VARIoT IoT vulnerabilities database

Unspecified vulnerability in the VLAN Trunking Protocol (VTP) feature in Cisco IOS 12.1(22)EA3 on Catalyst 2950T switches allows remote attackers to cause a denial of service (device reboot) via a crafted Subset-Advert message packet, a different issue than CVE-2006-4774, CVE-2006-4775, and CVE-2006-4776. The VLAN Trunking Protocol (VTP) is Cisco's proprietary protocol for centralized management of VLANs.  If a malformed VTP packet is received, some switch devices may be overloaded. However, an attacker must know the VTP domain name and send malformed VTP packets to the port configured for relay on the switch to exploit this vulnerability. Multiple Cisco switches are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause affected devices to restart, effectively denying service to legitimate users. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco IOS VTP Denial of Service Vulnerability SECUNIA ADVISORY ID: SA23892 VERIFY ADVISORY: http://secunia.com/advisories/23892/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Cisco IOS 12.x http://secunia.com/product/182/ Cisco IOS R12.x http://secunia.com/product/50/ DESCRIPTION: David Barroso Berrueta and Alfredo Andres Omella have reported a vulnerability in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). This can be exploited to cause a device to reload by sending a specially crafted VTP packet. Successful exploitation requires knowledge of the VTP domain name and the port that is configured for trunking. PROVIDED AND/OR DISCOVERED BY: Alfredo Andres Omella and David Barroso Berrueta, S21SEC ORIGINAL ADVISORY: Cisco Advisory: http://www.cisco.com/en/US/products/products_security_response09186a00807d1a81.html 21SEC Advisory: http://www.s21sec.com/es/avisos/s21sec-034-en.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The network interface for Apple AirPort Express 6.x before Firmware Update 6.3, and AirPort Extreme 5.x before Firmware Update 5.7, allows remote attackers to cause a denial of service (unresponsive interface) via malformed packets. The Apple AirPort device is a wireless access point that provides 802.11 services to network clients.  A denial of service vulnerability exists in Apple AirPort. A malicious network attacker can send a specially crafted message, causing the network interface of the AirPort base station to stop responding. This occurs when the device handles malformed packets. Specific details regarding this issue are not currently known. This record will be updated when more information becomes available. AirPort Express firmware versions prior to 6.3 and AirPort Extreme firmware versions prior to 5.7 are vulnerable. The vulnerability is caused due to an unspecified error in the base station when handling certain network packets. SOLUTION: Apply updated firmware. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303072 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Credit to Michael Zanetta of NETwork Security Consortium for reporting this issue

The SISCO OSI stack for Windows, as used by MMS-EASE 7.10 and earlier, AX-S4 MMS 5.01 and earlier, AX-S4 ICCP 3.0103 and earlier, and the ICCP Toolkit for MMS-EASE 4.10 and earlier, allows remote attackers to cause a denial of service (process crash) via certain network traffic, as demonstrated using a Nessus scan. A vulnerability exists in the SISCO OSI stack for Windows. If successfully exploited, an attacker could cause a denial-of-service condition. The Inter-control Center Communications Protocol (ICCP) is a protocol for communicating data in the control center of a SCADA network. A remote attacker can exploit the vulnerability to perform a denial of service attack on the service. The SISCO OSI stack on the Windows platform incorrectly handles malformed packets, and remote unauthenticated users can perform denial of service attacks on services. This issue allows remote, unauthenticated attackers to crash affected applications, denying further service to legitimate users. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/quality_assurance_analyst/ http://secunia.com/web_application_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: SISCO OSI Stack Denial of Service Vulnerability SECUNIA ADVISORY ID: SA22047 VERIFY ADVISORY: http://secunia.com/advisories/22047/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: SISCO MMS-EASE 7.x http://secunia.com/product/12072/ SISCO ICCP Toolkit for MMS-EASE 4.x http://secunia.com/product/12073/ SISCO AX-S4 MMS 5.x http://secunia.com/product/12071/ SISCO AX-S4 ICCP 3.x http://secunia.com/product/12070/ DESCRIPTION: A vulnerability has been reported in various SISCO products, which can be exploited by malicious people to cause a DoS (Denial of Service). