VARIoT IoT vulnerabilities database
VAR-200512-0273 | CVE-2005-3653 | CA iTechnology iGateway Service negative Content-Length Field value buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the iGateway service for various Computer Associates (CA) iTechnology products, in iTechnology iGateway before 4.0.051230, allows remote attackers to execute arbitrary code via an HTTP request with a negative Content-Length field.
The attacker can trigger the vulnerability by supplying a negative HTTP Content-Length value and a large URI to the service.
A successful attack can result in corrupting process memory and the execution of arbitrary code with SYSTEM privileges on Windows platforms. The vendor has reported that this issue triggers only a denial-of-service condition on other platforms.
Products containing iGateway versions earlier than 4.0.051230 are vulnerable to this issue. iTechnology is an integrated technology that provides standard Web service interfaces for third-party products. A heap overflow vulnerability exists in iTechnology's processing of HTTP request headers. The iGateway service listens for standard HTTP or SSL connections on port 5250 and does not properly handle negative HTTP Content-Length values. iGateway parses the Content-Length header value of the HTTP request and passes it directly to the malloc() heap allocation call, so a negative value causes the allocation to return an undersized buffer. After the malloc() call, the service memcpy()s the supplied URI into that buffer, overflowing it on the heap.
TITLE:
CA Products iGateway Service Content-Length Buffer Overflow
SECUNIA ADVISORY ID:
SA18591
VERIFY ADVISORY:
http://secunia.com/advisories/18591/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From local network
SOFTWARE:
BrightStor ARCserve Backup 11.x
http://secunia.com/product/312/
BrightStor ARCserve Backup 11.x (for Windows)
http://secunia.com/product/3099/
BrightStor ARCserve Backup 9.x
http://secunia.com/product/313/
BrightStor ARCserve Backup for Laptops & Desktops 11.x
http://secunia.com/product/5906/
BrightStor Enterprise Backup 10.x
http://secunia.com/product/314/
BrightStor Process Automation Manager 11.x
http://secunia.com/product/5908/
BrightStor Storage Resource Manager 11.x
http://secunia.com/product/5909/
BrightStor Storage Resource Manager 6.x
http://secunia.com/product/5910/
CA Advantage Data Transformer 2.x
http://secunia.com/product/5904/
CA AllFusion Harvest Change Manager 7.x
http://secunia.com/product/5905/
CA BrightStor Portal 11.x
http://secunia.com/product/5577/
CA BrightStor SAN Manager 11.x
http://secunia.com/product/5576/
CA eTrust Admin 8.x
http://secunia.com/product/5584/
CA eTrust Audit 1.x
http://secunia.com/product/5911/
CA eTrust Audit 8.x
http://secunia.com/product/5912/
CA eTrust Identity Minder 8.x
http://secunia.com/product/5913/
CA Unicenter Service Fulfillment 2.x
http://secunia.com/product/5942/
eTrust Secure Content Manager (SCM)
http://secunia.com/product/3391/
DESCRIPTION:
Erika Mendoza has reported a vulnerability in various CA products,
which can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to a boundary error in the handling
of HTTP data in the iGateway component.
SOLUTION:
Update the iGateway component to version 4.0.051230 or later.
ftp://ftp.ca.com/pub/iTech/downloads/
PROVIDED AND/OR DISCOVERED BY:
Erika Mendoza
ORIGINAL ADVISORY:
Computer Associates:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778
iDEFENSE:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
Please see below for important changes to CAID 33778 (aka CVE-2005-3653;
OSVDB 22688; X-Force 24269; SecurityTracker Alert ID 1015526).
Changelog is near end of advisory.
Regards,
Ken Williams
Title: CAID 33778 - CA iGateway Content-Length Buffer Overflow
Vulnerability [v1.1]
CA Vulnerability ID: 33778
CA Advisory Date: 2006-01-23
Updated Advisory [v1.1]: 2006-01-26
Discovered By: Erika Mendoza reported this issue to iDefense.
Mitigating Factors: None.
Severity: CA has given this vulnerability a Medium risk rating.
Affected Technologies: Please note that the iGateway component is
not a product, but rather a common component that is included
with multiple products. The iGateway component is included in
the following CA products, which are consequently potentially
vulnerable.
Affected Products:
BrightStor ARCserve Backup r11.5
BrightStor ARCserve Backup r11.1
BrightStor ARCserve Backup for Windows r11
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
BrightStor ARCserve Backup Laptop & Desktop r11.1
BrightStor ARCserve Backup Laptop & Desktop r11
BrightStor Process Automation Manager r11.1
BrightStor SAN Manager r11.1
BrightStor SAN Manager r11.5
BrightStor Storage Resource Manager r11.5
BrightStor Storage Resource Manager r11.1
BrightStor Storage Resource Manager 6.4
BrightStor Storage Resource Manager 6.3
BrightStor Portal 11.1
Note to BrightStor Storage Resource Manager and BrightStor Portal
users: In addition to the application servers where these products
are installed, all hosts that have iSponsors deployed to them for
managing applications like Veritas Volume Manager and Tivoli TSM
are also affected by this vulnerability.
