VARIoT IoT vulnerabilities database
VAR-200505-0310 | CVE-2005-1342 | Apple Terminal fails to properly sanitize input for "x-man-page" URI |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The x-man-page: URI handler for Apple Terminal 1.4.4 in Mac OS X 10.3.9 does not cleanse terminal escape sequences, which allows remote attackers to execute arbitrary commands. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have published advisories for 4 security vulnerabilities in Mac OS
X that were addressed by Apple Security Update 2005-005, released
today. <http://docs.info.apple.com/article.html?artnum=301528>.
This email contains brief summaries of the problems. Full details can
be found on my web site <http://remahl.se/david/vuln/>.
Description: help: URI handler execution of JavaScripts with known
paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus
vulnerable to having scripts with arbitrary paths run with the
privileges granted to file: protocol URIs. The files can be started
with a URI on the form of help:///path/to/file.html. Combined with
XMLHttpRequest's ability to disclose arbitrary files, this security
bug becomes critcal.
Description: Invisible characters in applescript: URL protocol
messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor
to facilitate sharing of AppleScripts between users. By clicking a
link (for example in a web forum), a user can create a new Script
Editor document automatically, with text from the query string of the
URI. This avoids problems with copying text from the web or manually
typing code snippets. However, the technique can be used to trick
users into running dangerous code (with embedded control characters),
since insufficient input validation is performed. Using
escape sequences and social engineering attacks it is in some cases
possible to trick the user into performing arbitrary commands.
I would like to acknowledge the willingness of Apple's Product
Security team to cooperate with me in resolving these issues. CERT's
assistance has also been helpful.
/ Regards, David Remahl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFCd9mHFlFiDoclYIURAjgqAJ9mLbjrfJr17eenCK6qp5S6HXKzgACeIH+a
PJwheHWkjnBAG4kNnAa/6QE=
=iJNj
-----END PGP SIGNATURE-----
VAR-200505-0359 | CVE-2005-1341 | Apple Mac OS X AppleScript Editor code confusing vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Apple Terminal 1.4.4 allows attackers to execute arbitrary commands via terminal escape sequences. Apple Mac OS X Terminal is reported prone to an input validation vulnerability. A vulnerability exists in Apple Mac OS X's handling of AppleScript links, which could be exploited by remote attackers to lure users into executing malicious code. <http://docs.info.apple.com/article.html?artnum=301528>.
This email contains brief summaries of the problems. Full details can
be found on my web site <http://remahl.se/david/vuln/>.
Description: help: URI handler execution of JavaScripts with known
paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus
vulnerable to having scripts with arbitrary paths run with the
privileges granted to file: protocol URIs. The files can be started
with a URI on the form of help:///path/to/file.html. Combined with
XMLHttpRequest's ability to disclose arbitrary files, this security
bug becomes critcal.
Description: Invisible characters in applescript: URL protocol
messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor
to facilitate sharing of AppleScripts between users. By clicking a
link (for example in a web forum), a user can create a new Script
Editor document automatically, with text from the query string of the
URI. This avoids problems with copying text from the web or manually
typing code snippets. However, the technique can be used to trick
users into running dangerous code (with embedded control characters),
since insufficient input validation is performed.
Description: Mac OS X terminal emulators allow reading and writing of
window title through escape sequences
My name: DR012 <http://remahl.se/david/vuln/012/>
CVE: CAN-2005-1341
Summary: Apple Terminal (often referred to as Terminal.app) and xterm
which both ship with current versions of Mac OS X are vulnerable to a
well-known type of attack when displaying untrusted content.
I would like to acknowledge the willingness of Apple's Product
Security team to cooperate with me in resolving these issues. CERT's
assistance has also been helpful. The most
serious of these vulnerabilities may allow a remote attacker to
execute arbitrary code. Impacts of other vulnerabilities addressed by
the update include disclosure of information and denial of service.
I.
