NFS Mounted Executable Exception Remote Denial of Service Vulnerability 32874 Apple Mac OS X 'natd' Remote Denial of Service Vulnerability 32875 Apple Mac OS X Type Services PDF File Remote Denial of Service Vulnerability 32876 Apple Mac OS X BOM CPIO Header Stack Buffer Overflow Vulnerability 32877 Apple Mac OS X 'inet_net_pton' API Integer Overflow Vulnerability 32879 Apple Mac OS X 'i386_set_ldt' and '1386_get_ldt' Multiple Integer Overflow Vulnerabilities 32880 Apple Mac OS X Managed Client Screen Saver Lock Bypass Vulnerability 32881 Apple Mac OS X 'strptime' API Memory Corruption Vulnerability. 1) An infinite loop when processing certain embedded fonts in PDF files within the Apple Type Services server can be exploited to cause a DoS (Denial of Service) by e.g. tricking a user into opening a malicious PDF file. 2) A signedness error when handling certain CPIO archive headers exists within BOM. This can be exploited to execute arbitrary code by e.g. downloading or viewing a specially crafted CPIO archive. 3) An error within the processing of color spaces within CoreGraphics can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into viewing a specially crafted image. Successful exploitation may allow the execution of arbitrary code. 4) Some security issues and vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, conduct cross-site scripting attacks, or disclose sensitive information. For more information: SA32270 5) Multiple integer overflows exist within the "i386_set_ldt()" and "i386_get_ldt()" system calls, which can be exploited by malicious, local users to execute arbitrary code with system privileges. Note: This does not affect PowerPC systems. 6) An infinite loop when handling exceptions in an application linked to libraries on an NFS share can be exploited to cause a system shutdown. 7) An integer overflow error exists in the "inet_net_pton()" API of Libsystem. This can potentially be exploited to e.g. compromise an application using the vulnerable function. passing a specially crafted date string to an application using the vulnerable function. 9) The "Managed Client" functionality does not always apply the managed screen saver settings correctly, potentially resulting in e.g. the screen saver lock not working as intended. 10) An infinite loop when processing certain TCP packets exists in natd, which can be exploited to cause a DoS by sending specially crafted TCP packets to a vulnerable system. Successful exploitation requires that Internet Sharing is enabled. 11) An unspecified error within the Podcast Producer server can be exploited to bypass the authentication mechanism and access administrative functions. 12) An unspecified error within the handling of malformed UDF volumes can be exploited to cause a system shutdown by e.g. opening a specially crafted ISO file. Additionally, this update enhances the CoreTypes "Download Validation" capability to detect and warn about more potentially dangerous file types. http://www.apple.com/support/downloads/ PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Michael Samarin and Mikko Vihonen, Futurice Ltd 2, 3, 8) Reported by the vendor. 5) The vendor credits Richard Vaneeden, IOActive, Inc 6) The vendor credits Ben Loer, Princeton University 9) The vendor credits John Barnes of ESRI and Trevor Lalish-Menagh of Tamman Technologies, Inc 10) The vendor credits Alex Rosenberg of Ohmantics and Gary Teter of Paizo Publishing 12) The vendor credits Mauro Notarianni of PCAX Solutions ORIGINAL ADVISORY: http://support.apple.com/kb/HT3338 OTHER REFERENCES: SA32270: http://secunia.com/advisories/32270/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-350A Feedback VU#901332" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History December 15, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSUbT5nIHljM+H4irAQLfMggAvH7VNoR3th5dBLhuq/f43ka1G5cecyAK g4gucF6+frxTfsVz2FGbawFdD/sAxAb/CnASFIkbuHItPwI526uy8MjXOmi/kYm2 ESZgD8U0OBtb2mqQRfhURz9sF97yVFhvHAZS3VOOCH85d1R6dr4ncxIWMGn2cgon Cjlll1WTx2BuMZO/AFn2UM7OooV9VVXtMht9D48X7i9bCWoU2W0mFSCHr+bJPE3d fI8v9+kyCQnjB3R9J+eGxmFClXl9PeMxOvsjPh/bQ8PpmAYMCH1Qp7vaSjjqSlVE ljRuyK8e6TIirse/RoK0YOwqBWudpgyJZvsV89ft9v55+a0l+2UlJw== =yvkk -----END PGP SIGNATURE-----