eTrust Products:
eTrust Audit 1.5 SP2 (iRecorders and ARIES)
eTrust Audit 1.5 SP3 (iRecorders and ARIES)
eTrust Audit 8.0 (iRecorders and ARIES)
eTrust Admin 8.1
eTrust Identity Minder 8.0
eTrust Secure Content Manager (SCM) R8
eTrust Integrated Threat Management (ITM) R8
eTrust Directory, R8.1 (Web Components Only)
Unicenter Products:
Unicenter CA Web Services Distributed Management R11
Unicenter AutoSys JM R11
Unicenter Management for WebLogic / Management for WebSphere R11
Unicenter Service Delivery R11
Unicenter Service Level Management (USLM) R11
Unicenter Application Performance Monitor R11
Unicenter Service Desk R11
Unicenter Service Desk Knowledge Tools R11
Unicenter Asset Portfolio Management R11
Unicenter Service Metric Analysis R11
Unicenter Service Catalog/Assure/Accounting R11
Unicenter MQ Management R11
Unicenter Application Server Management R11
Unicenter Web Server Management R11
Unicenter Exchange Management R11
Affected platforms:
AIX, HP-UX, Linux Intel, Solaris, and Windows
Status and Recommendation:
Customers with vulnerable versions of the iGateway component
should upgrade to the current version of iGateway (4.0.051230 or
later), which is available for download from the following
locations:
http://supportconnect.ca.com/
ftp://ftp.ca.com/pub/iTech/downloads/
Determining the version of iGateway:
To determine the version numbers of the iGateway components:
Go to the igateway directory:
On Windows, this is %IGW_LOC%
Default path for v3.*: C:\Program Files\CA\igateway
Default path for v4.*:
C:\Program Files\CA\SharedComponents\iTechnology
On UNIX,
Default path for v3.*: /opt/CA/igateway
Default path for v4.*: the install directory path is contained in
opt/CA/SharedComponents/iTechnology.location.
The default path is /opt/CA/SharedComponents/iTechnology
Look at the <Version> element in igateway.conf.
The versions are affected by this vulnerability if you see
a value LESS THAN the following:
<Version>4.0.051230</Version> (note the format of v.s.YYMMDD)
References:
(note that URLs may wrap)
CA SupportConnect:
http://supportconnect.ca.com/
http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp
CAID: 33778
CAID Advisory link:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778
CVE Reference: CVE-2005-3653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3653
OSVDB Reference: OSVDB-22688
http://osvdb.org/22688
iDefense Reference:
Computer Associates iTechnology iGateway Service Content-Length
Buffer Overflow
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376
Changelog:
v1.0 - Initial Release
v1.1 - Removed several unaffected technologies; added more
reference links.
Customers who require additional information should contact CA
Technical Support at http://supportconnect.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln@ca.com, or contact me directly.
If you discover a vulnerability in CA products, please report
your findings to vuln@ca.com, or utilize our "Submit a
Vulnerability" form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx
Regards,
Ken Williams ; 0xE2941985
Dir. of CA Vulnerability Research Team
CA, One Computer Associates Plaza. Islandia, NY 11749
Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA. All rights reserved
VAR-200512-0918 | CVE-2005-4723 | Multiple D-Link Products IP Packet Reassembly Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
D-Link DI-524 Wireless Router, DI-624 Wireless Router, and DI-784 allow remote attackers to cause a denial of service (device reboot) via a series of crafted fragmented UDP packets, possibly involving a missing fragment. D-Link is an internationally known provider of network equipment and solutions; its products include a range of routers.
Multiple D-Link wireless access routers are affected by a denial of service vulnerability. Remote attackers may exploit it to conduct denial of service attacks against the devices.
If an attacker sends the following three fragmented UDP packets in sequence, the device restarts:
The IP header of all three packets must carry the same Identification value.
Packet 1:
The MORE_FRAGMENTS flag must be set to 1 (IP_MF)
Fragment offset = 0
The payload is 8 bytes long. The proof-of-concept used null bytes.
Packet 2:
MORE_FRAGMENTS flag set to 1 (0x2002)
Fragment offset = 16
The payload is 8 bytes long.
Packet 3:
MORE_FRAGMENTS flag set to 0 (0x0003)
Fragment offset = 24
The payload is 8 bytes long.
Upon receiving the packets above, the affected router immediately terminates all current connections. The DI-524 takes about 1 minute to restart and restore connectivity; the DI-624 takes about 30 seconds. This issue is due to a flaw in the affected devices that causes them to fail when attempting to reassemble certain IP packets.
D-Link DI-524, DI-624, and DI-784 devices are affected by this issue. Because of code reuse among routers, other devices may also be affected.
US Robotics USR8054 devices are reportedly also affected. D-Link is a network company founded by the Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband, wireless and voice network equipment.
TITLE:
D-Link Wireless Access Point Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA18833
VERIFY ADVISORY:
http://secunia.com/advisories/18833/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
D-Link DI-784
http://secunia.com/product/8029/
D-Link DI-624
http://secunia.com/product/3660/
D-Link DI-524
http://secunia.com/product/8028/
DESCRIPTION:
Aaron Portnoy and Keefe Johnson have reported a vulnerability in
D-Link Wireless Access Point, which potentially can be exploited by
malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the handling of
fragmented UDP packets.
The vulnerability has been reported in the following products:
* D-Link DI-524 Wireless Router (firmware version 3.20 August 18,
2005).
* D-Link DI-624 Wireless Router.
* D-Link DI-784.
SOLUTION:
The vulnerability has reportedly been fixed in the latest firmware.
PROVIDED AND/OR DISCOVERED BY:
Aaron Portnoy and Keefe Johnson
ORIGINAL ADVISORY:
http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt
VAR-200512-0320 | CVE-2005-4825 | Secure Smart Manager Cisco Clean Access Denial of service attack vulnerability |
CVSS V2: 5.7 CVSS V3: - Severity: MEDIUM |
Cisco Clean Access 3.5.5 and earlier on the Secure Smart Manager allows remote attackers to bypass authentication and cause a denial of service (disk consumption), or make unauthorized files accessible, by uploading files through requests to certain JSP scripts, a related issue to CVE-2005-4332. Cisco Clean Access (CCA) is prone to a denial-of-service vulnerability.
