VARIoT IoT vulnerabilities database

Integer overflow in the searchfs system call in Mac OS X 10.3.9 and earlier allows local users to execute arbitrary code via crafted parameters. The issue occurs in the searchfs() code. The vulnerability exists due to an error in calculating size arguments derived from user-controlled integer values, which are then used in a user-land to kernel memory copy operation. The issue may be leveraged to corrupt kernel memory and ultimately execute arbitrary code with ring-0 privileges. The issue may also be exploited to trigger a denial of service condition from a kernel panic

The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user. The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent. Apple's Mac OS X operating system contains a flaw in the handling of ICC color profiles, which may allow arbitrary code execution through a heap-based buffer overflow. These issues are due to a failure of the application to properly implement access controls on job schedule files. An attacker may leverage these issues to read and delete arbitrary files and execute applications on an affected computer with superuser privileges. Information revealed in this way may lead to further attacks. Mac OS X is a BSD-based operating system

NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to bypass the filters using hex encoded URLs, as demonstrated using a hex encoded file extension. NetGear FVS318 is reported prone to multiple vulnerabilities. These issues result from insufficient sanitization of user-supplied data and may allow an attacker to bypass URI filters and carry out cross-site scripting attacks. The following issues were identified: It is reported that an attacker can bypass URI filters of the device. The URI filter log viewer is reported prone to a cross-site scripting vulnerability. The research report specified that FVS318 devices with firmware 2.4 are vulnerable to these issues. FVS318 and FVS318v2 are shipped with firmware 2.4, however, it is possible that FVS318v3 and other firmware versions are affected as well. This BID will be updated when more information about affected packages is available. The Netgear FVS318 is a handy little router. A filter detection bypass vulnerability exists in Netgear FVS318 with firmware version 2.4. Remote attackers can use Hex-encoded URLs, such as HEX-encoded file extensions, to bypass detection

Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via a blocked URL phrase. NetGear FVS318 is reported prone to multiple vulnerabilities. These issues result from insufficient sanitization of user-supplied data and may allow an attacker to bypass URI filters and carry out cross-site scripting attacks. The following issues were identified: It is reported that an attacker can bypass URI filters of the device. The URI filter log viewer is reported prone to a cross-site scripting vulnerability. The research report specified that FVS318 devices with firmware 2.4 are vulnerable to these issues. FVS318 and FVS318v2 are shipped with firmware 2.4, however, it is possible that FVS318v3 and other firmware versions are affected as well. This BID will be updated when more information about affected packages is available. Multiple Vulnerabilities in Netgear FVS318 Router ------------------------------------------------------------------------ SUMMARY The <http://www.netgear.com> Netgear FVS318 is "an easy to use, firewall/router designed for home users and small businesses". SecuriNews Research has found 2 vulnerabilities in the router, one allows bypassing the product's content filtering mechanism while the other allows injecting arbitrary HTML and/or JavaScript into the product's log files which can then be used to attack the administrator of the router. DETAILS Content Filtering Bypass: By using HEX encoded characters, it is possible to bypass the URL filter. For example, if the router administrator blocks the phrase ".exe"; a user can encode one or more characters in the URL phrase to bypass the filter. If we encode the 'x' in ".exe", the new phrase ".e%78e" will bypass the filter

