VARIoT IoT vulnerabilities database
VAR-200505-0479 | CVE-2005-0877 | Dnsmasq Multiple Remote Vulnerabilities |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. Dnsmasq is reported prone to multiple remote vulnerabilities. These issues can allow an attacker to exploit an off-by-one overflow condition and carry out DNS cache poisoning attacks.
An attacker may leverage these issues to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks.
A denial of service condition may occur due to the off-by-one overflow vulnerability. Although unconfirmed, there is a circumstantial possibility of remote code execution in the context of the server.
Reportedly, exploitation of the cache-poisoning issue is not trivial as improvements were made to the application to mitigate cache-poisoning attacks.
The off-by-one overflow issue affects Dnsmasq 2.14, 2.15, 2.16, 2.17, 2.18, 2.19 and 2.20. The cache-poisoning issue affects Dnsmasq 2.20 and prior.
Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available.
TITLE:
Dnsmasq DHCP Lease File Denial of Service and DNS Cache Poisoning
SECUNIA ADVISORY ID:
SA14691
VERIFY ADVISORY:
http://secunia.com/advisories/14691/
CRITICAL:
Moderately critical
IMPACT:
Spoofing, Manipulation of data, DoS
WHERE:
From remote
SOFTWARE:
Dnsmasq 2.x
http://secunia.com/product/4837/
DESCRIPTION:
Two vulnerabilities have been reported in Dnsmasq, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
poison the DNS cache.
1) An off-by-one boundary error when reading the DHCP lease file can
be exploited by a malicious DHCP client to cause a buffer overflow by
supplying an overly long hostname and client-id.
Successful exploitation crashes Dnsmasq the next time it is started.
2) When receiving DNS replies, only the 16-bit ID is checked against
the current query. This can be exploited to poison the DNS cache if a
valid ID (randomly generated) is guessed by e.g. sending a flood of
DNS replies.
SOLUTION:
Update to version 2.21.
http://www.thekelleys.org.uk/dnsmasq/
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Rob Holland.
2) Reported by vendor.
ORIGINAL ADVISORY:
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
VAR-200505-0478 | CVE-2005-0876 | Dnsmasq Multiple Remote Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file. Dnsmasq is reported prone to multiple remote vulnerabilities.
VAR-200505-0417 | CVE-2005-0844 | Nortel VPN Client Password leak vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Nortel VPN client 5.01 stores the cleartext password in the memory of the Extranet.exe process, which could allow local users to obtain sensitive information.
Credentials that are harvested through the exploitation of this weakness may then be used to aid in further attacks.
This weakness is reported to affect Nortel Contivity VPN Client version 5.01 for Microsoft Windows; versions for the Linux platform are not reported to be vulnerable. Other versions might also be affected.
VAR-200505-0466 | CVE-2005-0864 | DSL Modem multiple remote security vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Boa web server, as used in Samsung ADSL Modem SMDK8947v1.2 and possibly other products, allows remote attackers to read arbitrary files via a full pathname in the HTTP request. Multiple vulnerabilities are reported to exist in Samsung DSL modems.
The first issue is an information disclosure issue due to a failure of the device to block access to potentially sensitive files.
The second issue is a default backdoor account vulnerability. It is reported that multiple accounts exist on the modem by default, allowing remote attackers to gain administrative privileges on the modem.
These vulnerabilities may allow remote attackers to gain access to potentially sensitive information, or to gain administrative access to the affected device.
Samsung DSL modems running software version SMDK8947v1.2 are reported to be affected. Other devices and software versions are also likely affected. Samsung's DSL modem is a communication device used in broadband networks.
VAR-200505-0467 | CVE-2005-0865 | DSL Modem multiple remote security vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Samsung ADSL Modem SMDK8947v1.2 uses default passwords for the (1) root, (2) admin, or (3) user users, which allows remote attackers to gain privileges via Telnet or an HTTP request to adsl.cgi. Multiple vulnerabilities are reported to exist in Samsung DSL modems.
