VARIoT IoT vulnerabilities database

VAR-200604-0271 | CVE-2006-1987 | Apple Safari denial of service (DoS) vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Safari 2.0.3 allows remote attackers to cause a denial of service and possibly execute code via an invalid FRAME tag, possibly due to (1) multiple SCROLLING attributes with no values, or (2) a SRC attribute with no value. NOTE: due to lack of diagnosis by the researcher, it is unclear which vector is responsible. Apple Safari contains a denial of service (DoS) vulnerability; a remote third party may be able to put the browser into a DoS state. Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues. When parsing malformed .tiff graphic files, the LZWDecodeVector(), _cg_TIFFSetField() and PredictorVSetField() functions do not correctly handle the malformed data, so opening the image crashes the application. The flaw lies in the core .tiff parsing engine, so Preview, Finder, QuickTime, and Safari are all possible attack vectors. When decompressing a specially crafted .zip file, the BOMStackPop() function does not correctly parse the malformed data, resulting in a heap overflow. When parsing a specially crafted .bmp file, the ReadBMP() function does not correctly parse the malformed data, resulting in a heap overflow. When parsing a specially crafted .gif file, the CFAllocatorAllocate() function does not correctly parse the malformed data, resulting in a heap overflow.
1) An error exists in the "BOMStackPop()" function in the
BOMArchiveHelper when decompressing malformed ZIP archives.
2) Some errors exist in the "KWQListIteratorImpl()", "drawText()",
and "objc_msgSend_rtp()" functions in Safari when processing
malformed HTML tags.
3) An error exists in the "ReadBMP()" function when processing
malformed BMP images and can be exploited via e.g. Safari or the
Preview application.
4) An error exists in the "CFAllocatorAllocate()" function when
processing malformed GIF images and can be exploited via e.g. Safari
when a user visits a malicious web site.
5) Two errors exist in the "_cg_TIFFSetField()" and
"PredictorVSetField()" functions when processing malformed TIFF
images and can be exploited via e.g.
The vulnerabilities have been reported in version 10.4.6. Other
versions may also be affected.
SOLUTION:
Do not visit untrusted web sites, and do not open ZIP archives or
images originating from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Tom Ferris
ORIGINAL ADVISORY:
Tom Ferris:
http://www.security-protocols.com/sp-x25-advisory.php
http://www.security-protocols.com/sp-x26-advisory.php
http://www.security-protocols.com/sp-x27-advisory.php
http://www.security-protocols.com/sp-x28-advisory.php
http://www.security-protocols.com/sp-x29-advisory.php
http://www.security-protocols.com/sp-x30-advisory.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200810-0184 | CVE-2008-3271 | Apache Tomcat allows access from a non-permitted IP address |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. Apache Tomcat from The Apache Software Foundation contains a vulnerability which may allow a user from a non-permitted IP address to gain access. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies. Apache Tomcat contains a vulnerability which may allow a user from a non-permitted IP address to gain access to a protected context. This vulnerability was addressed and solved in ASF Bugzilla - Bug 25835. However, there was no description of this vulnerability in ASF Bugzilla - Bug 25835, so The Apache Tomcat Development Team decided to publish an advisory regarding this issue. Kenichi Tsukamoto of Development Dept. II, Application Management Middleware Div., FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under the Information Security Early Warning Partnership. Impact varies depending on the context accessed from the non-permitted IP address; for example, information disclosure may be possible. Apache Tomcat is prone to a security-bypass vulnerability related to extensions of 'RemoteFilterValve'.
Attackers may be able to bypass certain access restrictions.
The following versions are vulnerable:
Tomcat 4.1.0 through 4.1.32
Tomcat 5.5.0.
TITLE:
Apache Tomcat Directory Listing Denial of Service
SECUNIA ADVISORY ID:
SA17416
VERIFY ADVISORY:
http://secunia.com/advisories/17416/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Apache Tomcat 5.x
http://secunia.com/product/3571/
DESCRIPTION:
David Maciejak has discovered a vulnerability in Apache Tomcat, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to the inefficient generation of
directory listings for web directories that have a large number of
files. By sending multiple concurrent requests for such a directory,
it is possible to prevent other users from accessing the directory
and cause the server to consume a large amount of CPU resources. The
vulnerability affects only the directory that is being listed. Files
or applications in other web directories are not affected.
Successful exploitation requires that directory listing is enabled in
a directory with a large number of files.
The vulnerability has been confirmed in Tomcat version 5.5.11 and
5.5.12 on the Windows platform, and has been reported in versions
5.5.0 through 5.5.11. Other versions may also be affected.
Note: In version 5.5.12, the server will resume normal operation
after a few minutes.
SOLUTION:
The vulnerability has been partially addressed in version 5.5.12,
which will resume normal operation after a few minutes.
Disable directory listing for web directories that have a large number
of files.
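The mitigation above is a single init-param on Tomcat's DefaultServlet, but it is easy to lose track of across many installations. The following Python is an added example written for this page, not code from the advisory or from the Tomcat project: it parses a web.xml document (a constructed fragment in the shape of Tomcat's DefaultServlet declaration is embedded) and reports the effective "listings" setting, treating a missing parameter as false, which is the DefaultServlet's own default.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed fragment shaped like Tomcat's conf/web.xml DefaultServlet entry,
# with listings switched on (the exposed configuration).
WEB_XML_LISTINGS_ON = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# The same declaration with the advisory's fix applied.
WEB_XML_LISTINGS_OFF = WEB_XML_LISTINGS_ON.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")


def _local(tag):
    """Strip a '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_listings(web_xml_text):
    """Return the effective DefaultServlet 'listings' value: True or False,
    or None when no DefaultServlet is declared in this document.
    A missing init-param means False (Tomcat's default for the parameter)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        listings = False
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            if _child_text(param, "param-name") == "listings":
                listings = _child_text(param, "param-value").lower() == "true"
        return listings
    return None


def listings_finding(web_xml_text):
    """One-line audit verdict for a web.xml document."""
    state = default_servlet_listings(web_xml_text)
    if state is None:
        return "no DefaultServlet declaration found"
    return "listings ENABLED: directory index DoS exposure" if state else "listings disabled"


if __name__ == "__main__":
    print(listings_finding(WEB_XML_LISTINGS_ON))
    print(listings_finding(WEB_XML_LISTINGS_OFF))
```

Run it over conf/web.xml and over each webapp's WEB-INF/web.xml, since an application can redeclare the default servlet with its own init-params and re-enable listings for that context alone.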
PROVIDED AND/OR DISCOVERED BY:
David Maciejak
Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later
Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.
1. Set a breakpoint right after the place where a value
is to be entered in the instance variable of regexp
(search:org.apache.regexp.CharacterIterator).
2. Send a request from the IP address* which is not permitted.
(stopped at the breakpoint)
*About the IP address which is not permitted.
The IP address string must have the same length as the address
configured in RemoteAddrValve.
3. Send a request from the IP address which was set in
RemoteAddrValve.
(stopped at the breakpoint)
In this way, the instance variable is to be overwritten here.
4. Resume the thread which is processing the step 2 above.
5. The request from the not permitted IP address will succeed.
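The five steps above describe a classic shared-state race: the address being checked is parked in an instance variable of a matcher that every request thread shares, so a second request can overwrite it between the store and the match. The following Python is an added example written for this page, not Tomcat or Jakarta-regexp code: it models the valve with a matcher that keeps its subject in an instance variable (SharedSubjectMatcher, a simplification of the CharacterIterator state the advisory names), forces the debugger interleaving from steps 1-5 with two events, and shows the blocked address getting through. The addresses are constructed and have equal length, as the advisory requires; SafeValve keeps the subject in a local and is not affected.

```python
import re
import threading

# Constructed allow-list: only this address may reach the protected context.
ALLOWED_ADDR = "10.0.0.1"
BLOCKED_ADDR = "10.0.0.9"   # same string length as ALLOWED_ADDR, as the advisory requires


class SharedSubjectMatcher:
    """Regex wrapper that parks the text being scanned in an instance variable
    before matching. This models the shared iterator state the advisory
    describes; it is not the Jakarta-regexp implementation."""

    def __init__(self, pattern):
        self._re = re.compile(pattern)
        self._subject = None          # shared by every request thread: the bug

    def load(self, text):
        self._subject = text

    def matches(self):
        return self._re.fullmatch(self._subject) is not None


class UnsafeValve:
    """One matcher instance shared by all request threads, as in the bug."""

    def __init__(self, allowed):
        self._matcher = SharedSubjectMatcher(re.escape(allowed))

    def is_allowed(self, remote_addr, hook=None):
        self._matcher.load(remote_addr)   # step 1: value stored in the instance variable
        if hook:
            hook()                        # the advisory's breakpoint sits here
        return self._matcher.matches()    # matches whatever is stored *now*


class SafeValve:
    """Same check with the subject held in a local; no shared state to clobber."""

    def __init__(self, allowed):
        self._re = re.compile(re.escape(allowed))

    def is_allowed(self, remote_addr, hook=None):
        subject = remote_addr
        if hook:
            hook()
        return self._re.fullmatch(subject) is not None


def run_race(valve_cls):
    """Force the advisory's interleaving: thread A (blocked address) stores its
    subject and parks; thread B (allowed address) stores its own subject and
    completes; A resumes. Returns True when the blocked address was admitted."""
    valve = valve_cls(ALLOWED_ADDR)
    a_parked = threading.Event()
    a_resume = threading.Event()
    result = {}

    def park():
        a_parked.set()
        a_resume.wait()

    def request_a():
        result["blocked"] = valve.is_allowed(BLOCKED_ADDR, hook=park)

    def request_b():
        result["allowed"] = valve.is_allowed(ALLOWED_ADDR)

    ta = threading.Thread(target=request_a)
    ta.start()
    a_parked.wait()               # step 2: A is stopped right after its store
    tb = threading.Thread(target=request_b)
    tb.start()
    tb.join()                     # step 3: B overwrites the shared subject and passes
    a_resume.set()                # step 4: resume A
    ta.join()
    return result["blocked"]      # step 5: did the blocked request succeed?


if __name__ == "__main__":
    print("unsafe valve admits blocked address:", run_race(UnsafeValve))  # True
    print("safe valve admits blocked address:", run_race(SafeValve))      # False
```

The events make the race deterministic for demonstration; in production the same window is hit by timing, which is why the advisory could only reproduce it under a debugger. The fix direction is the same as SafeValve: per-request state stays on the stack (or the shared matcher is locked), never in an instance field of an object all threads share.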
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-----END PGP SIGNATURE-----
Apache Tomcat 5.x:
Update to version 5.5.1 or later.
SOLUTION:
Patches are scheduled for release.
Use a proxy or firewall to protect resources.
Version 5.5.x is intended for servlet/jsp specification 2.4/2.0.
More information on http://tomcat.apache.org/
Description:
Many time-consuming directory listing requests can cause a denial of service.
Detection/PoC:
On Linux:
Vulnerable versions tested are 5.5.0 to 5.5.11.
5.5.12 and 5.0.28 seem not to be impacted.
An easy way to test:
-Download Tomcat package from Tomcat archive
-Unpack it, use default configuration
-In the webapps example dir, add some empty files (enough for the dir listing
request to be long)
-Thread many listing accesses on this directory
Workaround:
Upgrade to linux version 5.5.12
PS: The Secunia team has done more tests, available on
http://secunia.com/advisories/17416/
David Maciejak
TITLE:
NEC WebOTX Products "RemoteFilterValve" Security Bypass Security
Issue
SECUNIA ADVISORY ID:
SA35684
VERIFY ADVISORY:
http://secunia.com/advisories/35684/
DESCRIPTION:
A security issue has been reported in various NEC WebOTX products,
which potentially can be exploited by malicious people to bypass
certain security restrictions.
The security issue is caused due to a synchronisation problem when
checking IP addresses and can be exploited to bypass a filter valve
that extends "RemoteFilterValve" and potentially gain access to
protected contexts.
The security issue is reported in the following products and
versions:
* WebOTX Web Edition version 4.x through 5.x
* WebOTX Standard-J Edition version 4.x through 5.x
* WebOTX Standard Edition version 4.x through 5.x
* WebOTX Enterprise Edition version 4.x through 5.x
* WebOTX UDDI Registry version 1.1 through 2.1
SOLUTION:
Reportedly, patches are available. Contact the vendor's sales
department for more information.
For more information:
SA32213
SOLUTION:
Apply updated packages via YaST Online Update or the SUSE FTP server
VAR-200512-0001 | CVE-2005-1939 | Ipswitch WhatsUp Small Business 2004 Reporting Service Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Ipswitch WhatsUp Small Business 2004 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in a request to the Report service (TCP 8022). Successful exploitation could allow a remote attacker to gain access to files outside the Web root. Sensitive information may be obtained in this manner. A remote attacker can read any document.
Example:
http://[host]:8022/../../../../../[file]
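The request above works because the Report service joins the request path onto its document root and lets the filesystem honour the ".." segments. The following Python is an added example written for this page, not Ipswitch code: it contrasts that naive concatenation with a resolver that percent-decodes, normalises (treating backslashes as separators, since the product runs on Windows), and refuses any result that does not stay under the root. The document root and the request paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the Report service; not the product's real path.
WEB_ROOT = "/opt/whatsup/reports"


def naive_resolve(web_root, request_path):
    """What a vulnerable handler effectively does: glue the request path onto
    the root and let the filesystem honour any '..' segments."""
    return web_root.rstrip("/") + "/" + request_path.lstrip("/")


def safe_resolve(web_root, request_path):
    """Percent-decode, normalise, then require the result to stay inside
    web_root. Returns the absolute path, or None when the request escapes."""
    decoded = unquote(request_path).replace("\\", "/")   # backslashes count on Windows
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: the advisory's traversal shape, a percent-encoded
# variant, a backslash variant, and a legitimate report URL.
REQUESTS = [
    "/../../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/boot.ini",
    "/..\\..\\windows\\win.ini",
    "/daily/report.htm",
]


def classify(requests=REQUESTS, web_root=WEB_ROOT):
    """Map each request to (naive_path, safe_path_or_None)."""
    return {r: (naive_resolve(web_root, r), safe_resolve(web_root, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in classify().items():
        print(f"{req!r:40} naive={naive}  safe={safe}")
```

The resolver decodes once; if a front end decodes a second time before handing the path on, double-encoded sequences such as %252e need to be rejected or decoded in the same number of passes as the server that opens the file.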
SOLUTION:
Restrict access to the vulnerable service.
PROVIDED AND/OR DISCOVERED BY:
Independently discovered by:
* Dennis Rand, Cirt.dk.
* Carsten Eiram, Secunia Research.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2005-14/
Cirt.dk:
http://cirt.dk/advisories/cirt-40-advisory.pdf
VAR-200511-0172 | CVE-2005-2753 | Apple QuickTime Embedded Pascal Style Remote Integer Overflow Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted attackers to execute arbitrary code via a crafted MOV file that causes a sign extension of the length element in a Pascal style string. This issue is due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations.
An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2753
Original location:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
Severity: Critical - remote code execution.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
0. DISCLAIMER
Author takes no responsibility for any actions with provided
informations or codes. The copyright for any material created by the
author is reserved. Any duplication of codes or texts provided here in
electronic or printed publications is not permitted without the author's
agreement.
I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
A sign extension of the length of an embedded "Pascal" style string could
result in a very large memory copy, which leads to a potential memory overwrite.
The vulnerability may lead to remote code execution when a specially
crafted video file (MOV file) is loaded.
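A Pascal string carries its length in a leading byte. If that byte is read through a signed 8-bit type and then widened to the unsigned copy length, any value from 0x80 upward becomes negative and then enormous, which is the large memory copy described above. The following Python is an added example written for this page, not QuickTime code and not the researcher's proof of concept: it models the sign-extended read next to a bounded unsigned reader, on two constructed strings. A 32-bit copy length is assumed.

```python
import struct

SIZE_T_MASK = 0xFFFFFFFF   # assumed 32-bit size type for the copy length


def pascal_len_sign_extended(blob, offset=0):
    """Model of the bug: the length byte is read through a signed 8-bit type and
    then widened to the unsigned copy length. Bytes 0x80..0xFF come out negative,
    which the widening turns into a huge length."""
    (signed_len,) = struct.unpack_from("b", blob, offset)   # 'b' = signed char
    return signed_len & SIZE_T_MASK


def read_pascal_string(blob, offset=0):
    """Hardened reader: unsigned length plus an explicit bound against the bytes
    actually present. Returns (payload, next_offset) or raises ValueError."""
    if offset >= len(blob):
        raise ValueError("no length byte at offset")
    (n,) = struct.unpack_from("B", blob, offset)             # 'B' = unsigned char
    end = offset + 1 + n
    if end > len(blob):
        raise ValueError(f"declared length {n} exceeds {len(blob) - offset - 1} available bytes")
    return bytes(blob[offset + 1:end]), end


# Constructed samples: a benign 5-byte name, and a string whose length byte has
# its top bit set but is followed by only 16 bytes of payload.
BENIGN = b"\x05hello"
HOSTILE = b"\x90" + b"A" * 16


def demo():
    """Return (benign_copy_len, hostile_copy_len, benign_payload, hostile_rejected)."""
    benign_copy = pascal_len_sign_extended(BENIGN)     # 5
    hostile_copy = pascal_len_sign_extended(HOSTILE)   # 0xFFFFFF90: a ~4 GiB memcpy
    payload, _ = read_pascal_string(BENIGN)
    try:
        read_pascal_string(HOSTILE)
        rejected = False
    except ValueError:
        rejected = True
    return benign_copy, hostile_copy, payload, rejected


if __name__ == "__main__":
    b, h, p, r = demo()
    print(f"benign length as copied:  {b}")
    print(f"hostile length as copied: {h} (0x{h:08x})")
    print(f"benign payload: {p!r}; hostile rejected by bounded reader: {r}")
```

Note that the unsigned read alone is not the fix: 0x90 still declares 144 bytes where only 16 exist, so the bound against the remaining input is what prevents the over-read, and the unsigned type is what keeps the length from becoming gigantic.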
III. POC CODE
Due to the severity of this bug I will not release any proof of concept
code for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been notified and has released all necessary patches.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Before me there were no created things
but eternal ones, and I endure eternally.
Abandon all hope, you who enter "
- Dante, Inferno Canto III
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
2) An integer overflow error exists in the handling of certain movie
attributes when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain
missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
VAR-200511-0173 | CVE-2005-2754 | Apple QuickTime MOV file improper movie attributes integer overflow |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted attackers to execute arbitrary code via a crafted MOV file with "Improper movie attributes". This issue is due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations.
An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2754
Original location:
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
Severity: Critical - remote code execution.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
Improper movie attributes could result in a very large memory copy,
which leads to a potential memory overwrite.
III. POC CODE
Due to the severity of this bug I will not release any proof of concept
code for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been notified and has released all necessary patches.
best regards,
Piotr Bania
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
1) An integer overflow error exists in the handling of a "Pascal"
style string when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain
missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
VAR-200511-0175 | CVE-2005-2756 | Apple QuickTime PictureViewer PICT data decompression buffer overflow |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Apple QuickTime before 7.0.3 allows user-assisted attackers to overwrite memory and execute arbitrary code via a crafted PICT file that triggers an overflow during expansion. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
An attacker may leverage this issue to cause the affected QuickTime client to crash, denying service to legitimate users. It has been speculated that this issue may also facilitate code execution; any code execution would occur with the privileges of the user that activated the affected software.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2756
Original location:
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
Severity: Critical - remote code execution.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
I. BACKGROUND
Apple QuickTime PictureViewer is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
Expansion of compressed PICT data could exceed the size of the
destination buffer, causing a memory overwrite.
The vulnerability may lead to remote code execution when a specially
crafted picture file (PICT file) is loaded.
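PICT bitmap opcodes carry their pixel rows as PackBits run-length data, and a row's expanded size is dictated by the run headers in the file rather than by the row size the header promised. The following Python is an added example written for this page, not QuickTime code and not the researcher's proof of concept: a PackBits-style expander without a destination bound next to one with the checks the advisory says were missing, run over two constructed rows for an 8-byte destination. On a fixed C buffer the unchecked overrun corrupts adjacent memory; here it surfaces as an IndexError on a fixed-size bytearray.

```python
def packbits_expand_unchecked(src, dst_size):
    """Naive expander: trusts every run header and writes as far as it says.
    On a fixed C buffer the overrun silently corrupts memory; on this
    fixed-size bytearray it surfaces as IndexError instead."""
    dst = bytearray(dst_size)
    out = i = 0
    while i < len(src):
        header = src[i]
        i += 1
        if header == 128:                  # no-op header
            continue
        if header < 128:                   # literal run of header+1 bytes
            for k in range(header + 1):
                dst[out] = src[i + k]
                out += 1
            i += header + 1
        else:                              # repeat next byte (257-header) times
            for _ in range(257 - header):
                dst[out] = src[i]
                out += 1
            i += 1
    return bytes(dst[:out])


def packbits_expand_checked(src, dst_size):
    """Same algorithm with the bound the advisory says was missing: every run is
    checked against the remaining source and the destination before any byte
    is written."""
    dst = bytearray(dst_size)
    out = i = 0
    while i < len(src):
        header = src[i]
        i += 1
        if header == 128:
            continue
        if header < 128:
            n = header + 1
            if i + n > len(src):
                raise ValueError("literal run runs past end of source")
            chunk = src[i:i + n]
            i += n
        else:
            n = 257 - header
            if i >= len(src):
                raise ValueError("repeat run missing its data byte")
            chunk = bytes([src[i]]) * n
            i += 1
        if out + n > dst_size:
            raise ValueError(f"expansion to {out + n} bytes exceeds {dst_size}-byte row")
        dst[out:out + n] = chunk
        out += n
    return bytes(dst[:out])


# Constructed packed rows for an 8-byte destination row:
#   GOOD -> 3 x 0x00, literal 10 20 30, 2 x 0xff   = exactly 8 bytes
#   EVIL -> four runs of 128 x 0xff                 = 512 bytes into 8
ROW_BYTES = 8
GOOD = b"\xfe\x00" + b"\x02\x10\x20\x30" + b"\xff\xff"
EVIL = b"\x81\xff" * 4


def expand_or_error(fn, src, dst_size=ROW_BYTES):
    """Run an expander and return its output, or the exception type name."""
    try:
        return fn(src, dst_size)
    except (IndexError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for name, fn in (("unchecked", packbits_expand_unchecked),
                     ("checked", packbits_expand_checked)):
        print(name, "GOOD ->", expand_or_error(fn, GOOD))
        print(name, "EVIL ->", expand_or_error(fn, EVIL))
```

The destination bound has to be checked per run, before the write, against the size the decoder actually allocated; checking the total only after expansion is too late, and trusting a size field in the same attacker-controlled file is no check at all.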
III. POC CODE
Due to the severity of this bug I will not release any proof of concept
code for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been notified and has released all necessary patches.
best regards,
Piotr Bania
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
1) An integer overflow error exists in the handling of a "Pascal"
style string when loading a ".mov" video file.
2) An integer overflow error exists in the handling of certain movie
attributes when loading a ".mov" video file.
3) A NULL pointer dereferencing error exists when handling certain
missing movie attributes from a video file.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
VAR-200511-0174 | CVE-2005-2755 | Apple QuickTime Player missing movie attribute NULL pointer dereference denial of service |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Apple QuickTime Player before 7.0.3 allows user-assisted attackers to cause a denial of service (crash) via a crafted file with a missing movie attribute, which leads to a null dereference. QuickTime is prone to a denial of service vulnerability. This issue is due to a failure in the application to handle exceptional conditions.
Successful exploitation of this vulnerability will cause the application to crash, effectively denying service to legitimate users.
This issue affects both Microsoft Windows, and Apple versions of QuickTime.
CVE-ID: CVE-2005-2755
Original location:
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
Severity: Critical - attack against any application
loading remotely-originated content.
Software affected: QuickTime package 7.0.1 for Mac OS X 10.3
QuickTime package 7.0.1 for Mac OS X 10.4
QuickTime package 6.5.2 for Mac OS X 10.3
QuickTime package 6.5.2 for Mac OS X 10.2
QuickTime package 7* for Windows
Older versions may be also vulnerable.
Note: Following versions are not vulnerable, due to
the fact I have reported the vulnerabilities
before their releases:
QuickTime package 7.0.2 for Mac OS X 10.3
QuickTime package 7.0.2 for Mac OS X 10.4
I. BACKGROUND
Apple QuickTime Player is one of the Apple QuickTime components
used by hundreds of millions of users.
II.
A missing movie attribute is interpreted as an extension, but the
absence of the extension is not flagged as an error, resulting in
a de-reference of a NULL pointer.
III. POC CODE
Due to the severity of this bug I will not release any proof of concept
code for this issue.
IV. VENDOR RESPONSE
Vendor (Apple) has been notified and has released all necessary patches.
best regards,
Piotr Bania
--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------
" Before me nothing was created
that was not eternal, and eternally I endure.
Abandon all hope, you who enter here "
- Dante, Inferno, Canto III
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA17428
VERIFY ADVISORY:
http://secunia.com/advisories/17428/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
DESCRIPTION:
Piotr Bania has reported some vulnerabilities in Apple QuickTime,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
1) An integer overflow error exists in the handling of a "Pascal"
style string when loading a ".mov" video file. This can result in
memory overwrite due to a large memory copy, potentially allowing
arbitrary code execution via a specially crafted video file.
2) An integer overflow error exists in the handling of certain movie
attributes when loading a ".mov" video file. This can result in
memory overwrite due to a large memory copy, potentially allowing
arbitrary code execution via a specially crafted video file.
This may be exploited to crash an application that uses QuickTime
when a specially crafted video file is loaded.
4) A boundary error exists in the QuickTime PictureViewer when
decompressing PICT data. This may be exploited to cause a memory
overwrite, potentially allowing arbitrary code execution via a
specially crafted PICT picture file.
Prior versions may also be affected.
SOLUTION:
Update to version 7.0.3.
http://www.apple.com/support/downloads/quicktime703.html
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302772
Piotr Bania:
http://pb.specialised.info/all/adv/quicktime-mov-io1-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt
http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt
http://pb.specialised.info/all/adv/quicktime-pict-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200511-0349 | CVE-2005-3482 | Cisco Airespace wireless LAN Controller allows unencrypted network access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco 1200, 1131, and 1240 series Access Points, when operating in Lightweight Access Point Protocol (LWAPP) mode and controlled by 2000 and 4400 series Airespace WLAN controllers running 3.1.59.24, allow remote attackers to send unencrypted traffic to a secure network using frames with the MAC address of an authenticated end host. Cisco Airespace WLAN (Wireless LAN) devices are prone to an issue that may permit unauthorized parties to access a secure network. This may bypass the security of the wireless network, as it may permit access by hosts that have not authenticated. Legitimate end hosts can still communicate with the access point using encryption.
The vulnerability is caused due to the WLAN controller accepting
unencrypted traffic from end hosts even when it is configured to
perform encryption.
SOLUTION:
Update to version 3.1.105.0 of the WLAN Controller software.
Cisco 2000 Series WLAN Controller:
http://www.cisco.com/pcgi-bin/tablebuild.pl/2000_series_Wireless_LAN_controller
Cisco 4400 Series WLAN Controller:
http://www.cisco.com/pcgi-bin/tablebuild.pl/4400_series_Wireless_LAN_controller
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml
VAR-200511-0474 | CVE-2005-3467 | RhinoSoft Serv-U FTP Server Unknown denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Serv-U FTP Server before 6.1.0.4 allows attackers to cause a denial of service (crash) via (1) malformed packets and possibly other unspecified issues with unknown impact and attack vectors including (2) use of "~" in a pathname, and (3) memory consumption of the daemon. NOTE: it is not clear whether items (2) and above are vulnerabilities. Serv-U FTP server is prone to an unspecified denial of service vulnerability. This issue is most likely due to a failure in the application to handle exceptional conditions.
Specific details regarding this issue are not currently available, this BID will be updated as more information becomes available.
An attacker can exploit this vulnerability to cause the server to crash, effectively denying service to legitimate users.
TITLE:
Serv-U FTP Server Potential Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA17409
VERIFY ADVISORY:
http://secunia.com/advisories/17409/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Serv-U FTP Server 6.x
http://secunia.com/product/5878/
DESCRIPTION:
A vulnerability has been reported in Serv-U, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).
NOTE: The ZLib and OpenSSL libraries have also been changed to
version v1.2.3 and v0.9.8a respectively.
SOLUTION:
Update to version 6.1.0.4.
http://www.serv-u.com/dn.asp
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.serv-u.com/releasenotes.asp
OTHER REFERENCES:
SA17151:
http://secunia.com/advisories/17151/
SA16137:
http://secunia.com/advisories/16137/
SA15949:
http://secunia.com/advisories/15949/
VAR-200511-0348 | CVE-2005-3481 | Cisco IOS heap integrity checks are insufficient |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0 to 12.4 might allow remote attackers to execute arbitrary code via a heap-based buffer overflow in system timers. NOTE: this issue does not correspond to a specific vulnerability, rather a general weakness that only increases the feasibility of exploitation of any vulnerabilities that might exist. Such design-level weaknesses normally are not included in CVE, so perhaps this issue should be REJECTed. Cisco IOS includes a heap integrity check that verifies the consistency of heap memory contents in the event of a heap overflow, but a weakness exists that could allow this heap integrity check to be bypassed. Cisco also provides a Japanese translation of the information, but recommends consulting the English version of the advisory for the latest information. Cisco IOS is vulnerable to a heap overflow that could lead to the execution of arbitrary code on the router. Cisco IOS is prone to heap-based buffer-overflow issues. Cisco has released an advisory stating that IOS upgrades are available to address the possibility of exploits of heap-based buffer-overflow vulnerabilities. It is not known at this time if the advisory addresses a specific heap overflow or just provides security enhancements to mitigate attempts to exploit heap-overflow vulnerabilities. In many cases, the overflow will only corrupt system memory and trigger a system reload if detected by the "Check Heaps" process that monitors for memory corruption.
The vulnerability has been reported to affect all Cisco products that
run Cisco IOS Software.
Note: The vendor has reported that the vulnerability was fixed as a
result of continued research related to the demonstration of an
exploit for the IPv6 vulnerability.
For more information:
SA16272
SOLUTION:
Fixes are available for IOS 12.0, 12.1, 12.2, 12.3 and 12.4 (see
patch matrix in vendor advisory).
http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml#software
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
OTHER REFERENCES:
SA16272:
http://secunia.com/advisories/16272/
VAR-200511-0475 | CVE-2005-3468 | F-Secure Web Console Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in F-Secure Anti-Virus for Microsoft Exchange 6.40 and Internet Gatekeeper 6.40 to 6.42 allows limited remote attackers to bypass Web Console authentication and read files. The remote threat only arises if the application has been configured to accept connections from elsewhere. The default configuration only poses a local threat. This can be exploited to read arbitrary files on the
server via directory traversal attacks.
Successful exploitation requires that the attacker is able to connect
to the Web Console via an allowed host.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Mikko Korppi.
ORIGINAL ADVISORY:
http://www.f-secure.com/security/fsc-2005-2.shtml
ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-01_readme.txt
ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk642-01_readme.txt
VAR-200511-0479 | CVE-2005-3472 | Sun Java System Communications Express Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Sun Java System Communications Express 2005Q1 and 2004Q2 allows local and remote attackers to read sensitive information from configuration files.
A remote attacker may obtain application configuration files.
SOLUTION:
Apply patches.
-- SPARC Platform (Solaris 8, 9 and 10) --
Apply patch 118540-21 or later.
-- x86 Platform (Solaris 8, 9 and 10) --
Apply patch 118541-21 or later.
-- Linux Platform --
Apply patch 118542-21 or later.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101948-1
VAR-200511-0357 | CVE-2005-3490 | Asus VideoSecurity WEB Server Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the web server in Asus Video Security 3.5.0.0 and earlier allows remote attackers to read arbitrary files via "../" or "..\" sequences in the URL. Asus VideoSecurity Online is prone to a directory traversal vulnerability. Exploitation could allow a remote attacker to obtain sensitive information that could be used to mount further attacks.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier. VideoSecurity is video surveillance software.
TITLE:
Asus VideoSecurity Online Two Vulnerabilities
SECUNIA ADVISORY ID:
SA17419
VERIFY ADVISORY:
http://secunia.com/advisories/17419/
CRITICAL:
Moderately critical
IMPACT:
Unknown, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
Asus VideoSecurity Online 3.x
http://secunia.com/product/6043/
DESCRIPTION:
Luigi Auriemma has reported two vulnerabilities in Asus VideoSecurity
Online, where one has an unknown impact, and the other can be
exploited by malicious people to disclose sensitive information.
1) A boundary error in the authorisation handling can be exploited to
cause a buffer overflow by sending a specially crafted request to the
web server.
2) An input validation error in the request handling can be exploited
to disclose the content of arbitrary files via directory traversal
attacks.
The vulnerabilities have been reported in version 3.5.0.0 and prior.
Other versions may also be affected.
SOLUTION:
Disable the built-in web server.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/asusvsbugs-adv.txt
VAR-200511-0356 | CVE-2005-3489 | Asus Video Security Buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Asus Video Security 3.5.0.0 and earlier, when using authorization, allows remote attackers to execute arbitrary code via a long username/password string. Asus VideoSecurity Online is prone to a buffer overflow in the authentication mechanism of the included Web server. This issue only exists if authentication is enabled on the Web server.
The Web server included with Asus VideoSecurity Online is not enabled by default.
This vulnerability is reported to affect Asus VideoSecurity Online 3.5.0 and earlier. VideoSecurity is video surveillance software.
TITLE:
Asus VideoSecurity Online Two Vulnerabilities
SECUNIA ADVISORY ID:
SA17419
VERIFY ADVISORY:
http://secunia.com/advisories/17419/
CRITICAL:
Moderately critical
IMPACT:
Unknown, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
Asus VideoSecurity Online 3.x
http://secunia.com/product/6043/
DESCRIPTION:
Luigi Auriemma has reported two vulnerabilities in Asus VideoSecurity
Online, where one has an unknown impact, and the other can be
exploited by malicious people to disclose sensitive information.
1) A boundary error in the authorisation handling can be exploited to
cause a buffer overflow by sending a specially crafted request to the
web server.
2) An input validation error in the request handling can be exploited
to disclose the content of arbitrary files via directory traversal
attacks.
The vulnerabilities have been reported in version 3.5.0.0 and prior.
Other versions may also be affected.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/asusvsbugs-adv.txt
VAR-200511-0399 | CVE-2005-3427 | Cisco IPS MC Malformed Configuration Download Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The Cisco Management Center (MC) for IPS Sensors (IPS MC) 2.1 can omit port field values while generating the Cisco IOS IPS configuration file, which can cause some signatures to be disabled and makes it easier for attackers to escape detection. Cisco IDS/IPS solutions configured by either Cisco IPS MC v2.1, Cisco IDS MC, Cisco SDM, or the Cisco IOS CLI are vulnerable as well. This causes some
signatures belonging to certain classes to be incorrectly disabled,
potentially allowing malicious traffic to pass through.
SOLUTION:
Apply patches.
http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml
VAR-200511-0135 | CVE-2005-3400 | Fortinet Virus scanning bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple interpretation error in Fortinet 2.48.0.0 allows remote attackers to bypass virus scanning via a file such as BAT, HTML, and EML with an "MZ" magic byte sequence which is normally associated with EXE, which causes the file to be treated as a safe type that could still be executed as a dangerous file type by applications on the end system, as demonstrated by a "triple headed" program that contains EXE, EML, and HTML content, aka the "magic byte bug". Fortinet is prone to a security bypass vulnerability. TheHacker is an antivirus engine.
VAR-200510-0068 | CVE-2005-3304 | PHP-Nuke Multiple modules remote SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in PHP-Nuke 7.8 allow remote attackers to modify SQL queries and execute arbitrary PHP code via (1) the username parameter in the Your Account page, (2) the url parameter in the Downloads module, and (3) the description parameter in the Web_Links module. PHPNuke is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. PHP-Nuke is a popular website creation and management tool that can use many database systems as a backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. Remote attackers can insert malicious SQL statement strings into the input data to operate on the database without authorization.
TITLE:
PHP-Nuke SQL Injection Vulnerabilities
SECUNIA ADVISORY ID:
SA17315
VERIFY ADVISORY:
http://secunia.com/advisories/17315/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data
WHERE:
From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
rgod has discovered some vulnerabilities in PHP-Nuke, which can be
exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
The vulnerabilities have been confirmed in version 7.8. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
rgod
ORIGINAL ADVISORY:
http://rgod.altervista.org/phpnuke78sql.html
VAR-200510-0260 | CVE-2005-3270 | Symantec LiveUpdate for Macintosh Local privilege elevation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Untrusted search path vulnerability in DiskMountNotify for Symantec Norton AntiVirus 9.0.3 allows local users to gain privileges by modifying the PATH to reference a malicious (1) ps or (2) grep file.
TITLE:
Symantec Norton AntiVirus / LiveUpdate for Macintosh Privilege
Escalation
SECUNIA ADVISORY ID:
SA17268
VERIFY ADVISORY:
http://secunia.com/advisories/17268/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
Symantec Norton Utilities for Macintosh 8.x
http://secunia.com/product/5953/
Symantec LiveUpdate for Macintosh 3.x
http://secunia.com/product/5954/
Symantec Norton AntiVirus for Macintosh 10.x
http://secunia.com/product/5949/
Symantec Norton AntiVirus for Macintosh 9.x
http://secunia.com/product/5948/
Symantec Norton Internet Security for Macintosh 3.x
http://secunia.com/product/5951/
Symantec Norton Personal Firewall for Macintosh 3.x
http://secunia.com/product/5950/
Symantec Norton SystemWorks for Macintosh 3.x
http://secunia.com/product/5952/
DESCRIPTION:
Some vulnerabilities have been reported in Symantec Norton AntiVirus
for Macintosh and Symantec LiveUpdate for Macintosh, which can be
exploited by malicious, local users to gain escalated privileges.
1) The suid "DiskMountNotify" component of Symantec Norton AntiVirus
for Macintosh fails to set its execution path environment. This may
be exploited by malicious users to execute arbitrary commands with
System Administrative privileges by modifying the execution path that
the component uses to locate system commands.
The vulnerability has been reported in the following versions:
* version 9.0.0, 9.0.1
* version 9.0.2 (English, Japanese)
* version 9.0.2 Build 5 (French, German, Italian)
* version 9.0.3 (English, Japanese)
* version 10.0.0, 10.0.1
2) The LiveUpdate component uses a suid command-line application to
interface with the Java interpreter. This can be exploited by
malicious users to execute arbitrary Java code with System
Administrative privileges using the interface application.
The vulnerability has been reported in the following products:
* LiveUpdate for Macintosh versions 3.0.0, 3.0.1 and 3.0.2
* LiveUpdate for Macintosh version 3.0.3 Build 5 (English)
* LiveUpdate for Macintosh version 3.0.3 Build 11, 3.5.0 Build 47
* Norton AntiVirus 9.0.x, 10.0.0, 10.0.1
* Norton Personal Firewall 3.0.x, 3.1.0
* Norton Internet Security 3.0.x
* Norton Utilities 8.0.x
* Norton SystemWorks 3.0.x
SOLUTION:
Update to the latest version via Live Update.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits iDEFENSE.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19.html
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19a.html
VAR-200510-0133 | CVE-2005-2759 | Symantec Norton Antivirus For Macintosh DiskMountNotify Local privilege elevation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
** SPLIT ** The jlucaller program in LiveUpdate for Symantec Norton AntiVirus 9.0.3 on Macintosh runs setuid when executing Java programs, which allows local users to gain privileges. NOTE: due to a CNA error, this candidate was also originally assigned to an issue in DiskMountNotify. Use CVE-2005-3270 for the DiskMountNotify issue, and CVE-2005-2759 for the LiveUpdate issue. This issue is due to a failure of the application to properly utilize the PATH environment variable in a setuid-superuser binary.
This vulnerability allows local attackers to gain superuser privileges, leading to complete compromise of the affected computer. This may
be exploited by malicious users to execute arbitrary commands with
System Administrative privileges by modifying the execution path that
the component uses to locate system commands.
The vulnerability has been reported in the following versions:
* version 9.0.0, 9.0.1
* version 9.0.2 (English, Japanese)
* version 9.0.2 Build 5 (French, German, Italian)
* version 9.0.3 (English, Japanese)
* version 10.0.0, 10.0.1
2) The LiveUpdate component uses a suid command-line application to
interface with the Java interpreter. This can be exploited by
malicious users to execute arbitrary Java code with System
Administrative privileges using the interface application.
The vulnerability has been reported in the following products:
* LiveUpdate for Macintosh versions 3.0.0, 3.0.1 and 3.0.2
* LiveUpdate for Macintosh version 3.0.3 Build 5 (English)
* LiveUpdate for Macintosh version 3.0.3 Build 11, 3.5.0 Build 47
* Norton AntiVirus 9.0.x, 10.0.0, 10.0.1
* Norton Personal Firewall 3.0.x, 3.1.0
* Norton Internet Security 3.0.x
* Norton Utilities 8.0.x
* Norton SystemWorks 3.0.x
SOLUTION:
Update to the latest version via Live Update.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits iDEFENSE.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19.html
http://securityresponse.symantec.com/avcenter/security/Content/2005.10.19a.html
VAR-200511-0398 | CVE-2005-3426 | Cisco 11500 Content Services Switch Malformed SSL Certificate Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco CSS 11500 Content Services Switch (CSS) with SSL termination services allows remote attackers to cause a denial of service (memory corruption and device reload) via a malformed client certificate during SSL session negotiation. This vulnerability only occurs if the CSS is configured to support SSL termination services, and SSL termination services are not configured by default.
SOLUTION:
Fixes are available (see patch matrix in vendor advisory).
http://www.cisco.com/en/US/products/products_security_advisory09186a008054bc9b.shtml#software
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20051019-css.shtml
----------------------------------------------------------------------