The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file. Linux Kernel is reported prone to a local denial-of-service vulnerability. Reportedly, this issue presents itself when a user creates a large Virtual Memory Area (VMA) that overlaps with arg pages during the exec() system call. Successful exploitation will lead to a denial-of-service condition in a vulnerable computer. No further details are available at this time. This issue will be updated as more information becomes available. Linux Kernel is the kernel of the open source operating system Linux. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Debian update for kernel-source-2.4.17 SECUNIA ADVISORY ID: SA20338 VERIFY ADVISORY: http://secunia.com/advisories/20338/ CRITICAL: Moderately critical IMPACT: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Debian GNU/Linux 3.0 http://secunia.com/product/143/ DESCRIPTION: Debian has issued an update for kernel-source-2.4.17. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information. -- Debian GNU/Linux 3.0 alias woody -- Source archives: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.5.dsc Size/MD5 checksum: 713 6ff55b14d3ae957c55bbed7fabf4c047 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.5.tar.gz Size/MD5 checksum: 30437486 86601103169da686167972e5e560e3d4 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-ia64_011226.18.dsc Size/MD5 checksum: 736 f97d95c6ecc26401f8f2fc2ead6cf421 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-ia64_011226.18.tar.gz Size/MD5 checksum: 25419305 9bc354f889edd4964840475400b088b7 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-image-2.4.17-s390_2.4.17-2.woody.5.dsc Size/MD5 checksum: 800 d20db4ab99e311150734b70519cc31e9 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-image-2.4.17-s390_2.4.17-2.woody.5.tar.gz Size/MD5 checksum: 12283 f51a7e01941baca7010fb8c2f0f67fe3 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-6.dsc Size/MD5 checksum: 694 2d48f4cfa4917904b6c1f806ecc1bdb4 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-6.tar.gz Size/MD5 checksum: 491935 94638c0c03b6b163f46319e777d4aa71 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody7.dsc Size/MD5 checksum: 805 b48cbc9c2cd59eee3a52f54cfa5356e0 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody7.tar.gz Size/MD5 checksum: 1150966 6748462e7bce7c917e066e0594d42571 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-s390/kernel-patch-2.4.17-s390_0.0.20020816-0.woody.4.dsc Size/MD5 checksum: 664 f49e9cba55a8a4b098e5dc522f2a07fc http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-s390/kernel-patch-2.4.17-s390_0.0.20020816-0.woody.4.tar.gz Size/MD5 checksum: 344642 3a488cc38ffc619bfff4bfbb75eff4cd http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4.dsc Size/MD5 checksum: 609 4e0f66c1811cfb9e926c21566e55b202 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4.tar.gz Size/MD5 checksum: 29768549 bc1f8eab880a33bfe2ebeb3ef8b6557a Architecture independent components: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-source-2.4.17-hppa_32.5_all.deb Size/MD5 checksum: 24455128 ed5362b12c6327295cd89027ff8e80ab http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-source-2.4.17-ia64_011226.18_all.deb Size/MD5 checksum: 24735538 cf9ddb702811464ac2dd2231512053f9 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody7_all.deb Size/MD5 checksum: 1151866 6f2575f26e7800e1e7a7cafdaf02b3a6 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-s390/kernel-patch-2.4.17-s390_0.0.20020816-0.woody.4_all.deb Size/MD5 checksum: 300202 0f5db53cdab20024b4a3a75bd0799b1a http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-doc-2.4.17_2.4.17-1woody4_all.deb Size/MD5 checksum: 1708122 7d18878351662289ac0841e0ad8f10f4 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_all.deb Size/MD5 checksum: 23972270 a0bf4a2796a9b49c36579166e6a72d62 HP Precision architecture: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-headers-2.4.17-hppa_32.5_hppa.deb Size/MD5 checksum: 3523044 63c790a70164e579c8bb3b8a08ea69b5 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32_32.5_hppa.deb Size/MD5 checksum: 2869994 e9e2be22d5fdf40f2e879570adc1132d http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32-smp_32.5_hppa.deb Size/MD5 checksum: 3006192 cf53ac718c6ed26a59802e74c5926f00 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64_32.5_hppa.deb Size/MD5 checksum: 3029436 d0e0fd747af9ff7a3633ee9cc6b1f1e6 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64-smp_32.5_hppa.deb Size/MD5 checksum: 3170356 ca408698a580463da3a547b2f87006e4 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_hppa.deb Size/MD5 checksum: 16886 437018078d9d01e25702cf1a20c23414 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-headers-2.4.17-ia64_011226.18_ia64.deb Size/MD5 checksum: 3638280 b6cd4e0d4129b6f4d0734253818cd828 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-itanium_011226.18_ia64.deb Size/MD5 checksum: 7026800 55e4cd610c06297c7132ce2aeb88d029 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-itanium-smp_011226.18_ia64.deb Size/MD5 checksum: 7172892 a66f94c18d8ee4354e9446655837c72a http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-mckinley_011226.18_ia64.deb Size/MD5 checksum: 7014470 d99cc0f293c747a295230de934328007 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-mckinley-smp_011226.18_ia64.deb Size/MD5 checksum: 7165570 997a9dbf17821067de6ceb65548e7c2b http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody4_ia64.deb Size/MD5 checksum: 21616 1eab80187061fbd304b6328533d7dc33 IBM S/390 architecture: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-headers-2.4.17_2.4.17-2.woody.5_s390.deb