VARIoT IoT vulnerabilities database
| VAR-200711-0307 | CVE-2007-4680 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
CFNetwork in Apple Mac OS X 10.3.9 and 10.4 through 10.4.10 does not properly validate certificates, which allows remote attackers to spoof trusted SSL certificates via a man-in-the-middle attack. Apple Mac OS X of CFNetwork May be fraudulent due to incomplete certificate validation. SSL There is a vulnerability that is subject to man-in-the-middle attacks through certificates.A third party may be subjected to a man-in-the-middle attack, which may leak certificate and email information.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
| VAR-200711-0305 | CVE-2007-4678 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
AppleRAID in Apple Mac OS X 10.3.9 and 10.4 through 10.4.10 allows attackers to cause a denial of service (crash) via a crafted striped disk image, which triggers a NULL pointer dereference when it is mounted. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
| VAR-200711-0308 | CVE-2007-4681 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Buffer overflow in CoreFoundation in Apple Mac OS X 10.3.9 and 10.4 through 10.4.10 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted directory hierarchy. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk.
20) A boundary error exists when adding a new AppleTalk zone.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
| VAR-200711-0306 | CVE-2007-4679 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
CFFTP in CFNetwork for Apple Mac OS X 10.4 through 10.4.10 allows remote FTP servers to force clients to connect to other hosts via crafted responses to FTP PASV commands. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
| VAR-200711-0250 | CVE-2007-4269 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Integer overflow in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a crafted AppleTalk Session Protocol (ASP) message on an AppleTalk socket, which triggers a heap-based buffer overflow. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues. Arbitrary instructions.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk.
20) A boundary error exists when adding a new AppleTalk zone.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. BACKGROUND
AppleTalk, a set of networking protocols developed by Apple, was
originally implemented on early Mac operating systems. AppleTalk is compiled into the default kernel, but must be turned on
in order to be used.
ASP, as its name implies, is a Session Layer protocol that is used by
the AppleTalk File Sharing protocol to establish connections with a
peer. More information can be found at the following URL.
http://docs.info.apple.com/article.html?artnum=50039
II.
The vulnerability exists within a function responsible for sending an
ASP (AppleTalk Session Protocol) message on an AppleTalk socket. When
allocating a buffer, the kernel uses a user provided integer to perform
an arithmetic operation that calculates the number of bytes to allocate.
This calculation can overflow, leading to the allocation of a buffer of
insufficient size. This results in an exploitable heap based buffer
overflow within the kernel.
III. Exploitation has proven
to be non-trivial.
In order to reach the vulnerable code, a system would have to have
AppleTalk turned on. It would likely be used on a network consisting of
older Mac hosts since previous versions of Mac relied on it to implement
Apple File Sharing.
IV. Previous versions may also be
affected.
To determine if AppleTalk is running, the following command can be
executed on the command line.
$ appletalk -s
V. WORKAROUND
Disabling AppleTalk will prevent exploitation of this vulnerability.
Executing the following command will disable AppleTalk if it is
enabled.
# appletalk -d
VI. More information is available at the following URL.
http://docs.info.apple.com/article.html?artnum=307041
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4269 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/08/2007 Initial vendor notification
08/09/2007 Initial vendor response
11/14/2007 Public disclosure
IX. CREDIT
This vulnerability was discovered by Sean Larsson of VeriSign iDefense
Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
I. Further
details are available in the related vulnerability notes. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service. This and
other updates are available via Apple Update or via Apple Downloads. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
| VAR-200711-0288 | CVE-2007-3749 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The kernel in Apple Mac OS X 10.4 through 10.4.10 does not reset the current Mach Thread Port or Thread Exception Port when executing a setuid program, which allows local users to execute arbitrary code by creating the port before launching the setuid program, then writing to the address space of the setuid process. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. More information can be found on the vendor's
site at the following URL.
http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/boundaries/chapter_14_section_4.html
II.
III. In a default install,
there are numerous binaries that meet these requirements.
IV. Previous versions may
also be affected.
V. WORKAROUND
iDefense is currently unaware of any workaround for this issue.
VI. More information is available at the following URL.
http://docs.info.apple.com/article.html?artnum=307041
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3749 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
09/07/2007 Initial vendor notification
09/10/2007 Initial vendor response
11/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
I. Further
details are available in the related vulnerability notes. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service. This and
other updates are available via Apple Update or via Apple Downloads. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
| VAR-200711-0249 | CVE-2007-4268 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Integer signedness error in the Networking component in Apple Mac OS X 10.4 through 10.4.10 allows local users to execute arbitrary code via a crafted AppleTalk message with a negative value, which satisfies a signed comparison during mbuf allocation but is later interpreted as an unsigned value, which triggers a heap-based buffer overflow. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
----------------------------------------------------------------------
2003: 2,700 advisories published
2004: 3,100 advisories published
2005: 4,600 advisories published
2006: 5,300 advisories published
How do you know which Secunia advisories are important to you?
The Secunia Vulnerability Intelligence Solutions allows you to filter
and structure all the information you need, so you can address issues
effectively.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service. This and
other updates are available via Apple Update or via Apple Downloads. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9
OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi
sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F
4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB
AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2
LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ==
=AgEr
-----END PGP SIGNATURE-----
. BACKGROUND
AppleTalk, a set of networking protocols developed by Apple, was
originally implemented on early Mac operating systems. AppleTalk is compiled into the default kernel, but must be turned on
in order to be used. More information can be found at the following URL.
http://docs.info.apple.com/article.html?artnum=50039
II.
The vulnerability exists within a function responsible for allocating an
mbuf. mbufs are a BSD concept, long used by BSD kernels to allocate
buffers for storing network related data.
When allocating an mbuf buffer, the kernel performs a comparison using
two signed integers, one of which is controlled by the user, to
determine how many bytes to allocate. If a user passes a negative
value, a minimally sized buffer will be allocated due to the signed
comparison. The calling function will usually interpret the user
controlled value as an unsigned value, and this results in the
allocated buffer being overflowed.
III. Unsuccessful attempts
will likely crash the system. Exploitation has proven to be
non-trivial.
In order to exploit this vulnerability, a system would have to have
AppleTalk turned on. It would likely be used on a network consisting of
older Mac hosts since previous versions of Mac relied on it to implement
Apple File Sharing.
IV. Previous versions may also be
affected.
To determine if AppleTalk is running, the following command can be
executed on the command line.
$ appletalk -s
V. WORKAROUND
Disabling AppleTalk will prevent exploitation of this vulnerability.