VAR-200512-0321 | CVE-2005-4826 | Multiple Cisco switch VLAN Relay Protocol Message Handling Denial of Service Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the VLAN Trunking Protocol (VTP) feature in Cisco IOS 12.1(22)EA3 on Catalyst 2950T switches allows remote attackers to cause a denial of service (device reboot) via a crafted Subset-Advert message packet, a different issue than CVE-2006-4774, CVE-2006-4775, and CVE-2006-4776. The VLAN Trunking Protocol (VTP) is Cisco's proprietary protocol for centralized management of VLANs.
A malformed VTP packet may cause some switch devices to reload. To exploit this vulnerability, however, an attacker must know the VTP domain name and send the malformed VTP packet to a port configured for trunking on the switch. Multiple Cisco switches are prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause affected devices to restart, effectively denying service to legitimate users.
TITLE:
Cisco IOS VTP Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA23892
VERIFY ADVISORY:
http://secunia.com/advisories/23892/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/product/182/
Cisco IOS R12.x
http://secunia.com/product/50/
DESCRIPTION:
David Barroso Berrueta and Alfredo Andres Omella have reported a
vulnerability in Cisco IOS, which can be exploited by malicious
people to cause a DoS (Denial of Service). This can be
exploited to cause a device to reload by sending a specially crafted
VTP packet.
Successful exploitation requires knowledge of the VTP domain name and
the port that is configured for trunking.
PROVIDED AND/OR DISCOVERED BY:
Alfredo Andres Omella and David Barroso Berrueta, S21SEC
ORIGINAL ADVISORY:
Cisco Advisory:
http://www.cisco.com/en/US/products/products_security_response09186a00807d1a81.html
S21SEC Advisory:
http://www.s21sec.com/es/avisos/s21sec-034-en.txt
VAR-200512-0301 | CVE-2005-3714 | Apple AirPort Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The network interface for Apple AirPort Express 6.x before Firmware Update 6.3, and AirPort Extreme 5.x before Firmware Update 5.7, allows remote attackers to cause a denial of service (unresponsive interface) via malformed packets. The Apple AirPort device is a wireless access point that provides 802.11 services to network clients.
A denial of service vulnerability exists in Apple AirPort. A malicious network attacker can send a specially crafted message, causing the network interface of the AirPort base station to stop responding. This occurs when the device handles malformed packets.
Specific details regarding this issue are not currently known. This record will be updated when more information becomes available.
AirPort Express firmware versions prior to 6.3 and AirPort Extreme firmware versions prior to 5.7 are vulnerable.
The vulnerability is caused due to an unspecified error in the base
station when handling certain network packets.
SOLUTION:
Apply updated firmware.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=303072
Credit to Michael Zanetta of NETwork Security Consortium for reporting this issue.
VAR-200512-0384 | CVE-2005-4812 | SISCO OSI stack fails to properly validate packets |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The SISCO OSI stack for Windows, as used by MMS-EASE 7.10 and earlier, AX-S4 MMS 5.01 and earlier, AX-S4 ICCP 3.0103 and earlier, and the ICCP Toolkit for MMS-EASE 4.10 and earlier, allows remote attackers to cause a denial of service (process crash) via certain network traffic, as demonstrated using a Nessus scan. A vulnerability exists in the SISCO OSI stack for Windows. If successfully exploited, an attacker could cause a denial-of-service condition. The Inter-control Center Communications Protocol (ICCP) is a protocol for communicating data in the control center of a SCADA network. A remote attacker can exploit the vulnerability to perform a denial of service attack on the service. The SISCO OSI stack on the Windows platform incorrectly handles malformed packets, and remote unauthenticated users can perform denial of service attacks on services.
This issue allows remote, unauthenticated attackers to crash affected applications, denying further service to legitimate users.
TITLE:
SISCO OSI Stack Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA22047
VERIFY ADVISORY:
http://secunia.com/advisories/22047/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
SISCO MMS-EASE 7.x
http://secunia.com/product/12072/
SISCO ICCP Toolkit for MMS-EASE 4.x
http://secunia.com/product/12073/
SISCO AX-S4 MMS 5.x
http://secunia.com/product/12071/
SISCO AX-S4 ICCP 3.x
http://secunia.com/product/12070/
DESCRIPTION:
A vulnerability has been reported in various SISCO products, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
SISCO:
http://www.sisconet.com/downloads/NESSUS_Vulnerability_Announcement.pdf
OTHER REFERENCES:
US-CERT VU#468798:
http://www.kb.cert.org/vuls/id/468798
VAR-200512-1016 | CVE-2005-4625 | Driver Denial of Service Attack Vulnerabilities in Certain Display Adapters |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Drivers for certain display adapters, including (1) an unspecified ATI driver and (2) an unspecified Intel driver, might allow remote attackers to cause a denial of service (system crash) via a large JPEG image, as demonstrated in Internet Explorer using stoopid.jpg with a width and height of 9999999. Display Adapter Driver is prone to a denial-of-service vulnerability
VAR-200512-0642 | CVE-2005-0985 | Mac OS X Unknown vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in the Mac OS X kernel before 10.3.8 allows local users to cause a denial of service (temporary hang) via unspecified attack vectors related to the fan control unit (FCU) driver. There is an unknown vulnerability in the Mac OS X kernel before 10.3.8.
VAR-200512-0638 | CVE-2005-3782 | Mac OS X Bypass login to restart system vulnerabilities |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Mac OS X 10.4.3 up to 10.4.6, when loginwindow uses the "Name and password" setting, and the "Show the Restart, Sleep, and Shut Down buttons" option is disabled, allows users with physical access to bypass login and reboot the system by entering ">restart", ">power", or ">shutdown" sequences after the username. Apple Mac OS X Server is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
VAR-200512-0643 | CVE-2005-2340 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field. Apple's QuickTime is a player for files and streaming media in a variety of different formats. QuickTime is prone to a remote heap-based overflow vulnerability.