VAR-200505-0081 | CVE-2005-0712 | Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Mac OS X before 10.3.8 uses world-writable permissions for certain directories, which may allow local users to gain privileges, possibly via the receipt cache or ColorSync profiles. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
Insecure permissions are reported to be set on certain Apple Mac OS X folders. It is reported that because of these insecure permissions local attackers may exploit race conditions. The CVE Mitre candidate ID CAN-2005-0712 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
Core Foundation is reported prone to a local buffer overflow vulnerability. It is reported that this issue may be exploited in any application that is linked against the Core Foundation Library. An attacker may exploit this vulnerability to execute arbitrary code with elevated privileges. The CVE Mitre candidate ID CAN-2005-0716 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The Bluetooth Setup Assistant application is reported prone to an unspecified security vulnerability. The CVE Mitre candidate ID CAN-2005-0713 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
The AFP server is reported prone to an information disclosure vulnerability. An attacker may exploit this issue to disclose the contents of Drop Boxes. The CVE Mitre candidate ID CAN-2005-0715 is assigned to this issue.
This vulnerability is reported to affect Apple Mac OSX, and OSX Server version 10.3.8. Previous versions might also be affected.
This BID will be updated and split into unique BIDs as soon as further information is available. The insecure permissions are on folders that contain the installer 'receipt cache' and 'system-level ColorSync profiles'. A buffer overflow vulnerability exists in the Core Foundation library bundled by default with Mac OS X, which could allow an attacker to obtain root user rights.
VAR-200503-0052 | CVE-2005-0715 | Mac OS X Buffer overflow vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
AFP Server in Mac OS X before 10.3.8 uses insecure permissions for "Drop Boxes," which allows local users to read the contents of a Drop Box. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
The issue arises because file permissions are not properly validated. A buffer overflow vulnerability exists in the Core Foundation libraries bundled with Mac OS X by default, which could allow an attacker to gain root user privileges. The vulnerability is caused by improper handling of the CF_CHARSET_PATH environment variable. If a string larger than 1024 characters is passed through this variable, it may cause a stack overflow, allowing the attacker to control the program flow by overwriting the return address of the function on the stack. Some vulnerable setuid root binaries include su, pppd, and login.
VAR-200503-0051 | CVE-2005-0713 | Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launched without a keyboard or Bluetooth device, which allows local users to bypass access restrictions and gain privileges. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
Exploitation could allow an attacker to bypass local security settings.
VAR-200503-0022 | CVE-2005-0716 | Mac OS X CF_CHARSET_PATH Environment Variable Handling Buffer Overflow Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable. Multiple security vulnerabilities are reported to affect Apple Mac OS X. These issues were disclosed in the referenced vendor advisory.
More information is available at the following link:
http://www.apple.com/macosx/
II.
The vulnerability specifically exists due to improper handling of the
CF_CHARSET_PATH environment variable. When a string greater than 1,024
characters is passed via this variable, a stack-based overflow occurs,
allowing the attacker to control program flow by overwriting the
function's return address on the stack. Some of the setuid root
binaries that are vulnerable include su, pppd and login.
III. ANALYSIS
Successful exploitation of this vulnerability allows for root access. This vulnerability is difficult to work around because a large number of system binaries are linked against the vulnerable code.
IV.
V. WORKAROUND
Restrict local access to trusted users only, as it is impossible to
remove the setuid bit from the affected binaries without severely
limiting the function of the system.