Executing the following command will disable AppleTalk if it is
enabled.
# appletalk -d
VI. More information is available at the following URL.
http://docs.info.apple.com/article.html?artnum=307041
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-4268 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/08/2007 Initial vendor notification
08/09/2007 Initial vendor response
11/14/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Sean Larsson of VeriSign iDefense
Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200503-0138 | CVE-2005-0943 |
Cisco VPN 3000 C Denial of service attack vulnerability
Related entries in the VARIoT exploits database: VAR-E-200503-0133 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 3000 series Concentrator running firmware 4.1.7.A and earlier allows remote attackers to cause a denial of service (device reload or drop user connection) via a crafted HTTPS packet. Cisco VPN 3000 Concentrator products are reported prone to a remote denial of service vulnerability.
A remote unauthenticated attacker may trigger this vulnerability to cause an affected device to reload or drop connections. Specifically, an attacker can target the HTTPS service running on a vulnerable device to trigger this vulnerability.
Cisco VPN 3000 Concentrator products running software version 4.1.7.A and prior are affected by this issue
| VAR-200505-0521 | CVE-2005-0964 | Kerio Personal Firewall Local Network Access Restriction Bypass Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in Kerio Personal Firewall 4.1.2 and earlier allows local users to bypass firewall rules via a malicious process that impersonates a legitimate process that has fewer restrictions. This issue is due to a design error that causes the application to fail to properly validate the origin of network requests.
An attacker may leverage this issue to bypass network access restrictions, potentially leading administrators to a false sense of security
| VAR-200505-0455 | CVE-2005-0923 | Symantec Norton AntiVirus AutoProtect Module SmartScan Local Denial Of Service Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The SmartScan feature in the Auto-Protect module for Symantec Norton AntiVirus 2004 and 2005, as also used in Internet Security 2004/2005 and System Works 2004/2005, allows attackers to cause a denial of service (CPU consumption and system crash) by renaming a file on a network share. Symantec Norton AntiVirus may hang or crash when the Auto-Protect module scans certain files. It is reported that the issue manifests when an unspecified type of file is scanned by AutoProtect, the scan results in the device driver module failing leading to a subsequent kernel crash. The Symantec Norton AntiVirus AutoProtect SmartScan functionality is reported prone to a local denial of service vulnerability.
A local attacker may exploit this vulnerability to deny service for legitimate users.
PROVIDED AND/OR DISCOVERED BY:
Isamu Noguchi
ORIGINAL ADVISORY:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200505-0454 | CVE-2005-0922 | Symantec Norton AntiVirus AutoProtect Module Remote Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in the Auto-Protect module in Symantec Norton AntiVirus 2004 and 2005, as also used in Internet Security 2004/2005 and System Works 2004/2005, allows attackers to cause a denial of service (system hang or crash) by triggering a scan of a certain file type. It is reported that the issue manifests when an unspecified type of file is scanned by AutoProtect, the scan results in the device driver module failing leading to a subsequent kernel crash. The Symantec Norton AntiVirus AutoProtect SmartScan functionality is reported prone to a local denial of service vulnerability.
A local attacker may exploit this vulnerability to deny service for legitimate users. This type of file itself is not malicious, but an attacker may maliciously introduce the file from the outside through email or http, and an authorized user may also introduce the file from the inside to interrupt the service of the target system.
PROVIDED AND/OR DISCOVERED BY:
Isamu Noguchi
ORIGINAL ADVISORY:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200505-0162 | CVE-2005-0468 |
OpenSSL SSLv2 client code fails to properly check for NULL
Related entries in the VARIoT exploits database: VAR-E-200503-0240 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumers more memory than allocated. A flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application. The gzip program contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. Included with many products telnet Clients env_opt_add() There is a vulnerability that causes a buffer overflow when certain input data including escape characters is processed due to improper bounds checking in the function.Configured by a third party telnet Guided or crafted the target user to log in to the server Web By displaying the page, arbitrary code may be executed with the user's authority. Multiple vendors' Telnet client applications are reported prone to a remote buffer-overflow vulnerability. This vulnerability reportedly occurs in the 'env_opt_add()' function in the 'telnet.c' source file, which is apparently common source for all the affected vendors.
----------------------------------------------------------------------
Want to work within IT-Security?
Secunia is expanding its team of highly skilled security experts.
We will help with relocation and obtaining a work permit.
Currently the following type of positions are available:
http://secunia.com/quality_assurance_analyst/
http://secunia.com/web_application_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
----------------------------------------------------------------------
TITLE:
gzip Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21996
VERIFY ADVISORY:
http://secunia.com/advisories/21996/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
>From remote
SOFTWARE:
gzip 1.x
http://secunia.com/product/4220/
DESCRIPTION:
Tavis Ormandy has reported some vulnerabilities in gzip, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.
1) A boundary error within the "make_table()" function in unlzh.c can
be used to modify certain stack data. tricking
a user or automated system into unpacking a specially crafted archive
file. tricking a user or
automated system into unpacking a specially crafted "pack" archive
file.
3) A buffer overflow within the "make_table()" function of gzip's LZH
support can be exploited to cause a DoS and potentially to compromise
a vulnerable system by e.g. tricking a user or automated system into
unpacking an archive containing a specially crafted decoding table.
4) A NULL pointer dereference within the "huft_build()" function and
an infinite loop within the LZH handling can be exploited to cause a
DoS by e.g. tricking a user or automated system into unpacking a
specially crafted archive file.
The vulnerabilities have been reported in version 1.3.5. Other
versions may also be affected.
SOLUTION:
Do not unpack untrusted archive files.
PROVIDED AND/OR DISCOVERED BY:
Tavis Ormandy, Google Security Team
ORIGINAL ADVISORY:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676
OTHER REFERENCES:
US-CERT VU#554780:
http://www.kb.cert.org/vuls/id/554780
US-CERT VU#381508:
http://www.kb.cert.org/vuls/id/381508
US-CERT VU#773548:
http://www.kb.cert.org/vuls/id/773548
US-CERT VU#933712:
http://www.kb.cert.org/vuls/id/933712
US-CERT VU#596848
http://www.kb.cert.org/vuls/id/596848
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. BACKGROUND
The TELNET protocol allows virtual network terminals to be connected to
over the internet. The initial description of the telnet protocol was
given in RFC854 in May 1983. Since then there have been many extra
features added including encryption.
II.