This issue presents itself when the application processes a specially crafted QTIF (QuickTime Image) file.
A successful attack can result in a remote compromise. Apple QuickTime is prone to a buffer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data before copying it to finite-sized process buffers. Unsuccessful exploit attempts will most likely crash the application.
This issue affects QuickTime 6.5.2 and 7.0.3; other versions may also be vulnerable. QuickTime 7.0.4 may also be vulnerable, but this has not been confirmed.
This issue may have previously been discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities). When processing the data field of a QTIF file, QuickTime copies it to the stack byte by byte without a proper bounds check, causing a stack overflow. The original function pointer value is 0x44332211. Overflowing it to 0x08332211, while ensuring nothing crashes before the 0x44 byte is overwritten with 0x08, results in code execution.
National Cyber Alert System
Technical Cyber Security Alert TA06-011A
Apple QuickTime Vulnerabilities
Original release date: January 11, 2006
Last revised: January 11, 2006
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows XP
* Microsoft Windows 2000
Overview
Apple has released QuickTime 7.0.4 to correct multiple
vulnerabilities. The impacts of these vulnerabilities include
execution of arbitrary code and denial of service.
I.
(CAN-2005-3713)
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands
and denial of service.
III. Solution
Upgrade
Upgrade to QuickTime 7.0.4.
Appendix A. References
* US-CERT Vulnerability Note VU#629845 -
<http://www.kb.cert.org/vuls/id/629845>
* US-CERT Vulnerability Note VU#921193 -
<http://www.kb.cert.org/vuls/id/921193>
* US-CERT Vulnerability Note VU#115729 -
<http://www.kb.cert.org/vuls/id/115729>
* US-CERT Vulnerability Note VU#150753 -
<http://www.kb.cert.org/vuls/id/150753>
* US-CERT Vulnerability Note VU#913449 -
<http://www.kb.cert.org/vuls/id/913449>
* CVE-2005-2340 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>
* CVE-2005-4092 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>
* CVE-2005-3707 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>
* CVE-2005-3710 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>
* CVE-2005-3713 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>
* Security Content for QuickTime 7.0.4 -
<http://docs.info.apple.com/article.html?artnum=303101>
* QuickTime 7.0.4 -
<http://www.apple.com/support/downloads/quicktime704.html>
* About the Mac OS X 10.4.4 Update (Delta) -
<http://docs.info.apple.com/article.html?artnum=302810>
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
Produced 2006 by US-CERT, a government organization.
Revision History
January 11, 2006: Initial release
VAR-200512-0298 | CVE-2005-3711 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a TIFF image file with modified (1) "strips" (StripByteCounts) or (2) "bands" (StripOffsets) values. Apple's QuickTime is a player for files and streaming media in a variety of different formats.
A successful attack can result in a remote compromise.
NOTE: This issue was previously discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities), but has been assigned its own record to better document the vulnerability. Apple QuickTime is prone to multiple remote code-execution vulnerabilities.
These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats.
Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access.
Versions prior to QuickTime 7.0.4 are vulnerable.
TITLE:
QuickTime Multiple Image/Media File Handling Vulnerabilities
SECUNIA ADVISORY ID:
SA18370
VERIFY ADVISORY:
http://secunia.com/advisories/18370/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.
1) A boundary error in the handling of QTIF images can be exploited
to cause a heap-based buffer overflow. This may allow arbitrary code
execution when a malicious QTIF image is viewed.
2) Some boundary and integer overflow/underflow errors in the
handling of TGA images can be exploited to cause a buffer overflow.
3) An integer overflow error exists in the handling of TIFF images.
This can potentially be exploited to execute arbitrary code when a
malicious TIFF image is viewed.
4) A boundary error in the handling of GIF images can be exploited to
cause a heap-based buffer overflow. This may allow
arbitrary code execution when a malicious media file is viewed.
The vulnerabilities affect both the Mac OS X and the Windows
platforms.
SOLUTION:
Update to version 7.0.4.
Mac OS X (version 10.3.9 or later):
http://www.apple.com/support/downloads/quicktime704.html
Windows 2000/XP:
http://www.apple.com/quicktime/download/win.html
PROVIDED AND/OR DISCOVERED BY:
1) Varun Uppal, Kanbay.
2-3) Dejun Meng, Fortinet.
4-5) Karl Lynn, eEye Digital Security.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=303101
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
This is due to the application's failure to sanitize the
StripByteCounts parameter while parsing TIFF image files. A remote
attacker could construct a web page with a specially crafted TIFF file
and entice a victim to view it; when the user opens the TIFF image with
Internet Explorer or Apple QuickTime Player, it causes a memory access
violation, potentially leading to arbitrary command execution.
Impact : Execute arbitrary code
Solution : Apple Computers has released a security update for this
vulnerability, which is available for download from Apple's web site
under security update.
Fortinet Protection: Fortinet is protecting networks from this
vulnerability with the latest IPS update.
Acknowledgment : Dejun Meng of the Fortinet Security Research team found
this vulnerability.
VAR-200512-0297 | CVE-2005-3710 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a TIFF image file with modified image height and width (ImageWidth) tags. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple has released QuickTime 7.0.4, which fixes multiple vulnerabilities. A remote third party may execute arbitrary code or cause a DoS. For more information, see the information provided by the vendor. QuickTime is prone to a remote integer-overflow vulnerability.
This issue presents itself when the application processes a specially crafted TIFF file.