(CAN-2005-1342)
VU#882750 - libXpm image library vulnerable to buffer overflow
libXpm image parsing code contains a buffer-overflow vulnerability
that may allow a remote attacker execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0687)
VU#125598 - LibTIFF vulnerable to integer overflow via corrupted
directory entry count
An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1308)
VU#539110 - LibTIFF vulnerable to integer overflow in the
TIFFFetchStrip() routine
An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1307)
VU#537878 - libXpm library contains multiple integer overflow
vulnerabilities
libXpm contains multiple integer-overflow vulnerabilities that may
allow a remote attacker execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0688)
VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly
validate external programs
Mac OS X Directory Service utilities do not properly validate code
paths to external programs, potentially allowing a local attacker to
execute arbitrary code.
(CAN-2004-1335)
VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer
overflow via incorrect handling of an environmental variable
A buffer overflow in Mac OS X's Foundation Framework's processing of
environment variables may lead to elevated privileges.
(CAN-2004-1332)
VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate
command line parameters
Apple Mac OS X Server NeST tool contains a vulnerability in the
processing of command line arguments that could allow a local attacker
to execute arbitrary code.
(CAN-2004-0594)
Please note that Apple Security Update 2005-005 addresses additional
vulnerabilities not described above. As further information becomes
available, we will publish individual Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary, for information about
specific impacts please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
disclosure of sensitive information, and denial of service.
III. Solution
Install an Update
Install the update as described in Apple Security Update 2005-005.
Appendix A. References
* US-CERT Vulnerability Note VU#582934 -
<http://www.kb.cert.org/vuls/id/582934>
* US-CERT Vulnerability Note VU#258390 -
<http://www.kb.cert.org/vuls/id/258390>
* US-CERT Vulnerability Note VU#331694 -
<http://www.kb.cert.org/vuls/id/331694>
* US-CERT Vulnerability Note VU#706838 -
<http://www.kb.cert.org/vuls/id/706838>
* US-CERT Vulnerability Note VU#539110 -
<http://www.kb.cert.org/vuls/id/539110>
* US-CERT Vulnerability Note VU#354486 -
<http://www.kb.cert.org/vuls/id/354486>
* US-CERT Vulnerability Note VU#882750 -
<http://www.kb.cert.org/vuls/id/882750>
* US-CERT Vulnerability Note VU#537878 -
<http://www.kb.cert.org/vuls/id/537878>
* US-CERT Vulnerability Note VU#125598 -
<http://www.kb.cert.org/vuls/id/125598>
* US-CERT Vulnerability Note VU#356070 -
<http://www.kb.cert.org/vuls/id/356070>
* Apple Security Update 2005-005 -
<http://docs.info.apple.com/article.html?artnum=301528>
_________________________________________________________________
These vulnerabilities were discovered by several people and reported
in Apple Security Update 2005-005. Please see the Vulnerability Notes
for individual reporter acknowledgements.
_________________________________________________________________
Feedback can be directed to the authors: Jeffrey Gennari and Jason
Rafail.
_________________________________________________________________
Copyright 2005 Carnegie Mellon University. Terms of use
Revision History
May 16, 2005: Initial release
Last updated May 16, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQojwRBhoSezw4YfQAQKb1gf/a7XQAZQR+t5+FpzRoUrJyVIg3Mf1IISP
yS5GLgfwC+4GuDEd/BA51+591OhNAWa1hO2JAUQwJ799VL7vAY6vbDW84c+S0eQ+
J+FHgddUsuvRtmsXCg2Fin1JRG4hCqBQ9q2S0h4+fM7yWSdLOY7xeAAwPOwG+bsU
AVjDMNiPACHxw7CNQ8qpPXFfo3qrV+oj55F62TbR0fujtil6yQR3lE9wSeiuLs/i
KgQFZlHMEoAwQnghwLk7eQLkzGD9eAZ+pZ7Ny0AvF7avhGflh2nFNe2acFoJ2Iw7
/gMXj/uN/ZpDssS37y38LIvyA3kIQrSlEW7iKf1wi2eQ3ntjyv/9NA==
=uqBU
-----END PGP SIGNATURE-----
VAR-200505-0350 | CVE-2005-1331 | Apple Mac OS X AppleScript Editor code confusing vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
The AppleScript Editor in Mac OS X 10.3.9 does not properly display script code for an applescript: URI, which can result in code that is different than the actual code that would be run, which could allow remote attackers to trick users into executing malicious code via certain URI characters such as NULL, control characters, and homographs. Mac OS X AppleScript editor is prone to a code obfuscation vulnerability.