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: SISCO: http://www.sisconet.com/downloads/NESSUS_Vulnerability_Announcement.pdf OTHER REFERENCES: US-CERT VU#468798: http://www.kb.cert.org/vuls/id/468798 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Drivers for certain display adapters, including (1) an unspecified ATI driver and (2) an unspecified Intel driver, might allow remote attackers to cause a denial of service (system crash) via a large JPEG image, as demonstrated in Internet Explorer using stoopid.jpg with a width and height of 9999999. Display Adapter Driver is prone to a denial-of-service vulnerability

Unspecified vulnerability in the Mac OS X kernel before 10.3.8 allows local users to cause a denial of service (temporary hang) via unspecified attack vectors related to the fan control unit (FCU) driver. There is an unknown vulnerability in the Mac OS X kernel before 10.3.8

Mac OS X 10.4.3 up to 10.4.6, when loginwindow uses the "Name and password" setting, and the "Show the Restart, Sleep, and Shut Down buttons" option is disabled, allows users with physical access to bypass login and reboot the system by entering ">restart", ">power", or ">shutdown" sequences after the username. Apple Mac OS X Server is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users

Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field. Apple's QuickTime is a player for files and streaming media in a variety of different formats. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted QTIF (QuickTime Image) file. A successful attack can result in a remote compromise. Apple QuickTime is prone to a buffer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data before copying it to finite-sized process buffers. Unsuccessful exploit attempts will most likely crash the application. This issue affects QuickTime 6.5.2 and 7.0.3; other versions may also be vulnerable. QuickTime 7.0.4 may also be vulnerable, but this has not been confirmed. This issue may have previously been discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities). Quicktime will copy to the stack byte by byte when processing the data field of the qtif format file, but it does not perform the correct check, so it will cause a stack overflow in memory. The original function pointer value is 0x44332211. Just overflow it to 0x08332211 and make sure it doesn't crash before overflowing 0x44 to 0x08, and the code will execute. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----

Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a TIFF image file with modified (1) "strips" (StripByteCounts) or (2) "bands" (StripOffsets) values. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A successful attack can result in a remote compromise. NOTE: This issue was previously discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities), but has been assigned its own record to better document the vulnerability. Apple QuickTime is prone to multiple remote code-execution vulnerabilities. These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats. Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access. Versions prior to QuickTime 7.0.4 are vulnerable. TITLE: QuickTime Multiple Image/Media File Handling Vulnerabilities SECUNIA ADVISORY ID: SA18370 VERIFY ADVISORY: http://secunia.com/advisories/18370/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. 1) A boundary error in the handling of QTIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious QTIF image is viewed. 2) Some boundary and integer overflow/underflow errors in the handling of TGA images can be exploited to cause a buffer overflow. 3) An integer overflow error exists in the handling of TIFF images. This can potentially be exploited to execute arbitrary code when a malicious TIFF image is viewed. 4) A boundary error in the handling of GIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious media file is viewed. The vulnerabilities affect both the Mac OS X and the Windows platforms. SOLUTION: Update to version 7.0.4. Mac OS X (version 10.3.9 or later): http://www.apple.com/support/downloads/quicktime704.html Windows 2000/XP: http://www.apple.com/quicktime/download/win.html PROVIDED AND/OR DISCOVERED BY: 1) Varun Uppal, Kanbay. 2-3) Dejun Meng, Fortinet. 4-5) Karl Lynn, eEye Digital Security. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303101 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This is due to application failure to sanitize the parameter StripByteCounts while parsing TIFF image files. A remote attacker could construct a web page with specially crafted tiff file and entice a victim to view it, when the user opens the TIFF image with Internet Explorer or Apple QuickTime Player, it'll cause memory access violation, and leading to potential Arbitrary Command Execution. Impact : Execute arbitrary code Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability

Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a TIFF image file with modified image height and width (ImageWidth) tags. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple From QuickTime Version that fixes multiple vulnerabilities in 7.0.4 Has been released.Arbitrary code may be executed by a remote third party, DoS You can be attacked. For more information, see the information provided by the vendor. QuickTime is prone to a remote integer-overflow vulnerability. This issue presents itself when the application processes a specially crafted TIFF file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable. Fortinet Security Advisory: FSA-2006-03 Apple QuickTime Player ImageWidth Denial of Service Vulnerability Advisory Date : January 12, 2006 Reported Date : November 28, 2005 Vendor : Apple computers Affected Products : Apple QuickTime Player v7.0.3 Severity : Medium Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710 http://docs.info.apple.com/article.html?artnum=303101 http://www.securityfocus.com/bid/16202/info Description : Fortinet Security Research Team (FSRT) has discovered a Denial of Service Vulnerability in the Apple QuickTime Player. This is due to application failure to sanitize the parameter ImageWidth value while parsing TIFF image files. Impact : Denial of Service Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. Description Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----

Buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via crafted TGA image files. Apple's QuickTime is a player for files and streaming media in a variety of different formats. For more information, see the information provided by the vendor. QuickTime is prone to a remote buffer-overflow vulnerability. This issue presents itself when the application processes a specially crafted TGA image file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable. Fortinet Security Advisory: FSA-2006-04 Apple QuickTime Player Improper Memory Access Vulnerability Advisory Date : January 12, 2006 Reported Date : November 28, 2005 Vendor : Apple computers Affected Products : Apple QuickTime Player v7.0.3 Severity : High Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707 http://docs.info.apple.com/article.html?artnum=303101 http://www.securityfocus.com/bid/16202/info Description : Fortinet Security Research Team (FSRT) has discovered a Improper Memory Access Vulnerability in the Apple QuickTime Player. Impact : Execute arbitrary code Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability. Disclaimer : Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. Description Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----

Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via crafted TGA image files. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple QuickTime is prone to multiple remote code-execution vulnerabilities. These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats. Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access. Versions prior to QuickTime 7.0.4 are vulnerable. A successful attack can result in a remote compromise. NOTE: This issue was previously discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities), but has been assigned its own record to better document the vulnerability. TITLE: QuickTime Multiple Image/Media File Handling Vulnerabilities SECUNIA ADVISORY ID: SA18370 VERIFY ADVISORY: http://secunia.com/advisories/18370/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. 1) A boundary error in the handling of QTIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious QTIF image is viewed. 2) Some boundary and integer overflow/underflow errors in the handling of TGA images can be exploited to cause a buffer overflow. 3) An integer overflow error exists in the handling of TIFF images. This can potentially be exploited to execute arbitrary code when a malicious TIFF image is viewed. 4) A boundary error in the handling of GIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious media file is viewed. The vulnerabilities affect both the Mac OS X and the Windows platforms. SOLUTION: Update to version 7.0.4. Mac OS X (version 10.3.9 or later): http://www.apple.com/support/downloads/quicktime704.html Windows 2000/XP: http://www.apple.com/quicktime/download/win.html PROVIDED AND/OR DISCOVERED BY: 1) Varun Uppal, Kanbay. 