VARIoT IoT vulnerabilities database

VAR-200902-0475 | CVE-2009-0140 | Denial-of-service (DoS) vulnerability in the SMB component of Apple Mac OS
CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH
Unspecified vulnerability in the SMB component in Apple Mac OS X 10.4.11 and 10.5.6 allows remote SMB servers to cause a denial of service (memory exhaustion and system shutdown) via a crafted file system name.
An attacker who can trick an unsuspecting victim into connecting to a malicious SMB server may exploit this issue to cause the affected computer to shut down.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
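16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.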
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200902-0458 | CVE-2009-0009 | Arbitrary code execution vulnerability in the Pixlet codec of Apple Mac OS
CVSS V2: 6.8 | CVSS V3: - | Severity: MEDIUM
Unspecified vulnerability in the Pixlet codec in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted movie file that triggers memory corruption. A remote attacker could execute arbitrary code or cause a denial of service (DoS).
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to a code-execution issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Mac OS X 10.4.11 and 10.5.6 (both client and server).
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0477 | CVE-2009-0142 | Denial-of-service (DoS) vulnerability in the AFP server of Apple Mac OS
CVSS V2: 1.9 | CVSS V3: - | Severity: LOW
Race condition in AFP Server in Apple Mac OS X 10.5.6 allows local users to cause a denial of service (infinite loop) via unspecified vectors related to "file enumeration logic." Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
This issue affects Mac OS X 10.5.6 (both client and server).
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0476 | CVE-2009-0141 | Writable vulnerability in XTerm in Apple Mac OS
CVSS V2: 2.1 | CVSS V3: 5.5 | Severity: MEDIUM
XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
Local attackers may exploit this issue to gain elevated privileges; other attacks may also be possible.
This issue affects Mac OS X 10.4.11 and 10.5.6. Other distributions that include XTerm and Luit may also be vulnerable, but this has not been confirmed.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
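escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.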
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0474 | CVE-2009-0139 | Integer overflow vulnerability in the SMB component of Apple Mac OS
CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH
Integer overflow in the SMB component in Apple Mac OS X 10.5.6 allows remote SMB servers to cause a denial of service (system shutdown) or execute arbitrary code via a crafted SMB file system that triggers a heap-based buffer overflow. Apple Mac OS X is prone to a buffer-overflow vulnerability that occurs in the SMB component.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will facilitate the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
OS X 10.5.6 and OS X Server 10.5.6 are vulnerable.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
4) Certificate Assistant handles temporary files in an insecure
manner.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0473 | CVE-2009-0138 | Server Manager in Apple Mac OS vulnerable to changes to system settings
CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH
servermgrd (Server Manager) in Apple Mac OS X 10.5.6 does not properly validate authentication credentials, which allows remote attackers to modify the system configuration. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to an authentication-bypass vulnerability.
A remote attacker may exploit this issue to connect to the Server Manager without proper authorization. This will allow the attacker to alter the configuration of the affected system, which may aid in further attacks.
The issue affects Mac OS X v10.5.6 and Mac OS X Server v10.5.6.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0463 | CVE-2009-0015 | Apple Mac OS of FSEvents Information disclosure vulnerability in the framework |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in fseventsd in the FSEvents framework in Apple Mac OS X 10.5.6 allows local users to obtain sensitive information (filesystem activities and directory names) via unknown vectors related to "credential management."
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
A local attacker may exploit this issue to gain potentially sensitive information that may aid in further attacks.
This issue affects Mac OS X 10.5.6 (both client and server).
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0462 | CVE-2009-0014 | Apple Mac OS of Folder Manager Vulnerable to reading the "Download" folder |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Folder Manager in Apple Mac OS X 10.5.6 uses insecure default permissions when recreating a Downloads folder after it has been deleted, which allows local users to bypass intended access restrictions and read the Downloads folder.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to a local information-disclosure vulnerability.
A local attacker may exploit this issue to gain access to the Downloads folders of other users and potentially obtain sensitive information. This may aid in further attacks.
This issue affects Mac OS X v10.5.6 and Mac OS X Server v10.5.6.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0461 | CVE-2009-0013 | Apple Mac OS of DS Elevation of privilege vulnerability in tools |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
dscl in DS Tools in Apple Mac OS X 10.4.11 and 10.5.6 requires that passwords must be provided as command line arguments, which allows local users to gain privileges by listing process information.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
A local attacker may exploit this issue to gain information about user passwords. This may aid in further attacks.
This issue affects Mac OS X 10.4.11 and 10.5.6 (both client and server).
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0460 | CVE-2009-0012 | Apple Mac OS of CoreText Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in CoreText in Apple Mac OS X 10.5.6 allows remote attackers to execute arbitrary code via a crafted Unicode string.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the component. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
Apple Mac OS X 10.5.6 and OS X Server 10.5.6 are vulnerable. There is a heap overflow in the handling of Unicode strings in CoreText.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
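privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.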
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
VAR-200902-0459 | CVE-2009-0011 | Apple Mac OS Certificate Assistant vulnerable to arbitrary file overwriting |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Certificate Assistant in Apple Mac OS X 10.5.6 allows local users to overwrite arbitrary files via unknown vectors related to an "insecure file operation" on a temporary file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
This issue affects Mac OS X 10.5.6 (both client and server).
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0456 | CVE-2009-0019 | Apple Mac OS of Service disruption at remote Apple events (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Remote Apple Events in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) or obtain sensitive information via unspecified vectors that trigger an out-of-bounds memory access.
A remote attacker may exploit this issue to gain access to memory contents or to crash the affected process, causing a denial-of-service condition.
The issue affects Mac OS X v10.4.11 and v10.5.6 (client and server). Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0457 | CVE-2009-0020 | Apple Mac OS of CarbonCore Vulnerable to arbitrary code execution |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in CarbonCore in Apple Mac OS X 10.4.11 and 10.5.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted resource fork that triggers memory corruption.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues. Apple Mac OS X is prone to a code-execution issue.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Mac OS X 10.4.11 and 10.5.6 (both client and server).
NOTE: This issue was previously covered in BID 33759 (Apple Mac OS X 2009-001 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0454 | CVE-2009-0017 | Apple Mac OS of Printing Vulnerability in arbitrary code execution in components |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
csregprinter in the Printing component in Apple Mac OS X 10.4.11 and 10.5.6 does not properly handle error conditions, which allows local users to execute arbitrary code via unknown vectors that trigger a heap-based buffer overflow.
Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges, which may facilitate a complete compromise of the affected computer.
This issue affects Mac OS X v10.4.11 and v10.5.6 (client and server). Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
NOTE: The new issues have been covered in the following BIDs to better document them:
33806 Apple Mac OS X Pixlet Video Handling Remote Code Execution Vulnerability
33820 Apple Mac OS X Insecure Downloads Folder Permissions Information Disclosure Vulnerability
33815 Apple Mac OS X 'dscl' Local Information Disclosure Vulnerability
33816 Apple Mac OS X Remote Apple Events Uninitialized Buffer Information Disclosure Vulnerability
33814 Apple Mac OS X Remote Apple Events Out of Bounds Memory Access Security Vulnerability
33813 Apple Mac OS X Server Manager Authentication Bypass Security Vulnerability
33812 Apple Mac OS X AFP Server Remote Denial of Service Vulnerability
33810 Apple Mac OS X Certificate Assistant Insecure Temporary File Creation Vulnerability
33811 Apple Mac OS X 'csregprinter' Local Privilege Escalation Vulnerability
33808 Apple Mac OS X Resource Manager Remote Code Execution Vulnerability
33809 Apple Mac OS X CoreText Unicode String Handling Heap Based Buffer Overflow Vulnerability
33800 Apple Mac OS X SMB Component Unspecified Buffer Overflow Vulnerability
33798 Apple Mac OS X Xterm Local Privilege Escalation Vulnerability
33796 Apple Mac OS X SMB File System Remote Denial Of Service Vulnerability
33234 Apple Safari 'feed:' URI Multiple Input Validation Vulnerabilities
33821 Apple Mac OS X 'FSEvents' Local Information Disclosure Vulnerability.
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
For more information:
SA26837
SA31305
14) An uninitialized memory access error in the Remote Apple events
server can be exploited to disclose potentially sensitive memory
contents via specially crafted Remote Apple events.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0455 | CVE-2009-0018 | Apple Mac OS of Remote Apple Event Server memory leak vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Remote Apple Events server in Apple Mac OS X 10.4.11 and 10.5.6 does not properly initialize a buffer, which allows remote attackers to read portions of memory. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-001.
The security update addresses new vulnerabilities that affect the AFP server, movie playing, Resource Manager, Certificate Assistant, CoreText, 'dscl', Folder Manager, FSEvents, csregprinter, Remote Apple Event Viewer, Safari, Xterm, and SMB components of Mac OS X. The advisory also contains security updates for 32 previously reported issues.
A remote attacker may exploit this issue to gain access to memory contents, which may aid in further attacks.
The issue affects Mac OS X v10.4.11 and v10.5.6 (client and server).
1) A race condition error in the AFP Server can be exploited to
trigger the execution of an infinite loop by sending a specially
crafted file enumeration request.
2) An error in the handling of movie files using the Pixlet codec can
be exploited to trigger a memory corruption.
3) An error in the Resource Manager related to CarbonCore can be
exploited to trigger a memory corruption via a file containing a
specially crafted resource fork.
Successful exploitation of vulnerabilities #2 and #3 may allow
execution of arbitrary code.
4) Certificate Assistant handles temporary files in an insecure
manner. This can be exploited to overwrite arbitrary files with the
privileges of the user running the application.
5) Two errors in ClamAV can be exploited to cause a crash or
potentially execute arbitrary code.
For more information:
SA32663
SA32926
6) An error in CoreText when processing specially crafted Unicode
strings can be exploited to cause a heap-based buffer overflow via
e.g. a specially crafted web page.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
7) The dscl program accepts passwords passed via command line
arguments. This can be exploited by local users to obtain the
received passwords via the process list.
8) Multiple errors in fetchmail can be exploited by malicious people
to cause a crash via overly large e-mail headers.
For more information:
SA30742
9) Folder Manager creates the "Downloads" folder with global read
permissions after a user deletes it. This can be exploited by
unprivileged local users to gain access to the "Downloads" folder.
10) An error in the fseventsd program can be exploited to disclose
normally restricted filesystem activity via the FSEvents framework.
11) An error in perl when processing Unicode characters can be
exploited to trigger a memory corruption and potentially execute
arbitrary code.
This is related to:
SA27546
12) An error handling problem in csregprinter can be exploited to
cause a heap-based buffer overflow and potentially gain system
privileges.
13) Multiple errors in python have an unknown impact or can be
exploited to cause a crash or potentially compromise a vulnerable
system.
15) An error in Server Manager while validating authentication
credentials can be exploited to alter the system configuration.
16) An integer overflow in the SMB implementation can be exploited to
cause a heap-based buffer overflow by tricking a user into connecting
to a malicious SMB server.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
17) An error in the SMB implementation can be exploited to exhaust
available memory resources and cause a system shutdown by tricking a
user into connecting to a malicious SMB server.
18) An error in SquirrelMail can be exploited to inject and execute
arbitrary HTML and script code via a specially crafted email.
For more information:
SA32143
19) Multiple errors in the X11 server can be exploited by malicious,
local users to cause a DoS, disclose potentially sensitive
information, or gain escalated privileges.
For more information:
SA30627
20) Multiple errors in FreeType can be exploited to cause a DoS or
compromise an application using the library.
For more information:
SA20100
SA24768
SA30600
21) Multiple errors in LibX11 can be exploited by malicious, local
users to disclose sensitive information, cause a DoS, and gain
escalated privileges.
For more information:
SA24741
22) Xterm creates TTY devices accessible to all users, when used with
"luit". This can be exploited to e.g. write data to another user's
Xterm.
SOLUTION:
Apply Apple Security Update 2009-001.
http://www.apple.com/support/downloads/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
6) Rosyna of Unsanity
9) Graham Perrin of CENTRIM, University of Brighton
10) Mark Dalrymple
12) Lars Haulin
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3438
OTHER REFERENCES:
SA20100:
http://secunia.com/advisories/20100/
SA24741:
http://secunia.com/advisories/24741/
SA24768:
http://secunia.com/advisories/24768/
SA26837:
http://secunia.com/advisories/26837/
SA27546:
http://secunia.com/advisories/27546/
SA30600:
http://secunia.com/advisories/30600/
SA30627:
http://secunia.com/advisories/30627/
SA30742:
http://secunia.com/advisories/30742/
SA31305:
http://secunia.com/advisories/31305/
SA32143:
http://secunia.com/advisories/32143/
SA32663:
http://secunia.com/advisories/32663/
SA32926:
http://secunia.com/advisories/32926/
----------------------------------------------------------------------
VAR-200902-0692 | No CVE | 3Com OfficeConnect Wireless Cable/DSL Router SaveCfgFile bypasses authentication vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
3Com OfficeConnect Wireless Cable/DSL is a small wireless router. The OfficeConnect Wireless Cable/DSL Router has a web console enabled by default for device management. Although the HTTP daemon does not allow access to HTML pages and the web console without authentication, existing CGI programs can still be called and executed. System Tools-->Configuration-->Backup Configuration saves the actual configuration to a plain text file called config.bin. Unauthenticated users can call the SaveCfgFile CGI program directly and download the system configuration, including sensitive information such as user names, passwords and WIFI keys. This vulnerability can also be exploited remotely from the Internet if the Remote Administration option is enabled. The following is an example of sensitive content in the config.bin file:
[...]
pppoe_username=xxxxxxxxxxxxxxx
pppoe_password=xxxxxxxxx
pppoe_service_name=xxxxxxxxx
[...]
mradius_username=xxxxxx
mradius_password=xxxxxx
mradius_secret=xxxxxxx
[...]
http_username=xxxxx
login_password=xxxxx
http_passwd=xxxxx
[...]
AuthName=xxxxxxx
AuthPassword=xxxx
snmpStatus=xxxxxxx
snmpRoCommunity=xxxxxxxx
snmpRwCommunity=xxxxxxxx
[...]
multi_dmz_wan_ip1=xxxxxxxxxx
[...]
lan_macaddr=xxxxxxxxxxxxx
[...]
The 3Com OfficeConnect Wireless Cable/DSL Gateway is prone to an access-validation vulnerability because of a lack of authentication when users access specific administration applications.
Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
The 3Com OfficeConnect Wireless Cable/DSL Gateway firmware 1.2.0 is vulnerable; other versions may also be affected.
VAR-200902-0885 | CVE-2009-0601 | Wireshark Format string vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. Wireshark is prone to multiple denial-of-service vulnerabilities.
Exploiting these issues may allow attackers to crash the application, denying service to legitimate users. Attackers may be able to leverage some of these vulnerabilities to execute arbitrary code, but this has not been confirmed.
These issues affect Wireshark 0.99.6 through 1.0.5. If the user is tricked into grabbing malicious packets from the network or opening a malicious packet capture file, it may cause Wireshark to crash. This fixes some
vulnerabilities, which can be exploited by malicious people to
potentially compromise a user's system.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200906-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Wireshark: Multiple vulnerabilities
Date: June 30, 2009
Bugs: #242996, #248425, #258013, #264571, #271062
ID: 200906-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Wireshark which allow
for Denial of Service (application crash) or remote code execution.
Background
==========
Wireshark is a versatile network protocol analyzer.
Affected packages
=================
    -------------------------------------------------------------------
     Package                 /   Vulnerable   /             Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark       < 1.0.8                     >= 1.0.8
Description
===========
Multiple vulnerabilities have been discovered in Wireshark:
* David Maciejak discovered a vulnerability in packet-usb.c in the
USB dissector via a malformed USB Request Block (URB)
(CVE-2008-4680).
* Florent Drouin and David Maciejak reported an unspecified
vulnerability in the Bluetooth RFCOMM dissector (CVE-2008-4681).
* A malformed Tamos CommView capture file (aka .ncf file) with an
"unknown/unexpected packet type" triggers a failed assertion in
wtap.c (CVE-2008-4682).
* An unchecked packet length parameter in the dissect_btacl()
function in packet-bthci_acl.c in the Bluetooth ACL dissector causes
an erroneous tvb_memcpy() call (CVE-2008-4683).
* A vulnerability where packet-frame does not properly handle
exceptions thrown by post dissectors caused by a certain series of
packets (CVE-2008-4684).
* Mike Davies reported a use-after-free vulnerability in the
dissect_q931_cause_ie() function in packet-q931.c in the Q.931
dissector via certain packets that trigger an exception
(CVE-2008-4685).
* The Security Vulnerability Research Team of Bkis reported that the
SMTP dissector could consume excessive amounts of CPU and memory
(CVE-2008-5285).
* The vendor reported that the WLCCP dissector could go into an
infinite loop (CVE-2008-6472).
* babi discovered a buffer overflow in wiretap/netscreen.c via a
malformed NetScreen snoop file (CVE-2009-0599).
* A specially crafted Tektronix K12 text capture file can cause an
application crash (CVE-2009-0600).
* An unspecified vulnerability with unknown impact and attack vectors
(CVE-2009-1266).
* Marty Adkins and Chris Maynard discovered a parsing error in the
dissector for the Check Point High-Availability Protocol (CPHAP)
(CVE-2009-1268).
* Magnus Homann discovered a parsing error when loading a Tektronix
.rf5 file (CVE-2009-1269).
* The vendor reported that the PCNFSD dissector could crash
(CVE-2009-1829).
Impact
======
A remote attacker could exploit these vulnerabilities by sending
specially crafted packets on a network being monitored by Wireshark or
by enticing a user to read a malformed packet trace file which can
trigger a Denial of Service (application crash or excessive CPU and
memory usage) and possibly allow for the execution of arbitrary code
with the privileges of the user running Wireshark.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Wireshark users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.8"
References
==========
[ 1 ] CVE-2008-4680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4680
[ 2 ] CVE-2008-4681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4681
[ 3 ] CVE-2008-4682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4682
[ 4 ] CVE-2008-4683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4683
[ 5 ] CVE-2008-4684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4684
[ 6 ] CVE-2008-4685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4685
[ 7 ] CVE-2008-5285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5285
[ 8 ] CVE-2008-6472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6472
[ 9 ] CVE-2009-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0599
[ 10 ] CVE-2009-0600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0600
[ 11 ] CVE-2009-0601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0601
[ 12 ] CVE-2009-1210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1210
[ 13 ] CVE-2009-1266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1266
[ 14 ] CVE-2009-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1268
[ 15 ] CVE-2009-1269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1269
[ 16 ] CVE-2009-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1829
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200906-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0601
http://www.wireshark.org/security/wnpa-sec-2009-01.html
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Wireshark NetScreen Snoop Capture File Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA33872
VERIFY ADVISORY:
http://secunia.com/advisories/33872/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Wireshark 1.x
http://secunia.com/advisories/product/18083/
Wireshark (formerly Ethereal) 0.x
http://secunia.com/advisories/product/1228/
DESCRIPTION:
A vulnerability has been reported in Wireshark, which can be
exploited by malicious people to potentially compromise a user's
system.
The vulnerability is caused due to a boundary error in the processing
of NetScreen Snoop capture files and can be exploited to cause a
stack-based buffer overflow.
Successful exploitation may allow execution of arbitrary code
depending on the allocation of stack variables.
The vulnerability is reported in versions 0.99.7 through 1.0.5.
SOLUTION:
Update to version 1.0.6.
PROVIDED AND/OR DISCOVERED BY:
Reported by babi in a Wireshark bug report.
ORIGINAL ADVISORY:
http://www.wireshark.org/security/wnpa-sec-2009-01.html
VAR-200902-0626 | CVE-2009-0680 | Netgear SSL312 of cgi-bin/welcome/VPN_only Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312 allows remote attackers to cause a denial of service (device crash) via a crafted query string, as demonstrated using directory traversal sequences. NetGear SSL312 is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. NetGear SSL312 is an SSL VPN product manufactured by Netgear that meets the remote access needs of small and medium-sized enterprises.
VAR-200902-0193 | CVE-2008-6087 | Camera Life of topic.php Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in topic.php in Camera Life 2.6.2b4 allows remote attackers to inject arbitrary web script or HTML via the name parameter. Camera Life is an open source PHP-based photo management and organization plugin.
VAR-200902-0035 | CVE-2009-0471 | Cisco IOS of HTTP Server cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the HTTP server in Cisco IOS 12.4(23) allows remote attackers to execute arbitrary commands, as demonstrated by executing the hostname command with a level/15/configure/-/hostname request. IOS is prone to a cross-site request forgery vulnerability. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment.
----------------------------------------------------------------------
TITLE:
Cisco IOS Cross-Site Scripting and Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA33844
VERIFY ADVISORY:
http://secunia.com/advisories/33844/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
DESCRIPTION:
Zloss has reported some vulnerabilities in Cisco IOS, which can be
exploited by malicious people to conduct cross-site scripting and
cross-site request forgery attacks.
1) Input passed via the URL when executing commands is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
2) The device allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to potentially alter the
configuration of the device by tricking the user into visiting a
malicious web site.
The vulnerabilities are reported in Cisco IOS firmware version
12.4(23). Other versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
Do not visit untrusted websites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY:
Zloss
ORIGINAL ADVISORY:
http://packetstormsecurity.org/0902-exploits/cisco12423-xss.txt