VI. VENDOR RESPONSE
This vulnerability is addressed in Apple Security Update 2005-003
available at:
http://docs.info.apple.com/article.html?artnum=301061
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0716 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/04/2005 Initial vendor notification
02/04/2005 Initial vendor response
03/21/2005 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
VAR-200505-0406 | CVE-2005-0833 | Belkin 54G Access control vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Belkin 54G (F5D7130) wireless router allows remote attackers to access restricted resources by sniffing URIs from UPNP datagrams, then accessing those URIs, which do not require authentication. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities. The following individual issues are reported:
It is reported that the Belkin 54G appliance transmits UPNP datagrams to the connected private network at regular intervals. Reports indicate that these datagrams contain a URI, and that this URI may be accessed by local network users without requiring authentication.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
It is reported that SNMP support is enabled on the affected appliance under a default configuration.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to disclose sensitive information.
Finally, it is reported that the SNMP service may be exploited to deny service for legitimate users.
A remote attacker that resides on the local network segment connected to the affected appliance may exploit this vulnerability to deny service for legitimate users.
VAR-200505-0407 | CVE-2005-0834 | Belkin 54G Wireless Router Multiple Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Belkin 54G (F5D7130) wireless router enables SNMP by default in a manner that allows remote attackers to obtain sensitive information. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities.
VAR-200505-0408 | CVE-2005-0835 | Belkin 54G Wireless Router Multiple Denial of Service Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The SNMP service in the Belkin 54G (F5D7130) wireless router allows remote attackers to cause a denial of service via unknown vectors. The Belkin 54G (F5D7130) appliance is reported prone to multiple remote vulnerabilities.
VAR-200505-0164 | CVE-2005-0515 | Webroot My Firewall Local unsafe file creation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before launching the Log Viewer export functionality, which allows local users to corrupt arbitrary files by saving log files. A local insecure file creation vulnerability affects Webroot My Firewall. This issue is due to an access validation issue that allows an unprivileged user to create files with escalated privileges.
This issue may be exploited by a local attacker to corrupt arbitrary files on an affected computer with SYSTEM privileges.
TITLE:
My Firewall Plus Arbitrary File Corruption Vulnerability
SECUNIA ADVISORY ID:
SA13577
VERIFY ADVISORY:
http://secunia.com/advisories/13577/
CRITICAL:
Not critical
IMPACT:
Manipulation of data, DoS
WHERE:
Local system
SOFTWARE:
My Firewall Plus 5.x
http://secunia.com/product/4276/
DESCRIPTION:
Secunia Research has discovered a vulnerability in My Firewall Plus,
which can be exploited by malicious, local users to manipulate the
content of arbitrary files on a vulnerable system.
Successful exploitation requires that the user has access to the Log
Viewer (all users by default).
The vulnerability has been confirmed in version 5.0 (build 1117).
Other versions may also be affected.
NOTE: This vulnerability has been rated "Not critical" as only
trusted users should have access to the configuration and logging
functionality.
SOLUTION:
Update to version 5.0 (build 1119) or apply patch.
Patch:
http://www.webroot.com/services/mfp_patch.exe
Use the "Password Protection" feature to restrict access to the
configuration and logging functionality.
PROVIDED AND/OR DISCOVERED BY:
Carsten Eiram, Secunia Research.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2004-20/
Webroot:
http://www.webroot.com/services/mfp_advisory.php
VAR-200505-0530 | CVE-2005-0817 | Symantec Gateway Security Unknown remote DNS Cache poisoning vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in the DNSd proxy, as used in Symantec Gateway Security 5400 2.x and 5300 1.x, Enterprise Firewall 7.0.x and 8.x, and VelociRaptor 1100/1200/1300 1.5, allows remote attackers to poison the DNS cache and redirect users to malicious sites. The underlying issue causing this vulnerability is currently unknown.
An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, or denial of service attacks.
The vulnerability is caused due to an unspecified error in the DNS
proxy (DNSd) when functioning as a DNS caching server or primary DNS
server and can be exploited to poison the DNS cache.