Size/MD5 checksum: 3379418 74817217abf90896eb63d6c6792839fe http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-image-2.4.17-s390_2.4.17-2.woody.5_s390.deb Size/MD5 checksum: 1346190 39433c757763336b6c14bf0d00652596 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_s390.deb Size/MD5 checksum: 16404 9cfcf10a2a2ef99bbb009a650cddd227 PowerPC architecture: http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-headers-2.4.17-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 3409712 698750e3998ee3792db43f445a8a8d96 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-2.4.17-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 2211146 103890e43508a5913a10ff8be80e9cdc http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 4602 31ef3f45675fc13836337dee97486e20 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 490842 799441a4e49b88f780353d7aff9f29d2 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_powerpc.deb Size/MD5 checksum: 16280 4e54c040bc83523d8122287bab6df7a5 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody7_mips.deb Size/MD5 checksum: 3523520 45f001c255a3a66f22148d84d035abb1 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r4k-ip22_2.4.17-0.020226.2.woody7_mips.deb Size/MD5 checksum: 2045436 c840c6ff8c9e3ab455d38021d09a391d http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r5k-ip22_2.4.17-0.020226.2.woody7_mips.deb Size/MD5 checksum: 2045226 709ccbc6754644fa448c93058f0df504 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_mips.deb Size/MD5 checksum: 16556 019623b1dbc75bff84d7f056435dc6db Little endian MIPS architecture: http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 3522422 2118440d1658730fd93f47867848573c http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r3k-kn02_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 2200968 63bc732deee6df19b83f10a50485a476 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r4k-kn04_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 2195278 697eb9b05f765c332eca175284eb24b8 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/mips-tools_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 17836 61df1f292dccb4e64cb956a629f729fc http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_mipsel.deb Size/MD5 checksum: 16558 f8382b01aca2c535988b5ab5709dae90 Alpha architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_alpha.deb Size/MD5 checksum: 17180 7d1cf8fb24431c01f45fadf7becb6d2e ARM architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_arm.deb Size/MD5 checksum: 15878 fcf97ed103c205699fb5396c3a49e293 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_i386.deb Size/MD5 checksum: 15518 2e7d50090a469a84ef7f3ae8aa97b85f Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_m68k.deb Size/MD5 checksum: 15368 41a11620bf7ea34b15742ccf59ff6895 Sun Sparc architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_sparc.deb Size/MD5 checksum: 18356 71b076d3eeff837bfb54a7f538b11b58 ORIGINAL ADVISORY: http://www.us.debian.org/security/2006/dsa-1082 OTHER REFERENCES: SA10533: http://secunia.com/advisories/10533/ SA11464: http://secunia.com/advisories/11464/ SA11861: http://secunia.com/advisories/11861/ SA11943: http://secunia.com/advisories/11943/ SA13232: http://secunia.com/advisories/13232/ SA13469: http://secunia.com/advisories/13469/ SA13126: http://secunia.com/advisories/13126/ SA13308: http://secunia.com/advisories/13308/ SA13627: http://secunia.com/advisories/13627/ SA13756: http://secunia.com/advisories/13756/ SA13493: http://secunia.com/advisories/13493/ SA13822: http://secunia.com/advisories/13822/ SA14295: http://secunia.com/advisories/14295/ SA14570: http://secunia.com/advisories/14570/ SA13784: http://secunia.com/advisories/13784/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files. This issue is exposed when the application parses 'm3u' and 'pls' playlist files. As these files may originate from an external source, this issue is considered remotely exploitable. If the vulnerability is successfully exploited, it will result in execution of arbitrary code in the context of the user running the application. Apple iTunes is a media player program. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2005-01-11 iTunes 4.7.1 iTunes 4.7.1 is now available and delivers the following security enhancement: CVE-ID: CAN-2005-0043 Impact: Malicious playlists can cause iTunes to crash and could execute arbitrary code Description: iTunes supports several common playlist formats. Credit to Sean de Regge (seanderegge[at]hotmail.com) for discovering this issue, and to iDEFENSE Labs for reporting it to us. Available for: Mac OS X, Microsoft Windows XP, Microsoft Windows 2000 iTunes 4.7.1 may be obtained from the Software Update pane in System Preferences, or Apple's iTunes download site: http://www.apple.com/itunes/download/ The download file is named: "iTunes4.7.1.dmg" Its SHA-1 digest is: 2ae8c815f18756c24dfbc1ac7d837b75b828b92a Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQEVAwUBQeQviJyw5owIz4TQAQIMrgf/fYmI5LZy5DM5a61kbXgnzq5OpQQPaidH disRa8UbjGrr+sSvEytQaxgO5vbDsZWgDGYeeaHTUeyiBdznO/b7X9moUC0uXEtC /a/CC2219AYeoQLJCMWhiIbrkL3OQ8QHoV3KaMlcg98tHgsrZKg1ssqEZszkjNrV Jj1dm3hYn2/DHPqzhGy2+l4Lp/8Bdg2VwXJjCLrqD6cgcSAX0HVdVq+CM2VQ1DGH O9PjkspNxoTR2iV0VbJdc+q/Mi1HXlouNaURgR01oBYGqZoQ2mxYGMLIthgVoyri E/c5iyPq4lwDnhyjii4fajLO/3BW6MY7RVoNWv2ipYjVi1RPQ6d6iQ== =SryY -----END PGP SIGNATURE----- -- David Mirza Ahmad Symantec PGP: 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands. WS FTP Server is prone to a denial-of-service vulnerability. WS_FTP is an FTP server software. Multiple buffer overflow vulnerabilities exist in WS_FTP server 5.03 2004.10.14

