VARIoT IoT vulnerabilities database

The x-man-page: URI handler for Apple Terminal 1.4.4 in Mac OS X 10.3.9 does not cleanse terminal escape sequences, which allows remote attackers to execute arbitrary commands. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have published advisories for 4 security vulnerabilities in Mac OS X that were addressed by Apple Security Update 2005-005, released today. <http://docs.info.apple.com/article.html?artnum=301528>. This email contains brief summaries of the problems. Full details can be found on my web site <http://remahl.se/david/vuln/>. Description: help: URI handler execution of JavaScripts with known paths vulnerability My name: DR004 <http://remahl.se/david/vuln/004/> CVE: CAN-2005-1337 [yes, cool, isn't it ;-)] Summary: The Help Viewer application allows JavaScript and is thus vulnerable to having scripts with arbitrary paths run with the privileges granted to file: protocol URIs. The files can be started with a URI on the form of help:///path/to/file.html. Combined with XMLHttpRequest's ability to disclose arbitrary files, this security bug becomes critcal. Description: Invisible characters in applescript: URL protocol messaging vulnerability My name: DR010 <http://remahl.se/david/vuln/010/> CVE: CAN-2005-1331 Summary: URL Protocol Messaging is a technique used by Script Editor to facilitate sharing of AppleScripts between users. By clicking a link (for example in a web forum), a user can create a new Script Editor document automatically, with text from the query string of the URI. This avoids problems with copying text from the web or manually typing code snippets. However, the technique can be used to trick users into running dangerous code (with embedded control characters), since insufficient input validation is performed. Using escape sequences and social engineering attacks it is in some cases possible to trick the user into performing arbitrary commands. I would like to acknowledge the willingness of Apple's Product Security team to cooperate with me in resolving these issues. CERT's assistance has also been helpful. / Regards, David Remahl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFCd9mHFlFiDoclYIURAjgqAJ9mLbjrfJr17eenCK6qp5S6HXKzgACeIH+a PJwheHWkjnBAG4kNnAa/6QE= =iJNj -----END PGP SIGNATURE-----