SOLUTION:
The vendor has issued hotfixes.
http://www.symantec.com/techsupp
ORIGINAL ADVISORY:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html
http://service1.symantec.com/support/ent-gate.nsf/docid/2005030417285454
OTHER REFERENCES:
SA11888:
http://secunia.com/advisories/11888/
Internet Storm Center:
http://www.isc.sans.org/diary.php?date=2005-03-04
VAR-200505-0076 | CVE-2005-0707 | Ipswitch Collaboration Suite IMAP EXAMINE Command buffer overflow vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Buffer overflow in the IMAP daemon (IMAP4d32.exe) for Ipswitch Collaboration Suite (ICS) before 8.15 Hotfix 1 allows remote authenticated users to execute arbitrary code via a long EXAMINE command. The Ipswitch Collaboration Suite IMail IMAP service is reported prone to a buffer overflow vulnerability. The issue exists due to a lack of sufficient boundary checks performed on arguments that are passed to the EXAMINE command.
It is conjectured that a remote authenticated attacker may exploit this vulnerability to execute arbitrary code in the context of the affected service. Immediate consequences of a failed exploit attempt would be a denial of service due to the application crashing on an access violation.
IMail Server version 8.13 and earlier are reported prone to this vulnerability.
TITLE:
Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow
SECUNIA ADVISORY ID:
SA14546
VERIFY ADVISORY:
http://secunia.com/advisories/14546/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Ipswitch Collaboration Suite (ICS) 1.x
http://secunia.com/product/4773/
IMail Server 8.x
http://secunia.com/product/3048/
DESCRIPTION:
Nico Steinhardt has reported a vulnerability in Ipswitch
Collaboration Suite, which can be exploited by malicious users to
compromise a vulnerable system.
SOLUTION:
Apply IMail Server 8.15 Hotfix 1:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe
PROVIDED AND/OR DISCOVERED BY:
Nico Steinhardt
ORIGINAL ADVISORY:
iDEFENSE:
http://www.idefense.com/application/poi/display?id=216&type=vulnerabilities
----------------------------------------------------------------------
I. BACKGROUND
Ipswitch Collaboration Suite (ICS) is a comprehensive communication and
collaboration solution for Microsoft Windows with a customer base of
over 53 million users. More information is available on the vendor's
website:
http://www.ipswitch.com/products/IMail_Server/index.html
II. DESCRIPTION
The EXAMINE command selects a mailbox so that messages within the mailbox
may be accessed with read-only privileges. EXAMINE requests with
malformed mailbox names of 259 bytes will overwrite the saved stack
frame pointer, resulting in potential process execution control. It
should be noted that IMAP will append a '/' character to your supplied
mailbox name so the most significant byte of the frame pointer will be
0x2e. The output below shows successful control of the frame pointer.
(668.f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000006 ebx=008943b0 ecx=42424242
edx=00c8fad4 esi=008943b0 edi=00000013
eip=0078626d esp=00c9fd20 ebp=2e434343
iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023
fs=0038 gs=0000 efl=00000246
0078626d ?? ???
Frame pointer overwrites may allow attackers to redirect program flow
when the current function returns. It should be noted that the IMAP
EXAMINE command is only available after successful authentication.
III. ANALYSIS
The EXAMINE IMAP command is only
valid after authentication has occurred, however due to the nature of
IMAP servers serving a large user base, this requirement only slightly
reduces exposure to the vulnerability.
IV. DETECTION
iDEFENSE has confirmed that the IMAP4 daemon (IMAP4d32.exe ver.
IMail Server is now packaged as part of Ipswitch Collaboration Suite.
V. WORKAROUND
Use application level content filtering on overly long IMAP commands.
VI. VENDOR RESPONSE
This vulnerability is addressed in IMail Server 8.15 Hotfix 1 (February
3, 2005), which is available for download at:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0707 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/02/2005 Initial vendor notification
03/08/2005 Initial vendor response
03/10/2005 Public disclosure
IX. CREDIT
Nico Steinhardt is credited with this discovery.