This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID. <http://docs.info.apple.com/article.html?artnum=301528>.
This email contains brief summaries of the problems. Full details can
be found on my web site <http://remahl.se/david/vuln/>.
Description: help: URI handler execution of JavaScripts with known
paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus
vulnerable to having scripts with arbitrary paths run with the
privileges granted to file: protocol URIs. The files can be started
with a URI on the form of help:///path/to/file.html. Combined with
XMLHttpRequest's ability to disclose arbitrary files, this security
bug becomes critcal.
Description: Invisible characters in applescript: URL protocol
messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor
to facilitate sharing of AppleScripts between users. By clicking a
link (for example in a web forum), a user can create a new Script
Editor document automatically, with text from the query string of the
URI. This avoids problems with copying text from the web or manually
typing code snippets. However, the technique can be used to trick
users into running dangerous code (with embedded control characters),
since insufficient input validation is performed. This can lead to execution of arbitrary
commands, aided by some of the escape sequences that Terminal supports.
Description: Mac OS X terminal emulators allow reading and writing of
window title through escape sequences
My name: DR012 <http://remahl.se/david/vuln/012/>
CVE: CAN-2005-1341
Summary: Apple Terminal (often referred to as Terminal.app) and xterm
which both ship with current versions of Mac OS X are vulnerable to a
well-known type of attack when displaying untrusted content. Using
escape sequences and social engineering attacks it is in some cases
possible to trick the user into performing arbitrary commands.
I would like to acknowledge the willingness of Apple's Product
Security team to cooperate with me in resolving these issues. CERT's
assistance has also been helpful. The most
serious of these vulnerabilities may allow a remote attacker to
execute arbitrary code. Impacts of other vulnerabilities addressed by
the update include disclosure of information and denial of service.
I. Further details are available in
the following Vulnerability Notes:
VU#356070 - Apple Terminal fails to properly sanitize input for
x-man-page URI
Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing
a remote attacker to execute arbitrary commands.
(CAN-2005-1342)
VU#882750 - libXpm image library vulnerable to buffer overflow
libXpm image parsing code contains a buffer-overflow vulnerability
that may allow a remote attacker execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0687)
VU#125598 - LibTIFF vulnerable to integer overflow via corrupted
directory entry count
An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1308)
VU#539110 - LibTIFF vulnerable to integer overflow in the
TIFFFetchStrip() routine
An integer overflow in LibTIFF may allow a remote attacker to execute
arbitrary code.
(CAN-2004-1307)
VU#537878 - libXpm library contains multiple integer overflow
vulnerabilities
libXpm contains multiple integer-overflow vulnerabilities that may
allow a remote attacker execute arbitrary code or cause a
denial-of-service condition.
(CAN-2004-0688)
VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly
validate external programs
Mac OS X Directory Service utilities do not properly validate code
paths to external programs, potentially allowing a local attacker to
execute arbitrary code.
(CAN-2004-1335)
VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer
overflow via incorrect handling of an environmental variable
A buffer overflow in Mac OS X's Foundation Framework's processing of
environment variables may lead to elevated privileges.
(CAN-2004-1332)
VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate
command line parameters
Apple Mac OS X Server NeST tool contains a vulnerability in the
processing of command line arguments that could allow a local attacker
to execute arbitrary code.
(CAN-2004-0594)
Please note that Apple Security Update 2005-005 addresses additional
vulnerabilities not described above. As further information becomes
available, we will publish individual Vulnerability Notes.
II. Impact
The impacts of these vulnerabilities vary, for information about
specific impacts please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
disclosure of sensitive information, and denial of service.
III. Solution
Install an Update
Install the update as described in Apple Security Update 2005-005.