Apple Terminal 1.4.4 allows attackers to execute arbitrary commands via terminal escape sequences. Apple Mac OS X Terminal is reported prone to an input validation vulnerability. A vulnerability exists in Apple Mac OS X's handling of AppleScript links, which could be exploited by remote attackers to lure users into executing malicious code. <http://docs.info.apple.com/article.html?artnum=301528>. This email contains brief summaries of the problems. Full details can be found on my web site <http://remahl.se/david/vuln/>. Description: help: URI handler execution of JavaScripts with known paths vulnerability My name: DR004 <http://remahl.se/david/vuln/004/> CVE: CAN-2005-1337 [yes, cool, isn't it ;-)] Summary: The Help Viewer application allows JavaScript and is thus vulnerable to having scripts with arbitrary paths run with the privileges granted to file: protocol URIs. The files can be started with a URI on the form of help:///path/to/file.html. Combined with XMLHttpRequest's ability to disclose arbitrary files, this security bug becomes critcal. Description: Invisible characters in applescript: URL protocol messaging vulnerability My name: DR010 <http://remahl.se/david/vuln/010/> CVE: CAN-2005-1331 Summary: URL Protocol Messaging is a technique used by Script Editor to facilitate sharing of AppleScripts between users. By clicking a link (for example in a web forum), a user can create a new Script Editor document automatically, with text from the query string of the URI. This avoids problems with copying text from the web or manually typing code snippets. However, the technique can be used to trick users into running dangerous code (with embedded control characters), since insufficient input validation is performed. Description: Mac OS X terminal emulators allow reading and writing of window title through escape sequences My name: DR012 <http://remahl.se/david/vuln/012/> CVE: CAN-2005-1341 Summary: Apple Terminal (often referred to as Terminal.app) and xterm which both ship with current versions of Mac OS X are vulnerable to a well-known type of attack when displaying untrusted content. I would like to acknowledge the willingness of Apple's Product Security team to cooperate with me in resolving these issues. CERT's assistance has also been helpful. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Impacts of other vulnerabilities addressed by the update include disclosure of information and denial of service. I. (CAN-2005-1342) VU#882750 - libXpm image library vulnerable to buffer overflow libXpm image parsing code contains a buffer-overflow vulnerability that may allow a remote attacker execute arbitrary code or cause a denial-of-service condition. (CAN-2004-0687) VU#125598 - LibTIFF vulnerable to integer overflow via corrupted directory entry count An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. (CAN-2004-1308) VU#539110 - LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. (CAN-2004-1307) VU#537878 - libXpm library contains multiple integer overflow vulnerabilities libXpm contains multiple integer-overflow vulnerabilities that may allow a remote attacker execute arbitrary code or cause a denial-of-service condition. (CAN-2004-0688) VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly validate external programs Mac OS X Directory Service utilities do not properly validate code paths to external programs, potentially allowing a local attacker to execute arbitrary code. (CAN-2004-1335) VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer overflow via incorrect handling of an environmental variable A buffer overflow in Mac OS X's Foundation Framework's processing of environment variables may lead to elevated privileges. (CAN-2004-1332) VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate command line parameters Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow a local attacker to execute arbitrary code. (CAN-2004-0594) Please note that Apple Security Update 2005-005 addresses additional vulnerabilities not described above. As further information becomes available, we will publish individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary, for information about specific impacts please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, disclosure of sensitive information, and denial of service. III. Solution Install an Update Install the update as described in Apple Security Update 2005-005. Appendix A. References * US-CERT Vulnerability Note VU#582934 - <http://www.kb.cert.org/vuls/id/582934> * US-CERT Vulnerability Note VU#258390 - <http://www.kb.cert.org/vuls/id/258390> * US-CERT Vulnerability Note VU#331694 - <http://www.kb.cert.org/vuls/id/331694> * US-CERT Vulnerability Note VU#706838 - <http://www.kb.cert.org/vuls/id/706838> * US-CERT Vulnerability Note VU#539110 - <http://www.kb.cert.org/vuls/id/539110> * US-CERT Vulnerability Note VU#354486 - <http://www.kb.cert.org/vuls/id/354486> * US-CERT Vulnerability Note VU#882750 - <http://www.kb.cert.org/vuls/id/882750> * US-CERT Vulnerability Note VU#537878 - <http://www.kb.cert.org/vuls/id/537878> * US-CERT Vulnerability Note VU#125598 - <http://www.kb.cert.org/vuls/id/125598> * US-CERT Vulnerability Note VU#356070 - <http://www.kb.cert.org/vuls/id/356070> * Apple Security Update 2005-005 - <http://docs.info.apple.com/article.html?artnum=301528> _________________________________________________________________ These vulnerabilities were discovered by several people and reported in Apple Security Update 2005-005. Please see the Vulnerability Notes for individual reporter acknowledgements. _________________________________________________________________ Feedback can be directed to the authors: Jeffrey Gennari and Jason Rafail. _________________________________________________________________ Copyright 2005 Carnegie Mellon University. Terms of use Revision History May 16, 2005: Initial release Last updated May 16, 2005 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQojwRBhoSezw4YfQAQKb1gf/a7XQAZQR+t5+FpzRoUrJyVIg3Mf1IISP yS5GLgfwC+4GuDEd/BA51+591OhNAWa1hO2JAUQwJ799VL7vAY6vbDW84c+S0eQ+ J+FHgddUsuvRtmsXCg2Fin1JRG4hCqBQ9q2S0h4+fM7yWSdLOY7xeAAwPOwG+bsU AVjDMNiPACHxw7CNQ8qpPXFfo3qrV+oj55F62TbR0fujtil6yQR3lE9wSeiuLs/i KgQFZlHMEoAwQnghwLk7eQLkzGD9eAZ+pZ7Ny0AvF7avhGflh2nFNe2acFoJ2Iw7 /gMXj/uN/ZpDssS37y38LIvyA3kIQrSlEW7iKf1wi2eQ3ntjyv/9NA== =uqBU -----END PGP SIGNATURE-----