2-3) Dejun Meng, Fortinet. 4-5) Karl Lynn, eEye Digital Security. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303101 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This is due to application failure to sanitize the parameter ImageWidth value while parsing TGA image files. Impact : Execute arbitrary code Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability. Disclaimer : Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Integer underflow in Apple Quicktime before 7.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Color Map Entry Size in a TGA image file. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple QuickTime is prone to multiple remote code-execution vulnerabilities. These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats. Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access. Versions prior to QuickTime 7.0.4 are vulnerable. A successful attack can result in a remote compromise. NOTE: This issue was previously discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities), but has been assigned its own record to better document the vulnerability. Fortinet Security Advisory: FSA-2006-06 Apple QuickTime Player Color Map Entry Size Buffer Overflow Advisory Date : January 12, 2006 Reported Date : November 28, 2005 Vendor : Apple computers Affected Products : Apple QuickTime Player v7.0.3 Severity : High Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3709 http://docs.info.apple.com/article.html?artnum=303101 http://www.securityfocus.com/bid/16202/info Description : Fortinet Security Research Team (FSRT) has discovered a Buffer Overflow Vulnerability in the Apple QuickTime Player. This is due to application failure to sanitize the parameter Color Map Entry Size while parsing TGA image files. Impact : Execute arbitrary code Solution : Apple Computers has released a security update for this vulnerability, which is available for downloading from Apples's web site under security update. Fortinet Protection: Fortinet is protecting network from this vulnerability with latest IPS update. Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability. Disclaimer : Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . TITLE: QuickTime Multiple Image/Media File Handling Vulnerabilities SECUNIA ADVISORY ID: SA18370 VERIFY ADVISORY: http://secunia.com/advisories/18370/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. 1) A boundary error in the handling of QTIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious QTIF image is viewed. 2) Some boundary and integer overflow/underflow errors in the handling of TGA images can be exploited to cause a buffer overflow. 3) An integer overflow error exists in the handling of TIFF images. This can potentially be exploited to execute arbitrary code when a malicious TIFF image is viewed. 4) A boundary error in the handling of GIF images can be exploited to cause a heap-based buffer overflow. This may allow arbitrary code execution when a malicious media file is viewed. The vulnerabilities affect both the Mac OS X and the Windows platforms. SOLUTION: Update to version 7.0.4. Mac OS X (version 10.3.9 or later): http://www.apple.com/support/downloads/quicktime704.html Windows 2000/XP: http://www.apple.com/quicktime/download/win.html PROVIDED AND/OR DISCOVERED BY: 1) Varun Uppal, Kanbay. 2-3) Dejun Meng, Fortinet. 4-5) Karl Lynn, eEye Digital Security. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303101 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Interpretation conflict in Fortinet FortiGate 2.8, running FortiOS 2.8MR10 and v3beta, allows remote attackers to bypass the URL blocker via an (1) HTTP request terminated with a line feed (LF) and not carriage return line feed (CRLF) or (2) HTTP request with no Host field, which is still processed by most web servers without violating RFC2616. Fortinet FortiGate is prone to a vulnerability that could allow users to bypass the device's URL filtering. FortiGate devices running FortiOS v2.8MR10 and v3beta are vulnerable to this issue. Other versions may also be affected. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. TITLE: FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities SECUNIA ADVISORY ID: SA18844 VERIFY ADVISORY: http://secunia.com/advisories/18844/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/ Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/ DESCRIPTION: Mathieu Dessus has reported two vulnerabilities in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions. 1) The URL blocking functionality can be bypassed by specially-crafted HTTP requests that are terminated by the CR character instead of the CRLF characters. It is also possible to bypass the functionality via a HTTP/1.0 request with no host header. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. 2) The virus scanning functionality can be bypassed when sending files over FTP under certain conditions. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. SOLUTION: Do not rely on URL blocking as the only means of blocking users' access. Desktop-based on-access virus scanners should be used together with server-based virus scanners. PROVIDED AND/OR DISCOVERED BY: Mathieu Dessus ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042139.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042140.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The FTP component in FortiGate 2.8 running FortiOS 2.8MR10 and v3beta, and other versions before 3.0 MR1, allows remote attackers to bypass the Fortinet FTP anti-virus engine by sending a STOR command and uploading a file before the FTP server response has been sent, as demonstrated using LFTP. Fortinet FortiGate is reportedly prone to a vulnerability that allows an attacker to bypass antivirus protection. This issue is said to occur when files are transferred using the FTP protocol under certain conditions. FortiGate devices running FortiOS v2.8MR10 and v3beta are affected by this issue. Other versions may also be vulnerable. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. The FTP component of Fortinet FortiGate cannot properly filter and check files. TITLE: FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities SECUNIA ADVISORY ID: SA18844 VERIFY ADVISORY: http://secunia.com/advisories/18844/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/ Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/ DESCRIPTION: Mathieu Dessus has reported two vulnerabilities in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions. 1) The URL blocking functionality can be bypassed by specially-crafted HTTP requests that are terminated by the CR character instead of the CRLF characters. It is also possible to bypass the functionality via a HTTP/1.0 request with no host header. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. The vulnerability has been reported in FortiOS v2.8MR10 and v3beta. SOLUTION: Do not rely on URL blocking as the only means of blocking users' access. Desktop-based on-access virus scanners should be used together with server-based virus scanners. PROVIDED AND/OR DISCOVERED BY: Mathieu Dessus ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042139.html http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042140.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a GIF image file with a crafted Netscape Navigator Application Extension Block that modifies the heap in the Picture Modifier block. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system. Apple From QuickTime Version that fixes multiple vulnerabilities in 7.0.4 Has been released.Arbitrary code may be executed by a remote third party, DoS You can be attacked. For more information, see the information provided by the vendor. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted GIF image file. A successful attack can result in a remote compromise. Versions prior to QuickTime 7.0.4 are vulnerable. This flaw has proven to allow for reliable control of data on the heap chunk and can be exploited via a web site by using ActiveX controls. The heap can be overwritten in the Picture Modifier block. The block size calculate code such as: .text:66A339CC mov ax, [esi+0Ch] .text:66A339D0 xor ecx, ecx .text:66A339D2 mov [esp+34h+var_28], ecx .text:66A339D6 mov [esp+34h+var_24], ecx .text:66A339DA mov [esp+34h+var_20], ecx .text:66A339DE mov [esp+34h+var_1C], ecx .text:66A339E2 mov word ptr [esp+34h+var_10], cx .text:66A339E7 mov [esp+34h+arg_4], eax .text:66A339EB movsx eax, ax .text:66A339EE mov word ptr [esp+34h+var_10+2], cx .text:66A339F3 mov cx, [esi+8] .text:66A339F7 movsx edx, cx .text:66A339FA sub eax, edx .text:66A339FC movsx edx, word ptr [esi+6] .text:66A33A00 add eax, 3Eh .text:66A33A03 push edi .text:66A33A04 movsx edi, word ptr [esi+0Ah] .text:66A33A08 sar eax, 3 .text:66A33A0B lea ebx, [esi+6] .text:66A33A0E and eax, 0FFFFFFFCh .text:66A33A11 sub edi, edx .text:66A33A13 movsx edx, ax .text:66A33A16 mov [esi+4], ax .text:66A33A1A imul edi, edx The allocate code is : .text:66A33A68 push edi .text:66A33A69 call