Appendix A. References
* US-CERT Vulnerability Note VU#582934 -
<http://www.kb.cert.org/vuls/id/582934>
* US-CERT Vulnerability Note VU#258390 -
<http://www.kb.cert.org/vuls/id/258390>
* US-CERT Vulnerability Note VU#331694 -
<http://www.kb.cert.org/vuls/id/331694>
* US-CERT Vulnerability Note VU#706838 -
<http://www.kb.cert.org/vuls/id/706838>
* US-CERT Vulnerability Note VU#539110 -
<http://www.kb.cert.org/vuls/id/539110>
* US-CERT Vulnerability Note VU#354486 -
<http://www.kb.cert.org/vuls/id/354486>
* US-CERT Vulnerability Note VU#882750 -
<http://www.kb.cert.org/vuls/id/882750>
* US-CERT Vulnerability Note VU#537878 -
<http://www.kb.cert.org/vuls/id/537878>
* US-CERT Vulnerability Note VU#125598 -
<http://www.kb.cert.org/vuls/id/125598>
* US-CERT Vulnerability Note VU#356070 -
<http://www.kb.cert.org/vuls/id/356070>
* Apple Security Update 2005-005 -
<http://docs.info.apple.com/article.html?artnum=301528>
_________________________________________________________________
These vulnerabilities were discovered by several people and reported
in Apple Security Update 2005-005. Please see the Vulnerability Notes
for individual reporter acknowledgements.
_________________________________________________________________
Feedback can be directed to the authors: Jeffrey Gennari and Jason
Rafail.
_________________________________________________________________
Copyright 2005 Carnegie Mellon University. Terms of use
Revision History
May 16, 2005: Initial release
Last updated May 16, 2005
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQojwRBhoSezw4YfQAQKb1gf/a7XQAZQR+t5+FpzRoUrJyVIg3Mf1IISP
yS5GLgfwC+4GuDEd/BA51+591OhNAWa1hO2JAUQwJ799VL7vAY6vbDW84c+S0eQ+
J+FHgddUsuvRtmsXCg2Fin1JRG4hCqBQ9q2S0h4+fM7yWSdLOY7xeAAwPOwG+bsU
AVjDMNiPACHxw7CNQ8qpPXFfo3qrV+oj55F62TbR0fujtil6yQR3lE9wSeiuLs/i
KgQFZlHMEoAwQnghwLk7eQLkzGD9eAZ+pZ7Ny0AvF7avhGflh2nFNe2acFoJ2Iw7
/gMXj/uN/ZpDssS37y38LIvyA3kIQrSlEW7iKf1wi2eQ3ntjyv/9NA==
=uqBU
-----END PGP SIGNATURE-----
VAR-200505-1008 | CVE-2005-1028 | PHP-Nuke Security hole |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) index.php with the forum_admin parameter set, (2) the Surveys module, or (3) the Your_Account module, which reveals the path in a PHP error message. PHP-Nuke is prone to a information disclosure vulnerability
VAR-200505-1002 | CVE-2005-1062 | [CAN-2005-1062] Management Protocol Allows Local Remote Password Cracking Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to quickly obtain passwords that are 5 characters or less via brute force methods. Personal Firewall is prone to a remote security vulnerability
VAR-200505-1169 | CVE-2005-1180 | PHP-Nuke HTTP Response split vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
HTTP Response Splitting vulnerability in the Surveys module in PHP-Nuke 7.6 allows remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the forwarder parameter. PHP-Nuke is prone to a remote security vulnerability.
----------------------------------------------------------------------
Want a new IT Security job?
Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
PHP-Nuke "forwarder" Parameter HTTP Response Splitting
SECUNIA ADVISORY ID:
SA14965
VERIFY ADVISORY:
http://secunia.com/advisories/14965/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
>From remote
SOFTWARE:
PHP-Nuke 7.x
http://secunia.com/product/2385/
DESCRIPTION:
Diabolic Crab has reported a vulnerability in PHP-Nuke, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "forwarder" parameter is not properly sanitised.
This can be exploited to inject malicious characters into HTTP
headers and may allow execution of arbitrary HTML and script code in
a user's browser session in context of an affected site.