Managed Client in Apple Mac OS X before 10.5.6 sometimes misidentifies a system when installing per-host configuration settings, which allows context-dependent attackers to have an unspecified impact by leveraging unintended settings, as demonstrated by the screen saver lock setting. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-008. The security update addresses a total of 10 new vulnerabilities that affect the Apple Type Services, BOM, kernel, Libsystem, Managed Client, natd, and Podcast Producer components of Mac OS X. The advisory also contains security updates for 10 previously reported issues. This BID is being retired. The following individual records have been created to better document the issues: 32870 Apple Podcast Producer Authentication-Bypass Vulnerability 32872 Apple Mac OS X UDF ISO File Handling Denial of Service Vulnerability 32873 Apple Mac OS X NFS Mounted Executable Exception Remote Denial of Service Vulnerability 32874 Apple Mac OS X 'natd' Remote Denial of Service Vulnerability 32875 Apple Mac OS X Type Services PDF File Remote Denial of Service Vulnerability 32876 Apple Mac OS X BOM CPIO Header Stack Buffer Overflow Vulnerability 32877 Apple Mac OS X 'inet_net_pton' API Integer Overflow Vulnerability 32879 Apple Mac OS X 'i386_set_ldt' and '1386_get_ldt' Multiple Integer Overflow Vulnerabilities 32880 Apple Mac OS X Managed Client Screen Saver Lock Bypass Vulnerability 32881 Apple Mac OS X 'strptime' API Memory Corruption Vulnerability. An attacker with physical access to affected computers may take advantage of this issue to bypass expected security measures. This may allow the attacker to obtain sensitive information or may aid in further attacks. This issue affects Mac OS X 10.5 through 10.5.5 and Server 10.5 through 10.5.5. On misidentified systems, the per-host settings were not applied. 1) An infinite loop when processing certain embedded fonts in PDF files within the Apple Type Services server can be exploited to cause a DoS (Denial of Service) by e.g. tricking a user into opening a malicious PDF file. 2) A signedness error when handling certain CPIO archive headers exists within BOM. This can be exploited to execute arbitrary code by e.g. downloading or viewing a specially crafted CPIO archive. 3) An error within the processing of color spaces within CoreGraphics can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into viewing a specially crafted image. Successful exploitation may allow the execution of arbitrary code. 4) Some security issues and vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, conduct cross-site scripting attacks, or disclose sensitive information. For more information: SA32270 5) Multiple integer overflows exist within the "i386_set_ldt()" and "i386_get_ldt()" system calls, which can be exploited by malicious, local users to execute arbitrary code with system privileges. Note: This does not affect PowerPC systems. 6) An infinite loop when handling exceptions in an application linked to libraries on an NFS share can be exploited to cause a system shutdown. 7) An integer overflow error exists in the "inet_net_pton()" API of Libsystem. This can potentially be exploited to e.g. compromise an application using the vulnerable function. 8) An unspecified error when processing certain input within the "strptime()" API of Libsystem can be exploited to cause a memory corruption and potentially execute arbitrary code by e.g. passing a specially crafted date string to an application using the vulnerable function. 9) The "Managed Client" functionality does not always apply the managed screen saver settings correctly, potentially resulting in e.g. the screen saver lock not working as intended. 10) An infinite loop when processing certain TCP packets exists in natd, which can be exploited to cause a DoS by sending specially crafted TCP packets to a vulnerable system. Successful exploitation requires that Internet Sharing is enabled. 11) An unspecified error within the Podcast Producer server can be exploited to bypass the authentication mechanism and access administrative functions. 12) An unspecified error within the handling of malformed UDF volumes can be exploited to cause a system shutdown by e.g. opening a specially crafted ISO file. Additionally, this update enhances the CoreTypes "Download Validation" capability to detect and warn about more potentially dangerous file types. http://www.apple.com/support/downloads/ PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Michael Samarin and Mikko Vihonen, Futurice Ltd 2, 3, 8) Reported by the vendor. 5) The vendor credits Richard Vaneeden, IOActive, Inc 6) The vendor credits Ben Loer, Princeton University 9) The vendor credits John Barnes of ESRI and Trevor Lalish-Menagh of Tamman Technologies, Inc 10) The vendor credits Alex Rosenberg of Ohmantics and Gary Teter of Paizo Publishing 12) The vendor credits Mauro Notarianni of PCAX Solutions ORIGINAL ADVISORY: http://support.apple.com/kb/HT3338 OTHER REFERENCES: SA32270: http://secunia.com/advisories/32270/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-350A Feedback VU#901332" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History December 15, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSUbT5nIHljM+H4irAQLfMggAvH7VNoR3th5dBLhuq/f43ka1G5cecyAK g4gucF6+frxTfsVz2FGbawFdD/sAxAb/CnASFIkbuHItPwI526uy8MjXOmi/kYm2 ESZgD8U0OBtb2mqQRfhURz9sF97yVFhvHAZS3VOOCH85d1R6dr4ncxIWMGn2cgon Cjlll1WTx2BuMZO/AFn2UM7OooV9VVXtMht9D48X7i9bCWoU2W0mFSCHr+bJPE3d fI8v9+kyCQnjB3R9J+eGxmFClXl9PeMxOvsjPh/bQ8PpmAYMCH1Qp7vaSjjqSlVE ljRuyK8e6TIirse/RoK0YOwqBWudpgyJZvsV89ft9v55+a0l+2UlJw== =yvkk -----END PGP SIGNATURE-----