Cisco CNS Network Registrar Central Configuration Management (CCM) server 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (CPU consumption) by ending a connection after sending a certain sequence of packets. CNS Network Registrar is prone to a denial-of-service vulnerability. Cisco CNS Registrar is a full-featured DNS/DHCP system

The Smc.exe process in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before invoking help, which allows local users to gain privileges. My Firewall Plus is prone to a local security vulnerability

Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor. Linux Kernel of (1) load_elf_library() function, (2) binfmt_aout() Functions include brk There is a flaw in the handling of the segment that causes a race condition.root You may get permission. Linux kernel is reported prone to a local privilege-escalation vulnerability. This issue arises in the 'uselib()' functions of the Linux binary-format loader as a result of a race condition. Successful exploitation of this vulnerability can allow a local attacker to gain elevated privileges on a vulnerable computer. The ELF and a.out loaders are reportedly affected by this vulnerability. The Linux kernel provides a binary format loader layer to load programs in different formats such as ELF or a.out or others, and the kernel also provides the sys_uselib() function to load corresponding binary programs. From the analysis of the uselib function of load_elf_library() in the binfmt_elf.c file, there is a problem in the processing of the BRK segment (VMA) of the library. This segment is established through current->mm->mmap_sem. When modifying the memory layout of the calling process\ '\' semaphore \'\' (semaphore) is not maintained, this can be used to mess with memory management and elevate privileges. Part of the source code fs/binfmt_elf.c is as follows: static int load_elf_library(struct file *file) { [904] down_write(¤t->mm->mmap_sem); error = do_mmap(file, ELF_PAGESTART(elf_phdata->p_vaddr), ( elf_phdata- > p_filesz + ELF_PAGEOFFSET(elf_phdata- > p_vaddr)), PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE, (elf_phdata- > p_offset - ELF_PAGEOFFSET(elf_phdata- > p_vaddr))); >mmap_sem); if (error != ELF_PAGESTART(elf_phdata->p_vaddr)) goto out_free_ph;. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Debian update for kernel-source-2.4.17 SECUNIA ADVISORY ID: SA20338 VERIFY ADVISORY: http://secunia.com/advisories/20338/ CRITICAL: Moderately critical IMPACT: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Debian GNU/Linux 3.0 http://secunia.com/product/143/ DESCRIPTION: Debian has issued an update for kernel-source-2.4.17. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information. For more information: SA10533 SA11464 SA11861 SA11943 SA13232 SA13469 SA13126 SA13308 SA13627 SA13756 SA13493 SA13822 SA14295 SA14570 SA13784 SOLUTION: Apply updated packages. -- Debian GNU/Linux 3.0 alias woody -- Source archives: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.5.dsc Size/MD5 checksum: 713 6ff55b14d3ae957c55bbed7fabf4c047 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.5.tar.gz Size/MD5 checksum: 30437486 86601103169da686167972e5e560e3d4 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-ia64_011226.18.dsc Size/MD5 checksum: 736 f97d95c6ecc26401f8f2fc2ead6cf421 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-ia64_011226.18.tar.gz Size/MD5 checksum: 25419305 9bc354f889edd4964840475400b088b7 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-image-2.4.17-s390_2.4.17-2.woody.5.dsc Size/MD5 checksum: 800 d20db4ab99e311150734b70519cc31e9 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-image-2.4.17-s390_2.4.17-2.woody.5.tar.gz Size/MD5 checksum: 12283 f51a7e01941baca7010fb8c2f0f67fe3 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-6.dsc Size/MD5 checksum: 694 2d48f4cfa4917904b6c1f806ecc1bdb4 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-6.tar.gz Size/MD5 checksum: 491935 94638c0c03b6b163f46319e777d4aa71 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody7.dsc Size/MD5 checksum: 805 