The vulnerability specifically exists in the env_opt_add() function of
telnet.c. A buffer of a fixed size (256 bytes) is allocated to store the
result of the processing this function performs on network input. If
this buffer is not large enough to contain the string, the buffer is
expanded by a further 256 bytes. This size is sufficient for most well
formed input, as the buffer passed as input to the affected function is
limited to the same size. However, due to the way the telnet protocol
escapes certain characters, it is possible to increase the length of the
output by including a large run of characters which need escaping. This
can allow the 256 byte input buffer to expand to a maximum of 512 bytes
in the allocated storage buffer. If, after expanding the buffer by 256
bytes, the buffer is still not large enough to contain the input, a heap
based buffer overflow occurs, which is exploitable on at least some
affected platforms.
III. It may be
possible to automatically launch the telnet command from a webpage, for
example:
<html><body>
<iframe src='telnet://malicious.server/'>
</body>
On opening this page the telnet client may be launched and attempt to
connect to the host 'malicious.server'.
IV. DETECTION
iDEFENSE has confirmed the existance of the vulnerability in the telnet
client included in the Kerberos V5 Release 1.3.6 package and the client
included in the SUNWtnetc package of Solaris 5.9. It is suspected that
most BSD based telnet clients are affected by this vulnerability.
V. WORKAROUND
iDEFENSE is currently unaware of any effective workarounds for this
vulnerability.
VI. VENDOR RESPONSE
The following vendors have provided official responses related to this
vulnerability. Other vendors may be affected but have not provided an
official response.
Vulnerable:
- ALT Linux
All supported ALT Linux distributions include telnet client derived from
OpenBSD 3.0. The env_opt_add() buffer overflow vulnerability is present
in all our telnet clients. Updated packages with fixes for these issues
will be released on March 28, 2005.
http://lists.altlinux.ru/pipermail/security-announce/2005-March/000287.html
- Apple Computer, Inc.
Component: Telnet
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
This is fixed in Security Update 2005-003, which is available at
http://docs.info.apple.com/article.html?artnum=61798
- FreeBSD
FreeBSD-SA-05:01.telnet security advisory:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
- MIT (Kerberos)
This vulnerability is covered in the following upcoming advisory:
MITKRB5-SA-2005-001:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
patch against krb5-1.4:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
- Openwall Project
The bugs are fixed starting with telnet package version 3.0-owl2.
http://www.openwall.com/Owl/CHANGES-current.shtml
- Red Hat, Inc.
Red Hat Enterprise Linux ship with telnet and krb5 packages vulnerable
to this issue. New telnet and krb5 packages are now available along
with our advisory at the URLs below and by using the Red Hat Network
'up2date' tool.
Red Hat Enterprise Linux - telnet
http://rhn.redhat.com/errata/RHSA-2005-330.html
Red Hat Enterprise Linux - krb5
http://rhn.redhat.com/errata/RHSA-2005-327.html
- Sun Microsystems Inc.
Sun confirms that the telnet(1) vulnerabilities do affect all
currently supported versions of Solaris:
Solaris 7, 8, 9 and 10
Sun has released a Sun Alert which describes a workaround until patches
are available at:
http://sunsolve.sun.com
Sun Alert #57755
The Sun Alert will be updated with the patch information once it becomes
available. Sun patches are available from:
http://sunsolve.sun.com/securitypatch
Not Vulnerable:
- CyberSafe Limited
The CyberSafe TrustBroker products, version 3.0 or later, are not
vulnerable.
- Hewlett-Packard Development Company, L.P.
HP-UX and HP Tru64 UNIX are not vulnerable.
- InterSoft International, Inc.
InterSoft International, Inc. products NetTerm, SecureNetTerm and
SNetTerm are not affected by the env_opt_add() buffer overflow
conditions.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0468 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/18/2005 Initial vendor notifications
03/28/2005 Coordinated public disclosure
IX. CREDIT
Ga\xebl Delalleau credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright \xa9 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All telnet-bsd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/telnet-bsd-1.0-r1"
References
==========
[ 1 ] CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
[ 2 ] IDEF0867
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
[ 3 ] CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
[ 4 ] IDEF0866
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200504-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : telnet client multiple issues
Advisory number: SCOSA-2005.21
Issue date: 2005 April 08
Cross reference: sr893210 fz531446 erg712801 CAN-2005-0469 CAN-2005-0468
______________________________________________________________________________
1. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
4.2 Verification
MD5 (erg712801.714.pkg.Z) = bf53673ea12a1c25e3606a5b879adbc4
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712801.714.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712801.714.pkg.Z
# pkgadd -d /var/spool/pkg/erg712801.714.pkg
5. UnixWare 7.1.3
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
5.2 Verification
MD5 (erg712801.713.pkg.Z) = e876b261afbecb41c18c26d6ec11e71d
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712801.713.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712801.713.pkg.Z
# pkgadd -d /var/spool/pkg/erg712801.713.pkg
6. UnixWare 7.1.1
6.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
6.2 Verification
MD5 (erg712801.711.pkg.Z) = f3099416a793c1f731bc7e377fe0e4a2
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
6.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712801.711.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712801.711.pkg.Z
# pkgadd -d /var/spool/pkg/erg712801.711.pkg
7. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr893210 fz531446
erg712801. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products. Additional user interaction may not be required if the
attacker can get the user to view HTML containing an IFRAME tag
containing a "telnet:" URL pointing to a malicious server.
FIXES
=====
* WORKAROUND: Disable handling of "telnet:" URLs in web browsers,
email readers, etc., or remove execute permissions from the telnet
client program.
* The upcoming krb5-1.4.1 patch release will contain fixes for this
problem.
* Apply the patch found at:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt.asc
The patch was generated against the krb5-1.4 release. It may apply
against earlier releases with some offset.
DETAILS
=======
The slc_add_reply() function in telnet.c performs inadequate length
checking.
The env_opt_add() function in telnet.c performs inadequate length
checking.
For the stable distribution (woody) these problems have been fixed in
version 1.2.4-5woody8.
For the unstable distribution (sid) these problems have been fixed in
version 1.3.6-1.