A successful attack can result in a remote compromise.
Versions prior to QuickTime 7.0.4 are vulnerable.
Fortinet Security Advisory: FSA-2006-03
Apple QuickTime Player ImageWidth Denial of Service Vulnerability
Advisory Date : January 12, 2006
Reported Date : November 28, 2005
Vendor : Apple computers
Affected Products : Apple QuickTime Player v7.0.3
Severity : Medium
Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710
http://docs.info.apple.com/article.html?artnum=303101
http://www.securityfocus.com/bid/16202/info
Description : Fortinet Security Research Team (FSRT) has
discovered a Denial of Service Vulnerability in the Apple QuickTime
Player. This is due to the application's failure to sanitize the
ImageWidth parameter value while parsing TIFF image files.
Impact : Denial of Service
Solution : Apple Computers has released a security update for
this vulnerability, which is available for download from Apple's web
site under security update.
Fortinet Protection: Fortinet is protecting networks from this
vulnerability with the latest IPS update.
Acknowledgment : Dejun Meng of the Fortinet Security Research team found
this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-011A
Apple QuickTime Vulnerabilities
Original release date: January 11, 2006
Last revised: January 11, 2006
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows XP
* Microsoft Windows 2000
Overview
Apple has released QuickTime 7.0.4 to correct multiple
vulnerabilities. The impacts of these vulnerabilities include
execution of arbitrary code and denial of service.
I. Description
Apple QuickTime 7.0.4 resolves a number of image and media file
handling vulnerabilities.
(CAN-2005-3713)
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands
and denial of service.
III. Solution
Upgrade
Upgrade to QuickTime 7.0.4.
Appendix A. References
* US-CERT Vulnerability Note VU#629845 -
<http://www.kb.cert.org/vuls/id/629845>
* US-CERT Vulnerability Note VU#921193 -
<http://www.kb.cert.org/vuls/id/921193>
* US-CERT Vulnerability Note VU#115729 -
<http://www.kb.cert.org/vuls/id/115729>
* US-CERT Vulnerability Note VU#150753 -
<http://www.kb.cert.org/vuls/id/150753>
* US-CERT Vulnerability Note VU#913449 -
<http://www.kb.cert.org/vuls/id/913449>
* CVE-2005-2340 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>
* CVE-2005-4092 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>
* CVE-2005-3707 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>
* CVE-2005-3710 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>
* CVE-2005-3713 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>
* Security Content for QuickTime 7.0.4 -
<http://docs.info.apple.com/article.html?artnum=303101>
* QuickTime 7.0.4 -
<http://www.apple.com/support/downloads/quicktime704.html>
* About the Mac OS X 10.4.4 Update (Delta) -
<http://docs.info.apple.com/article.html?artnum=302810>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 11, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj
34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey
AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/
HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL
osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy
0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw==
=5Kiq
-----END PGP SIGNATURE-----
VAR-200512-0294 | CVE-2005-3707 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via crafted TGA image files. Apple's QuickTime is a player for files and streaming media in a variety of different formats. For more information, see the information provided by the vendor. QuickTime is prone to a remote buffer-overflow vulnerability.
This issue presents itself when the application processes a specially crafted TGA image file.
A successful attack can result in a remote compromise.
Versions prior to QuickTime 7.0.4 are vulnerable.
Fortinet Security Advisory: FSA-2006-04
Apple QuickTime Player Improper Memory Access Vulnerability
Advisory Date : January 12, 2006
Reported Date : November 28, 2005
Vendor : Apple computers
Affected Products : Apple QuickTime Player v7.0.3
Severity : High
Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707
http://docs.info.apple.com/article.html?artnum=303101
http://www.securityfocus.com/bid/16202/info
Description : Fortinet Security Research Team (FSRT) has
discovered an Improper Memory Access Vulnerability in the Apple QuickTime
Player.
Impact : Execute arbitrary code
Solution : Apple Computers has released a security update for
this vulnerability, which is available for download from Apple's web
site under security update.
Fortinet Protection: Fortinet is protecting networks from this
vulnerability with the latest IPS update.
Acknowledgment : Dejun Meng of the Fortinet Security Research team found
this vulnerability.
Disclaimer : Although Fortinet has attempted to provide accurate
information in these materials, Fortinet assumes no legal responsibility
for the accuracy or completeness of the information. Please note that
Fortinet's product information does not constitute or contain any
guarantee, warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-200512-0295 | CVE-2005-3708 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via crafted TGA image files. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple QuickTime is prone to multiple remote code-execution vulnerabilities.
These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats.
Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access.
Versions prior to QuickTime 7.0.4 are vulnerable.
A successful attack can result in a remote compromise.
NOTE: This issue was previously discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities), but has been assigned its own record to better document the vulnerability.
This is due to the application's failure to sanitize the
ImageWidth parameter value while parsing TGA image files.
Impact : Execute arbitrary code
Solution : Apple Computers has released a security update for
this vulnerability, which is available for download from Apple's web
site under security update.
Fortinet Protection: Fortinet is protecting networks from this
vulnerability with the latest IPS update.
Acknowledgment : Dejun Meng of the Fortinet Security Research team found
this vulnerability.
Disclaimer : Although Fortinet has attempted to provide accurate
information in these materials, Fortinet assumes no legal responsibility
for the accuracy or completeness of the information. More specific
information is available on request from Fortinet. Please note that
Fortinet's product information does not constitute or contain any
guarantee, warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
VAR-200512-0296 | CVE-2005-3709 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer underflow in Apple Quicktime before 7.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the Color Map Entry Size in a TGA image file. Apple's QuickTime is a player for files and streaming media in a variety of different formats. Apple QuickTime is prone to multiple remote code-execution vulnerabilities.