The vulnerability has been confirmed in version 7.5. Other versions
may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Diabolic Crab
ORIGINAL ADVISORY:
http://www.digitalparadox.org/advisories/pnuke.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-0314 | CVE-2005-1346 | Symantec Antivirus product vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Multiple Symantec AntiVirus products, including Norton AntiVirus 2005 11.0.0, Web Security Web Security 3.0.1.72, Mail Security for SMTP 4.0.5.66, AntiVirus Scan Engine 4.3.7.27, SAV/Filter for Domino NT 3.1.1.87, and Mail Security for Exchange 4.5.4.743, when running on Windows, allows remote attackers to cause a denial of service (component crash) and avoid detection via a crafted RAR file. Web Security is prone to a denial-of-service vulnerability
VAR-200505-0603 | CVE-2005-0328 | of netgear rt311 Vulnerabilities in products from multiple vendors such as |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest firmware, allows remote attackers on the WAN to obtain the IP address of the LAN side interface by pinging a valid LAN IP address, which generates an ARP reply from the WAN address side that maps the LAN IP address to the WAN's MAC address. of netgear rt311 Unspecified vulnerabilities exist in products from multiple vendors.None. Rt311 is prone to a remote security vulnerability
VAR-200505-0687 | CVE-2005-0350 | Vulnerabilities in multiple F-Secure products |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in multiple F-Secure Anti-Virus and Internet Security products allows remote attackers to execute arbitrary code via a crafted ARJ archive. f-secure anti-virus , F-Secure Internet Security , f-secure personal express There are unspecified vulnerabilities in multiple F-Secure products such asNone. F-Secure Anti-Virus is prone to a remote security vulnerability
VAR-200505-0655 | CVE-2005-0431 | Barracuda Spam Firewall Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Barracuda Spam Firewall 3.1.10 and earlier does not restrict the domains that white-listed domains can send mail to, which allows members of white-listed domains to use Barracuda as an open mail relay for spam. Barracuda Spam Firewall is prone to a remote security vulnerability
VAR-200505-0203 | CVE-2005-0498 | Gigafast router Information disclosure vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Gigafast router (aka CompUSA router) allows remote attackers to gain sensitive information and bypass the login page via a direct request to backup.cfg, which reveals the administrator password in plaintext. Gigafast Router is prone to a information disclosure vulnerability
VAR-200505-1049 | CVE-2005-0998 | PHP-Nuke Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Web_Links module for PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via an invalid show parameter, which triggers a division by zero PHP error that leaks the full pathname of the server. PHP-Nuke is prone to a information disclosure vulnerability
VAR-200505-1052 | CVE-2005-1001 | PHP-Nuke Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via direct requests to (1) the Surveys module with the file parameter set to comments or (2) 3D-Fantasy/theme.php, which leaks the full pathname of the web server in a PHP error message. PHP-Nuke is prone to a information disclosure vulnerability. The full pathname of the server
VAR-200505-0002 | CVE-1999-1557 | Ipswitch IMail Buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password. IMail is prone to a denial-of-service vulnerability
VAR-200505-0979 | CVE-2005-1106 | QuickTime for Windows Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
PictureViewer in QuickTime for Windows 6.5.2 allows remote attackers to cause a denial of service (application crash) via a GIF image with the maximum depth start value, possibly triggering an integer overflow. Quicktime Pictureviewer is prone to a denial-of-service vulnerability
VAR-200505-0616 | CVE-2005-0341 | Apple Safari Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari 1.2.4 does not obey the Content-type field in the HTTP header and renders text as HTML, which allows remote attackers to inject arbitrary web script or HTML and perform cross-site scripting (XSS) attacks. Safari is prone to a cross-site scripting vulnerability
VAR-200505-0527 | CVE-2005-0970 | Mac OS X Permissions and Access Control Vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Mac OS X 10.3.9 and earlier allows users to install, create, and execute setuid/setgid scripts, contrary to the intended design, which may allow attackers to conduct unauthorized activities with escalated privileges via vulnerable scripts. Mac OS X is prone to a remote security vulnerability. An attacker could take advantage of elevated privileges to perform unauthorized actions through a vulnerable script
VAR-200504-0069 | CVE-2005-1063 | Kerio Management Port Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to cause a denial of service (CPU consumption) via certain attacks that force the product to "compute unexpected conditions" and "perform cryptographic operations.". Various Kerio products are vulnerable to a denial of service vulnerability with regards to the administration port.
