VARIoT IoT vulnerabilities database


VAR-200608-0158 CVE-2006-4507 Sony PSP Photo Viewer (libTIFF) arbitrary code execution vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the TIFF viewer (possibly libTIFF) in the Photo Viewer in the Sony PlayStation Portable (PSP) 2.00 through 2.80 allows local users to execute arbitrary code via crafted TIFF images. NOTE: due to lack of details, it is not clear whether this is related to other issues such as CVE-2006-3464 or CVE-2006-3465.

----------------------------------------------------------------------
TITLE:
Sony PSP TIFF Image Viewing Code Execution Vulnerability

SECUNIA ADVISORY ID:
SA21672

VERIFY ADVISORY:
http://secunia.com/advisories/21672/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Sony PlayStation Portable (PSP) 2.x
http://secunia.com/product/5764/

DESCRIPTION:
A vulnerability has been discovered in Sony PlayStation Portable, which can be exploited by malicious people to compromise a user's system.

The vulnerability has been confirmed in version 2.60 and has also been reported in versions 2.00 through 2.80.

SOLUTION:
Do not view untrusted images.

PROVIDED AND/OR DISCOVERED BY:
Discovered by NOPx86. Additional research by psp250, Skylark, Joek2100, CSwindle, JimP, and Fanjita.

ORIGINAL ADVISORY:
http://noobz.eu/content/home.html#280806
----------------------------------------------------------------------
VAR-200608-0332 CVE-2006-4305 SAP DB and MaxDB WebDBM buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote attackers to execute arbitrary code via a long database name when connecting via a WebDBM client. SAP-DB and MaxDB are prone to a remote buffer-overflow vulnerability because these applications fail to perform sufficient bounds-checking of user-supplied data before copying it to an insufficiently sized memory buffer. Failed exploit attempts will likely crash the application, denying further service to legitimate users.

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2006-09
Advisory Title: SAP-DB/MaxDB WebDBM remote buffer overflow
Author: Oliver Karow / Oliver_Karow@symantec.com
Release Date: 29-08-2006
Application: SAP-DB/MaxDB 7.6.00.22 - WebDBM
Platform: Windows/Unix
Severity: Remotely exploitable/Local System Access
Vendor status: Verified by vendor / Resolved in 7.6.00.31
CVE Number: CVE-2006-4305
Reference: http://www.securityfocus.com/bid/19660

Overview:
A connection from a WebDBM Client to the DBM Server causes a buffer overflow when the given database name is too large. This can result in the execution of arbitrary code in the context of the database server.

Details:
SAP-DB/MaxDB is a heavy-duty, SAP-certified open source database for OLTP and OLAP usage which offers high reliability, availability, scalability and a very comprehensive feature set. It is targeted for large mySAP Business Suite environments and other applications that require maximum enterprise-level database functionality and complements the MySQL database server.

A remotely exploitable vulnerability exists in MaxDB's WebDBM. Authentication is not required for successful exploitation to occur.

Vendor Response:
The above vulnerability has been fixed in the latest release of the product, MaxDB 7.6.00.31. Licensed and evaluation versions of MaxDB are available for download in the download section of www.mysql.com/maxdb: http://dev.mysql.com/downloads/maxdb/7.6.00.html. If there are any further questions about this statement, please contact mysql-MaxDB support. Please note that SAP customers receive their downloads via the SAP Service Marketplace www.service.sap.com and must not use downloads from the addresses above for their SAP solutions.

Recommendation:
The vendor has released MaxDB 7.6.00.31 to address this issue. Users should contact the vendor to obtain the appropriate upgrade. As a temporary workaround the SAP-DB WWW Service should either be disabled or have access to it restricted using appropriate network or client based access controls.

Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE-2006-4305

-------Symantec Consulting Services Advisory Information-------
For questions about this advisory, or to report an error: cs_advisories@symantec.com
For details on Symantec's Vulnerability Reporting Policy: http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Consulting Services Advisory Archive: http://www.symantec.com/research/
Consulting Services Advisory GPG Key: http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
---------------------------------------------------------------

----------------------------------------------------------------------
TITLE:
MaxDB WebDBM Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA21677

VERIFY ADVISORY:
http://secunia.com/advisories/21677/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From local network

SOFTWARE:
MaxDB 7.x
http://secunia.com/product/4012/

DESCRIPTION:
Oliver Karow has reported a vulnerability in MaxDB, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in WebDBM when processing database names.

The vulnerability has been reported in version 7.6.00.22. Other versions may also be affected.

SOLUTION:
Update to version 7.6.00.31 or later.
http://dev.mysql.com/downloads/maxdb/7.6.00.html

PROVIDED AND/OR DISCOVERED BY:
Oliver Karow, Symantec.

