VARIoT IoT vulnerabilities database
VAR-200502-0013 | CVE-2004-0962 | Apple Remote Desktop Client Local Privilege Escalation Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Apple Remote Desktop Client 1.2.4 executes a GUI application as root when it is started by an Apple Remote Desktop Administrator application, which allows remote authenticated users to execute arbitrary code when loginwindow is active via Fast User Switching. The issue is due to a design error that fails to activate applications with the correct privileges.
This issue may allow a local attacker to gain superuser privileges on the affected computer. The vendor reports that Fast User Switching must be enabled for a system to be affected by this vulnerability.
VAR-200410-0110 | No CVE | Novell ZENworks System Tray Local Privilege Escalation Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
It is reported that ZENworks for Desktops contains a local privilege escalation vulnerability.
This vulnerability allows users with local interactive access to execute arbitrary applications with administrative privileges.
Version 4.0.1 of the application is reported to be vulnerable to this issue.
VAR-200410-0095 | CVE-2004-1637 | Hawking Technologies HAR11A Router Sensitive Information Disclosure Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections. HAR11A DSL routers are reported susceptible to an unauthenticated administrative console access vulnerability. This issue is due to a failure of the device to require authentication credentials before allowing administrative access to the device's CLI.
Remote attackers may possibly be able to gain administrative access to affected devices.
Due to code reuse among differing hardware, other devices may also be affected. This issue may also be related to BID 8855. The Hawking Technologies HAR11A is a small router. An attacker can connect to port 254 with a telnet client and, without supplying a password, manage the router. Other routers may have the same vulnerability.
VAR-200410-0102 | No CVE | Sun Java 2 Micro Edition (J2ME) Remote User Bypasses Security 'Sandbox' Limitation Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Java 2 Micro Edition is a Java technology implementation that supports mobile devices.
Java 2 Micro Edition has a security weakness that lets remote attackers craft Java code that bypasses the Java security mechanism.
Adam Gowdiak reports a flaw in the implementation of the Connected Limited Device Configuration (CLDC) in the K virtual machine bytecode checker. Remote users can bypass the Java KVM 'sandbox' security mechanisms to access operating system functions and data.
For example, a remote attacker could craft malicious Java code that obtains data (such as phone books and SMS messages) from a mobile phone, establishes an Internet connection, writes to the phone's flash memory, installs software, and modifies the operating system's internal inter-process communication.
Nokia, Siemens, Panasonic, Samsung, Motorola and other phones are affected by this vulnerability.
For details, please refer to the following article:
http://media.corporate-ir.net/media_files/NYS/NOK/Beijing/mestaranta.pdf
VAR-200412-0753 | CVE-2004-2621 | Nortel Contivity VPN Client Gateway Certificate Check Failure Vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Nortel Contivity VPN Client 2.1.7, 3.00, 3.01, 4.91, and 5.01, when opening a VPN tunnel, does not check the gateway certificate until after a dialog box has been displayed to the user, which creates a race condition that allows remote attackers to perform a man-in-the-middle (MITM) attack. Nortel Contivity VPN Client is reported prone to a certificate check failure. The vulnerability is present because the VPN connection is established before the user permits the connection.
This may allow the attacker to launch further attacks against the vulnerable computer. Nortel Contivity VPN Client is a VPN client. Remote attackers can exploit this vulnerability to mount further attacks on the target system. No further technical details are currently available.
Successful exploitation requires that an attacker is able to conduct
a man-in-the-middle attack, thereby making the client connect to a
malicious gateway.
The vulnerability has been reported in version 4.91. Other versions
may also be vulnerable.
SOLUTION:
Reportedly, this will be fixed in version 5.1 (expected to be
released in the beginning of 2005).
The vendor has not replied to any requests for comments on this
issue.
PROVIDED AND/OR DISCOVERED BY:
Roger Sylvain from Solucom
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
VAR-200412-0016 | CVE-2004-0834 | Speedtouch USB Driver Local Format String Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-200410-0228 |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3. The problem occurs due to insufficient sanitization of user-supplied data.
This vulnerability may be exploited in order to have arbitrary code executed with superuser privileges.
VAR-200804-0010 | CVE-2008-1374 | Red Hat Enterprise Linux CUPS pdftops filter integer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux 3 and 4, when running on 64-bit platforms, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this issue is due to an incomplete fix for CVE-2004-0888. The pdftops utility is reported prone to multiple integer-overflow vulnerabilities because it fails to properly ensure that user-supplied input doesn't result in the overflowing of integer values. This may result in data being copied past the end of a memory buffer.
These overflows cause the application to allocate memory regions that are smaller than expected. Subsequent operations are likely to overwrite memory regions past the end of the allocated buffer, allowing attackers to overwrite critical memory control structures. This may allow attackers to control the flow of execution and potentially execute attacker-supplied code in the context of the affected application.
Applications using embedded xpdf code may be vulnerable to these issues as well. Xpdf is an open source program for viewing PDF files. The 'pdftops/XRef.cc' source file contained in Xpdf mishandles the pageSize value. A remote attacker can use this vulnerability to construct a malicious PDF file, lure users into opening it, and trigger an integer overflow. CUPS calls into Xpdf code and is therefore also affected by this vulnerability. No further technical details are currently available.
The vulnerability is caused by an incomplete fix of CVE-2004-0888 on 64-bit architectures.
TITLE:
Red Hat update for cups
SECUNIA ADVISORY ID:
SA29630
VERIFY ADVISORY:
http://secunia.com/advisories/29630/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From local network
OPERATING SYSTEM:
RedHat Enterprise Linux AS 3
http://secunia.com/product/2534/
RedHat Enterprise Linux AS 4
http://secunia.com/product/4669/
RedHat Enterprise Linux WS 3
http://secunia.com/product/2536/
RedHat Enterprise Linux WS 4
http://secunia.com/product/4670/
RedHat Enterprise Linux ES 3
http://secunia.com/product/2535/
RedHat Enterprise Linux ES 4
http://secunia.com/product/4668/
DESCRIPTION:
Red Hat has issued an update for cups. This fixes some
vulnerabilities, which potentially can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA29431
SOLUTION:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com
ORIGINAL ADVISORY:
http://rhn.redhat.com/errata/RHSA-2008-0206.html
OTHER REFERENCES:
SA29431:
http://secunia.com/advisories/29431/
VAR-200501-0128 | CVE-2004-1122 | Apple Safari Dialog spoofing vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the "Dialog Box Spoofing Vulnerability," a different vulnerability than CVE-2004-1314. This issue may allow a remote attacker to carry out phishing style attacks as an attacker may exploit this vulnerability to spoof an interface of a trusted web site.
Apple Safari 1.2.3 (v125.9) is reported vulnerable to this issue. It is likely that other versions are affected as well.
VAR-200410-0149 | No CVE | 3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
3Com OfficeConnect ADSL Wireless 11g Firewall Router is affected by an authentication bypass vulnerability. This issue is due to a failure of the device to properly validate an authenticated administrator.
An attacker could leverage this issue to gain administrative access to the affected device, facilitating disclosure of administrator passwords and WEP encryption keys, configuration manipulation, and denial of service.
It should be noted that this issue was originally reported in vulnerability report '3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities' (BID 11422). It has been assigned its own BID as more information has been made available.
VAR-200502-0003 | CVE-2004-0937 | Anti-virus software may not properly scan malformed zip archives |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.
This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
The latest antivirus products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. Many anti-virus vendors have problems processing .zip files, and remote attackers can use this vulnerability to embed malicious code that bypasses anti-virus inspection. The problem lies in how the header fields of a .zip file are parsed. The .zip format stores information about each compressed file in two places: a local header, which precedes the compressed data, and a global header at the end of the .zip file. An attacker can modify the uncompressed-size value in both the local and the global header without affecting the archive's function, but many antivirus vendors' software cannot handle such archives correctly. If the compressed payload contains malicious code, it is not detected.
VAR-200501-0297 | CVE-2004-0932 | McAfee AntiVirus zip Security hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected.
A remote attacker can craft a malicious zip archive and send it to a vulnerable user. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.
This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
The latest antivirus products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. McAfee Anti-Virus is antivirus software.
VAR-200501-0309 | CVE-2004-0933 | Security hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected.
A remote attacker can craft a malicious zip archive and send it to a vulnerable user. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.
This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
The latest antivirus products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue.
VAR-200410-0120 | No CVE | 3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
3Com OfficeConnect ADSL Wireless 11g Firewall Router is reported prone to multiple unspecified vulnerabilities. The following issues were reported:
An unspecified issue affects the DHCP service.
Another issue is related to displaying two duplicate login IPs.
An unspecified denial of service vulnerability may allow remote attackers to restart the device. This issue occurs due to insufficient boundary checks performed by the application.
3Com OfficeConnect ADSL Wireless 11g Firewall Router firmware versions prior to 1.27 are vulnerable to these issues.
UPDATE: it should be noted that the issue described as an error in displaying two duplicate IPs has been assigned its own BID as more information has become available. Please see '3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability' (BID 11438) for more information.
VAR-200501-0311 | CVE-2004-0935 | Anti-virus software may not properly scan malformed zip archives |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.
This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
The latest antivirus products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. Eset Anti-Virus is anti-virus software.
VAR-200501-0310 | CVE-2004-0934 | Anti-virus software may not properly scan malformed zip archives |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.
This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
The latest antivirus products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. Kaspersky is a well-known antivirus product. Kaspersky 3.x and 4.x have problems processing .zip files, which allows antivirus checks to be bypassed.
II. DESCRIPTION
Remote exploitation of an exceptional condition error in multiple
vendors' anti-virus software allows attackers to bypass security
protections by evading virus detection.
The .zip file format stores information about compressed files in two
locations - a local header and a global header. The local header exists
just before the compressed data of each file, and the global header
exists at the end of the .zip archive. It is possible to modify the
uncompressed size of archived files in both the local and global header
without affecting functionality. This has been confirmed with both
WinZip and Microsoft Compressed Folders. An attacker can compress a
malicious payload and evade detection by some anti-virus software by
modifying the uncompressed size within the local and global headers to
zero.
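A defender-side check for the header manipulation described above, written as an added example (it is not iDEFENSE's or any vendor's code): it builds a constructed one-member zip in memory, zeroes the uncompressed-size field in both the local and the global (central directory) header exactly as the advisory describes, then inflates every member and compares the real size and CRC against the declared values instead of trusting them. The member name, payload text and function names are my own assumptions.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory ("global") header signature
EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record signature

# Constructed sample content (assumption); stands in for whatever a scanner inspects.
SAMPLE_PAYLOAD = b"constructed sample member, harmless text\n" * 20


def central_directory_offset(data: bytes) -> int:
    """Locate the central directory via the EOCD record; the directory offset
    sits 16 bytes into that record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def build_archive(payload: bytes, zero_uncompressed_size: bool) -> bytes:
    """Build a one-member deflated zip. When zero_uncompressed_size is set,
    overwrite the 'uncompressed size' field in the local header (offset 22)
    and in the central directory record (offset 24) with 0, the malformation
    the advisory describes. The compressed data itself is left untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("member.txt", payload)
    data = bytearray(buf.getvalue())
    if zero_uncompressed_size:
        struct.pack_into("<I", data, 0 + 22, 0)  # first local header is at offset 0
        struct.pack_into("<I", data, central_directory_offset(data) + 24, 0)
    return bytes(data)


def read_central_directory(data: bytes) -> dict:
    """Map each member's local-header offset to the (compressed size,
    uncompressed size) pair declared in its central directory record."""
    records, pos = {}, central_directory_offset(data)
    while data[pos:pos + 4] == CENTRAL_SIG:
        # crc32, csize, usize, name/extra/comment lengths, disk, attrs, lh offset
        _crc, csize, usize, nlen, xlen, clen, _disk, _ia, _ea, lh_off = struct.unpack_from(
            "<IIIHHHHHII", data, pos + 16)
        records[lh_off] = (csize, usize)
        pos += 46 + nlen + xlen + clen
    return records


def audit_members(data: bytes) -> list:
    """Walk the local headers, inflate every member and compare the real size
    and CRC with what both headers declare. A scanner that trusts a declared
    size of 0 (and so scans nothing) is what the evasion relies on; this check
    never trusts either header."""
    central = read_central_directory(data)
    findings, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        _ver, flags, method, _t, _d, crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        body_start = pos + 30 + nlen + xlen
        c_csize, c_usize = central.get(pos, (0, None))
        if csize == 0 and flags & 0x8:
            csize = c_csize  # sizes deferred to a data descriptor; use the central copy
        body = data[body_start:body_start + csize]
        if method == 8:
            out = zlib.decompressobj(-15).decompress(body)  # raw deflate
        elif method == 0:
            out = bytes(body)  # stored
        else:
            out = None  # unsupported method: leave for manual review
        actual = len(out) if out is not None else None
        findings.append({
            "name": name,
            "local_declared": usize,
            "central_declared": c_usize,
            "actual": actual,
            "crc_ok": out is not None and (zlib.crc32(out) & 0xFFFFFFFF) == crc,
            "size_mismatch": actual is not None and (actual != usize or actual != c_usize),
        })
        pos = body_start + csize
        if flags & 0x8:  # skip the optional data descriptor
            pos += 16 if data[pos:pos + 4] == b"PK\x07\x08" else 12
    return findings


def is_suspicious(data: bytes) -> bool:
    """Policy hook: a member whose inflated size disagrees with its headers, or
    whose CRC fails, must get a full content scan rather than be waved through."""
    return any(f["size_mismatch"] or not f["crc_ok"] for f in audit_members(data))


if __name__ == "__main__":
    for label, zero in (("intact", False), ("zeroed sizes", True)):
        archive = build_archive(SAMPLE_PAYLOAD, zero)
        print(label, audit_members(archive), "suspicious:", is_suspicious(archive))
```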
III. ANALYSIS
Successful exploitation allows remote attackers to pass malicious
payloads within a compressed archive to a target without being detected.
Most anti-virus engines have the ability to scan content packaged with
compressed archives. As such, users with up-to-date anti-virus software
are more likely to open attachments and files if they are under the
false impression that the archive was already scanned and found to not
contain a virus.
IV. The Vendor Responses section of this
advisory contains details on the status of specific vendor fixes for
this issue.
V. WORKAROUND
Filter all compressed file archives (.zip) at border gateways,
regardless of content.
VI. VENDOR RESPONSES
McAfee
"The McAfee scan engine has always been a market leader in detection of
viruses, worms and Trojans within compressed and archived file formats.
As such the mechanism used for the detection of such payloads has been
designed to ensure all archive files are thoroughly scanned at each
nested level in the file to ensure that all appropriate parts of the
file are scanned.
McAfee is aware of a proof of concept exploitation in Zip archive
payloads where information in the local header part of the archive is
modified.
The local header exists just before the compressed data of each file. It
is possible to modify the uncompressed size of archived files in the
local header without affecting functionality. Consequently there is the
potential for a malicious payload to be hidden and avoid anti-virus
detection by modifying the uncompressed size within the local headers to
zero.
The techniques used by McAfee to analyze Zip archives have allowed a
comprehensive solution for the Zip file format vulnerability to be
provided to protect customers.
The latest update for the current 4320 McAfee Anti-Virus Engine DATS
drivers (Version 4398 released on Oct 13th 2004) further enhances the
protection afforded to McAfee customers against such potential exploits.
A DATS Driver update issued in Version 4397 (October 6th 2004) provided
early protection for the same potential exploit targeted specifically
for Gateway and Command line scanning.
If a detection of this type of exploit is found it will trigger the
message "Found the Exploit-Zip Trojan!" to be displayed.
Updates for the DAT files mentioned above can be located at the
following links:
Home (Retail) Users:
http://download.mcafee.com/uk/updates/updates.asp
Business (Enterprise) Users:
http://www.mcafeesecurity.com/uk/downloads/updates/dat.asp?id=1
It should be noted that whilst McAfee take the potential for this
exploit to be used maliciously seriously, to date no evidence of such an
exploit has been discovered. McAfee has provided additional protection
through the DATS driver update however with usage of the comprehensive
suite of anti-virus protection strategies provided by McAfee products,
McAfee are confident that this exploit presented no additional threat
to its customers.
It should be noted that with McAfee on-access scanning active, such
modification for malicious purposes to hide payloads only delays
eventual detection - McAfee on-access detection will detect any payload
with malicious intent as malware.
McAfee continues to focus on ensuring that customers receive maximum
protection and provide a rapid response to all potential vulnerabilities
thus ensuring customer satisfaction."
Computer Associates
"With the assistance of iDEFENSE, Computer Associates has identified a
medium-risk vulnerability in a shared component of eTrust Antivirus
which may allow a specially crafted .ZIP file to bypass virus detection.
A number of CA products embed this technology including solutions from
eTrust, Brightstor and others.
Customers are encouraged to visit the CA support web site below for more
information about this vulnerability, a list of products and platforms
that are affected, and remediation procedures.
http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp.
At Computer Associates, every reported exposure is handled with the
utmost urgency. We strive to ensure that no customer is left in a
vulnerable situation."
Kaspersky
(09/24/2004)
"...this bug for scanners based on 3.x-4.x engines will be fixed in next
(not current) cumulative update.
For scanners based on new 5.0 engine we recommend you waiting for the
release of our next maintenance pack. We are going to release it in
October."
Sophos
"A vulnerability has been discovered in Sophos's handling of Zip archive
files, whereby a Zip file can be deliberately altered to prevent
accurate scanning by Sophos anti-virus products of its contents.
Although theoretically a risk, Sophos has not seen any examples of
malware attempting to employ this vulnerability.
Furthermore, the vulnerability does not prevent Sophos's desktop
on-access scanner from correctly detecting viruses (and preventing
actual infection) which manage to bypass the email gateway software, so
the risks of infection are very small.
Sophos has enhanced its scan engine to deal with malformed Zip files.
Version 3.87.0 of Sophos Anti-Virus on all operating system platforms
except Windows 95/98/Me includes this fix and customers will be
automatically updated to this version via EM Library from Wednesday 20
October 2004. Additionally, a version of the software will be available
for download from the Sophos website from Friday 22 October 2004.
Sophos Anti-Virus for Windows 95/98/Me customers will be updated with
the fix from version 3.88.0 (available from 24 November 2004).
Sophos thanks iDEFENSE for their assistance in identifying this
vulnerability."
Eset
"The vulnerability was caused by the fact that some archive
compression/decompression software (including Winzip) incorrectly
handles compressed files with deliberately damaged header fields, thus,
in-fact, allowing creation of the damaged archive files, that could be
automatically repaired on the victim's computer without notifying the
user.
Eset has made appropriate modifications to archive-scanning code to
handle such kind of archives immediately after receiving notification
from iDEFENSE. These changes are contained in archive-support module
version 1.020, released on 16th September 2004 at 21:00 CET. The update
was available for all clients with Automatic Virus-Signatures Update
set."
RAV
No vendor response
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:
CAN-2004-0932 - McAfee
CAN-2004-0933 - Computer Associates
CAN-2004-0934 - Kaspersky
CAN-2004-0937 - Sophos
CAN-2004-0935 - Eset
CAN-2004-0936 - RAV
These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
09/16/2004 Initial vendor notification
09/16/2004 iDEFENSE clients notified
10/18/2004 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
X. LEGAL NOTICES
Copyright © 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information
VAR-200501-0012 | CVE-2004-0936 | Anti-virus software may not properly scan malformed zip archives |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine if a zip archive is valid. As a result, anti-virus software may fail to detect malicious content within a zip archive. Multiple Vendor Antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. The malicious archive can bypass the protection provided by a vulnerable antivirus program, giving users a false sense of security. If the user opens and executes the file, this attack can result in a malicious code infection.
This issue is reported to affected products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.
Latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue. RAV is an antivirus software. Due to a problem with the processing of zip files in RAV, zip files can bypass antivirus detection
VAR-200412-0007 | CVE-2004-0803 | LibTIFF contains multiple heap-based buffer overflows |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. In libtiff, the RLE decoders in tif_next.c, tif_thunder.c and tif_luv.c contain buffer overflow vulnerabilities caused by improper bounds checking while decompressing compressed data. A TIFF image file crafted by a third party and interpreted by LibTIFF through an application or component that uses the library can crash the application, causing a denial of service (DoS), and may make it possible to execute arbitrary code with the privileges of the target user. LibTIFF is affected by multiple buffer-overflow vulnerabilities because the software fails to properly perform boundary checks before copying user-supplied strings into finite process buffers.
An attacker may leverage these issues to execute arbitrary code on a vulnerable computer with the privileges of the user running a vulnerable application, facilitating unauthorized access. The attacker may also leverage these issues to crash the affected application. libtiff is an application library responsible for encoding/decoding the TIFF image format. kfax is a small tool for displaying FAX files that uses the libtiff library. There is a problem in libtiff when processing fax files. kfax calls the libtiff library to process .g3 files. Attackers can build malformed .g3 files and entice users to process them, which can lead to buffer overflows. Carefully constructed file data may execute arbitrary instructions with the privileges of the user's process.
--------------------------------------------------------------------------
Debian Security Advisory DSA 567-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 15th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : tiff
Vulnerability : heap overflows
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0803 CAN-2004-0804 CAN-2004-0886
Several problems have been discovered in libtiff, the Tag Image File
Format library for processing TIFF graphics files. The Common Vulnerabilities and
Exposures Project has identified the following problems:
CAN-2004-0803
Chris Evans discovered several problems in the RLE (run length
encoding) decoders that could lead to arbitrary code execution.
CAN-2004-0804
Matthias Clasen discovered a division by zero through an integer
overflow.
CAN-2004-0886
Dmitry V. Levin discovered several integer overflows that caused
malloc issues which can result in either a plain crash or memory
corruption.
For the stable distribution (woody) these problems have been fixed in
version 3.5.5-6woody1.
For the unstable distribution (sid) these problems have been fixed in
version 3.6.1-2.
We recommend that you upgrade your libtiff package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-6woody1.dsc
Size/MD5 checksum: 635 11a374e916d818c05a373feb04cab6a0
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-6woody1.diff.gz
Size/MD5 checksum: 36717 6f4d137f7c935d57757313a610dbd389
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz
Size/MD5 checksum: 693641 3b7199ba793dec6ca88f38bb0c8cc4d8
Alpha architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_alpha.deb
Size/MD5 checksum: 141424 18b6e6b621178c1419de8a13a0a62366
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_alpha.deb
Size/MD5 checksum: 105148 875257fb73ba05a575d06650c130a545
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_alpha.deb
Size/MD5 checksum: 423194 9796f3e82553cedb237f1b574570f143
ARM architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_arm.deb
Size/MD5 checksum: 116928 5ed91b9586d830e8da9a5086fc5a6e76
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_arm.deb
Size/MD5 checksum: 90466 f04c381a418fd33602d1ba30158597d3
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_arm.deb
Size/MD5 checksum: 404262 30f13bfdf54cfca30ee5ca0f6c6d0e4e
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_i386.deb
Size/MD5 checksum: 112068 d15dfdf84f010be08799d456726e1d9d
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_i386.deb
Size/MD5 checksum: 81054 293f5c99f0a589917257ec7fee0b92fe
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_i386.deb
Size/MD5 checksum: 387052 9606adb1668decf5ac1ee02a94298e85
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_ia64.deb
Size/MD5 checksum: 158774 80c1b7ad68ecc78091ea95414125e81c
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_ia64.deb
Size/MD5 checksum: 135386 b17f87aa0ad98fc50aa8c137a6f5089c
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_ia64.deb
Size/MD5 checksum: 446496 757f3b6cc9d3f1ec5a2dfb1c3485caf3
HP Precision architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_hppa.deb
Size/MD5 checksum: 128298 46dece015f0282bca0af7f6e740e9d31
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_hppa.deb
Size/MD5 checksum: 106788 b837005b41c54c341cbd61e8fdb581ff
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_hppa.deb
Size/MD5 checksum: 420346 3a2b91ee22af99eec3ab42d81cf9d59f
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_m68k.deb
Size/MD5 checksum: 107302 0c702a3e5c2ad7ad7bd96dae64fa2d61
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_m68k.deb
Size/MD5 checksum: 79770 d67f4347d35bf898a6ab1914cb53a42f
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_m68k.deb
Size/MD5 checksum: 380218 42e6f07cf2e70de01ca40ac4a97254bf
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_mips.deb
Size/MD5 checksum: 124048 85d8c8cbb62cc62c876bf4ed721027cf
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_mips.deb
Size/MD5 checksum: 87840 5f3312f22b0f345c7eae434f5b871993
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_mips.deb
Size/MD5 checksum: 410770 be817ddffa91c423b55fda3388d7ce48
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_mipsel.deb
Size/MD5 checksum: 123558 42594e9270de16ff802c11eccf7a0efb
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_mipsel.deb
Size/MD5 checksum: 88198 a8f0abe9205431caf94dce77d11ac477
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_mipsel.deb
Size/MD5 checksum: 410860 68a12ef6d37fc575105c4ceb9b766949
PowerPC architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_powerpc.deb
Size/MD5 checksum: 116042 2258da94549ae05ffae643bc40790487
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_powerpc.deb
Size/MD5 checksum: 89424 c8d782561a299ffb65ea84b59d88117a
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_powerpc.deb
Size/MD5 checksum: 402372 1eca24adda52b40c7a8d789fdeb3cb2e
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_s390.deb
Size/MD5 checksum: 116870 dcddc86a0d96296c07076391adc9d754
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_s390.deb
Size/MD5 checksum: 91742 40c1de704b191e4abb65af8a4b7fd75d
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_s390.deb
Size/MD5 checksum: 395332 86d351b75f1f146ddad6d562ca77005c
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-6woody1_sparc.deb
Size/MD5 checksum: 132888 9ed9db78d727ba8bfbb25c1e68b03bf2
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-6woody1_sparc.deb
Size/MD5 checksum: 88556 a4069600bd9295a27d4eb6e9e0995495
http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-6woody1_sparc.deb
Size/MD5 checksum: 397026 149e12055c5711129552fa938b5af431
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBcA4UW5ql+IAeqTIRAgMFAKC3Kbs2MxW5XlOa3aK9oo76W8wt9gCfXzyA
fD+15yHAK6bw15bB4ejaGV8=
=KPqY
-----END PGP SIGNATURE-----
VAR-200501-0287 | CVE-2004-0886 | LibTIFF contains multiple integer overflows |
CVSS V2: 5.0 CVSS V3: - Severity: 10.33 |
Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. Apple Mac OS X with Bluetooth support may unintentionally allow files to be exchanged with other systems by default. Apple Mac OS X Directory Service utilities use external programs insecurely, potentially allowing an attacker to execute arbitrary code. Multiple integer overflows in the LibTIFF library may allow an attacker to execute arbitrary code. LibTIFF is affected by multiple buffer-overflow vulnerabilities because the software fails to properly perform boundary checks before copying user-supplied strings into finite process buffers.
An attacker may leverage these issues to execute arbitrary code on a vulnerable computer with the privileges of the user running a vulnerable application, facilitating unauthorized access. The attacker may also leverage these issues to crash the affected application. libtiff is an application library responsible for encoding/decoding the TIFF image format.
----------------------------------------------------------------------
TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA15227
VERIFY ADVISORY:
http://secunia.com/advisories/15227/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Spoofing, Exposure of sensitive information,
Privilege escalation, System access
WHERE:
From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes various
vulnerabilities.
1) A boundary error in htdigest can be exploited to cause a buffer
overflow by passing an overly long realm argument.
NOTE: htdigest is by default only locally accessible and not setuid /
setgid.
2) An integer overflow error in the AppKit component when processing
TIFF files can be exploited by malicious people to compromise a
user's system.
For more information:
SA13607
3) An error in the AppKit component when parsing certain TIFF images
can result in an invalid call to the "NXSeek()" function, which will
crash an affected Cocoa application.
4) An error within the handling of AppleScript can be exploited to
display code to a user that is different than the code, which will
actually run.
5) An error in the Bluetooth support may cause Bluetooth-enabled
systems to share files via the Bluetooth file exchange service
without notifying the user properly.
6) An input validation error can be exploited to access arbitrary
files on a Bluetooth-enabled system using directory traversal attacks
via the Bluetooth file and object exchange services.
7) The chfn, chpass, and chsh utilities invoke certain external
helper programs insecurely, which can be exploited by malicious,
local users to gain escalated privileges.
8) A vulnerability in Finder can be exploited by malicious, local
users to perform certain actions on a vulnerable system with
escalated privileges due to insecure creation of ".DS_Store" files.
For more information:
SA14188
9) A boundary error within the Foundation framework when handling
environment variables can be exploited to cause a buffer overflow and
may allow execution of arbitrary code.
10) An error in Help Viewer can be exploited to run JavaScript
without the normally imposed security restrictions.
11) A security issue in the LDAP functionality may under certain
circumstances result in passwords initially being stored in plain
text.
12) Errors within the parsing of XPM files can potentially be
exploited by malicious people to compromise a vulnerable system.
For more information:
SA12549
13) An error in lukemftpd can be exploited by malicious users to
bypass chroot restrictions. In order to restrict users to their home
directory, both their full name and short name must be listed in the
"/etc/ftpchroot" file. However, the problem is that users can change
their full name and thereby bypass this restriction.
15) When enabling the HTTP proxy service in Server Admin, it is by
default possible for everyone (including users on the Internet) to
use the proxy service.
16) A vulnerability in sudo within the environment clearing can be
exploited by malicious, local users to gain escalated privileges.
For more information:
SA13199
17) An error in the Terminal utility can be exploited to inject data
via malicious input containing escape sequences in window titles.
18) An error in the Terminal utility can be exploited to inject
commands into a user's Terminal session via malicious input
containing escape characters in x-man-path URIs.
SOLUTION:
Apply Security Update 2005-005.
Security Update 2005-005 (Client):
http://www.apple.com/support/downloads/securityupdate2005005client.html
Security Update 2005-005 (Server):
http://www.apple.com/support/downloads/securityupdate2005005server.html
PROVIDED AND/OR DISCOVERED BY:
1) JxT
3) Henrik Dalgaard
4) David Remahl
5) Kevin Finisterre, digitalmunition.com.
6) Kevin Finisterre, digitalmunition.com.
10) David Remahl
13) Rob Griffiths
14) Nico
17) David Remahl
18) David Remahl
19) Pieter de Boer
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=301528
David Remahl:
http://remahl.se/david/vuln/004/
http://remahl.se/david/vuln/010/
http://remahl.se/david/vuln/011/
http://remahl.se/david/vuln/012/
digitalmunition.com:
http://www.digitalmunition.com/DMA[2005-0502a].txt
iDEFENSE:
http://www.idefense.com/application/poi/display?id=239&type=vulnerabilities
OTHER REFERENCES:
SA12549:
http://secunia.com/advisories/12549/
SA13199:
http://secunia.com/advisories/13199/
SA13607:
http://secunia.com/advisories/13607/
SA14188:
http://secunia.com/advisories/14188/
----------------------------------------------------------------------
VAR-200411-0028 | CVE-2003-0718 | Microsoft IIS WebDAV Denial of Service (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. Microsoft XML Parser is prone to a remote denial of service vulnerability when handling malformed requests. The vulnerability can be exploited through the WebDAV XML message handler of Microsoft IIS server.
It is reported that this issue requires a remote attacker to create specially crafted WebDAV requests and send them to a vulnerable server over TCP port 80. There is a possibility of increased CPU resource and memory consumption as the IIS server attempts to process these requests. This can eventually lead to a denial of service condition in the server. A reboot is required to restore normal functionality.
This vulnerability can also be exposed through other applications that rely on Microsoft XML Parser to process XML messages.
VAR-200412-1126 | CVE-2004-0931 | MySQL MaxDB WebDBM Server Name Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
MySQL MaxDB before 7.5.00.18 allows remote attackers to cause a denial of service (crash) via an HTTP request to webdbm with high ASCII values in the Server field, which triggers an assert error in the IsAscii7 function. A remotely exploitable denial of service vulnerability exists in MaxDB.
This will reportedly trigger an exception due to an assert directive failing, resulting in a denial of service condition in the web agent.
This issue was reportedly tested on Windows and Linux versions. Other versions could also be affected.
MySQL MaxDB Web Agent WebDBM Server Name Denial of Service Vulnerability
iDEFENSE Security Advisory 10.06.04a:
www.idefense.com/application/poi/display?id=150&type=vulnerabilities
October 6, 2004
I. BACKGROUND
MaxDB by MySQL is a re-branded and enhanced version of SAP DB, SAP AG's
open source database. MaxDB is a heavy-duty, SAP-certified open source
database that offers high availability, scalability and a comprehensive
feature set. MaxDB complements the MySQL database server, targeted for
large mySAP ERP environments and other applications that require maximum
enterprise-level database functionality.
II.
The problem specifically exists due to improper input validation of a
user-supplied variable in the IsAscii7() function.
wahttp:
ToolsCommon/Tools_DynamicUTF8String.hpp:249:
Tools_DynamicUTF8String::Tools_DynamicUTF8String(const SAPDB_Char *)
Assertion `IsAscii7(src)' failed.
Program received signal SIGABRT, Aborted.
[Switching to Thread 10251 (LWP 12706)]
0x40429781 in kill () from /lib/libc.so.6
III.
IV. DETECTION
iDEFENSE has confirmed that SAP DB version 7.5 for both Linux and
Windows is vulnerable.
V. WORKAROUND
Use of an ingress perimeter firewall filter can help detect and mitigate
the risk of attack.
VI. VENDOR RESPONSE
"A solution for the issue is available with MaxDB 7.5.00.18."
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0931 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/16/2004 Initial vendor notification
08/16/2004 iDEFENSE clients notified
08/19/2004 Initial vendor response
10/06/2004 Coordinated public disclosure
IX. CREDIT
Patrik Karlsson (cqure.net) is credited with this discovery.
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.