b48cbc9c2cd59eee3a52f54cfa5356e0 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody7.tar.gz Size/MD5 checksum: 1150966 6748462e7bce7c917e066e0594d42571 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-s390/kernel-patch-2.4.17-s390_0.0.20020816-0.woody.4.dsc Size/MD5 checksum: 664 f49e9cba55a8a4b098e5dc522f2a07fc http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-s390/kernel-patch-2.4.17-s390_0.0.20020816-0.woody.4.tar.gz Size/MD5 checksum: 344642 3a488cc38ffc619bfff4bfbb75eff4cd http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4.dsc Size/MD5 checksum: 609 4e0f66c1811cfb9e926c21566e55b202 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4.tar.gz Size/MD5 checksum: 29768549 bc1f8eab880a33bfe2ebeb3ef8b6557a Architecture independent components: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-source-2.4.17-hppa_32.5_all.deb Size/MD5 checksum: 24455128 ed5362b12c6327295cd89027ff8e80ab http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-source-2.4.17-ia64_011226.18_all.deb Size/MD5 checksum: 24735538 cf9ddb702811464ac2dd2231512053f9 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody7_all.deb Size/MD5 checksum: 1151866 6f2575f26e7800e1e7a7cafdaf02b3a6 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-s390/kernel-patch-2.4.17-s390_0.0.20020816-0.woody.4_all.deb Size/MD5 checksum: 300202 0f5db53cdab20024b4a3a75bd0799b1a http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-doc-2.4.17_2.4.17-1woody4_all.deb Size/MD5 checksum: 1708122 7d18878351662289ac0841e0ad8f10f4 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_all.deb Size/MD5 checksum: 23972270 a0bf4a2796a9b49c36579166e6a72d62 HP Precision architecture: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-headers-2.4.17-hppa_32.5_hppa.deb Size/MD5 checksum: 3523044 63c790a70164e579c8bb3b8a08ea69b5 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32_32.5_hppa.deb Size/MD5 checksum: 2869994 e9e2be22d5fdf40f2e879570adc1132d http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32-smp_32.5_hppa.deb Size/MD5 checksum: 3006192 cf53ac718c6ed26a59802e74c5926f00 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64_32.5_hppa.deb Size/MD5 checksum: 3029436 d0e0fd747af9ff7a3633ee9cc6b1f1e6 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64-smp_32.5_hppa.deb Size/MD5 checksum: 3170356 ca408698a580463da3a547b2f87006e4 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_hppa.deb Size/MD5 checksum: 16886 437018078d9d01e25702cf1a20c23414 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-headers-2.4.17-ia64_011226.18_ia64.deb Size/MD5 checksum: 3638280 b6cd4e0d4129b6f4d0734253818cd828 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-itanium_011226.18_ia64.deb Size/MD5 checksum: 7026800 55e4cd610c06297c7132ce2aeb88d029 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-itanium-smp_011226.18_ia64.deb Size/MD5 checksum: 7172892 a66f94c18d8ee4354e9446655837c72a http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-mckinley_011226.18_ia64.deb Size/MD5 checksum: 7014470 d99cc0f293c747a295230de934328007 http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-ia64/kernel-image-2.4.17-mckinley-smp_011226.18_ia64.deb Size/MD5 checksum: 7165570 997a9dbf17821067de6ceb65548e7c2b http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody4_ia64.deb Size/MD5 checksum: 21616 1eab80187061fbd304b6328533d7dc33 IBM S/390 architecture: http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-headers-2.4.17_2.4.17-2.woody.5_s390.deb Size/MD5 checksum: 3379418 74817217abf90896eb63d6c6792839fe http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-s390/kernel-image-2.4.17-s390_2.4.17-2.woody.5_s390.deb Size/MD5 checksum: 1346190 39433c757763336b6c14bf0d00652596 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_s390.deb Size/MD5 checksum: 16404 9cfcf10a2a2ef99bbb009a650cddd227 PowerPC architecture: http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-headers-2.4.17-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 3409712 698750e3998ee3792db43f445a8a8d96 