These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats.
Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access.
Versions prior to QuickTime 7.0.4 are vulnerable.
A successful attack can result in a remote compromise.
NOTE: This issue was previously discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities), but has been assigned its own record to better document the vulnerability.
Fortinet Security Advisory: FSA-2006-06
Apple QuickTime Player Color Map Entry Size Buffer Overflow
Advisory Date : January 12, 2006
Reported Date : November 28, 2005
Vendor : Apple computers
Affected Products : Apple QuickTime Player v7.0.3
Severity : High
Reference : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3709
http://docs.info.apple.com/article.html?artnum=303101
http://www.securityfocus.com/bid/16202/info
Description : Fortinet Security Research Team (FSRT) has
discovered a Buffer Overflow Vulnerability in the Apple QuickTime Player.
This is due to the application's failure to sanitize the Color Map Entry
Size parameter while parsing TGA image files.
Impact : Execute arbitrary code
Solution : Apple Computers has released a security update for
this vulnerability, which is available for download from Apple's web
site under security update.
Fortinet Protection: Fortinet is protecting networks from this
vulnerability with the latest IPS update.
Acknowledgment : Dejun Meng of the Fortinet Security Research team found
this vulnerability.
Disclaimer : Although Fortinet has attempted to provide accurate
information in these materials, Fortinet assumes no legal responsibility
for the accuracy or completeness of the information. More specific
information is available on request from Fortinet. Please note that
Fortinet's product information does not constitute or contain any
guarantee, warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
VAR-200512-0019 | CVE-2005-3058 | Fortinet FortiGate URL Check for filter bypass vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Interpretation conflict in Fortinet FortiGate 2.8, running FortiOS 2.8MR10 and v3beta, allows remote attackers to bypass the URL blocker via an (1) HTTP request terminated with a line feed (LF) and not carriage return line feed (CRLF) or (2) HTTP request with no Host field, which is still processed by most web servers without violating RFC2616. Fortinet FortiGate is prone to a vulnerability that could allow users to bypass the device's URL filtering.
FortiGate devices running FortiOS v2.8MR10 and v3beta are vulnerable to this issue. Other versions may also be affected. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration.
TITLE:
FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities
SECUNIA ADVISORY ID:
SA18844
VERIFY ADVISORY:
http://secunia.com/advisories/18844/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From local network
OPERATING SYSTEM:
Fortinet FortiOS (FortiGate) 2.x
http://secunia.com/product/2289/
Fortinet FortiOS (FortiGate) 3.x
http://secunia.com/product/6802/
DESCRIPTION:
Mathieu Dessus has reported two vulnerabilities in FortiGate, which
can be exploited by malicious people and users to bypass certain
security restrictions.
1) The URL blocking functionality can be bypassed by
specially-crafted HTTP requests that are terminated by the CR
character instead of the CRLF characters. It is also possible to
bypass the functionality via an HTTP/1.0 request with no Host header.
The vulnerability has been reported in FortiOS v2.8MR10 and v3beta.
2) The virus scanning functionality can be bypassed when sending
files over FTP under certain conditions.
The vulnerability has been reported in FortiOS v2.8MR10 and v3beta.
SOLUTION:
Do not rely on URL blocking as the only means of blocking users'
access. Desktop-based on-access virus scanners should be used
together with server-based virus scanners.
PROVIDED AND/OR DISCOVERED BY:
Mathieu Dessus
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042139.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042140.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200512-0013 | CVE-2005-3057 | Fortinet FortiGate Anti-virus engine bypass detection vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The FTP component in FortiGate 2.8 running FortiOS 2.8MR10 and v3beta, and other versions before 3.0 MR1, allows remote attackers to bypass the Fortinet FTP anti-virus engine by sending a STOR command and uploading a file before the FTP server response has been sent, as demonstrated using LFTP. Fortinet FortiGate is reportedly prone to a vulnerability that allows an attacker to bypass antivirus protection. This issue is said to occur when files are transferred using the FTP protocol under certain conditions.
FortiGate devices running FortiOS v2.8MR10 and v3beta are affected by this issue. Other versions may also be vulnerable. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. The FTP component of Fortinet FortiGate does not properly filter and check files transferred over FTP.
VAR-200512-0300 | CVE-2005-3713 | Apple QuickTime fails to properly handle corrupt media files |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a GIF image file with a crafted Netscape Navigator Application Extension Block that modifies the heap in the Picture Modifier block. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system. Apple has released QuickTime 7.0.4, which fixes multiple vulnerabilities. A remote third party may execute arbitrary code or cause a DoS. For more information, see the information provided by the vendor. QuickTime is prone to a remote heap-based overflow vulnerability.
This issue presents itself when the application processes a specially crafted GIF image file.
A successful attack can result in a remote compromise.
Versions prior to QuickTime 7.0.4 are vulnerable.
This flaw has proven to allow for reliable control of data on the heap chunk and can be exploited via a web site by using ActiveX controls. The heap can be overwritten in the Picture Modifier block.