ORIGINAL ADVISORY:
Symantec:
http://www.symantec.com/enterprise/research/SYMSA-2006-009.txt
----------------------------------------------------------------------
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA21677

SOLUTION:
Apply updated packages.

-- Debian GNU/Linux 3.1 alias sarge --
-- Debian GNU/Linux unstable alias sid --

Reportedly, the problem will be fixed soon.
VAR-200608-0174 CVE-2006-4430 Cisco NAC local and remote protection mechanism bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Cisco Network Admission Control (NAC) 3.6.4.1 and earlier allows remote attackers to prevent installation of the Cisco Clean Access (CCA) Agent and bypass local and remote protection mechanisms by modifying (1) the HTTP User-Agent header or (2) the behavior of the TCP/IP stack. NOTE: the vendor has disputed the severity of this issue, stating that users cannot bypass authentication mechanisms.

The Cisco NAC Agent is prone to a security-bypass vulnerability because of a design error in the application. An attacker can exploit this issue to bypass security restrictions. This results in a false sense of security and may aid attackers in further attacks. An attacker can connect to the network by changing the default parameters of the Windows TCP/IP stack and using a custom HTTPS client (instead of a browser) to bypass host authentication.
VAR-200608-0288 CVE-2006-4352 Cisco 11000 series Content Service Switches ArrowPoint cookie sensitive information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The ArrowPoint cookie functionality for Cisco 11000 series Content Service Switches specifies an internal IP address if the administrator does not specify a string option, which allows remote attackers to obtain sensitive information. Because an internal IP address is placed in the cookie, sensitive information may be obtained by a third party.
VAR-200608-0046 CVE-2006-2113 Fuji Xerox Printing Systems Embedded HTTP Server Multiple Vulnerabilities CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The embedded HTTP server in Fuji Xerox Printing Systems (FXPS) print engine, as used in products including (1) Dell 3000cn through 5110cn and (2) Fuji Xerox DocuPrint firmware before 20060628 and Network Option Card firmware before 5.13, does not properly perform authentication for HTTP requests, which allows remote attackers to modify system configuration via crafted requests, including changing the administrator password or causing a denial of service to the print server. These issues occur because the application fails to properly validate HTTP requests. An attacker can exploit these issues to bypass authentication and gain administrative access to the affected embedded application or to cause denial-of-service conditions. This may lead to other attacks.

----------------------------------------------------------------------
TITLE:
Dell Color Laser Printers Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA21630

VERIFY ADVISORY:
http://secunia.com/advisories/21630/

CRITICAL:
Less critical

IMPACT:
Security Bypass, DoS

WHERE:
From local network

OPERATING SYSTEM:
Dell Color Laser Printer 5110cn
http://secunia.com/product/11721/
Dell Color Laser Printer 5100cn
http://secunia.com/product/11733/
Dell Color Laser Printer 3110cn
http://secunia.com/product/11734/
Dell Color Laser Printer 3100cn
http://secunia.com/product/11736/
Dell Color Laser Printer 3010cn
http://secunia.com/product/11735/
Dell Color Laser Printer 3000cn
http://secunia.com/product/11737/

DESCRIPTION:
Some vulnerabilities have been reported in various Dell Color Laser Printers, which can be exploited by malicious people to bypass certain security restrictions or to cause a DoS (Denial of Service).

1) The embedded FTP server does not restrict the use of the FTP PORT command. This can be exploited to connect to arbitrary systems through the FTP server.

2) The embedded HTTP server does not authenticate certain HTTP requests correctly. This can be exploited to make unauthorized changes to the system configuration or to cause a DoS.

The vulnerability has been reported in Dell 5110cn, Dell 3110cn, and Dell 3010cn with firmware versions prior to A01 and in Dell 5100cn, Dell 3100cn, and Dell 3000cn with firmware versions prior to A05.

NOTE: Other products using the Fuji Xerox Printing Engine may also be affected.

SOLUTION:
Apply patches.

Dell 5110cn (firmware versions prior to A01):
http://ftp.us.dell.com/printer/R130538.EXE
Dell 3110cn (firmware versions prior to A01):
http://ftp.us.dell.com/printer/R130356.EXE
Dell 3010cn (firmware versions prior to A01):
http://ftp.us.dell.com/printer/R132075.EXE
Dell 5100cn (firmware versions prior to A05):
http://ftp.us.dell.com/printer/R132718.EXE
Dell 3100cn (firmware versions prior to A05):
http://ftp.us.dell.com/printer/R132079.EXE
Dell 3000cn (firmware versions prior to A05):
http://ftp.us.dell.com/printer/R132368.EXE

PROVIDED AND/OR DISCOVERED BY:
Nate Johnson and Sean Krulewitch, Indiana University.