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-2.4.17-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 2211146 103890e43508a5913a10ff8be80e9cdc http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 4602 31ef3f45675fc13836337dee97486e20 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-6_powerpc.deb Size/MD5 checksum: 490842 799441a4e49b88f780353d7aff9f29d2 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_powerpc.deb Size/MD5 checksum: 16280 4e54c040bc83523d8122287bab6df7a5 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody7_mips.deb Size/MD5 checksum: 3523520 45f001c255a3a66f22148d84d035abb1 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r4k-ip22_2.4.17-0.020226.2.woody7_mips.deb Size/MD5 checksum: 2045436 c840c6ff8c9e3ab455d38021d09a391d http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r5k-ip22_2.4.17-0.020226.2.woody7_mips.deb Size/MD5 checksum: 2045226 709ccbc6754644fa448c93058f0df504 http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_mips.deb Size/MD5 checksum: 16556 019623b1dbc75bff84d7f056435dc6db Little endian MIPS architecture: http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 3522422 2118440d1658730fd93f47867848573c http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r3k-kn02_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 2200968 63bc732deee6df19b83f10a50485a476 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r4k-kn04_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 2195278 697eb9b05f765c332eca175284eb24b8 http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/mips-tools_2.4.17-0.020226.2.woody7_mipsel.deb Size/MD5 checksum: 17836 61df1f292dccb4e64cb956a629f729fc http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_mipsel.deb Size/MD5 checksum: 16558 f8382b01aca2c535988b5ab5709dae90 Alpha architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_alpha.deb Size/MD5 checksum: 17180 7d1cf8fb24431c01f45fadf7becb6d2e ARM architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_arm.deb Size/MD5 checksum: 15878 fcf97ed103c205699fb5396c3a49e293 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_i386.deb Size/MD5 checksum: 15518 2e7d50090a469a84ef7f3ae8aa97b85f Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_m68k.deb Size/MD5 checksum: 15368 41a11620bf7ea34b15742ccf59ff6895 Sun Sparc architecture: http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/mkcramfs_2.4.17-1woody3_sparc.deb Size/MD5 checksum: 18356 71b076d3eeff837bfb54a7f538b11b58 ORIGINAL ADVISORY: http://www.us.debian.org/security/2006/dsa-1082 OTHER REFERENCES: SA10533: http://secunia.com/advisories/10533/ SA11464: http://secunia.com/advisories/11464/ SA11861: http://secunia.com/advisories/11861/ SA11943: http://secunia.com/advisories/11943/ SA13232: http://secunia.com/advisories/13232/ SA13469: http://secunia.com/advisories/13469/ SA13126: http://secunia.com/advisories/13126/ SA13308: http://secunia.com/advisories/13308/ SA13627: http://secunia.com/advisories/13627/ SA13756: http://secunia.com/advisories/13756/ SA13493: http://secunia.com/advisories/13493/ SA13822: http://secunia.com/advisories/13822/ SA14295: http://secunia.com/advisories/14295/ SA14570: http://secunia.com/advisories/14570/ SA13784: http://secunia.com/advisories/13784/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs. This issue could allow a remote attacker to cause the base station to stop processing traffic. This can be exploited to cause a vulnerable device to stop responding by sending certain data via UDP on port 161. SOLUTION: Apply updated firmwares. -- Airport Express -- Update to firmware version 6.1.1. Mac OS X: http://www.apple.com/support/downloads/airportexpressfirmware611formacosx.html Windows: http://www.apple.com/support/downloads/airportexpressfirmware611forwindows.html -- Airport Extreme -- Update to firmware version 5.5.1. Mac OS X: http://www.apple.com/support/downloads/airportextremefirmware551formacosx.html Windows: http://www.apple.com/support/downloads/airportextremefirmware551forwindows.html PROVIDED AND/OR DISCOVERED BY: Dylan Griffiths ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