sub_668B5B30 But when it real process data to this memory, it use real decode data to write this memory but didn\xa1\xaft check this heap size. This is segment of the write code function(sub_66AE0A70): .text:66AE0B18 movsx edx, word ptr [edi+12h] ; default .text:66AE0B1C imul edx, [edi+0Ch] .text:66AE0B20 mov ecx, [edi+4] .text:66AE0B23 inc word ptr [edi+16h] .text:66AE0B27 mov eax, [esp+arg_0] .text:66AE0B2B add edx, ecx .text:66AE0B2D mov [eax], edx .text:66AE0B2F mov eax, [ebp+10h] .text:66AE0B32 test eax, eax .text:66AE0B34 jz short loc_66AE0B62 .text:66AE0B36 mov ax, [ebp+1Ch] .text:66AE0B3A mov edx, [ebp+0Ch] .text:66AE0B3D movzx cx, ah .text:66AE0B41 mov ch, al .text:66AE0B43 mov [edx], cx .text:66AE0B46 movsx eax, word ptr [edi+12h] .text:66AE0B4A imul eax, [ebp+14h] .text:66AE0B4E add eax, [ebp+10h] .text:66AE0B51 mov cx, [ebp+18h] .text:66AE0B55 mov [ebp+0Ch], eax .text:66AE0B58 mov [ebp+1Ah], cx .text:66AE0B5C mov word ptr [ebp+1Ch], 0 Vendor Status: Apple has released a patch for this vulnerability. An attacker can create a qtif file and send it to the user via email, web page, or qtif file with activex and can directy overflow a function pointer immediately used so it can bypass any stack overflow protection in systems such as xp sp2 and 2003 sp1. Technical Details: When Quicktime processes the data field of a qtif format file, it will copy it to the stack by a byte to a byte , but there is no proper checking, so it will cause a stack overflow in memory. And in this stack, there is a function pointer which will be used immediately when it pre byte copies, so we can use it to bypass any stack overflow protection, such in xp sp2 and 2003 sp1. The origin function point value is 0x44332211. We only need to overflow it to : 0x08332211, ensuring it didn't cause a crash before the 0x44 has been overflowed to 0x08. When it overflows to 0x08332211, we can execute code to 0x08332211, and can first use javascript to get this memory and set my code in it. call [esp+138h+arg_4] <- call a function point in the stack, but this point can be overflowed References QuickTime: QuickTime File Format http://developer.apple.com/documentation/QuickTime/QTFF/index.html Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CVE-2005-2340. Credit: Discovery: Fang Xing Greetings: Thanks to all the guys at eEye, and especially Karl Lynn's help. Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. Description Apple QuickTime 7.0.4 resolves a number of image and media file handling vulnerabilities. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----

Multiple Check Point Zone Labs ZoneAlarm products before 7.0.362, including ZoneAlarm Security Suite 5.5.062.004 and 6.5.737, use insecure default permissions for critical files, which allows local users to gain privileges or bypass security controls. Multiple Check Point ZoneAlarm products are prone to local privilege-escalation vulnerabilities. An attacker can exploit these issues to gain elevated privileges and completely compromise an affected computer. These issues have been confirmed in: ZoneAlarm 6.5.737 ZoneAlarm Security Suite 5.5.062.004 and 6.5.737. Other versions are likely vulnerable as well. The following are vulnerable: - Versions prior to ZoneAlarm 7.0.362 - Zone Labs products that include 'vsdatant.sys' 6.5.737.0. ZoneAlarm is a personal computer firewall that protects personal data and privacy. The IOCTL handling code of the ZoneAlarm product vsdatant.sys device driver does not validate the userland-supplied addresses passed to IOCTL 0x8400000F and IOCTL 0x84000013. ---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: ZoneAlarm Products Insecure Directory Permissions and IOCTL Handler Privilege Escalation SECUNIA ADVISORY ID: SA26513 VERIFY ADVISORY: http://secunia.com/advisories/26513/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: ZoneAlarm 6.x http://secunia.com/product/5806/ ZoneAlarm 7.x http://secunia.com/product/13889/ ZoneAlarm 5.x http://secunia.com/product/4647/ ZoneAlarm Pro 5.x http://secunia.com/product/4280/ ZoneAlarm Pro 6.x http://secunia.com/product/6071/ ZoneAlarm Security Suite 5.x http://secunia.com/product/4272/ ZoneAlarm 2.x http://secunia.com/product/3056/ ZoneAlarm 3.x http://secunia.com/product/153/ ZoneAlarm 4.x http://secunia.com/product/150/ ZoneAlarm Anti-Spyware 6.x http://secunia.com/product/6073/ ZoneAlarm Antivirus 5.x http://secunia.com/product/4271/ ZoneAlarm Antivirus 6.x http://secunia.com/product/6074/ ZoneAlarm Internet Security Suite 6.x http://secunia.com/product/6072/ ZoneAlarm Plus 3.x http://secunia.com/product/3057/ ZoneAlarm Plus 4.x http://secunia.com/product/151/ ZoneAlarm Pro 2.x http://secunia.com/product/152/ ZoneAlarm Pro 3.x http://secunia.com/product/1960/ ZoneAlarm Pro 4.x http://secunia.com/product/1961/ ZoneAlarm Wireless Security 5.x http://secunia.com/product/4648/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in ZoneAlarm products, which can be exploited by malicious, local users to gain escalated privileges. 