ORIGINAL ADVISORY:
https://itso.iu.edu/20060824_FXPS_Print_Engine_Vulnerabilities
----------------------------------------------------------------------

Indiana University Security Advisory: Fuji Xerox Printing Systems (FXPS)[1] print engine vulnerabilities

Advisory ID: 20060824_FXPS_Print_Engine_Vulnerabilities[2]

Revisions:
08-24-2006 2350 UTC 1.0 Initial Public Release

Issues:
FTP bounce attack is possible when FTP printing is enabled (CVE-2006-2112)[3]
Embedded HTTP server allows unauthenticated access to system configuration and settings (CVE-2006-2113)[4]

Credit/acknowledgement:
CVE-2006-2112
Date of discovery: 04-11-2006
Nate Johnson, Lead Security Engineer, Indiana University
Sean Krulewitch, Deputy IT Security Officer, Indiana University

CVE-2006-2113
Date of discovery: 04-11-2006
Sean Krulewitch, Deputy IT Security Officer, Indiana University

Summary:
Certain FXPS print engines contain vulnerabilities that allow a remote attacker to perform FTP bounce attacks through the FTP printing interface or allow unauthenticated access to the embedded HTTP remote user interface. This allows an attacker to cause the FTP server to make arbitrary connections to ports on another system, which can be used to bypass access controls and hide the true identity of the source of the attacker's traffic. A successful attacker would be able to reset the administrator password but would not be capable of exposing the current password.

Mitigation/workarounds:
Disabling FTP printing prevents the FTP bounce attack. Disabling the embedded web server prevents the DoS/unauthorized configuration change attack. Best practice suggests that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks.

Criticality:
These vulnerabilities have a combined risk of moderately critical.

Footnotes:
[1] http://www.fxpsc.co.jp/en/
[2] https://itso.iu.edu/20060824_FXPS_Print_Engine_Vulnerabilities
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2112
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2113
[5] http://ftp.us.dell.com/printer/R130538.EXE
[6] http://ftp.us.dell.com/printer/R130356.EXE
[7] http://ftp.us.dell.com/printer/R132075.EXE
[8] http://ftp.us.dell.com/printer/R132718.EXE
[9] http://ftp.us.dell.com/printer/R132079.EXE
[10] http://ftp.us.dell.com/printer/R132368.EXE

All contents are Copyright 2006 The Trustees of Indiana University. All rights reserved.