Apple Type Services (ATS) in Apple Mac OS X 10.5 before 10.5.6 allows remote attackers to cause a denial of service (infinite loop) via a crafted embedded font in a PDF file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-008. The advisory also contains security updates for 10 previously reported issues. This BID is being retired. Successful exploits will allow attackers to cause the application to fall into an infinite loop, denying service to legitimate users. Viewing or downloading PDF files containing specially-designed fonts may result in denial of service. tricking a user into opening a malicious PDF file. 2) A signedness error when handling certain CPIO archive headers exists within BOM. This can be exploited to execute arbitrary code by e.g. downloading or viewing a specially crafted CPIO archive. 3) An error within the processing of color spaces within CoreGraphics can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into viewing a specially crafted image. Successful exploitation may allow the execution of arbitrary code. 4) Some security issues and vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, conduct cross-site scripting attacks, or disclose sensitive information. For more information: SA32270 5) Multiple integer overflows exist within the "i386_set_ldt()" and "i386_get_ldt()" system calls, which can be exploited by malicious, local users to execute arbitrary code with system privileges. Note: This does not affect PowerPC systems. 7) An integer overflow error exists in the "inet_net_pton()" API of Libsystem. This can potentially be exploited to e.g. compromise an application using the vulnerable function. 8) An unspecified error when processing certain input within the "strptime()" API of Libsystem can be exploited to cause a memory corruption and potentially execute arbitrary code by e.g. passing a specially crafted date string to an application using the vulnerable function. 9) The "Managed Client" functionality does not always apply the managed screen saver settings correctly, potentially resulting in e.g. the screen saver lock not working as intended. 10) An infinite loop when processing certain TCP packets exists in natd, which can be exploited to cause a DoS by sending specially crafted TCP packets to a vulnerable system. Successful exploitation requires that Internet Sharing is enabled. 11) An unspecified error within the Podcast Producer server can be exploited to bypass the authentication mechanism and access administrative functions. 12) An unspecified error within the handling of malformed UDF volumes can be exploited to cause a system shutdown by e.g. opening a specially crafted ISO file. Additionally, this update enhances the CoreTypes "Download Validation" capability to detect and warn about more potentially dangerous file types. http://www.apple.com/support/downloads/ PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Michael Samarin and Mikko Vihonen, Futurice Ltd 2, 3, 8) Reported by the vendor. 5) The vendor credits Richard Vaneeden, IOActive, Inc 6) The vendor credits Ben Loer, Princeton University 9) The vendor credits John Barnes of ESRI and Trevor Lalish-Menagh of Tamman Technologies, Inc 10) The vendor credits Alex Rosenberg of Ohmantics and Gary Teter of Paizo Publishing 12) The vendor credits Mauro Notarianni of PCAX Solutions ORIGINAL ADVISORY: http://support.apple.com/kb/HT3338 OTHER REFERENCES: SA32270: http://secunia.com/advisories/32270/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-350A Feedback VU#901332" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History December 15, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSUbT5nIHljM+H4irAQLfMggAvH7VNoR3th5dBLhuq/f43ka1G5cecyAK g4gucF6+frxTfsVz2FGbawFdD/sAxAb/CnASFIkbuHItPwI526uy8MjXOmi/kYm2 ESZgD8U0OBtb2mqQRfhURz9sF97yVFhvHAZS3VOOCH85d1R6dr4ncxIWMGn2cgon Cjlll1WTx2BuMZO/AFn2UM7OooV9VVXtMht9D48X7i9bCWoU2W0mFSCHr+bJPE3d fI8v9+kyCQnjB3R9J+eGxmFClXl9PeMxOvsjPh/bQ8PpmAYMCH1Qp7vaSjjqSlVE ljRuyK8e6TIirse/RoK0YOwqBWudpgyJZvsV89ft9v55+a0l+2UlJw== =yvkk -----END PGP SIGNATURE-----