The block size calculation code is as follows:
.text:66A339CC mov ax, [esi+0Ch]
.text:66A339D0 xor ecx, ecx
.text:66A339D2 mov [esp+34h+var_28], ecx
.text:66A339D6 mov [esp+34h+var_24], ecx
.text:66A339DA mov [esp+34h+var_20], ecx
.text:66A339DE mov [esp+34h+var_1C], ecx
.text:66A339E2 mov word ptr [esp+34h+var_10], cx
.text:66A339E7 mov [esp+34h+arg_4], eax
.text:66A339EB movsx eax, ax
.text:66A339EE mov word ptr [esp+34h+var_10+2], cx
.text:66A339F3 mov cx, [esi+8]
.text:66A339F7 movsx edx, cx
.text:66A339FA sub eax, edx
.text:66A339FC movsx edx, word ptr [esi+6]
.text:66A33A00 add eax, 3Eh
.text:66A33A03 push edi
.text:66A33A04 movsx edi, word ptr [esi+0Ah]
.text:66A33A08 sar eax, 3
.text:66A33A0B lea ebx, [esi+6]
.text:66A33A0E and eax, 0FFFFFFFCh
.text:66A33A11 sub edi, edx
.text:66A33A13 movsx edx, ax
.text:66A33A16 mov [esi+4], ax
.text:66A33A1A imul edi, edx
The allocation code is:
.text:66A33A68 push edi
.text:66A33A69 call sub_668B5B30
But when it actually processes data into this memory, it uses the real
decoded data to write to this memory but doesn't check the heap size.
This is a segment of the write code function (sub_66AE0A70):
.text:66AE0B18 movsx edx, word ptr [edi+12h] ; default
.text:66AE0B1C imul edx, [edi+0Ch]
.text:66AE0B20 mov ecx, [edi+4]
.text:66AE0B23 inc word ptr [edi+16h]
.text:66AE0B27 mov eax, [esp+arg_0]
.text:66AE0B2B add edx, ecx
.text:66AE0B2D mov [eax], edx
.text:66AE0B2F mov eax, [ebp+10h]
.text:66AE0B32 test eax, eax
.text:66AE0B34 jz short loc_66AE0B62
.text:66AE0B36 mov ax, [ebp+1Ch]
.text:66AE0B3A mov edx, [ebp+0Ch]
.text:66AE0B3D movzx cx, ah
.text:66AE0B41 mov ch, al
.text:66AE0B43 mov [edx], cx
.text:66AE0B46 movsx eax, word ptr [edi+12h]
.text:66AE0B4A imul eax, [ebp+14h]
.text:66AE0B4E add eax, [ebp+10h]
.text:66AE0B51 mov cx, [ebp+18h]
.text:66AE0B55 mov [ebp+0Ch], eax
.text:66AE0B58 mov [ebp+1Ah], cx
.text:66AE0B5C mov word ptr [ebp+1Ch], 0
Vendor Status:
Apple has released a patch for this vulnerability. An attacker can create a qtif file and send
it to the user via email, web page, or a qtif file with ActiveX, and can
directly overflow a function pointer that is used immediately, so it can bypass
any stack overflow protection in systems such as XP SP2 and 2003 SP1.
Technical Details:
When QuickTime processes the data field of a qtif format file, it will
copy it to the stack byte by byte, but there is no proper
checking, so it will cause a stack overflow in memory. And in this
stack, there is a function pointer which will be used immediately during
the byte-by-byte copy, so we can use it to bypass any stack overflow
protection, such as in XP SP2 and 2003 SP1.
The original function pointer value is 0x44332211. We only need to overflow
it to 0x08332211, ensuring it doesn't cause a crash before the 0x44 has
been overflowed to 0x08. When it overflows to 0x08332211, we can
execute code at 0x08332211, and can first use JavaScript to get this
memory and set my code in it.
call [esp+138h+arg_4] <- calls a function pointer on the stack, but this
pointer can be overflowed
References
QuickTime: QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
Apple has released a patch for this vulnerability. The patch is
available via the Updates section of the affected applications.
This vulnerability has been assigned the CVE identifier CVE-2005-2340.
Credit:
Discovery: Fang Xing
Greetings:
Thanks to all the guys at eEye, and especially Karl Lynn's help.
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-011A
Apple QuickTime Vulnerabilities
Original release date: January 11, 2006
Last revised: January 11, 2006
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows XP
* Microsoft Windows 2000
Overview
Apple has released QuickTime 7.0.4 to correct multiple
vulnerabilities. The impacts of these vulnerabilities include
execution of arbitrary code and denial of service.
I. Description
Apple QuickTime 7.0.4 resolves a number of image and media file
handling vulnerabilities.
(CAN-2005-3713)
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands
and denial of service.
III. Solution
Upgrade
Upgrade to QuickTime 7.0.4.
Appendix A. References
* US-CERT Vulnerability Note VU#629845 -
<http://www.kb.cert.org/vuls/id/629845>
* US-CERT Vulnerability Note VU#921193 -
<http://www.kb.cert.org/vuls/id/921193>
* US-CERT Vulnerability Note VU#115729 -
<http://www.kb.cert.org/vuls/id/115729>
* US-CERT Vulnerability Note VU#150753 -
<http://www.kb.cert.org/vuls/id/150753>
* US-CERT Vulnerability Note VU#913449 -
<http://www.kb.cert.org/vuls/id/913449>
* CVE-2005-2340 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340>
* CVE-2005-4092 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092>
* CVE-2005-3707 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707>
* CVE-2005-3710 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710>
* CVE-2005-3713 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713>
* Security Content for QuickTime 7.0.4 -
<http://docs.info.apple.com/article.html?artnum=303101>
* QuickTime 7.0.4 -
<http://www.apple.com/support/downloads/quicktime704.html>
* About the Mac OS X 10.4.4 Update (Delta) -
<http://docs.info.apple.com/article.html?artnum=302810>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-011A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 11, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj
34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey
AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/
HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL
osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy
0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw==
=5Kiq
-----END PGP SIGNATURE-----
VAR-200512-0017 | CVE-2005-2932 | ZoneAlarm Products Multiple Local Privilege Escalation Vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Multiple Check Point Zone Labs ZoneAlarm products before 7.0.362, including ZoneAlarm Security Suite 5.5.062.004 and 6.5.737, use insecure default permissions for critical files, which allows local users to gain privileges or bypass security controls. Multiple Check Point ZoneAlarm products are prone to local privilege-escalation vulnerabilities.