--
Sean Krulewitch, Deputy IT Security Officer
IT Security Office, Office of the VP for Information Technology
Indiana University
For PGP Key or S/MIME cert: https://www.itso.iu.edu/Sean_Krulewitch
VAR-200608-0045 CVE-2006-2112 FXPS print engine FTP printing interface usable as a proxy (FTP bounce) vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Fuji Xerox Printing Systems (FXPS) print engine, as used in products including (1) Dell 3000cn through 5110cn and (2) Fuji Xerox DocuPrint firmware before 20060628 and Network Option Card firmware before 5.13, allows remote attackers to use the FTP printing interface as a proxy ("FTP bounce") by using arbitrary PORT arguments to connect to systems for which access would be otherwise restricted. This could result in the proxying of arbitrary requests by a user through the system using the vulnerable FTP print server. Successful exploits may allow an attacker to make connections to arbitrary hosts and generate traffic with the identity of the vulnerable FTP print server. As a result, this may allow the attacker to bypass access controls and security restrictions by masking the original source of the attacker's traffic. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. 
Currently the following type of positions are available: http://secunia.com/quality_assurance_analyst/ http://secunia.com/web_application_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Dell Color Laser Printers Multiple Vulnerabilities SECUNIA ADVISORY ID: SA21630 VERIFY ADVISORY: http://secunia.com/advisories/21630/ CRITICAL: Less critical IMPACT: Security Bypass, DoS WHERE: >From local network OPERATING SYSTEM: Dell Color Laser Printer 5110cn http://secunia.com/product/11721/ Dell Color Laser Printer 5100cn http://secunia.com/product/11733/ Dell Color Laser Printer 3110cn http://secunia.com/product/11734/ Dell Color Laser Printer 3100cn http://secunia.com/product/11736/ Dell Color Laser Printer 3010cn http://secunia.com/product/11735/ Dell Color Laser Printer 3000cn http://secunia.com/product/11737/ DESCRIPTION: Some vulnerabilities have been reported in various Dell Color Laser Printers, which can be exploited by malicious people to bypass certain security restrictions or to cause a DoS (Denial of Service). 1) The embedded FTP server does not restrict the use of the FTP PORT command. 2) The embedded HTTP server does not authenticate certain HTTP requests correctly. This can be exploited to make unauthorized changes to the system configuration or to cause a DoS. The vulnerability has been reported in Dell 5110cn, Dell 3110cn, and Dell 3010cn with firmware versions prior to A01 and in Dell 5100cn, Dell 3100cn, and Dell 3000cn with firmware versions prior to A05. NOTE: Other products using the Fuji Xerox Printing Engine may also be affected. SOLUTION: Apply patches. 
Dell 5110cn (firmware versions prior to A01): http://ftp.us.dell.com/printer/R130538.EXE
Dell 3110cn (firmware versions prior to A01): http://ftp.us.dell.com/printer/R130356.EXE
Dell 3010cn (firmware versions prior to A01): http://ftp.us.dell.com/printer/R132075.EXE
Dell 5100cn (firmware versions prior to A05): http://ftp.us.dell.com/printer/R132718.EXE
Dell 3100cn (firmware versions prior to A05): http://ftp.us.dell.com/printer/R132079.EXE
Dell 3000cn (firmware versions prior to A05): http://ftp.us.dell.com/printer/R132368.EXE
PROVIDED AND/OR DISCOVERED BY: Nate Johnson and Sean Krulewitch, Indiana University.
ORIGINAL ADVISORY: https://itso.iu.edu/20060824_FXPS_Print_Engine_Vulnerabilities
Indiana University Security Advisory: Fuji Xerox Printing Systems (FXPS)[1] print engine vulnerabilities
Advisory ID: 20060824_FXPS_Print_Engine_Vulnerabilities[2]
Revisions: 08-24-2006 2350 UTC 1.0 Initial Public Release
Issues:
FTP bounce attack is possible when FTP printing is enabled (CVE-2006-2112)[3]
Embedded HTTP server allows unauthenticated access to system configuration and settings (CVE-2006-2113)[4]
Credit/acknowledgement:
CVE-2006-2112, date of discovery 04-11-2006: Nate Johnson, Lead Security Engineer, Indiana University; Sean Krulewitch, Deputy IT Security Officer, Indiana University
CVE-2006-2113, date of discovery 04-11-2006: Sean Krulewitch, Deputy IT Security Officer, Indiana University
Summary: Certain FXPS print engines contain vulnerabilities that allow a remote attacker to perform FTP bounce attacks through the FTP printing interface or allow unauthenticated access to the embedded HTTP remote user interface. A successful attacker would be able to reset the administrator password but would not be capable of exposing the current password.
Mitigation/workarounds: Disabling FTP printing prevents the FTP bounce attack. Disabling the embedded web server prevents the DoS/unauthorized configuration change attack. Best practice suggests that access controls and network firewall policies be put into place to only allow connections from trusted machines and networks.
Criticality: These vulnerabilities have a combined risk of moderately critical.
Footnotes:
[1] http://www.fxpsc.co.jp/en/
[2] https://itso.iu.edu/20060824_FXPS_Print_Engine_Vulnerabilities
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2112
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2113
[5] http://ftp.us.dell.com/printer/R130538.EXE
[6] http://ftp.us.dell.com/printer/R130356.EXE
[7] http://ftp.us.dell.com/printer/R132075.EXE
[8] http://ftp.us.dell.com/printer/R132718.EXE
[9] http://ftp.us.dell.com/printer/R132079.EXE
[10] http://ftp.us.dell.com/printer/R132368.EXE
All contents are Copyright 2006 The Trustees of Indiana University. All rights reserved.
--
Sean Krulewitch, Deputy IT Security Officer
IT Security Office, Office of the VP for Information Technology, Indiana University
For PGP Key or S/MIME cert: https://www.itso.iu.edu/Sean_Krulewitch