Secure Computing Secure Web Gateway (aka Webwasher), when Internet Explorer 6 or 7 is used, allows remote attackers to bypass detection of malware in an HTML document by placing an MZ header (aka "EXE info") at the beginning, and modifying the filename to have (1) no extension, (2) a .txt extension, or (3) a .jpg extension, as demonstrated by a document containing a CVE-2006-5745 exploit. This vulnerability CVE-2006-5745 Can be reproduced with documents included in the exploit.First by a third party MZ By arranging the header and changing the file name to the following name, HTML May prevent detection of malware in the document. (1) No extension (2) .txt extension (3) .jpg extension. Webwasher) allows remote attackers by placing an MZ header (i.e. An example of exploiting this vulnerability is a document that contains an exploit for CVE-2006-5745

Fortinet Antivirus 3.113.0.0, when Internet Explorer 6 or 7 is used, allows remote attackers to bypass detection of malware in an HTML document by placing an MZ header (aka "EXE info") at the beginning, and modifying the filename to have (1) no extension, (2) a .txt extension, or (3) a .jpg extension, as demonstrated by a document containing a CVE-2006-5745 exploit. (1) No extension (2) .txt extension (3) .jpg extension. Fortiguard Antivirus is prone to a security bypass vulnerability. Fortinet Antivirus is an anti-virus software

The Neostrada Livebox ADSL Router allows remote attackers to cause a denial of service (network outage) via multiple HTTP requests for the /- URI. Neostrada Livebox ADSL Router is prone to a denial-of-service vulnerability because it fails to adequately handle malformed HTTP requests. Successful exploits will deny service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed. Neostrada Livebox ADSL Router is a household ADSL access router provided by Polish telecom operators. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Livebox TP Router HTTP Processing Denial of Service SECUNIA ADVISORY ID: SA33026 VERIFY ADVISORY: http://secunia.com/advisories/33026/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Livebox TP Router http://secunia.com/advisories/product/17862/ DESCRIPTION: 0in has reported a vulnerability in Livebox TP Router, which can be exploited by malicious people to cause a DoS (Denial of Service). SOLUTION: Restrict HTTP access to trusted users only. PROVIDED AND/OR DISCOVERED BY: 0in ORIGINAL ADVISORY: http://milw0rm.com/exploits/7387 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Asus SmartLogon 1.0.0005 allows physically proximate attackers to bypass "security functions" by presenting an image with a modified viewpoint that matches the posture of a stored image of the authorized notebook user. Face-recognition applications for multiple laptops are prone to an authentication-bypass vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected device. This issue affects the following applications: Lenovo Veriface III Asus SmartLogon 1.0.0005 Toshiba Face Recognition 2.0.2.32

Lenovo Veriface III allows physically proximate attackers to login to a Windows account by presenting a "plain image" of the authorized user. Face-recognition applications for multiple laptops are prone to an authentication-bypass vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected device. This issue affects the following applications: Lenovo Veriface III Asus SmartLogon 1.0.0005 Toshiba Face Recognition 2.0.2.32. Lenovo Veriface III is a face recognition authentication system. Lenovo Veriface III has a permission bypass vulnerability