This issue is due to a failure of the application to properly handle exceptional conditions with regards to specifically malformed data.
A remote attacker may leverage these issues, without requiring
authentication, to exhaust resources on an affected computer, effectively
denying service for legitimate users.
The vendor has addressed this issue in Kerio MailServer 6.0.9, Kerio
WinRoute Firewall 6.0.11, and Kerio Personal Firewall 4.1.3; earlier
versions of these products are reported vulnerable. Kerio WinRoute Firewall is an enterprise-level firewall of American Kerio Company, which provides functions such as Internet sharing, virus protection and transparent proxy
VAR-200505-1240 | CVE-2005-1280 |
OpenSSL may fail to properly parse invalid ASN.1 structures
Related entries in the VARIoT exploits database: VAR-E-200504-0269 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. A buffer overflow in certain Apple AirPort drivers may allow an attacker to execute arbitrary code with system privileges, or create a denial-of-service condition. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ tcpdump Is a management tool for capturing network traffic and supports multiple protocols. The issue occurs because of the way tcpdump decodes Resource ReSerVation Protocol (RSVP) packets.
This issue affects tcpdump 3.9.x/CVS and earlier. This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig72CF56A4065A77499C855538
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
---------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated tcpdump packages fix security issues
Advisory ID: FLSA:156139
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2005-1267, CVE-2005-1278, CVE-2005-1279,
CVE-2005-1280
---------------------------------------------------------------------
---------------------------------------------------------------------
1. Topic:
Updated tcpdump packages that fix several security issues are now
available.
2. Relevant releases/architectures:
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
3. Problem description:
Several denial of service bugs were found in the way tcpdump processes
certain network packets. It is possible for an attacker to inject a
carefully crafted packet onto the network, crashing a running tcpdump
session. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2005-1267, CVE-2005-1278,
CVE-2005-1279, and CVE-2005-1280 to these issues.
Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported security patches and are not vulnerable to these
issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D156139
6. RPMs required:
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tcpdump-3.7.2-7.9=
=2E4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tcpdump-3.7.2-7.9.=
4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/libpcap-0.7.2-7.9.=
4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/arpwatch-2.1a11-7.=
9.4.legacy.i386.rpm
Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tcpdump-3.7.2-8.f=
c1.3.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tcpdump-3.7.2-8.fc=
1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/libpcap-0.7.2-8.fc=
1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/arpwatch-2.1a11-8.=
fc1.3.legacy.i386.rpm
Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tcpdump-3.8.2-6.F=
C2.3.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tcpdump-3.8.2-6.FC=
2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libpcap-0.8.3-6.FC=
2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/arpwatch-2.1a13-6.=
FC2.3.legacy.i386.rpm
7. Verification:
SHA1 sum Package Name
---------------------------------------------------------------------
0beccb4a6dd929174bc2d70d680a2e3c4a094391
redhat/9/updates/i386/tcpdump-3.7.2-7.9.4.legacy.i386.rpm
71e1ffc2c4dbf2a5c754630e198f17af94000e66
redhat/9/updates/i386/libpcap-0.7.2-7.9.4.legacy.i386.rpm
843a832974f531413a8e406491f6c91d09bda24d
redhat/9/updates/i386/arpwatch-2.1a11-7.9.4.legacy.i386.rpm
192fa5bbebe8039f3c23b8aa26804d1c4b788412
redhat/9/updates/SRPMS/tcpdump-3.7.2-7.9.4.legacy.src.rpm
1a426b6225718dbd325fbe0c6d54f8904b710103
fedora/1/updates/i386/tcpdump-3.7.2-8.fc1.3.legacy.i386.rpm
45cffdb7d98c2eb03da004d89b776a7050ff5c40
fedora/1/updates/i386/libpcap-0.7.2-8.fc1.3.legacy.i386.rpm
75e263aa296969c873d0475cc1c0785c30ea24d6
fedora/1/updates/i386/arpwatch-2.1a11-8.fc1.3.legacy.i386.rpm
6e86c20a8af1fc607809c713d7ac00ab5e2f717c
fedora/1/updates/SRPMS/tcpdump-3.7.2-8.fc1.3.legacy.src.rpm
32d0dcf31fbe12225954cc32dad45dbcb6c5f5e4
fedora/2/updates/i386/tcpdump-3.8.2-6.FC2.3.legacy.i386.rpm
c84625e92600faa8566129c8229daa6c328dcee9
fedora/2/updates/i386/libpcap-0.8.3-6.FC2.3.legacy.i386.rpm
dbdcbed104a6d3985a0735aab55031a3be0e1a74
fedora/2/updates/i386/arpwatch-2.1a13-6.FC2.3.legacy.i386.rpm
bb98c4cd71507e4dec94da2c1c9f95ee9bbacde1
fedora/2/updates/SRPMS/tcpdump-3.8.2-6.FC2.3.legacy.src.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1280
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
--------------enig72CF56A4065A77499C855538
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEMxLYLMAs/0C4zNoRAk8xAJ4utHt2OOExJbd3DH8xtLyfe4YcyACeLsad
ZdMzjYDTapqXGKau0WRk570=
=BXab
-----END PGP SIGNATURE-----
--------------enig72CF56A4065A77499C855538--
.