We recommend that you upgrade your krb5 package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody8.dsc
Size/MD5 checksum: 750 51c3ea6dcf74a9d82bef016509870c3d
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody8.diff.gz
Size/MD5 checksum: 83173 97d5ce1eeec763cc67d56b0758891a0f
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz
Size/MD5 checksum: 5443051 663add9b5942be74a86fa860a3fa4167
Architecture independent components:
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody8_all.deb
Size/MD5 checksum: 512968 88dea0dcf727a6fe03457485e6c98ea4
Alpha architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 253798 4124ad89c3d6698ae5ce09cc0a810e77
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 217536 02bdd8e928ce65cfc415de890106cde7
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 63072 9aa2b092cc3d4729f6d309160b27117c
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 252162 0f2b0638347b34b07ab919c05b7a404a
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 76452 4eab68ade26bdd00dc733183f673cf7e
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 59106 4c00e1ad73ba0be9631ed3b20846cf31
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 207478 f94b1e493f4a35a9244ab0a71f714f61
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 83948 b4870cfb49811f9e9bfc182004d6e72a
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 633440 f794455df495082bd8c40b2f0a6e0f22
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 367446 248fced4d354d47649deaa0c5d349354
ARM architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 197342 11591d7d943ee2d38f0117b53ec59026
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 160678 f4118cf6266830f7db9553329dcc1532
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 48830 dc4986db69fc9fa3aacd9487a1a57004
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 198672 6e11c792134a4d9bd602a7461895c42c
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 63738 01cee2e685f3bc973f7cce7e5ec08f56
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 49406 03755be7fa950f05c099aff6dc847e7d
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 166018 b8000d9c82076d7134aacf28a3ae7a98
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 73626 3070b54d29b8174b78886e37bc25c112
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 493632 b74a2e03c250019f25ff58387792d666
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 295230 bd4ccc64814aeebd0071b68dc964080d
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 179362 e38dffa6b1e44da9c05ab5569283141b
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 152348 eb2d37aca6f5aeb2ecd3dc7a66b351fc
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 46370 dda52cc0f381955716025f4f3f210630
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 178578 3d9e28bc8bbd83161cd8c9781db99e76
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 61358 846936ed49d43dddf11c8239e7ecb74f
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 46652 4b12ff1ef17b81aadec2cf27c249b263
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 156624 2a626d8694742a825242085d83efb40f
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 72022 678e924f12886c54cb3ca9bdee6a8da4
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 433960 9a90e0a4c79b81f2d00945fb7bdf84da
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 293706 be17bc6de25438a34466e7a47c5e4a0f
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 322390 bd8deae9fe5e2fd0d0e304d93c676c95
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 266614 fa5fedbcc5ce19cf0fd6e0f019988aaa
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 73742 3b21c0fd054d80e979808c47bef49b15
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 322348 b893958f43de292d927b49cd9dda434b
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 92050 2c1a3cf4ae7311dc95a696bf919148e9
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 70700 38b66040685eb5421abcb92cdcb682df
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 256278 5440c691dcc69e168105b60a4433332d
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 107650 0b12f0212a2e8ee31654a605e7b74219
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 705942 9dc21d18876a435f5ecbae3c1fa90fac
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 475034 072e1682115dd9c556d2eca5c65780af
HP Precision architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 214666 50a69b51ec610a919c00e13dad97c237
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 189950 ed974a7360091fe4ea8a5dee5f310a93
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 54064 87d03aa246e3a8bed874ea20aab5c90c
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 214092 fdb3544036609131e218f1293d59ab62
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 68802 6476e62e8872de28da85a6d7ff6a91a8
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 55892 ae903fa8671838a64061748b150503ae
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 183066 bde3354927006d85aed74b4ce67f379b
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 85122 160ea9c72f59ee814853092ba414f37e
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 558094 4b5f91e312a31a075cf0ee5f5abb28f4
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 362152 bf33b679c8e3023f1baa81dedc1c9e32
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 164376 695f5090f6f02ef5ffcdb94994923d1d
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 144904 f03b67ac31422c20cd2024a7f530f077
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 44522 7bb04f7623ecb06934e615790364744e
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 164106 460978cf8ba185277681491f91269bd3
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 57054 8bcee8e9061c204cc1d53f310603f647
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 44838 c57524e8c13e8f007451617b6c99374f
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 146184 ef14d19fd5d0d4bb4a4ee88287e556cd
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 70032 1bccace886d6c662ab3b10b0cfaa29d9
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 409054 be8e8f2a4573bb15ec6024f00a1c4087
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 277330 c78d56b08e2e4c37bc7d9d1aae9272f6
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 206742 9881404c18f586f88b60322f6ac46e11
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 191334 637743e42bdcbd990a8a8eaec03f04e6
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 53510 c194be0f6dedfbaa82f3f7f51bbafe48
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 209794 7ad1a3ae1a623910446a89d44f4d7c0a
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 66606 0921f3d4930ad9501eba05cb48c86093
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 55072 22603859834a0c66169b9c6b3438296b
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 175416 edcbd96200fec2b725a64df310856287
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 72292 afa180a53f462b42ada57f4183e481b2
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 541350 be00fa435c03a2474310c03b3aadb3d0
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 308518 db69345f0ad3df1e0b3b70310ffa6ed6
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 210850 d7831efe581155af02fbf4cd4b298577
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 190990 facf8459bd0684335304e2a9af7b8ec1
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 53694 cbae172d0491dd9f259b31f502d3f0ef
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 213350 9b2e3742c660d42556e790503cfa73c2
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 66918 cf9b408405283ea6cda2dc7d79dc5187
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 54936 13d0e562fea89e39cecffe02caa5184f
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 177270 6e92b594956acc65452e8c351222fb53
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 72106 54a3fbae7e86134d48ee49befcb00c99
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 540884 a93fd74e3cfce1d61e81dc15adeede7d
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 307184 e725f0ab101cf33b1eb127eb3d18df81
PowerPC architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 188456 1605cd80b08025be71477d33bae41d53
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 164152 0e3d09352a72b78dce03519b297a87c3
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 49372 9289fc6a3d9a4a1e35e55a8f536b2762
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 189546 cee053d38c1f38de08966f6957ed914a
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 62728 e6f98290ed591d955d5c80eb58d9f6dd
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 49338 bf451f9b226dd16dac16ee9c59d97783
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 162762 2edc9dee6e7672c838626cd391820de9
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 74060 5c6ce5c10f005fa31786354fd60c4616
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 490920 1a5ee5de494c46f5c00598b2ef5dff3d
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 303574 0972361a36370e77050b37e46aeaed66
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 189308 1b5d39163a97cb6ea829810afb1a648c
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 166440 0709eaf98f958d5190afbe956a277995
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 50302 f8721e09d7b159a5e16b293a8999d43c
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 190628 cd1c66f7eaa63239aee8fbb4a26bed76
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 67096 a191f8826271cfe94a8aef0d8e6aece1
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 50278 b0fccd0d25256f8357e8f32e815bf6f6
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 164334 ce022c07d1815b0df8b5f9a46e8c2ed8
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 76638 4aa46656e9c0293fb5e28e56391e77bc
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 453482 b52bf2d4a664c52c350f80c1593ea5c2
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 319656 7b7d0c4b136d99b9dfaf798d4f94d0c9
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 183454 aa907094cbdaac57da2f0eca9b8eb5bd
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 173036 7f173f3267bcab3e66922ea6d40b9108
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 49792 ce46cc950c54a24025647cec765c6e6b
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 184358 1ae257a74f7e385a2e4e186a26e86da6
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 64400 6429cb02f6d8c3948ef94176ee077c9e
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 49780 dc7690038fd1b4125179157411f96396
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 159528 4c9938799737182f5fd4455f7ba08508
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 73406 83f33192e1d069af16c155136117b331
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 463024 94916989bafb9975e1d973cc0210b1d0
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 301464 ebf61bee3343e02ea2d64066a6713424
These files will probably be moved into the stable distribution on
its next update.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-333A
Apple Releases Security Update to Address Multiple Vulnerabilities
Original release date: November 29, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.x and 10.4.x
* Apple Mac OS X Server version 10.3.x and 10.4.x
* Apple Safari web browser
These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems. Vulnerabilities in OpenSSL, gzip, and other products are also
addressed.