An attacker can exploit these issues to gain elevated privileges and completely compromise an affected computer.
These issues have been confirmed in:
ZoneAlarm 6.5.737
ZoneAlarm Security Suite 5.5.062.004 and 6.5.737.
Other versions are likely vulnerable as well.
The following are vulnerable:
- Versions prior to ZoneAlarm 7.0.362
- Zone Labs products that include 'vsdatant.sys' 6.5.737.0. ZoneAlarm is a personal computer firewall that protects personal data and privacy. The IOCTL handling code of the ZoneAlarm product vsdatant.sys device driver does not validate the userland-supplied addresses passed to IOCTL 0x8400000F and IOCTL 0x84000013.
TITLE:
ZoneAlarm Products Insecure Directory Permissions and IOCTL Handler
Privilege Escalation
SECUNIA ADVISORY ID:
SA26513
VERIFY ADVISORY:
http://secunia.com/advisories/26513/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
ZoneAlarm 6.x
http://secunia.com/product/5806/
ZoneAlarm 7.x
http://secunia.com/product/13889/
ZoneAlarm 5.x
http://secunia.com/product/4647/
ZoneAlarm Pro 5.x
http://secunia.com/product/4280/
ZoneAlarm Pro 6.x
http://secunia.com/product/6071/
ZoneAlarm Security Suite 5.x
http://secunia.com/product/4272/
ZoneAlarm 2.x
http://secunia.com/product/3056/
ZoneAlarm 3.x
http://secunia.com/product/153/
ZoneAlarm 4.x
http://secunia.com/product/150/
ZoneAlarm Anti-Spyware 6.x
http://secunia.com/product/6073/
ZoneAlarm Antivirus 5.x
http://secunia.com/product/4271/
ZoneAlarm Antivirus 6.x
http://secunia.com/product/6074/
ZoneAlarm Internet Security Suite 6.x
http://secunia.com/product/6072/
ZoneAlarm Plus 3.x
http://secunia.com/product/3057/
ZoneAlarm Plus 4.x
http://secunia.com/product/151/
ZoneAlarm Pro 2.x
http://secunia.com/product/152/
ZoneAlarm Pro 3.x
http://secunia.com/product/1960/
ZoneAlarm Pro 4.x
http://secunia.com/product/1961/
ZoneAlarm Wireless Security 5.x
http://secunia.com/product/4648/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in
ZoneAlarm products, which can be exploited by malicious, local users
to gain escalated privileges.
1) Insufficient address space verification within the 0x8400000F and
0x84000013 IOCTL handlers of vsdatant.sys and insecure permissions on
the "\\.\vsdatant" device interface can be exploited to e.g. access
the said IOCTL handlers and overwrite arbitrary memory and execute
code with kernel privileges.
SOLUTION:
Update to version 7.0.362.
http://www.zonealarm.com/store/content/catalog/download_buy.jsp?dc=12bms&ctry=US&lang=en
PROVIDED AND/OR DISCOVERED BY:
1) Ruben Santamarta, reported via iDefense Labs.
2) Discovered by an anonymous person and reported via iDefense Labs.
ORIGINAL ADVISORY:
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=584
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585
Reversemode:
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
I. BACKGROUND
Zone Alarm products provide security solutions such as anti-virus,
firewall, spy-ware, and ad-ware protection.
http://www.zonelabs.com/
II. DESCRIPTION
The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
administrator installs any of the Zone Labs ZoneAlarm tools, the
default ACL allows any user to modify the installed files. Some of the
programs run as system services. This allows a user to simply replace
an installed ZoneAlarm file with their own code that will later be
executed with system-level privileges.
III. ANALYSIS
Exploitation allows local attackers to escalate privileges to the system
level. It is also possible to use this vulnerability to simply disable
protection by moving all of the executable files so that they cannot
start on a reboot.
IV.
V. WORKAROUND
Apply proper Access Control List settings to the directory that
ZoneAlarm Security Suite is installed in. The ACL rules should make
sure that no regular users can modify files in the directory.
VI.
http://www.zonealarm.com/store/content/catalog/products/trial_zaFamily/trial_zaFamily.jsp
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-2932 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
09/29/2005 Initial vendor notification
09/29/2005 Initial vendor response
10/19/2006 Second vendor notification
08/20/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright (c) 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
VAR-200512-0645 | CVE-2005-2342 | Blackberry Enterprise Server Router SRP Packet Denial Of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Research in Motion (RIM) BlackBerry Router allows remote attackers to cause a denial of service (communication disruption) via crafted Server Routing Protocol (SRP) packets. The Blackberry Enterprise Server Router component is prone to a denial of service vulnerability. This could only be exploited by an attacker who can communicate with the Router.
1) An error exists in the Attachment Service when handling malformed
TIFF image attachments. This can be exploited to prevent a BlackBerry
user from viewing attachments.
Successful exploitation requires that the attacker is able to connect
to the BlackBerry Server/Router via port 3101/tcp.
SOLUTION:
The vendor recommends the following workaround.
1) Exclude TIFF images from being processed by the Attachment Service
and/or disable the image attachment distiller.
Refer to the vendor's original advisory for specific instructions.
PROVIDED AND/OR DISCOVERED BY:
FX, Phenoelit.
ORIGINAL ADVISORY:
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167898
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167895
OTHER REFERENCES:
US-CERT VU#570768:
http://www.kb.cert.org/vuls/id/570768
US-CERT VU#392920:
http://www.kb.cert.org/vuls/id/392920