VAR-200608-0339 CVE-2006-4312 Cisco PIX Firewall Vulnerabilities that prevent authentication in the configuration process CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco PIX 500 Series Security Appliances and ASA 5500 Series Adaptive Security Appliances, when running 7.0(x) up to 7.0(5) and 7.1(x) up to 7.1(2.4), and Firewall Services Module (FWSM) 3.1(x) up to 3.1(1.6), cause the EXEC password, local user passwords, and the enable password to be changed to a "non-random value" under certain circumstances, which locks administrators out and might allow attackers to gain access. Cisco PIX Firewall contains a vulnerability in which, when the configuration process is incomplete, the software crashes, or multiple users change the configuration in parallel, the password stored in the startup configuration is changed to a value the user did not intend. The changed password could permit unauthorized access to the target device. Multiple Cisco firewall appliances are prone to an authentication-bypass vulnerability. The vulnerability occurs because the firmware fails to properly handle certain configuration errors, resulting in unintended password changes to specific non-random passwords. This issue allows remote attackers to gain unauthorized access to the affected network appliances with administrative or local user privileges. These issues are tracked by Cisco Bug IDs CSCse02703 and CSCsd81487. Cisco PIX, ASA, and FWSM are very popular firewall devices that provide stateful packet filtering and deep packet inspection. Only two situations can trigger this software bug:
* A software crash, usually caused by a software bug. Note that not all software crashes lead to the undesirable results described above.
* Two or more users making configuration changes simultaneously on the same device.
The vulnerability is triggered regardless of the method used to access the device (Command Line Interface [CLI], Adaptive Security Device Manager [ASDM], Firewall Management Center, etc.).
Note that the password in the startup configuration is changed when the configuration is saved to the stable medium that stores the startup configuration via the write memory or copy running-config startup-config commands. In normal operation, the password in the startup configuration is not changed without saving the running configuration. If an AAA server (RADIUS or TACACS+) is used for authentication, regardless of whether LOCAL authentication is configured as a fallback, a changed password in the startup configuration leads to the undesirable results above only when the AAA server is unavailable. This prevents administrators from logging in to the device if authentication is configured to use a password stored in the startup configuration. If a malicious user is able to guess the new password and the device is restarted, whether automatically after a software crash or manually by a network administrator, unauthorized access to the device is possible.
TITLE: Cisco Firewall Products Unintentional Password Modification
SECUNIA ADVISORY ID: SA21616
VERIFY ADVISORY: http://secunia.com/advisories/21616/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM:
Cisco PIX 7.x http://secunia.com/product/6102/
Cisco Adaptive Security Appliance (ASA) 7.x http://secunia.com/product/6115/
SOFTWARE:
Cisco Firewall Services Module (FWSM) 3.x http://secunia.com/product/8614/
Cisco Firewall Services Module (FWSM) 2.x http://secunia.com/product/5088/
Cisco Firewall Services Module (FWSM) 1.x http://secunia.com/product/2273/
DESCRIPTION: A security issue has been reported in various Cisco Firewall products, which may allow malicious people to bypass certain security restrictions. The error may happen during a software crash or when multiple users configure a device at the same time. This may result in users being locked out or lead to unauthorised access to an affected device.
SOLUTION: Update to a fixed version (see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: The vendor credits Terje Bless, Helse Nord IKT.
VAR-200608-0340 CVE-2006-4313 Cisco VPN 3000 Series Concentrator CWD command execution vulnerability for changing files CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple unspecified vulnerabilities in Cisco VPN 3000 series concentrators before 4.1, 4.1.x up to 4.1(7)L, and 4.7.x up to 4.7(2)F allow attackers to execute the (1) CWD, (2) MKD, (3) CDUP, (4) RNFR, (5) SIZE, and (6) RMD FTP commands to modify files or create and delete directories via unknown vectors. The Cisco VPN 3000 series concentrators are prone to a vulnerability that allows attackers to access arbitrary files. An attacker can exploit this issue to rename and delete arbitrary files on the affected device in the context of the FTP server process. This may facilitate further attacks. The Cisco VPN 3000 Series Concentrators are a general-purpose remote-access virtual private network (VPN) platform, with client software, that combines high availability, performance, and scalability with advanced encryption and authentication technologies to provide services to service providers and enterprise users.
* Change the configuration of the concentrator by renaming or deleting configuration and certificate files through the RNFR and RMD FTP commands.
Note that since none of these vulnerabilities allow unauthorized users to upload or download files from the concentrator, it is not possible to obtain device configurations or upload modified configurations by exploiting them.
TITLE: Cisco VPN 3000 Concentrator FTP Management Vulnerabilities
SECUNIA ADVISORY ID: SA21617
VERIFY ADVISORY: http://secunia.com/advisories/21617/
CRITICAL: Less critical
IMPACT: Security Bypass
WHERE: From local network
OPERATING SYSTEM: Cisco VPN 3000 Concentrator http://secunia.com/product/90/
DESCRIPTION: Two vulnerabilities have been reported in Cisco VPN 3000 Concentrator, which can be exploited by malicious people to bypass certain security restrictions. This can e.g. be exploited to delete configuration files and certificates on the device. Successful exploitation requires that the device has been configured to use FTP as a management protocol (default setting).
The vulnerabilities affect models 3005, 3015, 3020, 3030, 3060, and 3080 running the following versions:
* Any version prior to 4.1
* Any 4.1.x version prior to, and including, 4.1(7)L
* Any 4.7.x version prior to, and including, 4.7(2)F
SOLUTION: Update to version 4.1(7)M or 4.7(2)G.
http://www.cisco.com/pcgi-bin/tablebuild.pl/vpn3000-3des?psrtdcat20e2
Network security best practices recommend restricting access to the FTP service (or disabling it if not needed to manage the VPN 3000 concentrator).
PROVIDED AND/OR DISCOVERED BY: The vendor credits NCC Group.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml
VAR-200608-0326 CVE-2006-4266 Symantec Norton Personal Firewall vulnerability in which a Trojan horse library is added CVSS V2: 3.6
CVSS V3: -
Severity: LOW
Symantec Norton Personal Firewall 2006 9.1.0.33, and possibly earlier, does not properly protect Norton registry keys, which allows local users to provide Trojan horse libraries to Norton by using RegSaveKey and RegRestoreKey to modify HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners, as demonstrated using NISProd.dll. NOTE: in most cases, this attack would not cross privilege boundaries, because modifying the SuiteOwners key requires administrative privileges. However, this issue is a vulnerability because the product's functionality is intended to protect against privileged actions such as this. An attacker may exploit this vulnerability to bypass Norton's registry protection mechanism and modify the 'SuiteOwners' registry entry to load an arbitrary library file. This will likely lead to further attacks. The individual who discovered this issue claims to have tested it on Norton Personal Firewall 2006 version 9.1.0.33. Other versions could also be affected. Norton Internet Security products that include the vulnerable application may also be affected. RETIRED: This BID is being retired; further investigation indicates that the application is not vulnerable to this issue. Norton protects its own registry keys against modification by other applications, but the API functions RegSaveKey and RegRestoreKey can be used to bypass the protection of the registry key HKLM\SOFTWARE\Symantec\CCPD\SuiteOwners. This key also stores some important information, such as NISProd.dll. A malicious application can use RegSaveKey and RegRestoreKey to modify the value in SuiteOwners, causing Norton to load a fake library into its process. Malicious code in the fake library can manipulate any Norton component and bypass all security protections.
VAR-200608-0056 CVE-2006-3506 Xsan Filesystem fails to properly process path names CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Xsan Filesystem driver on Mac OS X 10.4.7 and OS X Server 10.4.7 allows local users with Xsan write access to execute arbitrary code via unspecified vectors related to "processing a path name". A buffer overflow vulnerability in Apple's Xsan product may allow a local attacker to run arbitrary code with root privileges or create a denial-of-service condition. Apple Xsan filesystem is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it into an insufficiently sized buffer. Failed exploit attempts will likely crash the system, denying service to legitimate users.
TITLE: Xsan Filesystem Path Name Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA21551
VERIFY ADVISORY: http://secunia.com/advisories/21551/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE: Xsan Filesystem 1.x http://secunia.com/product/11577/
DESCRIPTION: A vulnerability has been reported in Xsan Filesystem, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to a boundary error in the Xsan Filesystem driver when processing path names and can be exploited to cause a buffer overflow.
SOLUTION: Update to version 1.4.
http://www.apple.com/support/downloads/xsanfilesystem14formacosx104.html
PROVIDED AND/OR DISCOVERED BY: The vendor credits Andrew Wellington, Australian National University.
ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=304188
VAR-200608-0522 CVE-2006-4143 Netgear FVG318 Wireless Router Error Checksum TCP Packet Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Netgear FVG318 running firmware 1.0.40 allows remote attackers to cause a denial of service (router reset) via TCP packets with bad checksums. Netgear FVG318 wireless routers are prone to a remote denial-of-service vulnerability. Exploiting this issue may permit an attacker to crash affected devices, denying further network services to legitimate users. Firmware version 1.0.40 is vulnerable; other versions may also be affected.
VAR-200608-0515 CVE-2006-4026 SAPID CMS PHP remote file inclusion vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
PHP remote file inclusion vulnerability in SAPID CMS 123 rc3 allows remote attackers to execute arbitrary PHP code via a URL in the (1) root_path parameter in usr/extensions/get_infochannel.inc.php and the (2) GLOBALS["root_path"] parameter in usr/extensions/get_tree.inc.php. The affected parameters are (1) the root_path parameter of usr/extensions/get_infochannel.inc.php and (2) the GLOBALS["root_path"] parameter of usr/extensions/get_tree.inc.php. Multiple SAPID applications are prone to multiple remote file-include vulnerabilities. These may facilitate a compromise of the application and the underlying system; other attacks are also possible.
TITLE: SAPID CMS "root_path" File Inclusion Vulnerability
SECUNIA ADVISORY ID: SA21410
VERIFY ADVISORY: http://secunia.com/advisories/21410/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE: SAPID CMS 1.x http://secunia.com/product/6323/
DESCRIPTION: Simo64 has discovered some vulnerabilities in SAPID CMS, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "root_path" parameter in usr/extensions/get_infochannel.inc.php and usr/extensions/get_tree.inc.php is not properly verified before being used to include files. Successful exploitation requires that "register_globals" is enabled. The vulnerabilities have been confirmed in version 1.2.3 Stable and 1.2.3 RC3. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly verified.
PROVIDED AND/OR DISCOVERED BY: Simo64
VAR-200703-0270 CVE-2006-7065 Microsoft Internet Explorer 6 and 7 denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Microsoft Internet Explorer allows remote attackers to cause a denial of service (crash) via an IFRAME with a certain XML file and XSL stylesheet that triggers a crash in mshtml.dll when a refresh is called, probably a null pointer dereference. Microsoft Internet Explorer is prone to a denial-of-service vulnerability when handling malicious HTML files. Successfully exploiting this issue allows attackers to consume excessive CPU resources in the affected browser and eventually crash Internet Explorer, resulting in a denial of service.
VAR-200610-0506 CVE-2006-5202 Linksys WRT54G routers do not properly validate user credentials