The Cisco Linksys WVC54GC wireless video camera before firmware 1.25 sends cleartext configuration data in response to a Setup Wizard remote-management command, which allows remote attackers to obtain sensitive information such as passwords by sniffing the network. The Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Exploiting this issue can allow a remote attacker to harvest sensitive information. Firmware for the Linksys WVC54GC Wireless-G Internet Video Camera prior to version 1.25 is affected. BUGTRAQ ID: 32666 CVE(CAN) ID: CVE-2008-4390 Linksys WVC54GC is a wireless network camera that supports 802.11g protocol. The Linksys WVC54GC camera uses 916/UDP remote management commands. 0 Linksys WVC54GC 1.19 Linksys ------- At present, the manufacturer has released an upgrade patch to fix this security problem, please go to the manufacturer's homepage to download: <a href=http://www.linksys.com/servlet/Satellite ?blobcol=urldata&blobheadername1=Content-Type&blobheadername2=Content-Disposition&blobheadervalue1=text%2Fplain&blobheadervalue2=inline%3B+filename%3DWVC54GC-V1 target=_blank>http://www.linksys.com/servlet/ Satellite?blobcol=urldata&blobheadername1=Content-Type&blobheadername2=Content-Disposition&blobheadervalue1=text%2Fplain&. ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/ Stay Secure, Secunia ---------------------------------------------------------------------- TITLE: Linksys WVC54GCA Multiple Vulnerabilities SECUNIA ADVISORY ID: SA34767 VERIFY ADVISORY: http://secunia.com/advisories/34767/ DESCRIPTION: pagvac has reported some vulnerabilities in Linksys WVC54GCA, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks, and by malicious users to bypass certain security restrictions. 1) The device sends e.g. login credentials in plain text after receiving a specially crafted UDP packet. This is related to vulnerability #1 in: SA33032 2) Input passed to the "next_file" parameter in img/main.cgi is not properly verified before being used to read files. This can be exploited to read the .htpasswd file from the current directory and disclose the administrator's password. Successful exploitation of this vulnerability requires valid user credentials. 3) Input passed to the "next_file" parameter in img/main.cgi, main.cgi, and adm/file.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in firmware versions 1.00R22 and 1.00R24. Other versions may also be affected. SOLUTION: Use the product in trusted networks only. Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: pagvac ORIGINAL ADVISORY: http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/ OTHER REFERENCES: SA33032: http://secunia.com/advisories/33032/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 1) A security issue is caused due to the device sending certain information (e.g. This can be exploited to gain access to sensitive information by sending a specially crafted packet to a vulnerable device. 2) A vulnerability is caused due to a boundary error in the "SetSource()" method of the NetCamPlayerWeb11gv2 ActiveX control (NetCamPlayerWeb11gv2.ocx). This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website. SOLUTION: Update to version 1.25. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Greg Linares, eEye

img/main.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote authenticated users to read arbitrary files in img/ via a filename in the next_file parameter, as demonstrated by reading .htpasswd to obtain the admin password, a different vulnerability than CVE-2004-2507. The Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The Linksys WVC54GC wireless video camera insecurely sends initial configuration information over the network, which can allow a remote, unauthenticated attacker to intercept video streams, access wireless network authentication credentials, modify the device firmware, or cause a denial-of-service to the video camera. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera is prone to an information-disclosure vulnerability. Exploiting this issue can allow a remote attacker to harvest sensitive information such as the administrator's password, which can lead to a complete compromise of the device. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera firmware 1.00R22 and 1.00R24 are affected; other versions may also be vulnerable. The Linksys WVC54GCA management console does not properly filter the next_file parameter submitted by the main.cgi program, and remote attackers can retrieve the contents of the current directory by submitting malicious requests. If the contents of .htpasswd are retrieved, the user can perform arbitrary operations by logging into the console without authorization. ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/ Stay Secure, Secunia ---------------------------------------------------------------------- TITLE: Linksys WVC54GCA Multiple Vulnerabilities SECUNIA ADVISORY ID: SA34767 VERIFY ADVISORY: http://secunia.com/advisories/34767/ DESCRIPTION: pagvac has reported some vulnerabilities in Linksys WVC54GCA, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks, and by malicious users to bypass certain security restrictions. 1) The device sends e.g. login credentials in plain text after receiving a specially crafted UDP packet. This can be exploited to read the .htpasswd file from the current directory and disclose the administrator's password. Successful exploitation of this vulnerability requires valid user credentials. 3) Input passed to the "next_file" parameter in img/main.cgi, main.cgi, and adm/file.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in firmware versions 1.00R22 and 1.00R24. Other versions may also be affected. SOLUTION: Use the product in trusted networks only. Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: pagvac ORIGINAL ADVISORY: http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/ OTHER REFERENCES: SA33032: http://secunia.com/advisories/33032/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 1) A security issue is caused due to the device sending certain information (e.g. This can be exploited to gain access to sensitive information by sending a specially crafted packet to a vulnerable device. 2) A vulnerability is caused due to a boundary error in the "SetSource()" method of the NetCamPlayerWeb11gv2 ActiveX control (NetCamPlayerWeb11gv2.ocx). This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website. SOLUTION: Update to version 1.25. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Greg Linares, eEye

Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allow remote attackers to inject arbitrary web script or HTML via the next_file parameter to (1) main.cgi, (2) img/main.cgi, or (3) adm/file.cgi; or (4) the this_file parameter to adm/file.cgi. The Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. (1) main.cgi To next_file Parameters (2) img/main.cgi To next_file Parameters (3) adm/file.cgi To next_file Parameters (4) adm/file.cgi To this_file Parameters. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera firmware 1.00R22 and 1.00R24 are affected; other versions may also be vulnerable. Linksys WVC54GCA is a wireless network camera. Remote attackers can send The camera's console submits a malicious request to perform a cross-site scripting attack. ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/ Stay Secure, Secunia ---------------------------------------------------------------------- TITLE: Linksys WVC54GCA Multiple Vulnerabilities SECUNIA ADVISORY ID: SA34767 VERIFY ADVISORY: http://secunia.com/advisories/34767/ DESCRIPTION: pagvac has reported some vulnerabilities in Linksys WVC54GCA, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks, and by malicious users to bypass certain security restrictions. 1) The device sends e.g. login credentials in plain text after receiving a specially crafted UDP packet. This is related to vulnerability #1 in: SA33032 2) Input passed to the "next_file" parameter in img/main.cgi is not properly verified before being used to read files. This can be exploited to read the .htpasswd file from the current directory and disclose the administrator's password. Successful exploitation of this vulnerability requires valid user credentials. 3) Input passed to the "next_file" parameter in img/main.cgi, main.cgi, and adm/file.cgi is not properly sanitised before being returned to the user. The vulnerabilities are reported in firmware versions 1.00R22 and 1.00R24. Other versions may also be affected. SOLUTION: Use the product in trusted networks only. Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: pagvac ORIGINAL ADVISORY: http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/ OTHER REFERENCES: SA33032: http://secunia.com/advisories/33032/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 1) A security issue is caused due to the device sending certain information (e.g. This can be exploited to gain access to sensitive information by sending a specially crafted packet to a vulnerable device. 2) A vulnerability is caused due to a boundary error in the "SetSource()" method of the NetCamPlayerWeb11gv2 ActiveX control (NetCamPlayerWeb11gv2.ocx). This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website. SOLUTION: Update to version 1.25. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Greg Linares, eEye