I. Further details are available in the related vulnerability
notes.
This security update also addresses previously known vulnerabilities
in PHP, Perl, OpenSSL, and gzip, which are shipped with Mac OS X. The
OpenSSL vulnerabilities are documented in multiple vulnerability
notes. Information is also available through the OpenSSL
vulnerabilities page. Information about the vulnerabilities in gzip is
available in a series of vulnerability notes. Impact
The impacts of these vulnerabilities vary. For specific details, see
the appropriate vulnerability notes. Solution
Install updates
Install Apple Security Update 2006-007. References
* Vulnerability Notes for Apple Security Update 2006-007 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-007>
* Vulnerability Notes for OpenSSL Security Advisory [28th September
2006] -
<http://www.kb.cert.org/vuls/byid?searchview&query=openssl_secadv_20060928>
* Vulnerability Note VU#845620 -
<http://www.kb.cert.org/vuls/id/845620>
* Vulnerability Note VU#933712 -
<http://www.kb.cert.org/vuls/id/933712>
* Vulnerability Note VU#381508 -
<http://www.kb.cert.org/vuls/id/381508>
* Vulnerability Note VU#554780 -
<http://www.kb.cert.org/vuls/id/554780>
* Vulnerability Note VU#596848 -
<http://www.kb.cert.org/vuls/id/596848>
* Vulnerability Note VU#773548 -
<http://www.kb.cert.org/vuls/id/773548>
* About the security content of Security Update 2006-007 -
<http://docs.info.apple.com/article.html?artnum=304829>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Apple Downloads - <http://www.apple.com/support/downloads/>
* OpenSSL: OpenSSL vulnerabilities -
<http://www.openssl.org/news/vulnerabilities.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-333A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-333A Feedback VU#191336" in the
subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
November 29, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRW33NuxOF3G+ig+rAQJtiggApJKRh7x+z8vp0xb26sE16RUOD3epcrk6
lJZ4rXnqVqoFacAt0Ucb8T43/Uc4N85UMa695YbFspYZum3hcGZo+WnNPolGUeRz
iN/4bfKgzekfpbHxf6T3YvQYp+PVMRfHPUcxfaZDYXhu2813N4SSQpM59KRL5BD7
xr+5VvB09biVKlzpEdgtk2EHcqc+sMF5+o3cCgDJCnJNL+NG4J6d/hsyNP15ekTf
8m0W4rJonUe2gR2Bp7F1Y47KgRr3BT1aH2gxUSim9qEJpPdP/CkmGoFp+BfrFP9q
A580LOrqFK8HIly1fbPKb26p2theUUESnQqM9Ob8xolkCDLy6h7ssg==
=f7N+
-----END PGP SIGNATURE-----
| VAR-200505-0163 | CVE-2005-0469 | Multiple Telnet Clients vulnerable to buffer overflow via the env_opt_add() function in telnet.c |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands. Multiple Telnet clients contain a data length validation flaw which may allow a server to induce arbitrary code execution on the client host. A remote buffer-overflow vulnerability affects multiple vendors' Telnet client. This issue is due to the application's failure to properly validate the length of user-supplied strings before copying them into static process buffers.
An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.
----------------------------------------------------------------------
Want a new IT Security job?
Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Sun SEAM Telnet Client Buffer Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA15030
VERIFY ADVISORY:
http://secunia.com/advisories/15030/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Sun SEAM 1.x
http://secunia.com/product/1006/
DESCRIPTION:
Sun has acknowledged some vulnerabilities in SEAM, which can be
exploited by malicious people to compromise a vulnerable system.
For more information:
SA14745
SOLUTION:
The vendor suggests removing the execute permissions from
"/usr/krb5/bin/telnet".
ORIGINAL ADVISORY:
Sun Microsystems:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57761-1
OTHER REFERENCES:
SA14745:
http://secunia.com/advisories/14745/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Heimdal, a free implementation
of Kerberos 5, also contains such a client. BACKGROUND
The TELNET protocol allows virtual network terminals to be connected to
over the internet. The initial description of the protocol was given in
RFC854 in May 1983. Since then there have been many extra features added
including encryption.
II.
The vulnerability specifically exists in the handling of the LINEMODE
suboptions, in that there is no size check made on the output, which is
stored in a fixed length buffer.
III. It may be
possible to automatically launch the telnet command from a webpage, for
example:
<html><body>
<iframe src='telnet://malicious.server/'>
</body>
On opening this page the telnet client may be launched and attempt to
connect to the host 'malicious.server'.
IV. DETECTION
iDEFENSE has confirmed the existence of the vulnerability in the telnet
client included in the Kerberos V5 Release 1.3.6 package and the client
included in the SUNWtnetc package of Solaris 5.9.
V. WORKAROUND
iDEFENSE is currently unaware of any effective workarounds for this
vulnerability.
VI. VENDOR RESPONSE
The following vendors have provided official responses related to this
vulnerability. Other vendors may be affected but have not provided an
official response.
