Section: 0702-advisories
/// File Name: 02.02.07.txt
Description:
iDefense Security Advisory 02.02.07 - Remote exploitation of a design error in Blue Coat Systems Inc.'s WinProxy allows attackers to trigger a heap corruption vulnerability. The vulnerability can be triggered by sending an overly long HTTP CONNECT request to WinProxy's HTTP proxy service. iDefense has confirmed this vulnerability in WinProxy 6.1a and 6.0 r1c. All previous versions are suspected to be vulnerable.
Author: FistFuXXer | Homepage: http://www.idefense.com/ | File Size: 2663 | Last Modified: Feb 6 00:41:51 2007
MD5 Checksum: 952bc9a9e5539510beb9c556c2a4e22b

/// File Name: 02.07.07-1.txt
Description:
iDefense Security Advisory 02.07.07 - Remote exploitation of a stack-based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary code with the privileges of the user opening the archive. Unrar is prone to a stack-based buffer overflow when processing specially crafted password-protected archives. iDefense has confirmed the existence of this vulnerability in version 3.60 for Linux and 3.61 for Windows. Previous versions may also be affected.
Homepage: http://www.idefense.com/ | File Size: 3258 | Last Modified: Feb 8 00:32:53 2007
MD5 Checksum: 03062898bdeb5529fa5123e2e1a4f2c1

/// File Name: 02.07.07-2.txt
Description:
iDefense Security Advisory 02.07.07 - Local exploitation of an input validation vulnerability within version 1.5.0.1052 of TmComm.sys, as included with Trend Micro's AntiVirus engine, could allow an attacker to execute arbitrary code in kernel context. This vulnerability specifically exists due to insecure permissions on the \\.\TmComm DOS device interface. The permissions on this device grant "Everyone" write access. This could allow a locally logged-in user to reach, via IOCTLs, functionality that was designed for privileged use only. Additionally, the IOCTL handlers for this DOS device interface do not validate addresses passed to them. As such, it is possible to overwrite arbitrary memory or execute attacker-supplied code in the context of the kernel (ring 0).
Author: Ruben Santamarta | Homepage: http://www.idefense.com/ | File Size: 3872 | Last Modified: Feb 8 00:34:20 2007
MD5 Checksum: 22568c831ac8870700d27ef6e9645b87

/// File Name: 02.07.07-3.txt
Description:
iDefense Security Advisory 02.07.07 - Remote exploitation of a buffer overflow vulnerability within Trend Micro's AntiVirus engine could allow an attacker to crash the scan engine or execute arbitrary code. This vulnerability is caused by improper input validation when scanning specially crafted, malformed UPX-compressed executables. Memory corruption could occur, leading to an invalid memory access or a potentially exploitable condition.
Homepage: http://www.idefense.com/ | File Size: 3603 | Last Modified: Feb 8 00:35:04 2007
MD5 Checksum: 139c09b8a3fd2b462fc65241fb55acc0

/// File Name: 02.13.07-2.txt
Description:
iDefense Security Advisory 02.13.07 - Remote exploitation of a design error within Hewlett-Packard's "SLSd" daemon could allow a remote attacker to write arbitrary files as the superuser. The problem specifically exists due to a design error within the "SLSd_daemon" RPC daemon that provides connectivity between distributed systems. This daemon registers itself under the RPC program number (PROGID) 536870913 or 351456, depending on the HP-UX version. By sending a specially crafted request, the daemon will write attacker-supplied data to an arbitrary file as the superuser. iDefense has confirmed the existence of this vulnerability within the "SLSd_daemon" binary as shipped with HP-UX 11.11i and 10.20. All versions are suspected to be vulnerable.
Homepage: http://www.idefense.com | File Size: 3194 | Last Modified: Feb 14 15:45:24 2007
MD5 Checksum: 941e1f5e13db359a50c195fe44b121cf

/// File Name: 02.13.07.txt
Description:
iDefense Security Advisory 02.13.07 - Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll' FTP client code could allow an attacker to execute arbitrary code. The vulnerability specifically exists in the parsing of reply lines from remote FTP servers. During an FTP session, the client asks the server to perform some operation and the server responds with a numeric code, a human-readable message and possibly some other information. As a reply can span multiple lines, code in the client breaks the reply up into lines, putting a null byte (character 0x00) after each end-of-line character. In the case where a line ends exactly on the last character of the reply buffer, the terminating null byte is written outside of the allocated space, overwriting a byte of the heap management structure. By sending a specially crafted series of replies to the client, the heap may be corrupted in a controlled way to cause the execution of arbitrary code.
Author: Greg MacManus | Homepage: http://www.idefense.com | File Size: 5426 | Related CVE(s): CVE-2007-0217 | Last Modified: Feb 14 15:24:21 2007
MD5 Checksum: 9da9783032d32d571d8fbe51d6f6a082

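The reply-splitting off-by-one described in the wininet.dll entry above, reconstructed as an added example. This is illustrative code, not iDefense's or Microsoft's; the exact layout of the original parser is not on this page, so the splitter below simply models what the advisory states: a NUL is written at the byte after each end-of-line character, and nothing checks that this byte is still inside the reply buffer. A canary byte placed one past the declared buffer length shows when the write escapes; the sample reply is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: a NUL is written at the position after each end-of-line
 * character, with no check that this position is still inside buf[0..len-1].
 * When the reply ends exactly on '\n', i + 1 == len and the write lands one
 * byte past the buffer. Returns the number of lines seen. */
static int split_reply_vuln(char *buf, size_t len)
{
    int lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            buf[i + 1] = '\0';
            lines++;
        }
    }
    return lines;
}

/* Fixed: only write past the '\n' when there is room; a line that ends on
 * the last byte of the buffer is terminated in place instead. */
static int split_reply_fixed(char *buf, size_t len)
{
    int lines = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            if (i + 1 < len)
                buf[i + 1] = '\0';
            else
                buf[i] = '\0';
            lines++;
        }
    }
    return lines;
}

#define CANARY ((char)0xAA)

/* Copies `reply` into a buffer whose declared length is strlen(reply), with
 * one extra canary byte after it, runs the given splitter, and returns 1 if
 * the canary was overwritten (i.e. the splitter wrote out of bounds). */
static int canary_clobbered(int (*split)(char *, size_t), const char *reply)
{
    size_t len = strlen(reply);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, reply, len);
    buf[len] = CANARY;
    split(buf, len);
    int clobbered = (buf[len] != CANARY);
    free(buf);
    return clobbered;
}

/* Constructed multi-line FTP reply that ends exactly on an end-of-line
 * character: the triggering case from the advisory. */
static const char *sample_reply = "220-Welcome\r\n220 Ready\r\n";

int main(void)
{
    printf("vulnerable splitter clobbers canary: %d\n",
           canary_clobbered(split_reply_vuln, sample_reply));
    printf("fixed splitter clobbers canary:      %d\n",
           canary_clobbered(split_reply_fixed, sample_reply));
    return 0;
}
```

The canary stands in for the heap-management byte the advisory mentions: on a real allocator the byte past the buffer is allocator metadata, which is why a single NUL write is enough to start corrupting the heap.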
/// File Name: 02.15.07-1.txt
Description:
iDefense Security Advisory 02.15.07 - Remote exploitation of a resource consumption vulnerability in Clam AntiVirus' ClamAV allows attackers to degrade the service of the clamd scanner. The vulnerability specifically exists due to a file descriptor leak. When ClamAV encounters a cabinet header with a record length of zero, it returns from a function without closing a local file descriptor. This can be triggered multiple times, eventually using up all but three of its available file descriptors. This prevents ClamAV from scanning most archives, including zip and tar files. iDefense has confirmed this vulnerability affects Clam AntiVirus ClamAV v0.90RC1.1. All versions prior to the 0.90 stable release are suspected to be vulnerable.
Homepage: http://www.idefense.com | File Size: 3639 | Related CVE(s): CVE-2007-0897 | Last Modified: Feb 16 02:59:38 2007
MD5 Checksum: b8d47572343b2242e38c953c15766fcf

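The descriptor leak in the ClamAV cabinet parser above, as an added example rather than ClamAV's own code. The cabinet header is reduced to a single little-endian record-length field at a fixed offset (an assumption, not the real CAB layout), the scanner's temporary file is stood in for by /dev/null (falling back to a dup of stderr), and the open_fd_count() helper relies on fcntl(F_GETFD), so the block is POSIX-only.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed 12-byte header; the only field modelled is a little-endian
 * 32-bit record length at offset 8 (an assumption, not the real CAB layout). */
struct cab_hdr { uint8_t raw[12]; };

static uint32_t record_len(const struct cab_hdr *h)
{
    return (uint32_t)h->raw[8] | ((uint32_t)h->raw[9] << 8)
         | ((uint32_t)h->raw[10] << 16) | ((uint32_t)h->raw[11] << 24);
}

/* Stands in for the scanner's temporary file. */
static int open_scratch(void)
{
    int fd = open("/dev/null", O_RDONLY);
    return fd >= 0 ? fd : dup(STDERR_FILENO);
}

/* Counts descriptors currently open in this process by probing each
 * number with fcntl(F_GETFD). */
int open_fd_count(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Vulnerable shape: the early return on a zero record length skips close(). */
int scan_cab_vuln(const struct cab_hdr *h)
{
    int fd = open_scratch();
    if (fd < 0)
        return -1;
    if (record_len(h) == 0)
        return 0;          /* fd is leaked on this path */
    close(fd);
    return 1;
}

/* Fixed: every exit path releases the descriptor. */
int scan_cab_fixed(const struct cab_hdr *h)
{
    int fd = open_scratch();
    if (fd < 0)
        return -1;
    int rc = (record_len(h) == 0) ? 0 : 1;
    close(fd);
    return rc;
}

/* Runs `scan` `times` times over a zero-record-length header and returns
 * how many descriptors it left open. */
int leaked_fds(int (*scan)(const struct cab_hdr *), int times)
{
    struct cab_hdr bad = { {0} };   /* record length field is zero */
    int before = open_fd_count();
    for (int i = 0; i < times; i++)
        scan(&bad);
    return open_fd_count() - before;
}

int main(void)
{
    printf("vulnerable scanner leaked %d fds over 50 headers\n",
           leaked_fds(scan_cab_vuln, 50));
    printf("fixed scanner leaked %d fds over 50 headers\n",
           leaked_fds(scan_cab_fixed, 50));
    return 0;
}
```

On a long-running daemon the leak compounds per malicious archive until open() fails with EMFILE, which is the "all but three" state the advisory describes; counting descriptors before and after a batch of crafted inputs is a cheap regression check for this class of bug.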
/// File Name: 02.15.07-2.txt
Description:
iDefense Security Advisory 02.15.07 - Remote exploitation of a directory traversal vulnerability in Clam AntiVirus' ClamAV allows attackers to overwrite files owned by the clamd scanner. The vulnerability specifically exists due to the lack of validation of the id parameter string taken from a MIME header. When parsing a multi-part message, ClamAV takes this string from the header and uses it to create a local file. By sending a string such as "../../../../some/file", an attacker can create or overwrite an arbitrary file owned by the clamd process. Data from the message body is later written to this file. iDefense has confirmed this vulnerability affects Clam AntiVirus ClamAV version 0.88.6. All versions prior to the 0.90 stable release are suspected to be vulnerable.
Homepage: http://www.idefense.com | File Size: 3571 | Related CVE(s): CVE-2007-0898 | Last Modified: Feb 16 03:01:01 2007
MD5 Checksum: 36ee4ce39b9934279d0d981740612fec

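One way to validate a MIME part identifier before it becomes a file name, the check the ClamAV entry above says was missing. This is an added example, not ClamAV's fix; the accepted character set, the 64-byte cap and the /var/tmp/clamav directory are assumptions, and the sample ids are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `id` is safe to use as a bare file name inside the scanner's
 * temp directory, 0 otherwise. Rejects empty or over-long names, any path
 * separator ("/" or "\"), the "." and ".." components and other leading
 * dots, and anything outside [A-Za-z0-9._-]. */
int safe_part_name(const char *id)
{
    size_t len = strlen(id);
    if (len == 0 || len > 64)
        return 0;
    if (id[0] == '.')                  /* covers ".", "..", hidden files */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)id[i];
        if (c == '/' || c == '\\')
            return 0;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Builds "<dir>/<id>" into `out` only if the id passes the check.
 * Returns 1 on success, 0 if the id was rejected or the path did not fit. */
int build_part_path(const char *dir, const char *id, char *out, size_t outsz)
{
    if (!safe_part_name(id))
        return 0;
    int n = snprintf(out, outsz, "%s/%s", dir, id);
    return n > 0 && (size_t)n < outsz;
}

/* Constructed sample ids, in the shape the advisory describes. */
static const char *samples[] = {
    "part0001.bin",
    "../../../../some/file",
    "..\\..\\evil",
    "",
    ".hidden",
    "report-2007_02.txt",
};

int main(void)
{
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = build_part_path("/var/tmp/clamav", samples[i], path, sizeof path);
        printf("%-24s -> %s\n", samples[i], ok ? path : "REJECTED");
    }
    return 0;
}
```

An allow-list on the bare name is deliberately stricter than stripping "../": it also refuses backslashes, which matter once the same code runs on Windows, and it never lets header-controlled bytes choose a directory at all. A process-level belt and braces is to open the temp file with O_CREAT|O_EXCL so an attacker-chosen name cannot clobber an existing file even if validation regresses.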
/// File Name: 02.16.07-1.txt
Description:
iDefense Security Advisory 02.16.07 - Trend Micro's ServerProtect product uses a web interface, running on TCP port 14942, to configure the product. This interface is protected with a user-configurable password. Upon successful login, a cookie is set with the name 'splx_2376_info' and a valid session id as its value. The ServerProtect web application suffers from a design error in its authorization checking routines. Attackers can gain full access to the web application by requesting any internal page while supplying their own 'splx_2376_info' cookie with an arbitrary value. iDefense has confirmed this vulnerability in Trend ServerProtect v1.3 for Linux. This vulnerability is not present in the Windows-based versions of ServerProtect.
Author: Damian Put | Homepage: http://www.idefense.com/ | File Size: 3317 | Last Modified: Feb 23 20:44:29 2007
MD5 Checksum: f95f0a15b78c940c6b57b3b8b6290278

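The authorization flaw in the ServerProtect entry above is a presence check where a validity check was needed. The added example below (not Trend Micro's code) contrasts the two; the cookie name is the one in the advisory, while the in-memory session table, the token value and the Cookie-header parsing are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_NAME "splx_2376_info"
#define MAX_SESSIONS 4

/* Constructed in-memory session table: tokens issued at login. */
static const char *issued_sessions[MAX_SESSIONS] = {
    "7f3a9c1e5b2d4a6f", NULL, NULL, NULL
};

/* Extracts the value of COOKIE_NAME from a raw Cookie header into `out`.
 * Returns 1 if present, 0 otherwise. */
int get_session_cookie(const char *cookie_hdr, char *out, size_t outsz)
{
    const char *p = cookie_hdr;
    size_t nlen = strlen(COOKIE_NAME);
    while ((p = strstr(p, COOKIE_NAME)) != NULL) {
        if ((p == cookie_hdr || p[-1] == ' ' || p[-1] == ';') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, ";");
            if (vlen >= outsz)
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* Constant-time equality so the compare does not leak how many bytes matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable shape: any request carrying the cookie is treated as
 * authenticated, regardless of its value. */
int is_authorized_vuln(const char *cookie_hdr)
{
    char tok[64];
    return get_session_cookie(cookie_hdr, tok, sizeof tok);
}

/* Fixed: the presented value must match a session the server issued. */
int is_authorized_fixed(const char *cookie_hdr)
{
    char tok[64];
    if (!get_session_cookie(cookie_hdr, tok, sizeof tok))
        return 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (issued_sessions[i] != NULL && ct_equal(tok, issued_sessions[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *forged = "lang=en; " COOKIE_NAME "=anything";
    const char *real   = COOKIE_NAME "=7f3a9c1e5b2d4a6f";
    printf("forged cookie: vuln=%d fixed=%d\n",
           is_authorized_vuln(forged), is_authorized_fixed(forged));
    printf("real cookie:   vuln=%d fixed=%d\n",
           is_authorized_vuln(real), is_authorized_fixed(real));
    return 0;
}
```

The quickest way to catch this class of bug in a black-box test is exactly what the advisory describes: request an internal page with the session cookie set to a made-up value and confirm you get the login page, not the content.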
/// File Name: 02.22.07-1.txt
Description:
iDefense Security Advisory 02.22.07 - Remote exploitation of a buffer overflow vulnerability in VeriSign Inc.'s ConfigChk ActiveX Control could allow an attacker to execute arbitrary code within the security context of the victim. iDefense has confirmed the existence of this vulnerability within version 2.0.0.2 of VeriSign Inc.'s VSCnfChk.dll. All versions are suspected to be vulnerable.
Author: David D. Rude II | Homepage: http://www.idefense.com/ | File Size: 3252 | Last Modified: Feb 23 21:48:48 2007
MD5 Checksum: df82f344e125c06ae77aa1dfeb7c8a42

/// File Name: 02.22.07-2.txt
Description:
iDefense Security Advisory 02.22.07 - Local exploitation of a file creation vulnerability in IBM Corp.'s DB2 Universal Database could allow attackers to elevate privileges to the superuser. This vulnerability exists due to unsafe file access from within several setuid-root binaries. Specifically, when the DB2INSTANCE environment variable is supplied, the setuid-root DB2 administration binaries use the home directory of the specified user for loading configuration data. This allows attackers to create or append to arbitrary files by constructing a specific execution environment. Additionally, the user's umask settings are honored, allowing the creation of root-owned, world-writable files. iDefense has confirmed the existence of this vulnerability within IBM Corp.'s DB2 Universal Database 9.1 release installed on Linux. Other versions are suspected to be vulnerable as well. This vulnerability does not affect DB2 Universal Database running on the Windows platform.
Homepage: http://www.idefense.com/ | File Size: 3685 | Last Modified: Feb 23 21:49:41 2007
MD5 Checksum: 2c23d7265527b5338afca6ce75a79b57

/// File Name: 02.22.07-3.txt
Description:
iDefense Security Advisory 02.22.07 - Local exploitation of multiple vulnerabilities in IBM Corp.'s DB2 Universal Database allows attackers to cause a denial of service condition or elevate privileges to root. Several vulnerabilities exist due to unsafe file access from within several setuid-root binaries. Specifically, when certain environment variables are supplied, the DB2 administration binaries use the specified filename for saving data. This allows an attacker to create or append to arbitrary files as root. A heap-based buffer overflow can occur when copying data from an environment variable: the variable contents are copied to a static BSS segment buffer without ensuring proper NUL termination, which allows an attacker to cause a heap overflow in a later function call. A stack-based buffer overflow can occur when an environment variable contains a long string. By specifying a specially crafted value, it is possible to overwrite the return address of a function and execute arbitrary code. iDefense has confirmed the existence of these vulnerabilities within IBM Corp.'s DB2 Universal Database 9.1 release installed on Linux. Other versions, including those installed on other architectures, are suspected to be vulnerable as well. These vulnerabilities do not appear to affect DB2 Universal Database running on the Windows platform.
Author: Joshua J. Drake | Homepage: http://www.idefense.com/ | File Size: 4529 | Last Modified: Feb 23 21:50:56 2007
MD5 Checksum: 3c9750c1e4a747af81e04379de4095d8

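The two DB2 entries above describe setuid-root binaries that (a) build a configuration path from the caller-controlled DB2INSTANCE variable and (b) copy an environment value into a fixed-size buffer without ensuring NUL termination. The added example below (not IBM's code) shows each pattern next to a hardened form; the /home/<instance>/sqllib/db2nodes.cfg path template, the default instance name db2inst1 and the 32-byte name limit are assumptions, and the privileged flag is passed in explicitly so the policy can be exercised without actually installing the binary setuid.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_MAX_LEN 32   /* assumed size of the instance-name buffer */

/* 1 when the process holds privileges its invoker did not have, i.e. a
 * setuid-root binary run by an ordinary user. In that state nothing in the
 * environment can be trusted: the invoker chose every variable. */
int running_setuid(void)
{
    return geteuid() != getuid();
}

/* Vulnerable shape: the instance name comes straight from DB2INSTANCE and is
 * spliced into a path that the privileged process will then open. A value
 * such as "../../tmp/evil" redirects the open to attacker territory. */
int cfg_path_vuln(const char *env_instance, char *out, size_t outsz)
{
    const char *inst = env_instance ? env_instance : "db2inst1";
    int n = snprintf(out, outsz, "/home/%s/sqllib/db2nodes.cfg", inst);
    return n > 0 && (size_t)n < outsz;
}

/* Fixed: when privileged, ignore the environment and use the compiled-in
 * default; otherwise accept only a bare identifier (no '/', bounded length). */
int cfg_path_fixed(int privileged, const char *env_instance,
                   char *out, size_t outsz)
{
    const char *inst = "db2inst1";
    if (!privileged && env_instance != NULL && env_instance[0] != '\0') {
        if (strchr(env_instance, '/') != NULL || strlen(env_instance) > NAME_MAX_LEN)
            return 0;
        inst = env_instance;
    }
    int n = snprintf(out, outsz, "/home/%s/sqllib/db2nodes.cfg", inst);
    return n > 0 && (size_t)n < outsz;
}

/* Vulnerable copy: strncpy does not terminate `dst` when `val` is dstsz bytes
 * or longer, so a later strlen/strcat on dst runs off its end into whatever
 * follows the buffer. Returns 1 if dst ended up NUL-terminated, 0 if not. */
int copy_name_vuln(char *dst, size_t dstsz, const char *val)
{
    strncpy(dst, val, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Fixed copy: reject values that do not fit and always terminate. */
int copy_name_fixed(char *dst, size_t dstsz, const char *val)
{
    size_t n = strlen(val);
    if (n >= dstsz)
        return 0;
    memcpy(dst, val, n + 1);
    return 1;
}

int main(void)
{
    char path[128], name[NAME_MAX_LEN];
    char longval[NAME_MAX_LEN + 8];
    memset(longval, 'A', sizeof longval - 1);   /* constructed over-long value */
    longval[sizeof longval - 1] = '\0';

    cfg_path_vuln("../../tmp/evil", path, sizeof path);
    printf("vulnerable path: %s\n", path);
    printf("fixed, unprivileged, traversal accepted: %d\n",
           cfg_path_fixed(0, "../../tmp/evil", path, sizeof path));
    cfg_path_fixed(1, "../../tmp/evil", path, sizeof path);
    printf("fixed, privileged, path used: %s\n", path);
    printf("this process is setuid: %d\n", running_setuid());
    printf("long value terminated: strncpy=%d checked=%d\n",
           copy_name_vuln(name, sizeof name, longval),
           copy_name_fixed(name, sizeof name, longval));
    return 0;
}
```

The advisory's umask detail is the same trust problem in another variable: a setuid program should set its own umask (and open files with explicit modes and O_NOFOLLOW) rather than inherit whatever the invoker arranged.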
/// File Name: 02.23.07-1.txt
Description:
iDefense Security Advisory 02.23.07 - Remote exploitation of an input validation error causing an integer underflow in version 3.10 of the Mozilla Foundation's Network Security Services (NSS) may allow an attacker to execute arbitrary code in the context of the affected application. The vulnerability specifically exists due to a design error in the processing of malformed SSLv2 server messages. By sending a certificate with a public key too small to encrypt the "Master Secret", heap corruption can be triggered which may result in the execution of arbitrary code. iDefense has confirmed this vulnerability exists in versions 3.10 and 3.11.3 of Mozilla Network Security Services. These libraries are used in a variety of products from multiple vendors including Sun Microsystems, Red Hat and Mozilla. Previous versions are also likely to be affected. The names 'libnss3.so' on Linux-based systems or 'nss3.dll' on Windows-based systems may indicate the library is being used by an application.
Author: regenrecht | Homepage: http://www.idefense.com/ | File Size: 4503 | Related CVE(s): CVE-2007-0008 | Last Modified: Feb 23 22:01:11 2007
MD5 Checksum: f7504baa6cc0b0fa891f4666537695f2

/// File Name: 02.23.07-2.txt
Description:
iDefense Security Advisory 02.23.07 - Remote exploitation of an input validation error causing an integer underflow in version 3.10 of the Mozilla Foundation's Network Security Services (NSS) may allow an attacker to cause a stack-based buffer overflow and execute arbitrary code in the context of the affected application. The vulnerability specifically exists in code responsible for handling the client master key. While negotiating an SSLv2 session, a client can specify invalid parameters which cause an integer underflow. The resulting value is used as the amount of memory to copy into a fixed-size stack buffer. As a result, a potentially exploitable stack-based buffer overflow condition occurs. iDefense has confirmed this vulnerability exists in versions 3.10 and 3.11.3 of Mozilla Network Security Services. These libraries are used in a variety of products from multiple vendors including Sun Microsystems, Red Hat and Mozilla. Previous versions are also likely to be affected. The names 'libnss3.so' on Linux-based systems or 'nss3.dll' on Windows-based systems may indicate the library is being used by an application.
Author: regenrecht | Homepage: http://www.idefense.com/ | File Size: 4420 | Related CVE(s): CVE-2007-0009 | Last Modified: Feb 23 22:01:56 2007
MD5 Checksum: 8c91b8eddd1ccac797ef1086095470ef

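The two NSS entries above are both length-validation failures in SSLv2 handling: a CLIENT-MASTER-KEY message whose length fields underflow, and an RSA public key too short to wrap the master secret. The added example below is not NSS code; it models the client master-key message as three length fields plus a body (a simplification of the real message), uses an assumed 24-byte destination buffer, and shows the unchecked arithmetic beside a version that validates every length first, plus the PKCS#1 v1.5 size check that an undersized modulus fails. The message bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSL2_MAX_KEY 24   /* assumed fixed-size destination buffer */

struct client_master_key {
    uint16_t clear_key_len;
    uint16_t enc_key_len;
    uint16_t key_arg_len;
    const uint8_t *data;    /* clear key || encrypted key || key arg */
    size_t data_len;
};

/* Vulnerable shape: derive the number of secret bytes as
 * key_len - clear_key_len in unsigned arithmetic. A clear_key_len larger
 * than key_len wraps to a huge value, which is then used as the length of a
 * copy into a fixed-size buffer. Returns the computed length without
 * performing the copy, so the demo stays in bounds. */
size_t secret_len_vuln(size_t key_len, const struct client_master_key *m)
{
    return key_len - m->clear_key_len;    /* underflows when clear > key_len */
}

/* Fixed: validate every length against the cipher's key size and the
 * message body before any arithmetic, and refuse the message otherwise.
 * Returns 1 and copies the clear-key bytes into `out` on success, 0 on any
 * inconsistency. */
int clear_key_fixed(size_t key_len, const struct client_master_key *m,
                    uint8_t out[SSL2_MAX_KEY])
{
    if (key_len > SSL2_MAX_KEY)
        return 0;
    if (m->clear_key_len > key_len)
        return 0;
    size_t need = (size_t)m->clear_key_len + m->enc_key_len + m->key_arg_len;
    if (need > m->data_len)
        return 0;
    memcpy(out, m->data, m->clear_key_len);
    return 1;
}

/* PKCS#1 v1.5 block-type-2 encryption needs the modulus to be at least
 * 11 bytes longer than the plaintext (00 02 || >= 8 pad bytes || 00 || M).
 * Returns 1 if a secret of `secret_len` bytes can be wrapped with an RSA
 * public key of `modulus_len` bytes; an undersized server key is the case
 * the first NSS advisory describes. */
int rsa_can_wrap(size_t modulus_len, size_t secret_len)
{
    return modulus_len >= secret_len + 11;
}

int main(void)
{
    static const uint8_t body[16] = {0};   /* constructed message bytes */
    struct client_master_key bad = { 40, 0, 0, body, sizeof body };
    struct client_master_key ok  = { 8, 8, 0, body, sizeof body };
    uint8_t out[SSL2_MAX_KEY];
    printf("underflowed copy length: %zu\n", secret_len_vuln(16, &bad));
    printf("fixed rejects bad=%d accepts ok=%d\n",
           clear_key_fixed(16, &bad, out), clear_key_fixed(16, &ok, out));
    printf("64-byte modulus can wrap 48-byte secret: %d\n", rsa_can_wrap(64, 48));
    printf("48-byte modulus can wrap 48-byte secret: %d\n", rsa_can_wrap(48, 48));
    return 0;
}
```

Both checks share one rule: every peer-supplied length is compared against what the local side already knows (the negotiated key size, the bytes actually received, the modulus size) before it is used in subtraction or as a memcpy bound. The practical mitigation at the time was simply to disable SSLv2 in the affected products.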
/// File Name: advisory_032007.142.txt
Description:
Hardened PHP Project Security Advisory - Multiple browsers suffer from a cross-domain charset inheritance vulnerability. Affected browsers include Firefox versions 2.0.0.1 and below, Internet Explorer 7, and Opera 9.
Author: Stefan Esser | Homepage: http://www.hardened-php.net/ | File Size: 3451 | Last Modified: Feb 23 22:03:23 2007
MD5 Checksum: 0c406f7eda7195f1dc12ae3ca465699a

/// File Name: alibaba-exec.txt
Description:
A remote code execution vulnerability in Alipay's password input control "pta.dll" allows a remote attacker to take complete control of the affected system.
Author: cocoruder | Homepage: http://ruder.cdut.net/ | File Size: 3464 | Last Modified: Feb 8 00:24:56 2007
MD5 Checksum: 540dc5afa51051e888cf578e1269e685

/// File Name: BTP00000P005CF.txt
Description:
Comodo Firewall Pro (formerly Comodo Personal Firewall) hooks many functions in the SSDT and, in at least seven cases, fails to validate arguments that come from user mode. Affected versions include Comodo Firewall Pro 2.4.16.174 and Comodo Personal Firewall 2.3.6.81.
Homepage: http://www.matousec.com/ | Related Exploit: BTP00000P005CF.zip | File Size: 1169 | Last Modified: Feb 5 23:05:13 2007
MD5 Checksum: 70dbf1a4a2904f73f4f89fba108d3b43

/// File Name: bugzilla-multiple.txt
Description:
Bugzilla Security Advisory - Bugzilla versions 2.20.1 and above suffer from a cross site scripting vulnerability. Version 2.23.3 suffers from a database password disclosure flaw.
Author: Frederic Buclin, Dave Miller, Olav Vitters, Max Kanat-Alexander | Homepage: http://www.bugzilla.org/ | File Size: 3732 | Last Modified: Feb 5 23:24:19 2007
MD5 Checksum: 69ffd8fbfbab9aae67c189f99ee9d20b

/// File Name: CAID-35112.txt
Description:
CA eTrust Intrusion Detection contains a vulnerability that can allow a remote attacker to cause a denial of service condition. Affected products include eTrust Intrusion Detection 3.0 SP1, eTrust Intrusion Detection 3.0, and eTrust Intrusion Detection 2.0 SP1.
Author: Ken Williams | Homepage: http://www3.ca.com/ | File Size: 3429 | Related OSVDB(s): 32290 | Related CVE(s): CVE-2007-1005 | Last Modified: Mar 5 23:31:48 2007
MD5 Checksum: 12add59dad847ba49e68e54ca2879c5b

/// File Name: cisco-sa-20070131-sip.txt
Description:
Cisco Security Advisory - Cisco devices running IOS images that support voice and are not configured for Session Initiation Protocol (SIP) are vulnerable to a crash under conditions yet to be determined, but isolated to traffic destined to port 5060. SIP is enabled by default on all Advanced images that support voice and do not contain the fix for CSCsb25337. There are no reports of this vulnerability affecting devices that are properly configured for SIP processing. Workarounds exist to mitigate the effects of this problem. IOS releases that include voice support after 12.3(14)T, 12.3(8)YC1 and 12.3(8)YG, and all of 12.4, are affected.
Homepage: http://www.cisco.com/ | File Size: 21930 | Last Modified: Jan 31 23:52:05 2007
MD5 Checksum: ef630cb93afce94787df82c139fd9b8b

/// File Name: cisco-sa-20070213-iosips.txt
Description:
Cisco Security Advisory - The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include a flaw where fragmented IP packets may be used to evade signature inspection, and another flaw where IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash, resulting in a denial of service.
Homepage: http://www.cisco.com/ | File Size: 24702 | Last Modified: Feb 14 15:05:23 2007
MD5 Checksum: 3c3c330852f9ad6e7663f928dbe5017b

/// File Name: cisco-sa-20070214-fwsm.txt
Description:
Cisco Security Advisory - Multiple vulnerabilities exist in the Cisco Firewall Services Module (FWSM). These vulnerabilities occur in the processing of specific Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), Session Initiation Protocol (SIP), and Simple Network Management Protocol (SNMP) traffic. If verbose logging is enabled for debugging purposes, a vulnerability exists when the FWSM processes packets destined to itself. All of these vulnerabilities may result in a reload of the device. An additional vulnerability is included in this advisory in which the manipulation of access control lists (ACLs) that make use of object groups may corrupt the ACL and create a situation where unwanted traffic may be permitted or desirable traffic may be blocked.
Homepage: http://www.cisco.com/ | File Size: 41063 | Last Modified: Feb 14 17:28:19 2007
MD5 Checksum: 81507c5ff4d851323d723cbf6d6fdbd0

/// File Name: cisco-sa-20070214-pix.txt
Description:
Cisco Security Advisory - Multiple vulnerabilities have been found in Cisco PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances. They affect enhanced inspection of malformed Hypertext Transfer Protocol (HTTP) traffic, inspection of malformed Session Initiation Protocol (SIP) packets, inspection of a stream of malformed Transmission Control Protocol (TCP) packets, and privilege escalation.
Homepage: http://www.cisco.com/ | File Size: 26971 | Last Modified: Feb 14 17:18:41 2007
MD5 Checksum: b821bb1d898f29a1e9d50d79ba46895d

/// File Name: cisco-sa-20070221-phone.txt
Description:
Cisco Security Advisory - Certain Cisco Unified IP Conference Station and IP Phone devices contain vulnerabilities which may allow unauthorized users to gain administrative access to vulnerable devices.
Homepage: http://www.cisco.com/ | File Size: 18821 | Last Modified: Feb 23 19:14:27 2007
MD5 Checksum: 50aae22a39a331a4524510ead2dc1b4c

/// File Name: cisco-sa-20070221-supplicant.txt
Description:
Cisco Security Advisory - The Cisco Secure Services Client (CSSC) is a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. A lightweight version of the CSSC client is also a component of the Cisco Trust Agent (CTA) within the Cisco Network Admission Control (NAC) Framework solution. These products are affected by multiple vulnerabilities, including privilege escalation and information disclosure.
Homepage: http://www.cisco.com/ | File Size: 18702 | Last Modified: Feb 23 19:15:19 2007
MD5 Checksum: b030fad2ee8b30943ebf8516146868fc