The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 sends configuration data in response to a Setup Wizard remote-management command, which allows remote attackers to obtain sensitive information such as passwords by reading the SetupWizard.exe process memory, a related issue to CVE-2008-4390. The Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The problem is CVE-2008-4390 May be related toBy a third party SetupWizard.exe By reading the process memory, you may get important information such as passwords. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera is prone to an information-disclosure vulnerability. Linksys WVC54GCA Wireless-G Internet Home Monitoring Camera firmware 1.00R22 and 1.00R24 are affected; other versions may also be vulnerable. After a wireless camera is discovered by a client using the Linksys WVC54GCA, SetupWizard.exe sends a UDP request to the device as part of the handshake, and the device responds to the request with clear-text login credentials. An attacker could find the returned login credentials from the SetupWizard.exe process and gain unauthorized administrative access. ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/ Stay Secure, Secunia ---------------------------------------------------------------------- TITLE: Linksys WVC54GCA Multiple Vulnerabilities SECUNIA ADVISORY ID: SA34767 VERIFY ADVISORY: http://secunia.com/advisories/34767/ DESCRIPTION: pagvac has reported some vulnerabilities in Linksys WVC54GCA, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks, and by malicious users to bypass certain security restrictions. 1) The device sends e.g. login credentials in plain text after receiving a specially crafted UDP packet. This is related to vulnerability #1 in: SA33032 2) Input passed to the "next_file" parameter in img/main.cgi is not properly verified before being used to read files. This can be exploited to read the .htpasswd file from the current directory and disclose the administrator's password. Successful exploitation of this vulnerability requires valid user credentials. 3) Input passed to the "next_file" parameter in img/main.cgi, main.cgi, and adm/file.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in firmware versions 1.00R22 and 1.00R24. Other versions may also be affected. SOLUTION: Use the product in trusted networks only. Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: pagvac ORIGINAL ADVISORY: http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/ OTHER REFERENCES: SA33032: http://secunia.com/advisories/33032/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 1) A security issue is caused due to the device sending certain information (e.g. This can be exploited to gain access to sensitive information by sending a specially crafted packet to a vulnerable device. 2) A vulnerability is caused due to a boundary error in the "SetSource()" method of the NetCamPlayerWeb11gv2 ActiveX control (NetCamPlayerWeb11gv2.ocx). This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website. SOLUTION: Update to version 1.25. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Greg Linares, eEye

Stack-based buffer overflow in the SetSource method in the NetCamPlayerWeb11gv2 ActiveX control in NetCamPlayerWeb11gv2.ocx on the Cisco Linksys WVC54GC wireless video camera before firmware 1.25 allows remote attackers to execute arbitrary code via long invalid arguments. Linksys WVC54GC NetCamPlayerWeb11gv2 Agent ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input. Failed attacks will likely cause denial-of-service conditions. WVC53GC with firmware versions prior to 1.25 that include the ActiveX control are vulnerable. Linksys WVC54GC is a wireless network camera that supports 802.11g protocol. If a user is tricked into browsing a specially crafted HTML document and provides a very long input parameter to the method, it can trigger a stack overflow, causing the browser to crash or execute arbitrary commands. ---------------------------------------------------------------------- Secunia is pleased to announce the release of the annual Secunia report for 2008. Highlights from the 2008 report: * Vulnerability Research * Software Inspection Results * Secunia Research Highlights * Secunia Advisory Statistics Request the full 2008 Report here: http://secunia.com/advisories/try_vi/request_2008_report/ Stay Secure, Secunia ---------------------------------------------------------------------- TITLE: Linksys WVC54GCA Multiple Vulnerabilities SECUNIA ADVISORY ID: SA34767 VERIFY ADVISORY: http://secunia.com/advisories/34767/ DESCRIPTION: pagvac has reported some vulnerabilities in Linksys WVC54GCA, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks, and by malicious users to bypass certain security restrictions. 1) The device sends e.g. login credentials in plain text after receiving a specially crafted UDP packet. This is related to vulnerability #1 in: SA33032 2) Input passed to the "next_file" parameter in img/main.cgi is not properly verified before being used to read files. This can be exploited to read the .htpasswd file from the current directory and disclose the administrator's password. Successful exploitation of this vulnerability requires valid user credentials. 3) Input passed to the "next_file" parameter in img/main.cgi, main.cgi, and adm/file.cgi is not properly sanitised before being returned to the user. Other versions may also be affected. SOLUTION: Use the product in trusted networks only. Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: pagvac ORIGINAL ADVISORY: http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/ http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/ OTHER REFERENCES: SA33032: http://secunia.com/advisories/33032/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 1) A security issue is caused due to the device sending certain information (e.g. This can be exploited to gain access to sensitive information by sending a specially crafted packet to a vulnerable device. 2) A vulnerability is caused due to a boundary error in the "SetSource()" method of the NetCamPlayerWeb11gv2 ActiveX control (NetCamPlayerWeb11gv2.ocx). This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website. SOLUTION: Update to version 1.25. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Greg Linares, eEye