Vulnerable:
- ALT Linux
All supported ALT Linux distributions include telnet client derived from
OpenBSD 3.0. Updated packages with fixes for
these issues will be released on March 28, 2005.
http://lists.altlinux.ru/pipermail/security-announce/2005-March/000287.html
- Apple Computer, Inc.
Component: Telnet
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
This is fixed in Security Update 2005-003, which is available at
http://docs.info.apple.com/article.html?artnum=61798
- FreeBSD
FreeBSD-SA-05:01.telnet security advisory:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:01.telnet.asc
- MIT (Kerberos)
This vulnerability is covered in the following upcoming advisory:
MITKRB5-SA-2005-001:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt
patch against krb5-1.4:
http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
- Openwall Project
The bugs are fixed starting with telnet package version 3.0-owl2.
http://www.openwall.com/Owl/CHANGES-current.shtml
- Red Hat, Inc.
Red Hat Enterprise Linux ships with telnet and krb5 packages vulnerable
to this issue. New telnet and krb5 packages are now available along
with our advisory at the URLs below and by using the Red Hat Network
'up2date' tool.
Red Hat Enterprise Linux - telnet
http://rhn.redhat.com/errata/RHSA-2005-330.html
Red Hat Enterprise Linux - krb5
http://rhn.redhat.com/errata/RHSA-2005-327.html
- Sun Microsystems Inc.
Sun confirms that the telnet(1) vulnerabilities do affect all
currently supported versions of Solaris:
Solaris 7, 8, 9 and 10
Sun has released a Sun Alert which describes a workaround until patches
are available at:
http://sunsolve.sun.com
Sun Alert #57755
The Sun Alert will be updated with the patch information once it becomes
available. Sun patches are available from:
http://sunsolve.sun.com/securitypatch
Not Vulnerable:
- CyberSafe Limited
The CyberSafe TrustBroker products, version 3.0 or later, are not vulnerable.
- Hewlett-Packard Development Company, L.P.
HP-UX and HP Tru64 UNIX are not vulnerable.
- InterSoft International, Inc.
InterSoft International, Inc. products NetTerm, SecureNetTerm and
SNetTerm are not affected by the slc_add_reply() buffer overflow
conditions.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0469 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/18/2005 Initial vendor notification
03/28/2005 Coordinated public disclosure
IX. CREDIT
Ga\xebl Delalleau credited with this discovery.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES
Copyright \xa9 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
http://creativecommons.org/licenses/by-sa/2.0
. This is a multi-part message in MIME format.
Background
==========
netkit-telnetd provides standard Linux telnet client and server.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All netkit-telnetd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/netkit-telnetd-0.17-r6"
References
==========
[ 1 ] CAN-2005-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
[ 2 ] iDEFENSE Advisory 03-28-05
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200503-36.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
--------------enig5AB53435F202A7CF12E5E13A
Content-Type: application/pgp-signature;
name="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Description: OpenPGP digital signature
Content-Disposition: attachment;
filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCS97/vcL1obalX08RAqPTAJ0U96lQ6ItuSV4jrDU16XhgSX4fnwCeJ2kS
RMB/LUN0B0tNRKR3DBoB0YE=
=0wgI
-----END PGP SIGNATURE-----
--------------enig5AB53435F202A7CF12E5E13A--
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 703-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
April 1st, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : krb5
Vulnerability : buffer overflows
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-0468 CAN-2005-0469
CERT advisories: VU#341908 VU#291924
Several problems have been discovered in telnet clients that could be
exploited by malicious daemons the client connects to. This can lead to the
execution of arbitrary code when connected to a malicious server.
For the stable distribution (woody) these problems have been fixed in
version 1.2.4-5woody8.
For the unstable distribution (sid) these problems have been fixed in
version 1.3.6-1.
We recommend that you upgrade your krb5 package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody8.dsc
Size/MD5 checksum: 750 51c3ea6dcf74a9d82bef016509870c3d
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody8.diff.gz
Size/MD5 checksum: 83173 97d5ce1eeec763cc67d56b0758891a0f
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz
Size/MD5 checksum: 5443051 663add9b5942be74a86fa860a3fa4167
Architecture independent components:
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody8_all.deb
Size/MD5 checksum: 512968 88dea0dcf727a6fe03457485e6c98ea4
Alpha architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 253798 4124ad89c3d6698ae5ce09cc0a810e77
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 217536 02bdd8e928ce65cfc415de890106cde7
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 63072 9aa2b092cc3d4729f6d309160b27117c
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 252162 0f2b0638347b34b07ab919c05b7a404a
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 76452 4eab68ade26bdd00dc733183f673cf7e
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 59106 4c00e1ad73ba0be9631ed3b20846cf31
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 207478 f94b1e493f4a35a9244ab0a71f714f61
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 83948 b4870cfb49811f9e9bfc182004d6e72a
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 633440 f794455df495082bd8c40b2f0a6e0f22
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_alpha.deb
Size/MD5 checksum: 367446 248fced4d354d47649deaa0c5d349354
ARM architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 197342 11591d7d943ee2d38f0117b53ec59026
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 160678 f4118cf6266830f7db9553329dcc1532
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 48830 dc4986db69fc9fa3aacd9487a1a57004
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 198672 6e11c792134a4d9bd602a7461895c42c
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 63738 01cee2e685f3bc973f7cce7e5ec08f56
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 49406 03755be7fa950f05c099aff6dc847e7d
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 166018 b8000d9c82076d7134aacf28a3ae7a98
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 73626 3070b54d29b8174b78886e37bc25c112
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 493632 b74a2e03c250019f25ff58387792d666
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_arm.deb
Size/MD5 checksum: 295230 bd4ccc64814aeebd0071b68dc964080d
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 179362 e38dffa6b1e44da9c05ab5569283141b
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 152348 eb2d37aca6f5aeb2ecd3dc7a66b351fc
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 46370 dda52cc0f381955716025f4f3f210630
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 178578 3d9e28bc8bbd83161cd8c9781db99e76
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 61358 846936ed49d43dddf11c8239e7ecb74f
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 46652 4b12ff1ef17b81aadec2cf27c249b263
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 156624 2a626d8694742a825242085d83efb40f
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 72022 678e924f12886c54cb3ca9bdee6a8da4
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 433960 9a90e0a4c79b81f2d00945fb7bdf84da
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_i386.deb
Size/MD5 checksum: 293706 be17bc6de25438a34466e7a47c5e4a0f
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 322390 bd8deae9fe5e2fd0d0e304d93c676c95
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 266614 fa5fedbcc5ce19cf0fd6e0f019988aaa
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 73742 3b21c0fd054d80e979808c47bef49b15