X. LEGAL NOTICES
Copyright (c) 2005 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200505-0030 | CVE-2005-0618 | Symantec Gateway Security SMTP Data breach vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The SMTP binding function in Symantec Firewall/VPN Appliance 200/200R firmware after 1.5Z and before 1.68, Gateway Security 360/360R and 460/460R firmware before build 858, and Nexland Pro800turbo, when configured for load balancing between two WANs, might send SMTP traffic to a trusted network through an untrusted network. Symantec Gateway Security is reported prone to a vulnerability that may result in the leakage of potentially sensitive SMTP data.
It is reported that this issue manifests when an affected appliance is configured to load-balance two WAN network connections and SMTP binding is configured for a single WAN interface.
This may result in SMTP data leakage in deployments where one WAN interface is trusted and the other is not. SMTP traffic bound to the trusted WAN interface is load-balanced onto the untrusted WAN.
----------------------------------------------------------------------
TITLE:
Symantec Firewall Devices SMTP Binding Configuration Bypass
SECUNIA ADVISORY ID:
SA14428
VERIFY ADVISORY:
http://secunia.com/advisories/14428/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Symantec Firewall/VPN Appliance 100/200/200R
http://secunia.com/product/552/
Symantec Gateway Security 2.x
http://secunia.com/product/3104/
Symantec Nexland Firewall Appliances 1.x
http://secunia.com/product/4466/
DESCRIPTION:
Arthur Hagen has reported a security issue in various Symantec
firewall devices, which may disclose sensitive information to
malicious people.
The problem is caused due to an error in the SMTP binding
functionality of certain devices with ISP load-balancing
capabilities.
The security issue has been reported in the following versions:
* Symantec Firewall/VPN Appliance 200/200R (firmware builds prior to
build 1.68 and later than 1.5Z)
* Symantec Gateway Security 360/360R (firmware builds prior to build
858)
* Symantec Gateway Security 460/460R (firmware builds prior to build
858)
* Nexland Pro800turbo (firmware builds prior to build 1.6X and later
than 1.5Z)
SOLUTION:
The vendor has issued updated firmware releases.
http://www.symantec.com/techsupp
Symantec Firewall/VPN Appliance models 200 and 200R:
Update to build 1.68.
Symantec Gateway Security Appliance 300 and 400 series:
Update to build 858.
Nexland Pro800turbo:
Update to build 1.6X.
PROVIDED AND/OR DISCOVERED BY:
Arthur Hagen
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html
----------------------------------------------------------------------
VAR-200505-0197 | CVE-2005-0599 | Cisco Application and Content Networking System Multiple Remote Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, or 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (CPU consumption) via malformed IP packets. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issue were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device.
VAR-200505-0196 | CVE-2005-0597 | Cisco ACNS RealServer RealSubscriber vulnerable to DoS via malformed IP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco devices running Application and Content Networking System (ACNS) 5.0 before 5.0.17.6 and 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (process restart) via a "crafted TCP connection". This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issue were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device.
VAR-200505-0071 | CVE-2005-0601 | Cisco ACNS RealServer RealSubscriber vulnerable to DoS via malformed IP packets |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, 5.1, or 5.2 use a default password when the setup dialog has not been run, which allows remote attackers to gain access. A vulnerability in Cisco ACNS may allow a remote attacker to cause a denial of service on an affected device. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issue were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device.
VAR-200502-0053 | CVE-2005-0598 | Cisco ACNS RealServer RealSubscriber vulnerable to DoS via malformed IP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The RealServer RealSubscriber on Cisco devices running Application and Content Networking System (ACNS) 5.1 allow remote attackers to cause a denial of service (CPU consumption) via malformed packets. This issue is due to a failure of the affected software to properly handle malformed network data.
Specifically, multiple denial of service vulnerabilities and a single default administrator password issue were reported. The default password issue may allow an unauthorized user to gain administrator access to an affected device. ACNS is a Cisco digital media delivery solution that optimizes the delivery quality of video traffic from the data center to branch offices over the WAN.