PeerSec MatrixSSL before 1.1 does not implement RSA blinding, which allows context-dependent attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal), a related issue to CVE-2003-0147. MatrixSSL is prone to a cross-site scripting vulnerability

The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets. stonesoft of firewall engine Exists in unspecified vulnerabilities.None. There are vulnerabilities in the H.323 proxy protocol of StoneSoft Firewall Engine 2.2.8 and earlier versions

PeerSec MatrixSSL before 1.1 caches session keys for an indefinitely long time, which might make it easier for remote attackers to hijack a session. MatrixSSL is prone to a cross-site scripting vulnerability

The web management interface in Edimax AR-6004 ADSL Routers uses a default administrator name and password, which also appear as the default login text for the management interface, which allows remote attackers to gain access. Full Rate Adsl Router is prone to a remote security vulnerability. A remote attacker could exploit this vulnerability to gain access

F-Secure Anti-Virus 5.41 and 5.42 on Windows, Client Security 5.50 and 5.52, 4.60 for Samba Servers, and 4.52 and earlier for Linux does not properly detect certain viruses in a PKZip archive, which allows viruses such as Sober.D and Sober.G to bypass initial detection

SQL injection vulnerability in 4nGuestbook 0.92 for PHP-Nuke 6.5 through 6.9 allows remote attackers to modify SQL statements via the entry parameter to modules.php, which can also facilitate cross-site scripting (XSS) attacks when MySQL errors are triggered. 4Nguestbook is prone to a cross-site scripting vulnerability. A SQL injection vulnerability exists in 4nGuestbook 0.92 of PHP-Nuke 6.5 and 6.9 versions

Buffer overflow in multiple F-Secure Anti-Virus products, including F-Secure Anti-Virus 5.42 and earlier, allows remote attackers to bypass scanning or cause a denial of service (crash or module restart), depending on the product, via a malformed LHA archive. F-Secure Anti-Virus is prone to a denial-of-service vulnerability. Several F-Secure Anti-Virus products, including F-Secure Anti-Virus 5.42 and earlier versions, have buffer overflow vulnerabilities

Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi, and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or (7) cause a denial of service (reboot) via restart.cgi. 2420 Video Server is prone to a denial-of-service vulnerability

Unspecified vulnerability in 3Com SuperStack 3 4400 switches with firmware version before 3.31 allows remote attackers to cause a denial of service (device reset) via a crafted request to the web management interface. NOTE: the provenance of this information is unknown; details are obtained from third party reports. 3C17210-Us is prone to a denial-of-service vulnerability. 3Com SuperStack 3 4400 switches with firewall versions prior to 3.31 have an unspecified vulnerability