Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL Pointer Dereference
21 Dec. 2008
The Solaris kernel contains a vulnerability in the code that handles SIOCGTUNPARAM IOCTL requests. Exploitation of this vulnerability can result in:
1) Local denial of service attacks (system crash due to a kernel panic), or
[ As all Solaris Zones (Containers) share the same kernel, it is possible to crash the whole system (all Zones) even if the vulnerability is triggered from an unprivileged non-global zone. ]
2) Local execution of arbitrary code at the kernel level (complete system compromise) on x86 platforms
[ As all Solaris Zones (Containers) share the same kernel, it is possible to escape from an unprivileged non-global zone and compromise other non-global zones or the global zone. ]
The issue can be triggered by sending a specially crafted IOCTL request to the kernel.
The information has been provided by Tobias Klein.
The original article can be found at: http://www.trapkit.de/advisories/TKADV2008-015.txt
PHP APC Vulnerable to Local Attacks
21 Dec. 2008
PHP APC is an opcode cache for PHP, or, as the developers say: "APC is a free, open, and robust framework for caching and optimizing PHP intermediate code." A cross-site scripting (XSS) issue arises when local users are able to create files that get cached by APC, and a server administrator later visits the apc.php web interface that ships with APC: attacker-controlled file names from the cache are rendered in the administrator's browser.
The information has been provided by Moritz Naumann.
Fujitsu-Siemens WebTransactions Command Injection Vulnerability
21 Dec. 2008
With WebTransactions openSEAS provides "a product which allows approved host applications to be used in new business processes and modern application scenarios. WebTransactions provides all possibilities to prepare existing host applications for new web based scenarios. Host applications and data can be used via Standard Web browser without need to change anything on the host side".
Fujitsu-Siemens WebTransactions is vulnerable to remote command injection due to insufficient input validation. Under certain conditions, WBPublish.exe passes unvalidated user input to the system() function when cleaning up temporary session data. This vulnerability allows an attacker to execute arbitrary commands on the affected system. The vulnerability does not require prior authentication and can be exploited from a web browser.
The information has been provided by Bernhard Mueller.
The original article can be found at: http://www.sec-consult.com/files/20081219-0_fujitsu-siemens_webta_cmdexec.txt
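The bug class described above, as an added example that is not WebTransactions code: a session-cleanup routine that interpolates a request-supplied session identifier into a shell command and hands it to system(), next to a hardened version that validates the identifier against an allowlist and removes the file with unlink(), so no shell ever parses the value. The directory layout and the ".dat" file naming are assumptions made for the illustration.

```c
/* Added example (not WebTransactions code). Assumed layout: one file per
 * session, "<dir>/<session_id>.dat". Compile with: cc -o demo demo.c */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: build a shell command line from the session id taken
 * from the request. For "abc123;id" the shell runs "rm -f <dir>/abc123.dat"
 * and then "id". Exposed as a string builder so the test can show what the
 * shell would see; the vulnerable code path passes it straight to system(). */
int build_cleanup_command(const char *dir, const char *session_id,
                          char *cmd, size_t cmdlen) {
    return snprintf(cmd, cmdlen, "rm -f %s/%s.dat", dir, session_id);
}

int cleanup_session_unsafe(const char *dir, const char *session_id) {
    char cmd[512];
    build_cleanup_command(dir, session_id, cmd, sizeof cmd);
    return system(cmd);            /* never do this with untrusted input */
}

/* Allowlist: 1..32 ASCII letters or digits. Rejects ';', '|', '`', '$', '/',
 * '.', whitespace and anything else a shell or a path would interpret. */
int session_id_is_valid(const char *session_id) {
    size_t n = strlen(session_id);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)session_id[i])) return 0;
    return 1;
}

/* Hardened cleanup: validate first, then unlink() the file directly.
 * Returns 0 on success, -1 for a rejected id, -2 if unlink() fails. */
int cleanup_session_safe(const char *dir, const char *session_id) {
    char path[512];
    if (!session_id_is_valid(session_id)) return -1;
    if (snprintf(path, sizeof path, "%s/%s.dat", dir, session_id) >= (int)sizeof path)
        return -1;
    return unlink(path) == 0 ? 0 : -2;
}

/* Returns 1 if the unsafe builder would hand the shell the injected command. */
int unsafe_builder_passes_metachars(void) {
    char cmd[512];
    build_cleanup_command("/tmp/sessions", "abc123;id", cmd, sizeof cmd);
    return strstr(cmd, ";id") != NULL;
}

/* Self-check: create a session file in a scratch directory under /tmp, show
 * that the injected id is refused and the file survives, then remove the file
 * via the legitimate id and confirm it is gone. Returns 1 on success. */
int demo_roundtrip(void) {
    char dir[128], path[256];
    FILE *f;
    snprintf(dir, sizeof dir, "/tmp/webta_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 0;
    snprintf(path, sizeof path, "%s/abc123.dat", dir);
    if (!(f = fopen(path, "w"))) return 0;
    fclose(f);
    int ok = cleanup_session_safe(dir, "abc123;id") == -1    /* rejected   */
          && access(path, F_OK) == 0                         /* untouched  */
          && cleanup_session_safe(dir, "abc123") == 0        /* removed    */
          && access(path, F_OK) != 0;
    rmdir(dir);
    return ok;
}

int main(void) {
    char cmd[512];
    build_cleanup_command("/tmp/sessions", "abc123;id", cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    printf("roundtrip with allowlist + unlink: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The point of the hardened version is not the allowlist alone: even a validated identifier should be passed to a filesystem call rather than to a shell, so that a later relaxation of the allowlist cannot reintroduce the injection.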
PHP mbstring Buffer Overflow Vulnerability
21 Dec. 2008
PHP is "a scripting language extensively used in web application development. The package contains a number of language extensions aside from the language core".
A heap buffer overflow was found in the mbstring extension that is bundled with the standard PHP distribution. The mbstring extension provides a set of functions for the manipulation of multibyte / Unicode strings.
The vulnerability occurs in the part of the encoding conversion facility that decodes strings containing HTML entities into Unicode strings. Because the decoder handles error conditions incorrectly, the bounds check on a heap-allocated buffer is effectively bypassed. An attacker who controls the decoder's input can exploit this to write arbitrary data to a specific region of the heap.
The information has been provided by Moriyoshi Koizumi.
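An added example, not PHP's mbstring code, illustrating the bug class the advisory describes. Decoding "&amp;" shrinks the data (5 bytes in, 1 byte out), but when an entity turns out to be malformed the decoder must emit the buffered raw bytes unchanged, so the error path can need more output space than the success path; a capacity check that is applied only on the success path is bypassed exactly there. The decoder below is a constructed minimal one (five entities, fixed-size name buffer) that checks capacity on both paths and returns an error instead of writing past the caller's buffer.

```c
/* Added example (not mbstring code): a minimal HTML-entity decoder whose
 * error path (unknown, over-long or unterminated entity) is bounds-checked
 * like its success path. Constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define ENT_MAX 8   /* longest entity name we buffer before giving up */

/* Constructed entity table; a real decoder has hundreds of entries. */
static const struct { const char *name; char ch; } ENTITIES[] = {
    {"amp", '&'}, {"lt", '<'}, {"gt", '>'}, {"quot", '"'}, {"apos", '\''},
};

static int lookup_entity(const char *name, size_t len, char *out) {
    for (size_t i = 0; i < sizeof ENTITIES / sizeof ENTITIES[0]; i++)
        if (strlen(ENTITIES[i].name) == len && memcmp(ENTITIES[i].name, name, len) == 0) {
            *out = ENTITIES[i].ch;
            return 1;
        }
    return 0;
}

/* Append n bytes to out, refusing to exceed cap. Returns 0 on overflow. */
static int emit(char *out, size_t cap, size_t *pos, const char *src, size_t n) {
    if (n > cap - *pos) return 0;
    memcpy(out + *pos, src, n);
    *pos += n;
    return 1;
}

/* Decode entities in in[0..inlen) into out (cap bytes, NUL-terminated on
 * success). Returns bytes written, or -1 if out is too small. Malformed
 * entities ("&ampx;", "&toolongname;", a trailing "&am") are passed through
 * verbatim, and that fallback goes through the same capacity check. */
long decode_entities(const char *in, size_t inlen, char *out, size_t cap) {
    char ent[ENT_MAX];
    size_t entlen = 0, pos = 0, lim;
    int in_entity = 0;
    if (cap == 0) return -1;
    lim = cap - 1;                       /* keep one byte for the NUL */
    for (size_t i = 0; i < inlen; i++) {
        char c = in[i];
        if (!in_entity) {
            if (c == '&') { in_entity = 1; entlen = 0; }
            else if (!emit(out, lim, &pos, &c, 1)) return -1;
            continue;
        }
        if (c == ';') {
            char decoded;
            in_entity = 0;
            if (lookup_entity(ent, entlen, &decoded)) {
                if (!emit(out, lim, &pos, &decoded, 1)) return -1;
            } else {                     /* unknown name: flush "&name;" raw */
                if (!emit(out, lim, &pos, "&", 1) ||
                    !emit(out, lim, &pos, ent, entlen) ||
                    !emit(out, lim, &pos, ";", 1)) return -1;
            }
        } else if (entlen == ENT_MAX ||
                   !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))) {
            /* Too long or not an entity after all: flush raw, reprocess c. */
            in_entity = 0;
            if (!emit(out, lim, &pos, "&", 1) ||
                !emit(out, lim, &pos, ent, entlen)) return -1;
            i--;                         /* main loop handles c as plain text */
        } else {
            ent[entlen++] = c;           /* entlen < ENT_MAX guaranteed above */
        }
    }
    if (in_entity) {                     /* input ended inside an entity */
        if (!emit(out, lim, &pos, "&", 1) ||
            !emit(out, lim, &pos, ent, entlen)) return -1;
    }
    out[pos] = '\0';
    return (long)pos;
}

/* Helpers for the checks below: decode into a 64-byte scratch buffer. */
long decode_len(const char *in, size_t cap) {
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return decode_entities(in, strlen(in), buf, cap);
}

int decode_equals(const char *in, const char *expected) {
    char buf[64];
    long n = decode_entities(in, strlen(in), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Same 2-byte output buffer: the valid entity fits, the malformed one
     * needs six bytes on the fallback path and is refused instead of overflowing. */
    printf("\"&amp;\"  into 2 bytes -> %ld\n", decode_len("&amp;", 2));
    printf("\"&ampx;\" into 2 bytes -> %ld\n", decode_len("&ampx;", 2));
    return 0;
}
```

The two calls in main() are the whole lesson: sizing the output from the success case ("at most one byte per entity") is wrong, because the raw fallback on a malformed entity can emit every buffered byte plus the delimiters, and the capacity check has to cover that path as well.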
Trend Micro HouseCall ActiveX Control "notifyOnLoadNative()" Vulnerability
Release Date: 2008-12-21
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Trend Micro HouseCall ActiveX Control 6.x
Trend Micro HouseCall Server 6.x
Secunia Research has discovered a vulnerability in Trend Micro HouseCall, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a use-after-free error in the HouseCall ActiveX control (Housecall_ActiveX.dll). This can be exploited to dereference previously freed memory by tricking the user into opening a web page containing a specially crafted "notifyOnLoadNative()" callback function.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in versions 220.127.116.118 and 18.104.22.1688. Other versions may also be affected.
Remove the ActiveX control and install version 22.214.171.1245.
HouseCall Server Edition:
Apply hotfix B1285. Please see vendor's advisory for further details.
Provided and/or discovered by:
Alin Rad Pop, Secunia Research.
American Express bitten by XSS bugs (again)
Card accounts still naked
By Dan Goodin in San Francisco
The website for American Express has once again been bitten by security bugs that could expose its considerable base of customers to attacks that steal their login credentials.
The notice comes days after The Register reported that Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.
It turns out that's not the case. The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com users' authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers, who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit string no longer works; blocking one payload does not fix the missing output encoding that lets the next one through.