1) Insufficient address space verification within the 0x8400000F and 0x84000013 IOCTL handlers of vsdatant.sys and insecure permissions on the "\\.\vsdatant" device interface can be exploited to e.g. access the said IOCTL handlers and overwrite arbitrary memory and execute code with kernel privileges. SOLUTION: Update to version 7.0.362. http://www.zonealarm.com/store/content/catalog/download_buy.jsp?dc=12bms&ctry=US&lang=en PROVIDED AND/OR DISCOVERED BY: 1) Ruben Santamarta, reported via iDefense Labs. 2) Discovered by an anonymous person and reported via iDefense Labs. ORIGINAL ADVISORY: iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=584 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585 Reversemode: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . BACKGROUND Zone Alarm products provide security solutions such as anti-virus, firewall, spy-ware, and ad-ware protection. http://www.zonelabs.com/ II. The vulnerability specifically exists in the default file Access Control List (ACL) settings that are applied during installation. When an administrator installs any of the Zone Labs ZoneAlarm tools, the default ACL allows any user to modify the installed files. Some of the programs run as system services. This allows a user to simply replace an installed ZoneAlarm file with their own code that will later be executed with system-level privileges. III. ANALYSIS Exploitation allows local attackers to escalate privileges to the system level. It is also possible to use this vulnerability to simply disable protection by moving all of the executable files so that they cannot start on a reboot. IV. V. WORKAROUND Apply proper Access Control List settings to the directory that ZoneAlarm Security Suite is installed in. The ACL rules should make sure that no regular users can modify files in the directory. VI. http://www.zonealarm.com/store/content/catalog/products/trial_zaFamily/trial_zaFamily.jsp VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-2932 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 09/29/2005 Initial vendor notification 09/29/2005 Initial vendor response 10/19/2006 Second vendor notification 08/20/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Research in Motion (RIM) BlackBerry Router allows remote attackers to cause a denial of service (communication disruption) via crafted Server Routing Protocol (SRP) packets. The Blackberry Enterprise Server Router component is prone to a denial of service vulnerability. This could only be exploited by an attacker who can communicate with the Router. 1) An error exists in the Attachment Service when handling malformed TIFF image attachments. This can be exploited to prevent a BlackBerry user from viewing attachments. Successful exploitation requires that the attacker is able to connect to the BlackBerry Server/Router via port 3101/tcp. SOLUTION: The vendor recommends the following workaround. 1) Exclude TIFF images from being processed by the Attachment Service and/or disable the image attachment distiller. Refer to the vendor's original advisory for specific instructions. PROVIDED AND/OR DISCOVERED BY: FX, Phenoelit. ORIGINAL ADVISORY: http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167898 http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167895 OTHER REFERENCES: US-CERT VU#570768: http://www.kb.cert.org/vuls/id/570768 US-CERT VU#392920: http://www.kb.cert.org/vuls/id/392920 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Juniper NetScreen-Security Manager (NSM) 2004 FP2 and FP3 allow remote attackers to cause a denial of service (crash or hang of server components that are automatically restarted) via a long crafted string on (1) port 7800 (the GUI Server port) or (2) port 7801 (the Device Server port). Juniper NSM is prone to a remote denial of service vulnerability. A remote attacker may trigger a crash or hang in the server and deny service to legitimate users. It should be noted that the application ships with a watchdog service that periodically restarts the services. NSM 2004 FP2 and FP3 are reportedly vulnerable. NetScreen-Security Manager (NSM) is a security management platform that provides management and monitoring of