Related entries in the VARIoT exploits database: VAR-E-200803-0228
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Linksys WRT54g firmware 1.00.9 does not require credentials when making configuration changes, which allows remote attackers to modify arbitrary configurations via a direct request to Security.tri, as demonstrated using the SecurityMode and layout parameters, a different issue than CVE-2006-2559. Linksys WRT54G routers do not properly validate user credentials before allowing configuration changes. This is a different vulnerability from CVE-2006-2559. A third party may change any setting through a direct request to Security.tri. Linksys WRT54GS is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes to its configuration settings without requiring authentication. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device. This issue is reported to affect firmware version 1.00.9; other firmware versions may also be affected. Linksys WRT54GS is a wireless router device that combines several functions.
TITLE: Linksys WRT54G Configuration Manipulation and Request Forgery
SECUNIA ADVISORY ID: SA21372
VERIFY ADVISORY: http://secunia.com/advisories/21372/
CRITICAL: Less critical
IMPACT: Hijacking, Manipulation of data
WHERE: From remote
OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/
DESCRIPTION: Ginsu Rabbit has reported a vulnerability and a security issue in Linksys WRT54G, which can be exploited by malicious people to conduct cross-site request forgery attacks and manipulate the configuration.
disable wireless security).
2) An error exists in the web interface caused due to the device allowing users to change the router configuration via HTTP requests without performing any validity checks to verify the user's request.
SOLUTION: Filter traffic to affected devices and do not visit untrusted web sites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY: Ginsu Rabbit
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048495.html
VAR-200608-0067 CVE-2006-4194 Cisco PIX SIP unauthorized UDP port forwarding vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Cisco PIX 500 Series Security Appliances allows remote attackers to send arbitrary UDP packets to intranet devices via unspecified vectors involving Session Initiation Protocol (SIP) fixup commands, a different issue than CVE-2006-4032. NOTE: the vendor, after working with the researcher, has been unable to reproduce the issue. Cisco PIX is reportedly prone to an unauthorized UDP port-forwarding vulnerability. Attackers may exploit this issue to forward UDP datagrams to arbitrary hosts protected by affected firewall devices, potentially bypassing firewall rules. This may aid attackers in further attacks against computers protected by affected firewall devices. This BID will be updated as further information becomes available.
VAR-200608-0396 CVE-2006-4082 Barracuda Spam Firewall contains hardcoded default login credentials CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Barracuda Spam Firewall (BSF), possibly 3.3.03.053, contains a hardcoded password for the admin account for logins from 127.0.0.1 (localhost), which allows local users to gain privileges. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that cannot be modified by an administrator. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. The use of a hard-coded password for the administrator account when logging in locally could allow an attacker to gain access.
TITLE: Barracuda Spam Firewall Information Disclosure and Default Account
SECUNIA ADVISORY ID: SA21258
VERIFY ADVISORY: http://secunia.com/advisories/21258/
CRITICAL: Less critical
IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information
WHERE: From local network
OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/
DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information.
1) Input passed to the "file" parameter in preview_email.cgi is not properly verified before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs).
Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file]
Successful exploitation requires that the user has been authenticated.
2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information.
A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files.
The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. Prior versions may also be affected.
SOLUTION: Update to firmware version 3.3.0.54.
PROVIDED AND/OR DISCOVERED BY: Greg Sinclair
VAR-200710-0029 CVE-2007-5450 Apple iPod touch and iPhone Safari denial of service (DoS) vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Safari on the Apple iPod touch (aka iTouch) and iPhone 1.1.1 allows user-assisted remote attackers to cause a denial of service (application crash), and enable filesystem browsing by the local user, via a certain TIFF file. Safari is prone to a denial-of-service vulnerability. The iPod touch (also known as iTouch) is an MP4 player released by Apple, and the iPhone is a smartphone released by Apple. There is a vulnerability in the Safari browser of the iPod touch when processing malformed TIFF images. Attackers may use this vulnerability to control the user's system. If a user is tricked into viewing a specially crafted TIFF image using the Safari browser embedded in the above products, a buffer overflow may be triggered, resulting in denial of service or execution of arbitrary commands.