The AppleScript Editor in Mac OS X 10.3.9 does not properly display script code for an applescript: URI, which can result in code that is different than the actual code that would be run, which could allow remote attackers to trick users into executing malicious code via certain URI characters such as NULL, control characters, and homographs. Mac OS X AppleScript editor is prone to a code obfuscation vulnerability. This issue was initially reported in BID 13480 (Apple Mac OS X Multiple Vulnerabilities). Due to the availability of more information, this issue is being assigned a new BID. <http://docs.info.apple.com/article.html?artnum=301528>. This email contains brief summaries of the problems. Full details can be found on my web site <http://remahl.se/david/vuln/>. Description: help: URI handler execution of JavaScripts with known paths vulnerability My name: DR004 <http://remahl.se/david/vuln/004/> CVE: CAN-2005-1337 [yes, cool, isn't it ;-)] Summary: The Help Viewer application allows JavaScript and is thus vulnerable to having scripts with arbitrary paths run with the privileges granted to file: protocol URIs. The files can be started with a URI on the form of help:///path/to/file.html. Combined with XMLHttpRequest's ability to disclose arbitrary files, this security bug becomes critcal. Description: Invisible characters in applescript: URL protocol messaging vulnerability My name: DR010 <http://remahl.se/david/vuln/010/> CVE: CAN-2005-1331 Summary: URL Protocol Messaging is a technique used by Script Editor to facilitate sharing of AppleScripts between users. By clicking a link (for example in a web forum), a user can create a new Script Editor document automatically, with text from the query string of the URI. This avoids problems with copying text from the web or manually typing code snippets. However, the technique can be used to trick users into running dangerous code (with embedded control characters), since insufficient input validation is performed. This can lead to execution of arbitrary commands, aided by some of the escape sequences that Terminal supports. Description: Mac OS X terminal emulators allow reading and writing of window title through escape sequences My name: DR012 <http://remahl.se/david/vuln/012/> CVE: CAN-2005-1341 Summary: Apple Terminal (often referred to as Terminal.app) and xterm which both ship with current versions of Mac OS X are vulnerable to a well-known type of attack when displaying untrusted content. Using escape sequences and social engineering attacks it is in some cases possible to trick the user into performing arbitrary commands. I would like to acknowledge the willingness of Apple's Product Security team to cooperate with me in resolving these issues. CERT's assistance has also been helpful. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Impacts of other vulnerabilities addressed by the update include disclosure of information and denial of service. I. Further details are available in the following Vulnerability Notes: VU#356070 - Apple Terminal fails to properly sanitize input for x-man-page URI Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing a remote attacker to execute arbitrary commands. (CAN-2005-1342) VU#882750 - libXpm image library vulnerable to buffer overflow libXpm image parsing code contains a buffer-overflow vulnerability that may allow a remote attacker execute arbitrary code or cause a denial-of-service condition. (CAN-2004-0687) VU#125598 - LibTIFF vulnerable to integer overflow via corrupted directory entry count An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. (CAN-2004-1308) VU#539110 - LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code. (CAN-2004-1307) VU#537878 - libXpm library contains multiple integer overflow vulnerabilities libXpm contains multiple integer-overflow vulnerabilities that may allow a remote attacker execute arbitrary code or cause a denial-of-service condition. (CAN-2004-0688) VU#331694 - Apple Mac OS X chpass/chfn/chsh utilities do not properly validate external programs Mac OS X Directory Service utilities do not properly validate code paths to external programs, potentially allowing a local attacker to execute arbitrary code. (CAN-2004-1335) VU#582934 - Apple Mac OS X Foundation framework vulnerable to buffer overflow via incorrect handling of an environmental variable A buffer overflow in Mac OS X's Foundation Framework's processing of environment variables may lead to elevated privileges. (CAN-2004-1332) VU#354486 - Apple Mac OS X Server Netinfo Setup Tool fails to validate command line parameters Apple Mac OS X Server NeST tool contains a vulnerability in the processing of command line arguments that could allow a local attacker to execute arbitrary code. (CAN-2004-0594) Please note that Apple Security Update 2005-005 addresses additional vulnerabilities not described above. As further information becomes available, we will publish individual Vulnerability Notes. II. Impact The impacts of these vulnerabilities vary, for information about specific impacts please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands, disclosure of sensitive information, and denial of service. III. Solution Install an Update Install the update as described in Apple Security Update 2005-005. Appendix A. References * US-CERT Vulnerability Note VU#582934 - <http://www.kb.cert.org/vuls/id/582934> * US-CERT Vulnerability Note VU#258390 - <http://www.kb.cert.org/vuls/id/258390> * US-CERT Vulnerability Note VU#331694 - <http://www.kb.cert.org/vuls/id/331694> * US-CERT Vulnerability Note VU#706838 - <http://www.kb.cert.org/vuls/id/706838> * US-CERT Vulnerability Note VU#539110 - <http://www.kb.cert.org/vuls/id/539110> * US-CERT Vulnerability Note VU#354486 - <http://www.kb.cert.org/vuls/id/354486> * US-CERT Vulnerability Note VU#882750 - <http://www.kb.cert.org/vuls/id/882750> * US-CERT Vulnerability Note VU#537878 - <http://www.kb.cert.org/vuls/id/537878> * US-CERT Vulnerability Note VU#125598 - <http://www.kb.cert.org/vuls/id/125598> * US-CERT Vulnerability Note VU#356070 - <http://www.kb.cert.org/vuls/id/356070> * Apple Security Update 2005-005 - <http://docs.info.apple.com/article.html?artnum=301528> _________________________________________________________________ These vulnerabilities were discovered by several people and reported in Apple Security Update 2005-005. Please see the Vulnerability Notes for individual reporter acknowledgements. _________________________________________________________________ Feedback can be directed to the authors: Jeffrey Gennari and Jason Rafail. _________________________________________________________________ Copyright 2005 Carnegie Mellon University. Terms of use Revision History May 16, 2005: Initial release Last updated May 16, 2005 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQojwRBhoSezw4YfQAQKb1gf/a7XQAZQR+t5+FpzRoUrJyVIg3Mf1IISP yS5GLgfwC+4GuDEd/BA51+591OhNAWa1hO2JAUQwJ799VL7vAY6vbDW84c+S0eQ+ J+FHgddUsuvRtmsXCg2Fin1JRG4hCqBQ9q2S0h4+fM7yWSdLOY7xeAAwPOwG+bsU AVjDMNiPACHxw7CNQ8qpPXFfo3qrV+oj55F62TbR0fujtil6yQR3lE9wSeiuLs/i KgQFZlHMEoAwQnghwLk7eQLkzGD9eAZ+pZ7Ny0AvF7avhGflh2nFNe2acFoJ2Iw7 /gMXj/uN/ZpDssS37y38LIvyA3kIQrSlEW7iKf1wi2eQ3ntjyv/9NA== =uqBU -----END PGP SIGNATURE-----

PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) index.php with the forum_admin parameter set, (2) the Surveys module, or (3) the Your_Account module, which reveals the path in a PHP error message. PHP-Nuke is prone to a information disclosure vulnerability

The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to quickly obtain passwords that are 5 characters or less via brute force methods. Personal Firewall is prone to a remote security vulnerability

HTTP Response Splitting vulnerability in the Surveys module in PHP-Nuke 7.6 allows remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the forwarder parameter. PHP-Nuke is prone to a remote security vulnerability. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: PHP-Nuke "forwarder" Parameter HTTP Response Splitting SECUNIA ADVISORY ID: SA14965 VERIFY ADVISORY: http://secunia.com/advisories/14965/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Diabolic Crab has reported a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "forwarder" parameter is not properly sanitised. This can be exploited to inject malicious characters into HTTP headers and may allow execution of arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been confirmed in version 7.5. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Diabolic Crab ORIGINAL ADVISORY: http://www.digitalparadox.org/advisories/pnuke.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple Symantec AntiVirus products, including Norton AntiVirus 2005 11.0.0, Web Security Web Security 3.0.1.72, Mail Security for SMTP 4.0.5.66, AntiVirus Scan Engine 4.3.7.27, SAV/Filter for Domino NT 3.1.1.87, and Mail Security for Exchange 4.5.4.743, when running on Windows, allows remote attackers to cause a denial of service (component crash) and avoid detection via a crafted RAR file. Web Security is prone to a denial-of-service vulnerability

Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest firmware, allows remote attackers on the WAN to obtain the IP address of the LAN side interface by pinging a valid LAN IP address, which generates an ARP reply from the WAN address side that maps the LAN IP address to the WAN's MAC address. of netgear rt311 Unspecified vulnerabilities exist in products from multiple vendors.None. Rt311 is prone to a remote security vulnerability

Heap-based buffer overflow in multiple F-Secure Anti-Virus and Internet Security products allows remote attackers to execute arbitrary code via a crafted ARJ archive. f-secure anti-virus , F-Secure Internet Security , f-secure personal express There are unspecified vulnerabilities in multiple F-Secure products such asNone. F-Secure Anti-Virus is prone to a remote security vulnerability

Barracuda Spam Firewall 3.1.10 and earlier does not restrict the domains that white-listed domains can send mail to, which allows members of white-listed domains to use Barracuda as an open mail relay for spam. Barracuda Spam Firewall is prone to a remote security vulnerability