----------------------------------------------------------------------
To improve our services to our customers, we have made a number of
additions to the Secunia Advisories and have started translating the
advisories to German.
The improvements will help our customers to get a better
understanding of how we reached our conclusions, how it was rated,
our thoughts on exploitation, attack vectors, and scenarios.
This includes:
* Reason for rating
* Extended description
* Extended solution
* Exploit code or links to exploit code
* Deep links
Read the full description:
http://corporate.secunia.com/products/48/?r=l
Contact Secunia Sales for more information:
http://corporate.secunia.com/how_to_buy/15/?r=l
----------------------------------------------------------------------
TITLE:
Apple Airport Probe Response Kernel Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA22679
VERIFY ADVISORY:
http://secunia.com/advisories/22679/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
H.D. Moore has reported a vulnerability in the Apple Airport driver,
which potentially can be exploited by malicious people to compromise
a vulnerable system.
The vulnerability is caused due to an error in the Airport driver
provided with Orinoco-based Airport cards when handling probe
response frames. This can be exploited to overwrite kernel memory and
potentially execute arbitrary code when the driver is running in
active scanning mode.
The vulnerability is reported in the driver on a PowerBook running
version 10.4.8. Other versions may also be affected.
SOLUTION:
Do not place the card into active scanning mode.
PROVIDED AND/OR DISCOVERED BY:
H D Moore
ORIGINAL ADVISORY:
http://projects.info-pull.com/mokb/MOKB-01-11-2006.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/tcpdump < 3.8.3-r2 >= 3.8.3-r2
Description
===========
TCPDump improperly handles and decodes ISIS, BGP, LDP (CAN-2005-1279)
and RSVP (CAN-2005-1280) packets. TCPDump might loop endlessly after
receiving malformed packets.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All TCPDump users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-3.8.3-r2"
References
==========
[ 1 ] CAN-2005-1279
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1279
[ 2 ] CAN-2005-1280
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1280
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200505-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
VAR-200506-0234 | CVE-2005-1205 |
Microsoft Windows of Telnet Environment variable disclosure vulnerability in the client
Related entries in the VARIoT exploits database: VAR-E-200506-0356 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. Remote attackers who exploit this issue IFRAME Tag and "TELNET://" Formal URI Etc., Web Malicious via page or email Telnet By guiding the target user to connect to the server, important information on the target system, such as the user name, executable file search path, and the location of important data, may be taken. Also some Linux Included with the distribution Kerberos Has been reported to be affected by this issue.Please refer to the “Overview” for the impact of this vulnerability. Telnet clients provided by multiple vendors are prone to a remote information-disclosure vulnerability.
Attackers can retrieve any information stored in the environment of clients using the affected telnet application. The contents of the environment variables may be sensitive in nature, allowing attackers to gain information that may aid them in further attacks. This can be exploited to gain knowledge of the session
variables for a user, who has an open connection to a malicious
Telnet server.
Successful exploitation requires that a user e.g. visits a malicious
web site or is tricked into clicking a specially crafted link.
SOLUTION:
Apply patches.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------