TITLE: Apple iPod touch / iPhone TIFF Image Processing Vulnerability
SECUNIA ADVISORY ID: SA27213
VERIFY ADVISORY: http://secunia.com/advisories/27213/
CRITICAL: Highly critical
IMPACT: DoS, System access
WHERE: From remote
OPERATING SYSTEM:
Apple iPhone 1.x http://secunia.com/product/15128/
Apple iPod touch 1.x http://secunia.com/product/16074/
DESCRIPTION: A vulnerability has been reported in Apple iPod touch and Apple iPhone, which potentially can be exploited by malicious people to compromise a vulnerable device.
The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser.
The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected.
This may be related to:
SA21304
SOLUTION:
Do not browse untrusted web sites and do not open untrusted TIFF images.
PROVIDED AND/OR DISCOVERED BY:
Niacin
ORIGINAL ADVISORY:
http://www.toc2rta.com/?q=node/22
OTHER REFERENCES:
SA21304:
http://secunia.com/advisories/21304/
----------------------------------------------------------------------
Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package.
----------------------------------------------------------------------
Successful exploitation allows crashing applications linked against libTIFF and may also allow execution of arbitrary code.
PROVIDED AND/OR DISCOVERED BY:
Tavis Ormandy, Google Security Team.
For more information:
SA21304
SOLUTION:
Apply updated packages
VAR-200608-0476 CVE-2006-4032 Cisco IOS CME Session Initiation Protocol (SIP) vulnerability allows disclosure of sensitive information from the user directory CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Cisco IOS CallManager Express (CME) allows remote attackers to gain sensitive information (user names) from the Session Initiation Protocol (SIP) user directory via certain SIP messages, aka bug CSCse92417. Cisco CallManager Express is prone to an information-disclosure vulnerability because the application fails to protect sensitive data from an attacker. An attacker could exploit this issue to retrieve potentially sensitive information that may aid in further attacks.
----------------------------------------------------------------------
TITLE:
Cisco CallManager Express SIP User Directory Disclosure
SECUNIA ADVISORY ID:
SA21335
VERIFY ADVISORY:
http://secunia.com/advisories/21335/
CRITICAL:
Not critical
IMPACT:
Exposure of sensitive information
WHERE:
From local network
SOFTWARE:
Cisco CallManager Express 3.x
http://secunia.com/product/11230/
DESCRIPTION:
A weakness has been reported in Cisco CallManager Express, which can be exploited by malicious people to disclose potentially sensitive information.
This can be exploited to disclose the names of the users in the SIP user database by sending specially crafted SIP messages.
SOLUTION:
The vendor recommends implementing the VoIP (Voice over Internet Protocol) infrastructure and data devices on separate VLANs according to best security practices.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Dave Endler and Mark Collier.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sr-20060802-sip.shtml
VAR-200608-0511 CVE-2006-4022 Drivers for the Intel 2100 PRO/Wireless Network Connection Hardware contain a memory corruption vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Intel 2100 PRO/Wireless Network Connection driver PROSet before 7.1.4.6 allows local users to corrupt memory and execute code via "requests for capabilities from higher-level protocol drivers or user-level applications" involving crafted frames, a different issue than CVE-2006-3992. Microsoft Windows drivers for Intel 2100 PRO/Wireless Network Connection Hardware contain a memory corruption vulnerability. This vulnerability may allow an attacker to execute arbitrary code on a vulnerable system. Intel PRO/Wireless 2100 versions prior to 7.1.4.6 with driver version 1.2.4.37 for Windows are vulnerable.
VAR-200608-0200 CVE-2006-3992 Intel Centrino wireless network drivers fail to properly handle malformed frames CVSS V2: 5.1
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the Centrino (1) w22n50.sys, (2) w22n51.sys, (3) w29n50.sys, and (4) w29n51.sys Microsoft Windows drivers for Intel 2200BG and 2915ABG PRO/Wireless Network Connection before 10.5 with driver 9.0.4.16 allows remote attackers to execute arbitrary code via certain frames that trigger memory corruption. Microsoft Windows drivers for Intel Centrino wireless adapters fail to properly handle malformed frames. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory and execute code with kernel-level privileges. A successful attack can result in a complete compromise of the affected computer. Intel PRO/Wireless 2200BG and 2915ABG versions prior to 10.5 with driver version 9.0.4.16 for Windows are vulnerable.