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 322348 b893958f43de292d927b49cd9dda434b
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 92050 2c1a3cf4ae7311dc95a696bf919148e9
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 70700 38b66040685eb5421abcb92cdcb682df
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 256278 5440c691dcc69e168105b60a4433332d
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 107650 0b12f0212a2e8ee31654a605e7b74219
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 705942 9dc21d18876a435f5ecbae3c1fa90fac
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_ia64.deb
Size/MD5 checksum: 475034 072e1682115dd9c556d2eca5c65780af
HP Precision architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 214666 50a69b51ec610a919c00e13dad97c237
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 189950 ed974a7360091fe4ea8a5dee5f310a93
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 54064 87d03aa246e3a8bed874ea20aab5c90c
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 214092 fdb3544036609131e218f1293d59ab62
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 68802 6476e62e8872de28da85a6d7ff6a91a8
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 55892 ae903fa8671838a64061748b150503ae
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 183066 bde3354927006d85aed74b4ce67f379b
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 85122 160ea9c72f59ee814853092ba414f37e
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 558094 4b5f91e312a31a075cf0ee5f5abb28f4
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_hppa.deb
Size/MD5 checksum: 362152 bf33b679c8e3023f1baa81dedc1c9e32
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 164376 695f5090f6f02ef5ffcdb94994923d1d
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 144904 f03b67ac31422c20cd2024a7f530f077
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 44522 7bb04f7623ecb06934e615790364744e
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 164106 460978cf8ba185277681491f91269bd3
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 57054 8bcee8e9061c204cc1d53f310603f647
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 44838 c57524e8c13e8f007451617b6c99374f
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 146184 ef14d19fd5d0d4bb4a4ee88287e556cd
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 70032 1bccace886d6c662ab3b10b0cfaa29d9
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 409054 be8e8f2a4573bb15ec6024f00a1c4087
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_m68k.deb
Size/MD5 checksum: 277330 c78d56b08e2e4c37bc7d9d1aae9272f6
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 206742 9881404c18f586f88b60322f6ac46e11
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 191334 637743e42bdcbd990a8a8eaec03f04e6
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 53510 c194be0f6dedfbaa82f3f7f51bbafe48
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 209794 7ad1a3ae1a623910446a89d44f4d7c0a
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 66606 0921f3d4930ad9501eba05cb48c86093
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 55072 22603859834a0c66169b9c6b3438296b
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 175416 edcbd96200fec2b725a64df310856287
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 72292 afa180a53f462b42ada57f4183e481b2
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 541350 be00fa435c03a2474310c03b3aadb3d0
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_mips.deb
Size/MD5 checksum: 308518 db69345f0ad3df1e0b3b70310ffa6ed6
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 210850 d7831efe581155af02fbf4cd4b298577
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 190990 facf8459bd0684335304e2a9af7b8ec1
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 53694 cbae172d0491dd9f259b31f502d3f0ef
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 213350 9b2e3742c660d42556e790503cfa73c2
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 66918 cf9b408405283ea6cda2dc7d79dc5187
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 54936 13d0e562fea89e39cecffe02caa5184f
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 177270 6e92b594956acc65452e8c351222fb53
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 72106 54a3fbae7e86134d48ee49befcb00c99
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 540884 a93fd74e3cfce1d61e81dc15adeede7d
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_mipsel.deb
Size/MD5 checksum: 307184 e725f0ab101cf33b1eb127eb3d18df81
PowerPC architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 188456 1605cd80b08025be71477d33bae41d53
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 164152 0e3d09352a72b78dce03519b297a87c3
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 49372 9289fc6a3d9a4a1e35e55a8f536b2762
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 189546 cee053d38c1f38de08966f6957ed914a
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 62728 e6f98290ed591d955d5c80eb58d9f6dd
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 49338 bf451f9b226dd16dac16ee9c59d97783
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 162762 2edc9dee6e7672c838626cd391820de9
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 74060 5c6ce5c10f005fa31786354fd60c4616
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 490920 1a5ee5de494c46f5c00598b2ef5dff3d
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_powerpc.deb
Size/MD5 checksum: 303574 0972361a36370e77050b37e46aeaed66
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 189308 1b5d39163a97cb6ea829810afb1a648c
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 166440 0709eaf98f958d5190afbe956a277995
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 50302 f8721e09d7b159a5e16b293a8999d43c
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 190628 cd1c66f7eaa63239aee8fbb4a26bed76
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 67096 a191f8826271cfe94a8aef0d8e6aece1
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 50278 b0fccd0d25256f8357e8f32e815bf6f6
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 164334 ce022c07d1815b0df8b5f9a46e8c2ed8
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 76638 4aa46656e9c0293fb5e28e56391e77bc
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 453482 b52bf2d4a664c52c350f80c1593ea5c2
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_s390.deb
Size/MD5 checksum: 319656 7b7d0c4b136d99b9dfaf798d4f94d0c9
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 183454 aa907094cbdaac57da2f0eca9b8eb5bd
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 173036 7f173f3267bcab3e66922ea6d40b9108
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 49792 ce46cc950c54a24025647cec765c6e6b
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 184358 1ae257a74f7e385a2e4e186a26e86da6
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 64400 6429cb02f6d8c3948ef94176ee077c9e
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 49780 dc7690038fd1b4125179157411f96396
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 159528 4c9938799737182f5fd4455f7ba08508
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 73406 83f33192e1d069af16c155136117b331
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 463024 94916989bafb9975e1d973cc0210b1d0
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody8_sparc.deb
Size/MD5 checksum: 301464 ebf61bee3343e02ea2d64066a6713424
These files will probably be moved into the stable distribution on
its next update
| VAR-200505-0440 | CVE-2005-0903 | QuickTime deformity JPEG Buffer overflow vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Buffer overflow in QuickTime PictureViewer 6.5.1 allows remote attackers to cause a denial of service (application crash) via a JPEG file with crafted Huffman Table (marker DHT) data. Apple QuickTime is reportedly prone to a buffer overflow when viewing malformed image files.
This issue was reported to exist in QuickTime 6.5.1 for Windows. Other versions may also be affected.