Multiple buffer overflows in Rumpus before 6.0.1 allow remote attackers to (1) cause a denial of service (segmentation fault) via a long HTTP verb in the HTTP component; and allow remote authenticated users to execute arbitrary code via a long argument to the (2) MKD, (3) XMKD, (4) RMD, and other unspecified commands in the FTP component. Maxum Rumpus FTP Server is prone to a remote denial-of-service vulnerability. This issue allows remote attackers to crash affected servers, denying service to legitimate users. Maxum Rumpus is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application, possibly with root privileges. Failed exploit attempts will result in a denial-of-service condition. Versions prior to Rumpus 6.0.1 are vulnerable. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Rumpus Multiple Vulnerabilities SECUNIA ADVISORY ID: SA32892 VERIFY ADVISORY: http://secunia.com/advisories/32892/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Rumpus 6.x http://secunia.com/advisories/product/20643/ DESCRIPTION: Blue Moon Consulting has reported some vulnerabilities in Rumpus, which can be exploited by malicious people to cause a DoS (Denial of Service) and by malicious users to potentially compromise a vulnerable system. 1) An error in the HTTP service when processing overly long HTTP methods can be exploited to cause a crash. 2) A boundary error in the FTP service when processing arguments sent to the e.g. "MKD", "XMKD", "RMD" FTP commands can be exploited to cause a stack-based buffer overflow. Successful exploitation of this vulnerability may allow execution of arbitrary code, but requires valid FTP credentials. The vulnerabilities are reported in version 6.0. SOLUTION: Update to version 6.0.1. PROVIDED AND/OR DISCOVERED BY: Blue Moon Consulting ORIGINAL ADVISORY: Blue Moon Consulting (BMSA 2008-09): http://lists.grok.org.uk/pipermail/full-disclosure/2008-December/066086.html Maxum: http://www.maxum.com/Rumpus/News601.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in Apple QuickTime Player 7.5.5 and iTunes 8.0.2.20 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a MOV file with "long arguments," related to an "off by one overflow.". Apple iTunes and QuickTime are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects the following: iTunes 8.0.2.20 through 9.0.1.8 QuickTime 7.3.4 through QuickTime X Additional versions or applications that rely on the QuickTime library may also be affected. Apple QuickTime Player is Apple's media player software. A stack buffer overflow exists in Apple QuickTime Player 7.5.5 and iTunes 8.0.2.20

Siemens C450 IP and C475 IP VoIP devices allow remote attackers to cause a denial of service (disconnected calls and device reboot) via a crafted SIP packet to UDP port 5060. A remote attacker may exploit this issue to cause vulnerable devices to drop all current calls and reboot, resulting in a denial-of-service condition. Both Siemens C450IP and C475IP are popular VOIP phone devices. There is a loophole in the device processing malformed request data. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Siemens C450IP / C475IP Denial of Service Vulnerability SECUNIA ADVISORY ID: SA32827 VERIFY ADVISORY: http://secunia.com/advisories/32827/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Siemens C450IP http://secunia.com/advisories/product/20611/ Siemens C475IP http://secunia.com/advisories/product/20612/ DESCRIPTION: A vulnerability has been reported in Siemens C450IP / C475IP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the processing of SIP messages. SOLUTION: Restrict network access to the device. PROVIDED AND/OR DISCOVERED BY: sky & Any ORIGINAL ADVISORY: http://milw0rm.com/exploits/7220 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Siemens C450IP and C475IP are popular VOIP telephone equipment.  The device has loopholes when processing malformed request data. If a remote attacker sends a specially crafted UDP packet to port 5060 of the phone, it will cause the device to disconnect all calls and restart.

Apple Safari cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue. This allows attackers to bypass security features provided by secure cookies. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems

Directory traversal vulnerability in the web interface in Apple iPhone Configuration Web Utility 1.0 on Windows allows remote attackers to read arbitrary files via unspecified vectors. Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks. iPhone is a smart phone product released by Apple Inc. (Apple.Inc, formerly Apple Computer) at the global WWDC 07 conference on January 10, 2007. Remote attackers can read arbitrary files through unknown means. The vulnerability is caused due to an input validation error when processing HTTP GET requests. This can be exploited to download arbitrary files from the affected system via directory traversal attacks. Other versions may also be affected. SOLUTION: Restrict network access to the application. PROVIDED AND/OR DISCOVERED BY: Corey LeBleu and r@b13$ of Digital Defense, Inc. Vulnerability Research Team ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065822.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------