devices, networks, and security configurations and policies. TITLE: Juniper NetScreen Security Manager Potential Denial of Service SECUNIA ADVISORY ID: SA18232 VERIFY ADVISORY: http://secunia.com/advisories/18232/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network SOFTWARE: NetScreen-Security Manager (NSM) 2004 http://secunia.com/product/2843/ DESCRIPTION: David Maciejak has reported a vulnerability in NetScreen Security Manager (NSM) which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error in "guiSrv" and "devSrv". This can be exploited to crash the service via specially crafted input sent to port 7800 and 7801. The vulnerability has been reported in NSM 2004 FP2 and FP3. Other versions may also be affected. SOLUTION: Update to version FP4r1 (2005.1). PROVIDED AND/OR DISCOVERED BY: David Maciejak ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Safari, LaunchServices, and/or CoreTypes in Apple Mac OS X 10.4 up to 10.4.5 allows attackers to trick a user into opening an application that appears to be a safe file type. NOTE: due to the lack of specific information in the vendor advisory, it is not clear how CVE-2006-0397, CVE-2006-0398, and CVE-2006-0399 are different. Apple Safari WebKit component is vulnerable to buffer overflow. This may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of automatic opening of downloaded files. Safari's default configuration allows files to be automatically opened after downloading a safe file. Due to this default configuration and inconsistencies in Safari and OS X's security files, Safari may execute arbitrary shell commands if a specially crafted page is viewed. TITLE: Mac OS X KHTMLParser Denial of Service Weakness SECUNIA ADVISORY ID: SA18220 VERIFY ADVISORY: http://secunia.com/advisories/18220/ CRITICAL: Not critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Tom Ferris has discovered a weakness in Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service). The weakness is caused due to an error in the KHTMLParser when parsing certain malformed HTML documents. This can be exploited to crash an application that uses the parser via a specially crafted HTML file. In certain cases, this may cause the system to become unresponsive. Other applications that use the parser may also be affected. SOLUTION: Do not open or follow links to HTML files from non-trusted sources. PROVIDED AND/OR DISCOVERED BY: Tom Ferris ORIGINAL ADVISORY: http://security-protocols.com/advisory/sp-x22-advisory.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension. Apple Safari WebKit component is vulnerable to buffer overflow. Mac OS X of Web browser Safari Contains an arbitrary code execution vulnerability in its default configuration. Safari Now, in the default settings, Resource forks Refer to the file type defined in .If the file type is image / video / compressed file, "Safe" file Will be processed automatically. This allows for crafted files "Safe" file There is a possibility that arbitrary code execution may be executed as a result. Exploit code that exploits this vulnerability has already been published.A remote third party could execute arbitrary code with the privileges of the logged-in user. If a user is logged in with an account with administrator privileges, the resulting vulnerable system could be completely controlled. Commands would be executed in the context of the user opening the archive file. Attackers can reportedly use Safari and Apple Mail as exploitation vectors for this vulnerability. Mac OS X 10.4.5 is reported to be vulnerable. Earlier versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system. There is an issue in Safari's handling of automatic opening of downloaded files. TITLE: Mac OS X KHTMLParser Denial of Service Weakness SECUNIA ADVISORY ID: SA18220 VERIFY ADVISORY: http://secunia.com/advisories/18220/ CRITICAL: Not critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Tom Ferris has discovered a weakness in Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service). The weakness is caused due to an error in the KHTMLParser when parsing certain malformed HTML documents. This can be exploited to crash an application that uses the parser via a specially crafted HTML file. In certain cases, this may cause the system to become unresponsive. Other applications that use the parser may also be affected. SOLUTION: Do not open or follow links to HTML files from non-trusted sources. PROVIDED AND/OR DISCOVERED BY: Tom Ferris ORIGINAL ADVISORY: http://security-protocols.com/advisory/sp-x22-advisory.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------