Gigafast router (aka CompUSA router) allows remote attackers to gain sensitive information and bypass the login page via a direct request to backup.cfg, which reveals the administrator password in plaintext. Gigafast Router is prone to a information disclosure vulnerability

The Web_Links module for PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via an invalid show parameter, which triggers a division by zero PHP error that leaks the full pathname of the server. PHP-Nuke is prone to a information disclosure vulnerability

PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via direct requests to (1) the Surveys module with the file parameter set to comments or (2) 3D-Fantasy/theme.php, which leaks the full pathname of the web server in a PHP error message. PHP-Nuke is prone to a information disclosure vulnerability. The full pathname of the server

Buffer overflow in the login functions in IMAP server (imapd) in Ipswitch IMail 5.0 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long user name or (2) a long password. IMail is prone to a denial-of-service vulnerability

PictureViewer in QuickTime for Windows 6.5.2 allows remote attackers to cause a denial of service (application crash) via a GIF image with the maximum depth start value, possibly triggering an integer overflow. Quicktime Pictureviewer is prone to a denial-of-service vulnerability

Apple Safari 1.2.4 does not obey the Content-type field in the HTTP header and renders text as HTML, which allows remote attackers to inject arbitrary web script or HTML and perform cross-site scripting (XSS) attacks. Safari is prone to a cross-site scripting vulnerability

Mac OS X 10.3.9 and earlier allows users to install, create, and execute setuid/setgid scripts, contrary to the intended design, which may allow attackers to conduct unauthorized activities with escalated privileges via vulnerable scripts. Mac OS X is prone to a remote security vulnerability. An attacker could take advantage of elevated privileges to perform unauthorized actions through a vulnerable script

The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to cause a denial of service (CPU consumption) via certain attacks that force the product to "compute unexpected conditions" and "perform cryptographic operations.". Various Kerio products are vulnerable to a denial of service vulnerability with regards to the administration port. This issue is due to a failure of the application to properly handle exceptional conditions with regards to specifically malformed data. A remote attacker may leverage these issues, without requiring authentication, to exhaust resources on an affected computer, effectively denying service for legitimate users. The vendor has addressed this issue in Kerio MailServer 6.0.9, Kerio WinRoute Firewall 6.0.11, and Kerio Personal Firewall 4.1.3; earlier versions of these products are reported vulnerable. Kerio WinRoute Firewall is an enterprise-level firewall of American Kerio Company, which provides functions such as Internet sharing, virus protection and transparent proxy