This issue may be related to BID 11553. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more
| VAR-200505-0479 | CVE-2005-0877 | Dnsmasq Multiple Remote Vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. Dnsmasq is reported prone to multiple remote vulnerabilities. These issues can allow an attacker to exploit an off-by-one overflow condition and carry out DNS cache poisoning attacks.
An attacker may leverage these issues to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks.
A denial of service condition may occur due to the off-by-one overflow vulnerability. Although unconfirmed, there is a circumstantial possibility of remote code execution in the context of the server.
Reportedly, exploitation of the cache-poisoning issue is not trivial as improvements were made to the application to mitigate cache-poisoning attacks.
The off-by-one overflow issue affects Dnsmasq 2.14, 2.15, 2.16, 2.17, 2.18, 2.19 and 2.20. The cache-poisoning issue affects Dnsmasq 2.20 and prior.
Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available.
----------------------------------------------------------------------
Want a new IT Security job?
Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Dnsmasq DHCP Lease File Denial of Service and DNS Cache Poisoning
SECUNIA ADVISORY ID:
SA14691
VERIFY ADVISORY:
http://secunia.com/advisories/14691/
CRITICAL:
Moderately critical
IMPACT:
Spoofing, Manipulation of data, DoS
WHERE:
>From remote
SOFTWARE:
Dnsmasq 2.x
http://secunia.com/product/4837/
DESCRIPTION:
Two vulnerabilities have been reported in Dnsmasq, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
poison the DNS cache.
1) An off-by-one boundary error when reading the DHCP lease file can
be exploited by a malicious DHCP client to cause a buffer overflow by
supplying an overly long hostname and client-id.
Successful exploitation crashes Dnsmasq the next time it is started.
2) When receiving DNS replies, only the 16-bit ID is checked against
the current query. This can be exploited to poison the DNS cache if a
valid ID (randomly generated) is guessed by e.g. sending a flood of
DNS replies.
SOLUTION:
Update to version 2.21.
http://www.thekelleys.org.uk/dnsmasq/
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Rob Holland.
2) Reported by vendor.
ORIGINAL ADVISORY:
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200505-0478 | CVE-2005-0876 | Dnsmasq Multiple Remote Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file. Dnsmasq is reported prone to multiple remote vulnerabilities.
An attacker may leverage these issues to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks.
A denial of service condition may occur due to the off-by-one overflow vulnerability. Although unconfirmed, there is a circumstantial possibility of remote code execution in the context of the server.
Reportedly, exploitation of the cache-poisoning issue is not trivial as improvements were made to the application to mitigate cache-poisoning attacks.
The off-by-one overflow issue affects Dnsmasq 2.14, 2.15, 2.16, 2.17, 2.18, 2.19 and 2.20. The cache-poisoning issue affects Dnsmasq 2.20 and prior.
Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available.
----------------------------------------------------------------------
Want a new IT Security job?
Vacant positions at Secunia:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Dnsmasq DHCP Lease File Denial of Service and DNS Cache Poisoning
SECUNIA ADVISORY ID:
SA14691
VERIFY ADVISORY:
http://secunia.com/advisories/14691/
CRITICAL:
Moderately critical
IMPACT:
Spoofing, Manipulation of data, DoS
WHERE:
>From remote
SOFTWARE:
Dnsmasq 2.x
http://secunia.com/product/4837/
DESCRIPTION:
Two vulnerabilities have been reported in Dnsmasq, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
poison the DNS cache.
Successful exploitation crashes Dnsmasq the next time it is started.
2) When receiving DNS replies, only the 16-bit ID is checked against
the current query. This can be exploited to poison the DNS cache if a
valid ID (randomly generated) is guessed by e.g. sending a flood of
DNS replies.
SOLUTION:
Update to version 2.21.
http://www.thekelleys.org.uk/dnsmasq/
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Rob Holland.
2) Reported by vendor.
ORIGINAL ADVISORY:
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200505-0417 | CVE-2005-0844 | Nortel VPN Client Password leak vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Nortel VPN client 5.01 stores the cleartext password in the memory of the Extranet.exe process, which could allow local users to obtain sensitive information.
Credentials that are harvested through the exploitation of this weakness may then be used to aid in further attacks.
This weakness is reported to affect Nortel Contivity VPN Client version 5.01 for Microsoft Windows, versions for the Linux platform are not reported to be vulnerable. Other versions might also be affected
| VAR-200505-0466 | CVE-2005-0864 | DSL Modem multiple remote security vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Boa web server, as used in Samsung ADSL Modem SMDK8947v1.2 and possibly other products, allows remote attackers to read arbitrary files via a full pathname in the HTTP request. Multiple vulnerabilities are reported to exist in Samsung DSL modems.
The first issue is an information disclosure issue due to a failure of the device to block access to potentially sensitive files.
The second issue is a default backdoor account vulnerability. It is reported that multiple accounts exist on the modem by default, allowing remote attackers to gain administrative privileges on the modem.
These vulnerabilities may allow remote attackers to gain access to potentially sensitive information, or to gain administrative access to the affected device.
Samsung DSL modems running software version SMDK8947v1.2 are reported to be affected. Other devices and software versions are also likely affected. Samsung's DSL modem is a communication device used in broadband networks
| VAR-200505-0467 | CVE-2005-0865 | DSL Modem multiple remote security vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Samsung ADSL Modem SMDK8947v1.2 uses default passwords for the (1) root, (2) admin, or (3) user users, which allows remote attackers to gain privileges via Telnet or an HTTP request to adsl.cgi. Multiple vulnerabilities are reported to exist in Samsung DSL modems.
The first issue is an information disclosure issue due to a failure of the device to block access to potentially sensitive files.
The second issue is a default backdoor account vulnerability.
These vulnerabilities may allow remote attackers to gain access to potentially sensitive information, or to gain administrative access to the affected device.
Samsung DSL modems running software version SMDK8947v1.2 are reported to be affected. Other devices and software versions are also likely affected. Samsung's DSL modem is a communication device used in broadband networks
| VAR-200505-0081 | CVE-2005-0712 | Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Mac OS X before 10.3.8 users world-writable permissions for certain directories, which may allow local users to gain privileges, possibly via the receipt cache or ColorSync profiles. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
Insecure permissions are reported to be set on certain Apple Mac OS X folders . It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
This BID will be updated and split into unique BIDs as soon as further information is available. The insecure permissions are on folders that contain the installer 'receipt cache' and 'system-level ColorSync profiles'. Mac OS X bundled by default in Core Foundation A buffer overflow vulnerability exists in the library that could allow an attacker to obtain root User rights