VARIoT IoT vulnerabilities database

VAR-200607-0506 | CVE-2006-3734 | Snort Back Orifice preprocessor buffer overflow |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the Command Line Interface (CLI) for Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1 allow local CS-MARS administrators to execute arbitrary commands as root. The CS-MARS CLI is a restricted shell environment that allows authenticated administrators to perform system maintenance tasks. Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable.
A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. This may facilitate a remote compromise of affected computers. The issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers; the specific issue exists in the Back Orifice preprocessor. This may facilitate unauthorized access or privilege escalation.
Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers.
Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks.
Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-291A
Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.
I. Description
Snort is a widely-deployed, open-source network intrusion detection
system (IDS). Snort and its components are used in other IDS
products, notably Sourcefire Intrusion Sensors, and Snort is
included with a number of operating system distributions.
Snort preprocessors are modular plugins that extend functionality
by operating on packets before the detection engine is run. The Back
Orifice preprocessor decodes packets to determine whether they contain
Back Orifice ping messages. The ping detection code does not
adequately limit the amount of data that is read from the packet into
a fixed-length buffer, thus creating the potential for a buffer
overflow.
The vulnerable code will process any UDP packet that is not
destined to or sourced from the default Back Orifice port
(31337/udp). An attacker could exploit this vulnerability by
sending a specially crafted UDP packet to a host or network
monitored by Snort.
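The C program below is an added example; it is not Snort's source and not code from the ISS or US-CERT advisories. It models the bug class the description names: a length taken from the packet drives a copy into a fixed-size buffer. The 8-byte magic "*!*QWTY?", the 4-byte little-endian length field, the 1024-byte decode buffer and the omission of the Back Orifice XOR cipher (the packet is treated as already decrypted) are assumptions made for illustration. bo_decode_unsafe shows the vulnerable pattern and is only ever called here with a well-formed packet; bo_decode_safe is the hardened form, which checks the claimed length against both the bytes actually captured and the destination capacity before copying; bo_should_inspect mirrors the trigger condition stated above (any UDP packet not on 31337/udp).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed Back Orifice ping layout for this example: 8-byte magic, then a
 * 4-byte little-endian total length, then the rest of the message. The XOR
 * cipher is omitted; the packet is treated as already decrypted. */
#define BO_MAGIC        "*!*QWTY?"
#define BO_MAGIC_LEN    8
#define BO_HDR_LEN      12
#define BO_DEFAULT_PORT 31337
#define PLAINTEXT_MAX   1024     /* fixed-size decode buffer (assumed size) */
#define WIRE_MAX        1500     /* largest UDP payload this demo constructs */

/* Trigger condition from the advisory: inspect UDP traffic that is neither
 * sourced from nor destined to the default Back Orifice port. */
int bo_should_inspect(uint16_t sport, uint16_t dport) {
    return sport != BO_DEFAULT_PORT && dport != BO_DEFAULT_PORT;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern (illustrative, not Snort's code): the copy length comes
 * from the packet and is never compared with dsize or the buffer size, so a
 * packet claiming more than PLAINTEXT_MAX bytes writes past `plain`.
 * Returns 1 if the packet looked like BO, 0 otherwise. */
int bo_decode_unsafe(const uint8_t *pkt, uint16_t dsize, uint8_t *plain, uint32_t *out_len) {
    if (dsize < BO_HDR_LEN || memcmp(pkt, BO_MAGIC, BO_MAGIC_LEN) != 0) return 0;
    uint32_t len = le32(pkt + 8);
    for (uint32_t i = 0; i < len; i++)   /* overflow when len > PLAINTEXT_MAX */
        plain[i] = pkt[i];
    *out_len = len;
    return 1;
}

/* Hardened form: the claimed length must fit both the bytes actually captured
 * (dsize) and the destination buffer (plain_cap) before anything is copied.
 * Returns 1 = decoded, 0 = not a BO packet, -1 = malformed (alert, copy nothing). */
int bo_decode_safe(const uint8_t *pkt, uint16_t dsize, uint8_t *plain, size_t plain_cap,
                   uint32_t *out_len) {
    if (dsize < BO_HDR_LEN || memcmp(pkt, BO_MAGIC, BO_MAGIC_LEN) != 0) return 0;
    uint32_t len = le32(pkt + 8);
    if (len < BO_HDR_LEN || len > dsize || len > plain_cap) return -1;
    memcpy(plain, pkt, len);
    *out_len = len;
    return 1;
}

/* Builds a packet that claims `claimed_len` bytes but actually carries
 * `actual_len`, then runs the hardened decoder against a buffer of `plain_cap`.
 * Returns the decoder's verdict (1, 0 or -1), or -2 if the demo cannot build it. */
int bo_check_claim(uint32_t claimed_len, uint16_t actual_len, size_t plain_cap) {
    static uint8_t wire[WIRE_MAX];
    static uint8_t plain[PLAINTEXT_MAX];
    if (actual_len > WIRE_MAX || plain_cap > PLAINTEXT_MAX) return -2;
    memset(wire, 0x41, sizeof wire);          /* filler bytes (constructed input) */
    memcpy(wire, BO_MAGIC, BO_MAGIC_LEN);
    wire[8]  = claimed_len & 0xFF;         wire[9]  = (claimed_len >> 8) & 0xFF;
    wire[10] = (claimed_len >> 16) & 0xFF; wire[11] = (claimed_len >> 24) & 0xFF;
    uint32_t got = 0;
    return bo_decode_safe(wire, actual_len, plain, plain_cap, &got);
}

int main(void) {
    uint8_t wire[64], plain[PLAINTEXT_MAX];
    uint32_t n = 0;
    memset(wire, 0x41, sizeof wire);
    memcpy(wire, BO_MAGIC, BO_MAGIC_LEN);
    wire[8] = 64; wire[9] = wire[10] = wire[11] = 0;   /* claims 64 bytes, has 64 */
    printf("well-formed, unsafe decoder: %d (%u bytes)\n", bo_decode_unsafe(wire, 64, plain, &n), n);
    printf("well-formed, safe decoder:   %d\n", bo_check_claim(64, 64, PLAINTEXT_MAX));
    printf("claims 65535, has 64:        %d\n", bo_check_claim(65535, 64, PLAINTEXT_MAX));
    printf("claims 64 into 32-byte buf:  %d\n", bo_check_claim(64, 64, 32));
    printf("inspect 1234->5678: %d, 31337->80: %d\n",
           bo_should_inspect(1234, 5678), bo_should_inspect(BO_DEFAULT_PORT, 80));
    return 0;
}
```

The -1 verdict is the important one for a sensor: a packet whose declared length exceeds what was captured is malformed by definition, and the right response is an alert without a copy, not a truncated copy and not a crash that, as the advisory notes, silently blinds the sensor to everything else.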
US-CERT is tracking this vulnerability as VU#175500. Further
information is available in an advisory from Internet Security
Systems (ISS).
II. Impact
A remote, unauthenticated attacker could execute arbitrary code with
the privileges of the Snort process. Snort typically runs with root or
SYSTEM privileges, so an attacker could take complete control of a
vulnerable system. An attacker does not need to target a Snort
sensor directly; the attacker can target any host or network
monitored by Snort.
III. Solution
Upgrade
Sourcefire has released Snort 2.4.3 which is available from the
Snort download site. For information about other vendors, please
see the Systems Affected section of VU#175500.
Disable Back Orifice Preprocessor
To disable the Back Orifice preprocessor, comment out the line that
loads the preprocessor in the Snort configuration file (typically
/etc/snort.conf on UNIX and Linux systems):
[/etc/snort.conf]
...
#preprocessor bo
...
Restart Snort for the change to take effect. While the preprocessor is
disabled, Snort no longer inspects for Back Orifice traffic on the
non-default ports the preprocessor covered, so treat this as a stopgap
until the sensor is upgraded.
Restrict Outbound Traffic
Consider preventing Snort sensors from initiating outbound
connections and restricting outbound traffic to only those hosts
and networks that have legitimate requirements to communicate with
the sensors. While this will not prevent exploitation of the
vulnerability, it may make it more difficult for an attacker to
access a compromised system or reconnoiter other systems.
Appendix A. References
* US-CERT Vulnerability Note VU#175500 -
<http://www.kb.cert.org/vuls/id/175500>
* Fixes and Mitigation Instructions Available for Snort Back
Orifice Vulnerability -
<http://www.snort.org/pub-bin/snortnews.cgi#99>
* Snort downloads - <http://www.snort.org/dl/>
* Snort 2.4.3 Changelog -
<http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
* Preprocessors -
<http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html#SECTION00310000000000000000>
* Snort Back Orifice Parsing Remote Code Execution -
<http://xforce.iss.net/xforce/alerts/id/207>
____________________________________________________________________
This vulnerability was researched and reported by Internet Security
Systems (ISS).
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Oct 18, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ1VB130pj593lg50AQLY6wf+Kq/rI3wxG4rGr+OdVrpl3v+TfTMp6MX3
T0e99ybRSGKeWQCleMQYdBYrS+7UyCa28T1yE8ENe4SuYLPj7ttTqpd0AGxn7f8H
+qOY0GnJwXvrWlKCfVtAhjo5JFDxgZQV9P/13MwjcsJrGTtHzhuJ8YZc4RtSMyVX
4nf2s4Nymjd2+jIEX9BnwRIe/E47TRdFLSsza36mhKZLZV1lxLdJYywCZSsQLWNM
nL9gohRojR/6wQk8sLjef8LCv2JFu3btsqrrblcTWqfB6GhVR9OSUBhL+b8P/mme
jVd9eE0OS5v8rzhaEMiYIMI+pEZEpATj4BnVoLwPkLAoD6ObGJKHkQ==
=jjID
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
CS-MARS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21118
VERIFY ADVISORY:
http://secunia.com/advisories/21118/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Exposure of system information, System access
WHERE:
From local network
OPERATING SYSTEM:
Cisco Security Monitoring, Analysis and Response System (CS-MARS) 4.x
http://secunia.com/product/6780/
DESCRIPTION:
Multiple vulnerabilities have been reported in CS-MARS, which can be
exploited by malicious, local users to bypass certain security
restrictions and malicious people to gain knowledge of system
information and compromise a vulnerable system.
1) Multiple unspecified errors in the Command Line Interface (CLI) can
be exploited by local CS-MARS administrators to execute arbitrary
commands with root privileges.
2) The included JBoss web application server is also affected by an
information disclosure weakness.
3) CS-MARS also ships with an Oracle database containing several
default Oracle accounts with well-known passwords.
SOLUTION:
Update to version 4.2.1 or later.
PROVIDED AND/OR DISCOVERED BY:
1+2) Jon Hart
3) Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml
OTHER REFERENCES:
SA15746:
http://secunia.com/advisories/15746/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
The vulnerability is caused due to a boundary error in the handling
of Back Orifice packets. Alternatively, disable the Back Orifice
pre-processor.
VAR-200607-0505 | CVE-2006-3733 | Snort Back Orifice preprocessor buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
jmx-console/HtmlAdaptor in the jmx-console in the JBoss web application server, as shipped with Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1, allows remote attackers to gain privileges as the CS-MARS administrator and execute arbitrary Java code via an invokeOp action in the BSHDeployer jboss.scripts service name. CS-MARS is prone to multiple vulnerabilities, including privilege-escalation, arbitrary command-execution, and information-disclosure issues; a vulnerability exists in the way the JBoss server processes user requests. This may facilitate a remote compromise of affected computers. Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable.
A buffer overflow also exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. Snort versions 2.4.0 through 2.4.2 are affected; the issue is described in full under VAR-200607-0506 above.
VAR-200607-0504 | CVE-2006-3732 | Snort Back Orifice preprocessor buffer overflow |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1 ships with an Oracle database that contains several default accounts and passwords, which allows attackers to obtain sensitive information. CS-MARS uses an Oracle database to store sensitive network events and configuration data. Information in the database may include authentication credentials for network devices, such as firewalls, routers and IPS devices, and details of network security events. Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable.
A buffer overflow also exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. Snort versions 2.4.0 through 2.4.2 are affected; the issue is described in full under VAR-200607-0506 above.
VAR-200510-0204 | CVE-2005-3221 | Fortinet Antivirus Malicious RAR File bypass virus detection vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Multiple interpretation error in unspecified versions of Fortinet Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as WinRAR and PowerZip, even though it is rejected as corrupted by WinZip and BitZipper. Fortinet Antivirus is prone to a security bypass vulnerability. Fortinet Antivirus is antivirus software from Fortinet that uses a signature database and a heuristic scanning engine. An unidentified version of Fortinet Antivirus has a multiple interpretation error: the specially crafted RAR file contains malformed central and local headers, so although WinZip and BitZipper treat it as damaged and reject it, it can still be opened by products such as WinRAR and PowerZip. A scanner that rejects the archive as corrupt never inspects the executable inside it, while the user's extractor still unpacks that executable.
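The program below is an added example; it is not Fortinet's code and not from the original advisory. It reproduces the failure mode described above in a format whose structure matches the advisory's wording: a ZIP member carries the same metadata twice, once in its local file header and once in the central directory, and two consumers disagree when the two copies conflict. ZIP is used instead of RAR so that the whole archive can be built in a few lines; the RAR layout differs, so this shows the general pattern rather than the Fortinet parser. lenient_extract plays the WinRAR/PowerZip role: it is driven by the central directory and still unpacks the member after the local header has been damaged. header_mismatches is the fail-closed check a scanner needs: it cross-checks the two headers and reports a disagreement instead of dismissing the archive as corrupt. The member name payload.exe and its contents are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE), the checksum ZIP stores for every member. */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xFFFF); put16(p + 2, v >> 16); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* One-member, stored (uncompressed) archive laid out per the ZIP spec: 30-byte
 * local header + name, data, 46-byte central header + name, 22-byte EOCD record.
 * The same CRC and sizes are written into BOTH headers. Returns archive length. */
size_t build_zip(uint8_t *out, const char *name, const uint8_t *data, size_t dlen) {
    uint16_t nlen = (uint16_t)strlen(name);
    uint32_t crc = crc32_buf(data, dlen);
    uint8_t *p = out;
    memset(p, 0, 30); memcpy(p, "PK\x03\x04", 4); put16(p + 4, 20);
    put32(p + 14, crc); put32(p + 18, (uint32_t)dlen); put32(p + 22, (uint32_t)dlen);
    put16(p + 26, nlen); memcpy(p + 30, name, nlen); p += 30 + nlen;
    memcpy(p, data, dlen); p += dlen;
    uint32_t cd_off = (uint32_t)(p - out);
    memset(p, 0, 46); memcpy(p, "PK\x01\x02", 4); put16(p + 4, 20); put16(p + 6, 20);
    put32(p + 16, crc); put32(p + 20, (uint32_t)dlen); put32(p + 24, (uint32_t)dlen);
    put16(p + 28, nlen); put32(p + 42, 0); memcpy(p + 46, name, nlen); p += 46 + nlen;
    memset(p, 0, 22); memcpy(p, "PK\x05\x06", 4); put16(p + 8, 1); put16(p + 10, 1);
    put32(p + 12, 46u + nlen); put32(p + 16, cd_off);
    return (size_t)(p + 22 - out);
}

/* Finds the single central-directory entry and the local header it points to.
 * Returns 0, or -1 when the archive cannot be walked at all. */
static int locate(const uint8_t *zip, size_t zlen, const uint8_t **cd, const uint8_t **lh) {
    if (zlen < 22 || memcmp(zip + zlen - 22, "PK\x05\x06", 4) != 0) return -1;
    size_t cdo = get32(zip + zlen - 22 + 16);
    if (cdo + 46 > zlen || memcmp(zip + cdo, "PK\x01\x02", 4) != 0) return -1;
    size_t lho = get32(zip + cdo + 42), nlen = get16(zip + cdo + 28);
    if (lho + 30 + nlen > zlen || cdo + 46 + nlen > zlen) return -1;
    if (memcmp(zip + lho, "PK\x03\x04", 4) != 0) return -1;
    *cd = zip + cdo; *lh = zip + lho;
    return 0;
}

/* Lenient extractor: trusts the central directory, never reads the local
 * header's CRC or sizes, verifies the data CRC against the central record only.
 * Returns bytes extracted, or -1. */
long lenient_extract(const uint8_t *zip, size_t zlen, uint8_t *out, size_t cap) {
    const uint8_t *cd, *lh;
    if (locate(zip, zlen, &cd, &lh) != 0) return -1;
    uint32_t csize = get32(cd + 20);
    const uint8_t *data = lh + 30 + get16(lh + 26) + get16(lh + 28);
    if ((size_t)(data - zip) + csize > zlen || csize > cap) return -1;
    if (crc32_buf(data, csize) != get32(cd + 16)) return -1;
    memcpy(out, data, csize);
    return (long)csize;
}

/* Strict cross-check (the scanner's role): every field present in both headers
 * must agree. Returns the number of disagreements, or -1 if unparseable. Bit 3
 * of the local flags means CRC/sizes live in a trailing data descriptor; those
 * three local fields are then legitimately zero and are skipped. */
int header_mismatches(const uint8_t *zip, size_t zlen) {
    const uint8_t *cd, *lh;
    if (locate(zip, zlen, &cd, &lh) != 0) return -1;
    int bad = 0;
    bad += get16(lh + 8) != get16(cd + 10);                      /* method */
    if (!(get16(lh + 6) & 0x08)) {
        bad += get32(lh + 14) != get32(cd + 16);                 /* CRC-32 */
        bad += get32(lh + 18) != get32(cd + 20);                 /* compressed size */
        bad += get32(lh + 22) != get32(cd + 24);                 /* uncompressed size */
    }
    uint16_t nlen = get16(cd + 28);
    bad += get16(lh + 26) != nlen || memcmp(lh + 30, cd + 46, nlen) != 0;  /* name */
    return bad;
}

/* Whole scenario. Bit 0: pristine archive consistent; bit 1: pristine extracts;
 * bit 2: archive with a damaged local CRC is flagged; bit 3: the lenient
 * extractor still unpacks the damaged archive byte-for-byte. Expect 15. */
int demo_multiple_interpretation(void) {
    static const uint8_t payload[] = "MZ-sample-executable";   /* constructed data */
    uint8_t zip[256], out[64];
    size_t plen = sizeof payload - 1, zlen = build_zip(zip, "payload.exe", payload, plen);
    int r = 0;
    if (header_mismatches(zip, zlen) == 0) r |= 1;
    if (lenient_extract(zip, zlen, out, sizeof out) == (long)plen) r |= 2;
    zip[14] ^= 0xFF;                        /* damage the local header CRC only */
    if (header_mismatches(zip, zlen) == 1) r |= 4;
    if (lenient_extract(zip, zlen, out, sizeof out) == (long)plen &&
        memcmp(out, payload, plen) == 0) r |= 8;
    return r;
}

int main(void) {
    printf("scenario bits: %d (15 = scanner would call it corrupt, extractor still unpacks it)\n",
           demo_multiple_interpretation());
    return 0;
}
```

The design point is the verdict taken on a disagreement: a scanner that returns "corrupt, nothing to scan" is the fail-open behaviour the advisory describes, whereas reporting the mismatch (and ideally scanning every interpretation the common extractors would produce) keeps the malicious executable from slipping through unexamined.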
VAR-200510-0113 | CVE-2005-3286 | Kerio Personal firewall and server firewall PEB lockout Denial of service vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The FWDRV driver in Kerio Personal Firewall 4.2 and Server Firewall 1.1.1 allows local users to cause a denial of service (crash) by setting the PAGE_NOACCESS or PAGE_GUARD protection on the Process Environment Block (PEB), which triggers an exception, aka the "PEB lockout vulnerability". Kerio Personal Firewall and ServerFirewall are prone to a local denial of service vulnerability.
Reports indicate that the FWDRV driver does not verify access to memory associated with the Process Environment Block (PEB) of the application. An attacker can trigger fatal exceptions and cause the firewall process to terminate.
A denial of service condition in the firewall can expose computers to further attacks. Kerio Personal Firewall and Server Firewall are easy-to-use firewall products. When parsing the PEB, FWDRV does not check whether the memory is accessible; if an attacker sets PAGE_NOACCESS or PAGE_GUARD protection on the PEB, the driver faults and the machine crashes with a blue screen. This can be exploited to crash the system via a malicious application that locks the memory page where its PEB resides before connecting to the network.
* Kerio ServerFirewall version 1.1.1 and prior.
SOLUTION:
Kerio Personal Firewall:
Update to version 4.2.1 or later.
Kerio ServerFirewall:
Update to version 1.1.2 or later.
PROVIDED AND/OR DISCOVERED BY:
Piotr Bania
ORIGINAL ADVISORY:
Kerio:
http://www.kerio.com/security_advisory.html
Piotr Bania:
http://pb.specialised.info/all/adv/kerio-fwdrv-dos-adv.txt
VAR-200511-0109 | CVE-2005-3664 | Kaspersky Antivirus engine CHM File parser remote overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Kaspersky Anti-Virus Engine, as used in Kaspersky Personal 5.0.227, Anti-Virus On-Demand Scanner for Linux 5.0.5, and F-Secure Anti-Virus for Linux 4.50 allows remote attackers to execute arbitrary code via a crafted CHM file. On Microsoft platforms, the affected software cannot execute arbitrary code, but prevents Kaspersky Anti-Virus from scanning any files, thus potentially allowing later malicious code to reach its target.
For more information:
SA17130
The vulnerability has been reported in F-Secure Anti-Virus for Linux
version 4.50. Prior versions may also be affected.
TITLE:
Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow
SECUNIA ADVISORY ID:
SA17130
VERIFY ADVISORY:
http://secunia.com/advisories/17130/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Kaspersky Anti-Virus 5.x
http://secunia.com/product/2781/
DESCRIPTION:
A vulnerability has been reported in Kaspersky Anti-Virus, which can
be exploited by malicious people to cause a DoS (Denial of Service),
or compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the scan
engine when parsing a malformed CHM file. This can be exploited to
cause a heap-based buffer overflow when a specially crafted CHM file
is scanned. On Windows platforms, the anti-virus may fail to scan any
other files after a malformed CHM file has been encountered.
SOLUTION:
The vulnerability has reportedly been fixed via a signature update
after July 2005.
PROVIDED AND/OR DISCOVERED BY:
Discovered by an anonymous person and reported via iDEFENSE.
ORIGINAL ADVISORY:
iDEFENSE:
http://www.idefense.com/application/poi/display?id=318&type=vulnerabilities
VAR-200510-0158 | CVE-2005-3196 | Planet Technology FGSW-2402RS Switch Backdoor Password Reset Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Planet Technology Corp FGSW2402RS switch with firmware 1.2 has a default password, which allows attackers with physical access to the device's serial port to gain privileges.
An attacker can exploit this vulnerability to gain administrative access to the switch; the consequences will vary depending on the network configuration.
Reports indicate that to exploit this vulnerability an attacker must have access to a machine directly connected to the vulnerable device through the RS-232 port.
Though unconfirmed, this vulnerability may be remotely exploitable if access to the affected device exists by some other means. This would greatly increase the possible exposure to this vulnerability.
VAR-200510-0180 | CVE-2005-3197 | Webroot Software Desktop Firewall Multiple Local Vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in PWIWrapper.dll for Webroot Desktop Firewall before 1.3.0build52 allows local users to execute arbitrary code as SYSTEM by sending a crafted DeviceIoControl command, then removing an allowed program from the firewall list. Webroot Software Desktop Firewall is susceptible to multiple local vulnerabilities.
The first issue is a buffer overflow vulnerability, due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
Local attackers may exploit this first issue to execute arbitrary machine code with SYSTEM privileges. Attackers require the ability to modify the firewall's list of allowed applications.
The second issue is an authentication bypass vulnerability. This issue is due to a failure of the firewall to properly enforce built-in password protection, allowing local attackers to disable the firewall.
Local attackers may exploit the second issue to disable the firewall, aiding them in further attacks.
These issues may only be exploited by local attackers with privileges allowing them to utilize 'DeviceIoControl()' to send commands to the firewall driver.
These issues are reported to exist in version 1.3.0.43. Other versions may also be affected.
SOLUTION:
Update to version 1.3.0 build 52.
PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.
ORIGINAL ADVISORY:
Webroot:
http://support.webroot.com/ics/support/KBAnswer.asp?questionID=2332
Secunia Research:
http://secunia.com/secunia_research/2005-10/advisory/
VAR-200510-0155 | CVE-2005-3190 | Computer Associates Multiple products HTTP Request remote overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Computer Associates (CA) iGateway 3.0 and 4.0 before 4.0.050623, when running in debug mode, allows remote attackers to execute arbitrary code via HTTP GET requests. Multiple Computer Associates products are susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the affected products to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
This issue exists in the iTechnology iGateway component that is included in multiple Computer Associates products.
Versions 1.x, 2.x, and the current 4.x versions of the iGateway component are not affected by this issue. Version 3.0.040107 and earlier 3.x versions are affected. This issue is only exploitable if the non-default components are installed, the 'igateway.conf' configuration file has debugging enabled, and the service is then manually restarted. Computer Associates is the world's leading security vendor, products include a variety of antivirus software.
TITLE:
CA iGateway Debug Mode HTTP GET Request Buffer Overflow
SECUNIA ADVISORY ID:
SA17085
VERIFY ADVISORY:
http://secunia.com/advisories/17085/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
CA iGateway 4.x
http://secunia.com/product/5821/
CA iGateway 3.x
http://secunia.com/product/5820/
DESCRIPTION:
Erika Mendoza has reported a vulnerability in CA iGateway, which can
be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error when parsing HTTP
GET requests.
Successful exploitation requires that debug mode is enabled.
The vulnerability has been reported in version 3.0 and 4.0 released
prior to 2005-06-23.
Note: Exploit code for this vulnerability is publicly available.
SOLUTION:
The vendor recommends that iGateway should not be run in debug mode.
PROVIDED AND/OR DISCOVERED BY:
Erika Mendoza
ORIGINAL ADVISORY:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=33485
VAR-200510-0181 | CVE-2005-3198 | Webroot Software Desktop Firewall Firewall disable vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Webroot Desktop Firewall before 1.3.0build52 allows local users to disable the firewall, even when password protection is enabled, via certain DeviceIoControl commands.
The first issue is a buffer overflow vulnerability, due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.
Local attackers may exploit this first issue to execute arbitrary machine code with SYSTEM privileges. Attackers require the ability to modify the firewall's list of allowed applications.
The second issue is an authentication bypass vulnerability.
Local attackers may exploit the second issue to disable the firewall, aiding them in further attacks.
These issues may only be exploited by local attackers with privileges allowing them to utilize 'DeviceIoControl()' to send commands to the firewall driver.
These issues are reported to exist in version 1.3.0.43. Other versions may also be affected.
1) A boundary error in PWIWrapper.dll when deleting a program from
the list of "allowed" programs can cause a stack-based buffer
overflow in FirewallNTService.exe.
Successful exploitation allows non-privileged users to execute
arbitrary code with SYSTEM privileges, but requires the ability
to add and remove programs from the firewall's permitted application
list.
SOLUTION:
Update to version 1.3.0 build 52.
PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.
ORIGINAL ADVISORY:
Webroot:
http://support.webroot.com/ics/support/KBAnswer.asp?questionID=2332
Secunia Research:
http://secunia.com/secunia_research/2005-10/advisory/
VAR-200510-0403 | CVE-2006-1458 | Ruby safe-level security model bypass |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in Apple QuickTime Player before 7.1 allows remote attackers to execute arbitrary code via a crafted JPEG image. Apple QuickTime fails to properly handle JPEG images. Apple QuickTime has multiple vulnerabilities. For more information, see the information provided by the vendor. These issues affect both Mac OS X and Microsoft Windows releases of the software.
Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. CVE-2006-1461: An attacker can create a specially crafted Flash movie to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1462, CVE-2006-1463: An attacker can create a specially crafted H.264 movie to trigger an integer overflow or buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1464: An attacker can create a specially crafted MPEG4 movie to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1465: An attacker can create a specially crafted AVI movie to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service. CVE-2006-1453, CVE-2006-1454: QuickDraw has two vulnerabilities when processing malformed PICT files. Malformed font information may cause a stack overflow, and malformed graphics data may cause a heap overflow. An attacker can create specially crafted PICT graphics to trigger them. CVE-2006-2238: An attacker can create a specially crafted BMP graphic to trigger a buffer overflow, resulting in arbitrary command execution with user privileges or denial of service.
National Cyber Alert System
Technical Cyber Security Alert TA06-132A
Apple Mac Products Affected by Multiple Vulnerabilities
Original release date: May 12, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 (Panther) and version 10.4.6 (Tiger)
* Apple Mac OS X Server version 10.3.9 and version 10.4.6
* Apple Safari web browser
* Apple Mail
Previous versions of Mac OS X may also be affected. Please see Apple
Security Update 2006-003 for further information.
Impacts of other vulnerabilities include bypassing security
restrictions and denial of service.
I. Further details are available in the individual
Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes.
III. Solution
Install an update
Install Apple Security Update 2006-003. This and other updates are
available via Apple Update.
Disable "Open 'safe' files after downloading"
For additional protection, disable the option to "Open 'safe' files
after downloading," as specified in "Securing Your Web Browser."
Appendix A. References
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
* Apple Security Update 2006-003 -
<http://docs.info.apple.com/article.html?artnum=303737>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
____________________________________________________________________
These vulnerabilities were reported in Apple Security Update 2006-003.
Please see the Vulnerability Notes for individual reporter
acknowledgements.
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-132A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-132A Feedback VU#519473" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 12, 2006: Initial release
VAR-200509-0284 | CVE-2005-3084 | Sony PSP firmware TIFF Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the TIFF library in the Photo Viewer for Sony PSP 2.0 firmware allows remote attackers to cause a denial of service via a crafted TIFF image. PSP is prone to a denial-of-service vulnerability. The full name of PSP is PlayStation Portable, which is a new handheld game console developed by SONY.
----------------------------------------------------------------------
Are you interested in a new job in IT security?
Secunia has two open positions as Junior and Senior Specialist in IT
Security:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Sony PSP Photo Viewer TIFF File Handling Buffer Overflow
SECUNIA ADVISORY ID:
SA16922
VERIFY ADVISORY:
http://secunia.com/advisories/16922/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From remote
OPERATING SYSTEM:
Sony PSP (PlayStation Portable)
http://secunia.com/product/5764/
DESCRIPTION:
A vulnerability has been reported in Sony PSP, which potentially can
be exploited by malicious people to compromise a user's system.
This may be related to:
SA15320
The vulnerability has been reported in firmware version 2.0. Other
versions may also be affected.
SOLUTION:
Do not open untrusted TIFF files.
ORIGINAL ADVISORY:
http://pspupdates.qj.net/2005/09/20-overflow-found-and-working.html
OTHER REFERENCES:
SA15320
http://secunia.com/advisories/15320/
VAR-200512-0322 | CVE-2005-4827 | Microsoft Internet Explorer XmlHttpRequest Parameter validation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Internet Explorer 6.0, and possibly other versions, allows remote attackers to bypass the same origin security policy and make requests outside of the intended domain by calling open on an XMLHttpRequest object (Microsoft.XMLHTTP) and using tab, newline, and carriage return characters within the first argument (method name), which is supported by some proxy servers that convert tabs to spaces. NOTE: this issue can be leveraged to conduct referer spoofing, HTTP Request Smuggling, and other attacks. Microsoft Internet Explorer is prone to a weakness that permits the injection of arbitrary HTTP requests due to improper verification of parameters passed to XmlHttpRequest.
An attacker may craft a website that instantiates the affected control and forces the browser to request a site on the same host (or another host if a forwarding proxy is employed). The attacker would then intercept the response and steal sensitive data to aid in further attacks.
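The root cause above is that the method string passed to `open()` reached the request line without being checked against the HTTP token grammar. As an added example that is not part of the advisory or of any vendor's code, the following validator rejects a method containing the request-line delimiters the entry names (tab, CR, LF, and also SP), which is the check an XHR implementation or a proxy would apply before serialising the request; the sample values in `__main__` are constructed.

```python
import re

# An HTTP method is a "token" (RFC 7230, section 3.2.6): one or more tchars.
# SP, HTAB, CR and LF are not tchars, so a method containing them cannot be
# written onto a request line without corrupting the line's structure, which
# is exactly what a tab-to-space converting proxy then turned into an extra
# request line.
_TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DELIMITER_NAMES = {"\t": "HTAB", "\r": "CR", "\n": "LF", " ": "SP"}


def is_valid_method(method):
    """True if `method` is a syntactically valid HTTP method token."""
    return isinstance(method, str) and _TCHAR_RE.fullmatch(method) is not None


def check_method(method):
    """Validate a method as an XMLHttpRequest `open()` implementation should,
    before the value can reach the request line.

    Returns {"ok": True} for a clean token, otherwise {"ok": False,
    "reasons": [...]} naming each offending delimiter, so a caller or a log
    reviewer can see why the value was rejected.
    """
    if not isinstance(method, str) or method == "":
        return {"ok": False, "reasons": ["empty method"]}
    found = [name for ch, name in _DELIMITER_NAMES.items() if ch in method]
    reasons = [f"request-line delimiter {name} in method" for name in found]
    if not found and not is_valid_method(method):
        reasons.append("non-token character in method")
    return {"ok": True} if not reasons else {"ok": False, "reasons": reasons}


def build_request_line(method, target, version="HTTP/1.1"):
    """Serialise a request line, refusing any method that fails check_method.

    Raising here is the mitigation for the bug class in the advisory: the
    browser serialised whatever string it was given, leaving a downstream
    proxy to reinterpret the embedded delimiters.
    """
    verdict = check_method(method)
    if not verdict["ok"]:
        raise ValueError("; ".join(verdict["reasons"]))
    return f"{method} {target} {version}\r\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for candidate in ("GET", "GET\tHTTP/1.1", "GE T", "GET/"):
        print(repr(candidate), "->", check_method(candidate))
```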
VAR-200509-0144 | CVE-2005-3027 | Sybari Antigen Filter rule bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Sybari Antigen 8.0 SR2 does not properly filter SMTP messages, which allows remote attackers to bypass custom filter rules and send file attachments of arbitrary file types via a message with a subject of "Antigen forwarded attachment". Sybari Antigen for Exchange/SMTP products are vulnerable to an attachment rule bypass vulnerability.
A successful attack may result in arbitrary attachments and unwanted content being delivered to users. It should be noted that this issue does not disable or bypass antivirus scanning of attachments.
Sybari Antigen v8.0 SR2 for Exchange and Sybari Antigen v8.0 SR2 for SMTP Gateways are reportedly vulnerable. Other versions may be affected as well. Sybari Antigen is a multi-scanning engine solution that integrates eight different scanning engines from detection to execution in a single product, providing a higher level of security protection against today's malicious code attacks.
TITLE:
Antigen for Exchange "Antigen forwarded attachment" Filter Bypass
SECUNIA ADVISORY ID:
SA16759
VERIFY ADVISORY:
http://secunia.com/advisories/16759/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From remote
SOFTWARE:
Antigen 8.x
http://secunia.com/product/5731/
DESCRIPTION:
Alan G.
The vulnerability is caused due to a design error in the processing
of mails with the subject "Antigen forwarded attachment". This can be
exploited to bypass certain custom filters for file attachments.
The vulnerability has been reported in version 8.0 SR2.
Some other issues which may be security related have also been
reported by the vendor.
SOLUTION:
Update to version 8.0 SR3 for Exchange (Build 1517).
http://www.sybari.com/portal/alias__Rainbow/lang__en-US/tabID__3359/DesktopDefault.aspx
PROVIDED AND/OR DISCOVERED BY:
Alan G. Monaghan, Gardner Publications, Inc
VAR-200509-0369 | No CVE | Cisco IOS EIGRP Goodbye Message Denial Of Service and Unauthorized Access Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Cisco IOS is vulnerable to a denial-of-service and unauthorized-access vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions in the EIGRP implementation of selective neighbors and potentially intercept, modify, and redirect messages.
Cisco is tracking this vulnerability as bug id CSCsc13698.
VAR-200509-0135 | CVE-2005-3018 | Apple Safari Remote denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Safari allows remote attackers to cause a denial of service (application crash) via a crafted data:// URL. Apple Safari is prone to a memory corruption vulnerability. This issue is exposed when the browser opens specific 'data:' URIs, causing the browser to crash.
Though unconfirmed, this vulnerability could be exploitable to execute arbitrary code. Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems.
TITLE:
Safari "data:" URI Handler Denial of Service Weakness
SECUNIA ADVISORY ID:
SA16875
VERIFY ADVISORY:
http://secunia.com/advisories/16875/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Jonathan Rockway has discovered a weakness in Safari, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The weakness is caused due to an error in the processing of URLs in
the "data:" URI handler. This can be exploited to crash a vulnerable
browser via e.g. an image tag referencing a specially crafted "data:"
URL.
Example:
data://<h1>crash</h1>
The weakness has been confirmed in version 2.0 (412.2). Other
versions may also be affected.
SOLUTION:
Do not browse untrusted web sites.
PROVIDED AND/OR DISCOVERED BY:
Jonathan Rockway
VAR-200509-0133 | CVE-2005-3016 | PHP-Nuke WYSIWYG Multiple unspecified vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the WYSIWYG editor in PHP-Nuke before 7.9 Final have unknown impact and attack vectors. PHP-Nuke is prone to a remote security vulnerability. PHP-Nuke is a professional content management system (CMS). It is a complete solution suitable for anyone who wants to build their own portal website, and includes news management, advertisement management, a forum system, a voting system, an FAQ system, an IP shielding system, a knowledge encyclopedia, an e-newsletter, etc.
TITLE:
PHP-Nuke Unspecified wysiwyg Editor Vulnerabilities
SECUNIA ADVISORY ID:
SA16843
VERIFY ADVISORY:
http://secunia.com/advisories/16843/
CRITICAL:
Moderately critical
IMPACT:
Unknown
WHERE:
From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Some potential vulnerabilities have been reported in PHP-Nuke with
unknown impacts.
SOLUTION:
Update to version 7.9.
http://www.phpnuke.org/modules.php?name=Release
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.phpnuke.org/modules.php?name=News&file=article&sid=7435
VAR-200509-0051 | CVE-2005-2984 | Avocent CCM Port Access Restriction Bypass Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Avocent CCM console server running firmware 2.1 CCM4850 allows remote authenticated attackers to bypass port restrictions by connecting to the server via SSH and using the connect command to access the serial port. Avocent CCM is prone to a vulnerability that permits the bypass of access control to privileged ports. This issue is due to a failure in the application to perform proper authorization before granting access to internal functions.
An attacker can exploit this vulnerability to bypass access control and gain privileged access to ports and devices connected to the vulnerable appliance. Avocent CCM is a multi-computer controller.
TITLE:
Avocent CCM Port Access Control Bypass Vulnerability
SECUNIA ADVISORY ID:
SA16836
VERIFY ADVISORY:
http://secunia.com/advisories/16836/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From remote
OPERATING SYSTEM:
Avocent CCM XX50
http://secunia.com/product/5714/
DESCRIPTION:
Dirk Wetter has reported a vulnerability in Avocent CCM, which can be
exploited by malicious users to bypass certain security restrictions.
The vulnerability has been reported in CCM4850 with firmware 2.1.
SOLUTION:
Update to firmware version 2.3.
ftp://ftp.avocent.com/public/product-upgrades/$ds1800/CCMx50%20Series/CCMx50%27s_AV_2.3/
PROVIDED AND/OR DISCOVERED BY:
Dirk Wetter
ORIGINAL ADVISORY:
http://drwetter.org/cs-probs/avocent-sshbug.txt
VAR-200509-0223 | CVE-2005-2799 | Linksys WRT54G apply.cgi Buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request. WRT54G v1.0 is prone to a remote security vulnerability.
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may cause a denial-of-service condition.
Linksys WRT54G Router Remote Administration apply.cgi Buffer Overflow
Vulnerability
iDEFENSE Security Advisory 09.13.05
www.idefense.com/application/poi/display?id=305&type=vulnerabilities
September 13, 2005
I. BACKGROUND
The Linksys WRT54G is a combination wireless access point, switch and
router. More information is available at the following URL:
http://www.linksys.com/products/product.asp?prid=508
II.
The vulnerability specifically exists in the 'apply.cgi' handler of the
httpd running on the internal interfaces, which by default include the
wireless interface. This handler is used by many of the
configuration pages to perform the configuration management of the
router.
III. ANALYSIS
This could allow any operation to be
performed on the router, including changing passwords and firewall
configuration, installation of new firmware with other features, or
denial of service. Exploitation of this vulnerability requires that an
attacker can connect to the web management port of the router. The
httpd is running by default but is only accessible via the LAN ports or
the WLAN (wireless LAN). An attacker who can associate via the wireless
interface to the network running a vulnerable httpd could send an
exploit from a wireless device, and so not require direct physical
access to an affected network. Additionally, if the httpd is configured
to listen on the WAN (internet) interface, this vulnerability would be
exploitable remotely over the internet.
On some versions of the WRT54G firmware the buffer used to store the
POST input, 'post_buf', is before a structure in memory containing
pointers to the 'mime_handlers' structure, which contains function
pointers for handling the various types of input. By overwriting this
structure so some function pointers point into post_buf, it is possible
to execute arbitrary commands. Overwriting these values with nulls will
prevent access to the httpd on the system until the router is
restarted. Overwriting these values with 'garbage' values will cause
the httpd to crash but it will be restarted by a system monitoring
process within 2 minutes, allowing multiple exploitation attempts.
Although authentication checks are performed on access to this page, the
code which reads in the buffer is executed even if authentication fails,
so as to clear the input buffer from the client before returning an
error message. This may allow an unauthenticated user to exploit the
vulnerability.
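The layout and copy sequence described above, shown as an added illustration of the bug class. This is constructed demo code, not the WRT54G httpd source: the 64-byte buffer, the 'mime_handler' field names, the 'apply_cgi_*' functions, the status codes and the 'A'-filled request body are all assumptions. It places 'post_buf' directly before a table of function pointers, copies the body with the client-supplied length before acting on the authentication result, and sets a hardened variant beside it.

```c
/* Constructed demo of the bug class described above (not WRT54G firmware code).
 * post_buf sits directly before a table of handler function pointers, the body
 * copy trusts Content-Length, and the body is buffered before the result of the
 * authentication check is honoured. A hardened variant is shown alongside. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POST_BUF_SIZE 64   /* assumption: kept small so the demo overruns quickly */

/* Stand-in for the handler table; the field names are assumptions. */
struct mime_handler {
    void (*input)(const char *body, size_t len);
    void (*output)(const char *path);
};

/* One contiguous memory image: post_buf first, handler table immediately after,
 * mirroring the layout the advisory describes. Keeping both in one array keeps
 * the overrun defined behaviour for this demo. */
struct httpd_mem {
    unsigned char bytes[POST_BUF_SIZE + sizeof(struct mime_handler)];
};

static void benign_input(const char *body, size_t len) { (void)body; (void)len; }
static void benign_output(const char *path) { (void)path; }

static void httpd_init(struct httpd_mem *m) {
    struct mime_handler h = { benign_input, benign_output };
    memset(m->bytes, 0, sizeof m->bytes);
    memcpy(m->bytes + POST_BUF_SIZE, &h, sizeof h);
}

/* True if the handler table still holds the original function pointers. */
static bool handler_intact(const struct httpd_mem *m) {
    struct mime_handler h;
    memcpy(&h, m->bytes + POST_BUF_SIZE, sizeof h);
    return h.input == benign_input && h.output == benign_output;
}

/* Vulnerable pattern: the body is copied into post_buf with the client-supplied
 * length before the authentication result is acted on. */
static int apply_cgi_vulnerable(struct httpd_mem *m, bool authenticated,
                                const char *body, size_t content_length) {
    unsigned char *post_buf = m->bytes;
    memcpy(post_buf, body, content_length);   /* unbounded: runs into the handler table */
    return authenticated ? 200 : 401;
}

/* Hardened pattern: refuse before buffering anything, then bound the copy.
 * (A real server would drain the rejected body in fixed-size chunks without
 * storing it, so the connection can still be reused.) */
static int apply_cgi_hardened(struct httpd_mem *m, bool authenticated,
                              const char *body, size_t content_length) {
    unsigned char *post_buf = m->bytes;
    if (!authenticated)
        return 401;
    if (content_length > POST_BUF_SIZE - 1)
        return 413;                           /* Payload Too Large */
    memcpy(post_buf, body, content_length);
    post_buf[content_length] = '\0';
    return 200;
}

/* Send a body of body_len filler bytes ('A') to one of the two handlers.
 * Returns the HTTP status, or -1 if the request corrupted the handler table
 * (0x41414141... would then be dispatched as a function pointer). */
int run_case(bool hardened, bool authenticated, size_t body_len) {
    char body[256];
    struct httpd_mem m;
    if (body_len > sizeof body)
        return -2;
    memset(body, 'A', body_len);              /* constructed input, not a real exploit */
    httpd_init(&m);
    int rc = hardened ? apply_cgi_hardened(&m, authenticated, body, body_len)
                      : apply_cgi_vulnerable(&m, authenticated, body, body_len);
    return handler_intact(&m) ? rc : -1;
}

int main(void) {
    size_t oversize = POST_BUF_SIZE + sizeof(struct mime_handler);
    printf("vulnerable, unauthenticated, oversize: %d\n", run_case(false, false, oversize));
    printf("hardened,   unauthenticated, oversize: %d\n", run_case(true, false, oversize));
    printf("hardened,   authenticated,   oversize: %d\n", run_case(true, true, oversize));
    printf("hardened,   authenticated,   normal:   %d\n", run_case(true, true, 10));
    return 0;
}
```

The unauthenticated case is the one the advisory singles out: in the vulnerable path the overrun has already happened by the time the 401 is produced, so the authentication check buys nothing. The hardened handler returns before touching the buffer and also refuses any body that would not fit, which is the same check a firmware reviewer should look for in any third-party httpd derived from the same reference code.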
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in version
3.01.03 of the firmware of the Linksys WRT54G, and has identified the
same code is present in version 3.03.6. All versions prior to 4.20.7 may
be affected.
As this firmware is open source and based on a reference implementation
supplied by the original hardware maker, third-party firmware that uses
the same or similar code may also be affected.
V. WORKAROUND
In order to mitigate exposure of the internal network to outside
attackers, ensure encryption is enabled on the wireless interface. The
exact settings to use are dependent on your wireless deployment
policies.
VI. VENDOR RESPONSE
This vulnerability is addressed in firmware version 4.20.7 available for
download at:
http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Download_C2%26cid%3D1115417109974%26sku%3D1124916802645&pagename=Linksys%2FCommon%2FVisitorWrapper
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2799 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/07/2005 Initial vendor notification
06/07/2005 Initial vendor response
09/13/2005 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Greg MacManus of iDEFENSE Labs.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200512-0910 | CVE-2005-4715 | PHP-Nuke modules.php Multiple SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) sid, and (3) pid parameters in a POST request, which bypasses security checks that are performed for GET requests. PHP-Nuke is prone to a sql-injection vulnerability.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. There are multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8. When magic_quotes_gpc is disabled, a remote attacker can execute arbitrary SQL commands by supplying the affected parameters in a POST request; such requests bypass the security checks that are performed only for GET requests.
TITLE:
PHP-Nuke SQL Injection Vulnerabilities
SECUNIA ADVISORY ID:
SA16801
VERIFY ADVISORY:
http://secunia.com/advisories/16801/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data
WHERE:
From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Robin Verton has discovered some vulnerabilities in PHP-Nuke, which
can be exploited by malicious people to conduct SQL injection
attacks. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
The vulnerabilities have been confirmed in version 7.7. Version 7.8
and prior versions are reportedly also affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Robin Verton