The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. A buffer overflow in certain Apple AirPort drivers may allow an attacker to execute arbitrary code with system privileges, or create a denial-of-service condition. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ tcpdump Is a management tool for capturing network traffic and supports multiple protocols. The issue occurs because of the way tcpdump decodes Resource ReSerVation Protocol (RSVP) packets. This issue affects tcpdump 3.9.x/CVS and earlier. This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig72CF56A4065A77499C855538 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated tcpdump packages fix security issues Advisory ID: FLSA:156139 Issue date: 2006-04-04 Product: Red Hat Linux, Fedora Core Keywords: Bugfix, Security CVE Names: CVE-2005-1267, CVE-2005-1278, CVE-2005-1279, CVE-2005-1280 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated tcpdump packages that fix several security issues are now available. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: Several denial of service bugs were found in the way tcpdump processes certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-1267, CVE-2005-1278, CVE-2005-1279, and CVE-2005-1280 to these issues. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D156139 6. RPMs required: Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tcpdump-3.7.2-7.9= =2E4.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/tcpdump-3.7.2-7.9.= 4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/libpcap-0.7.2-7.9.= 4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/arpwatch-2.1a11-7.= 9.4.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tcpdump-3.7.2-8.f= c1.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/tcpdump-3.7.2-8.fc= 1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/libpcap-0.7.2-8.fc= 1.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/arpwatch-2.1a11-8.= fc1.3.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tcpdump-3.8.2-6.F= C2.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/tcpdump-3.8.2-6.FC= 2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/libpcap-0.8.3-6.FC= 2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/arpwatch-2.1a13-6.= FC2.3.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 0beccb4a6dd929174bc2d70d680a2e3c4a094391 redhat/9/updates/i386/tcpdump-3.7.2-7.9.4.legacy.i386.rpm 71e1ffc2c4dbf2a5c754630e198f17af94000e66 redhat/9/updates/i386/libpcap-0.7.2-7.9.4.legacy.i386.rpm 843a832974f531413a8e406491f6c91d09bda24d redhat/9/updates/i386/arpwatch-2.1a11-7.9.4.legacy.i386.rpm 192fa5bbebe8039f3c23b8aa26804d1c4b788412 redhat/9/updates/SRPMS/tcpdump-3.7.2-7.9.4.legacy.src.rpm 1a426b6225718dbd325fbe0c6d54f8904b710103 fedora/1/updates/i386/tcpdump-3.7.2-8.fc1.3.legacy.i386.rpm 45cffdb7d98c2eb03da004d89b776a7050ff5c40 fedora/1/updates/i386/libpcap-0.7.2-8.fc1.3.legacy.i386.rpm 75e263aa296969c873d0475cc1c0785c30ea24d6 fedora/1/updates/i386/arpwatch-2.1a11-8.fc1.3.legacy.i386.rpm 6e86c20a8af1fc607809c713d7ac00ab5e2f717c fedora/1/updates/SRPMS/tcpdump-3.7.2-8.fc1.3.legacy.src.rpm 32d0dcf31fbe12225954cc32dad45dbcb6c5f5e4 fedora/2/updates/i386/tcpdump-3.8.2-6.FC2.3.legacy.i386.rpm c84625e92600faa8566129c8229daa6c328dcee9 fedora/2/updates/i386/libpcap-0.8.3-6.FC2.3.legacy.i386.rpm dbdcbed104a6d3985a0735aab55031a3be0e1a74 fedora/2/updates/i386/arpwatch-2.1a13-6.FC2.3.legacy.i386.rpm bb98c4cd71507e4dec94da2c1c9f95ee9bbacde1 fedora/2/updates/SRPMS/tcpdump-3.8.2-6.FC2.3.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1267 http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1278 http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1279 http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-1280 9. Contact: The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- --------------enig72CF56A4065A77499C855538 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEMxLYLMAs/0C4zNoRAk8xAJ4utHt2OOExJbd3DH8xtLyfe4YcyACeLsad ZdMzjYDTapqXGKau0WRk570= =BXab -----END PGP SIGNATURE----- --------------enig72CF56A4065A77499C855538-- . ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Apple Airport Probe Response Kernel Memory Corruption Vulnerability SECUNIA ADVISORY ID: SA22679 VERIFY ADVISORY: http://secunia.com/advisories/22679/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: H.D. Moore has reported a vulnerability in the Apple Airport driver, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the Airport driver provided with Orinoco-based Airport cards when handling probe response frames. This can be exploited to overwrite kernel memory and potentially execute arbitrary code when the driver is running in active scanning mode. The vulnerability is reported in the driver on a PowerBook running version 10.4.8. Other versions may also be affected. SOLUTION: Do not place the card into active scanning mode. PROVIDED AND/OR DISCOVERED BY: H D Moore ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-01-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/tcpdump < 3.8.3-r2 >= 3.8.3-r2 Description =========== TCPDump improperly handles and decodes ISIS, BGP, LDP (CAN-2005-1279) and RSVP (CAN-2005-1280) packets. TCPDump might loop endlessly after receiving malformed packets. Workaround ========== There is no known workaround at this time. Resolution ========== All TCPDump users should upgrade to the latest available version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-3.8.3-r2" References ========== [ 1 ] CAN-2005-1279 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1279 [ 2 ] CAN-2005-1280 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1280 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200505-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0

The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. Remote attackers who exploit this issue IFRAME Tag and "TELNET://" Formal URI Etc., Web Malicious via page or email Telnet By guiding the target user to connect to the server, important information on the target system, such as the user name, executable file search path, and the location of important data, may be taken. Also some Linux Included with the distribution Kerberos Has been reported to be affected by this issue.Please refer to the “Overview” for the impact of this vulnerability. Telnet clients provided by multiple vendors are prone to a remote information-disclosure vulnerability. Attackers can retrieve any information stored in the environment of clients using the affected telnet application. The contents of the environment variables may be sensitive in nature, allowing attackers to gain information that may aid them in further attacks. This can be exploited to gain knowledge of the session variables for a user, who has an open connection to a malicious Telnet server. Successful exploitation requires that a user e.g. visits a malicious web site or is tricked into clicking a specially crafted link. SOLUTION: Apply patches. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------