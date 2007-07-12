Thread display:
Symantec Client Security Denial of Service and Privilege Escalation Vulnerabilities
Advisory ID : FrSIRT/ADV-2007-2506
CVE ID : CVE-2006-3456
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Two vulnerabilities have been identified in Symantec Client Security and AntiVirus Corporate Edition, which could be exploited by local attackers to cause a denial of service or obtain elevated privileges.
The first issue is caused by a stack overflow error within the E-mail Auto-Protect feature when processing an outgoing email with an overly long (more than 951 bytes) "To:", "From:" or "Subject:" field, which could be exploited by malicious users to cause the Internet E-mail real-time protection service to crash and stop scanning outgoing SMTP email messages, creating a denial of service condition.
The second vulnerability is caused by an error in the Real-Time scanner (RTVScan) component that displays the Notification Message window without dropping privileges, which could be exploited by local attackers to execute arbitrary code with SYSTEM privileges.
Affected Products
Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus Corporate Edition 10.x
Symantec Client Security 2.x
Symantec Client Security 3.x
Solution
Apply patches :
https://fileconnect.symantec.com/
References
http://www.frsirt.com/english/advisories/2007/2506
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11b.html
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11c.html
Credits
Vulnerabilities reported by Jordi Corrales and Ali Rhabar (Sysdream).
Symantec Products "SYMTDI.SYS" Device Driver Privilege Escalation Vulnerability
Advisory ID : FrSIRT/ADV-2007-2507
CVE ID : CVE-2007-3673
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in various Symantec products, which could be exploited by local attackers to obtain elevated privileges. This issue is caused due to improper address space validation within the "SYMTDI.SYS" device driver when processing IOCTL 0x83022323, which could be exploited by malicious users to overwrite arbitrary memory addresses and execute code with elevated privileges.
Affected Products
Symantec Norton AntiSpam 2005
Symantec Norton AntiVirus 2005
Symantec Norton AntiVirus 2006
Symantec Norton Internet Security 2005
Symantec Norton Internet Security 2006
Symantec Norton Personal Firewall 2005
Symantec Norton Personal Firewall 2006
Symantec Norton System Works 2005
Symantec Norton System Works 2006
Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus Corporate Edition 10.x
Symantec Client Security 2.x
Symantec Client Security 3.x
Solution
Apply patches :
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11d.html
References
http://www.frsirt.com/english/advisories/2007/2507
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11d.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=554
Credits
Vulnerability reported by Zohiartze Herce and iDefense Labs.
Symantec Products RAR and CAB Handling Code Execution and DoS Vulnerabilities
Advisory ID : FrSIRT/ADV-2007-2508
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Two vulnerabilities have been identified in Symantec products, which could be exploited by remote attackers or malware to cause a denial of service or take control of an affected system.
The first issue is caused by an infinite loop within the decomposition of RAR files with malformed headers, which could be exploited to exhaust all available memory resources, creating a denial of service condition.
The second vulnerability is caused by a memory corruption error when processing malformed CAB files, which could be exploited by attackers to execute arbitrary commands by sending a malicious file to a system being protected by a vulnerable application.
Affected Products
Symantec Mail Security 8200
Symantec Mail Security for MS Exchange version 4.6.3 and prior
Symantec Mail Security for MS Exchange version 5.0.0.204
Symantec Mail Security for MS Exchange version 6.0.0
Symantec Mail Security for Domino NT version 4.1.4 and prior
Symantec Mail Security for Domino NT version 5.0.0.47
Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) version 3.0.12 and prior
Symantec Scan Engine version 5.0.1 and prior
Symantec AntiVirus Scan Engine version 4.1.8 and prior
Symantec AntiVirus Scan Engine version 4.3.12 and prior
Symantec AntiVirus Scan Engine for MS ISA version 4.3.12 and prior
Symantec AntiVirus Scan Engine for MS Sharepoint version 4.3.12 and prior
Symantec AntiVirus Scan Engine for Messaging version 4.3.12 and prior
Symantec AntiVirus for Network Attached Storage version 4.3.12 and prior
Symantec AntiVirus Scan Engine for Clearswift version 4.3.12 and prior
Symantec AntiVirus Scan Engine for Caching version 4.3.12 and prior
Symantec Client Security version 3.0
Symantec Client Security version 3.x
Symantec Client Security version 2.x
Symantec Web Security version 3.0.1.76 and prior
Symantec Gateway Security 5000 Series version 3.0.1
Symantec Gateway Security 5400 Series version 2.0.1
Symantec Brightmail AntiSpam version 6.0.x
Symantec Brightmail AntiSpam version 5.5
Symantec Brightmail AntiSpam version 4.x
Symantec AntiVirus Corporate Edition version 10.1
Symantec AntiVirus Corporate Edition version 10.0
Symantec AntiVirus Corporate Edition version 9.0
Symantec AntiVirus Corporate Edition for Linux
Symantec AntiVirus for Macintosh version 10.x
Symantec Web Security for MS ISA 2004 version 5.0
Symantec Mail Security for SMTP version 5.0.0 Solaris
Symantec Mail Security for SMTP version 5.0.0 Linux
Symantec Mail Security for SMTP version 5.0.0 Windows
Symantec Mail Security for SMTP version 5.0.1
Solution
Apply patches :
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html
References
http://www.frsirt.com/english/advisories/2007/2508
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html
Credits
Vulnerabilities reported by Zero Day Initiative.
ClamAV "execute_standard_filter()" RAR Archive Denial of Service Vulnerability
Advisory ID : FrSIRT/ADV-2007-2509
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in ClamAV (Clam AntiVirus), which could be exploited by attackers or malware to cause a denial of service. This issue is caused by an error in the "execute_standard_filter()" [libclamav/unrar/unrarvm.c] function when processing a malformed RAR archive, which could be exploited to crash a vulnerable application, creating a denial of service condition.
Affected Products
ClamAV (Clam AntiVirus) version 0.90 and prior
Solution
Upgrade to ClamAV version 0.91 :
http://sourceforge.net/projects/clamav/
References
http://www.frsirt.com/english/advisories/2007/2509
http://sourceforge.net/project/shownotes.php?release_id=522414&group_id=86638
http://sourceforge.net/projects/clamav/
Credits
Vulnerability reported by Metaeye SG.
Apple QuickTime Multiple Media File Processing Command Execution Vulnerabilities
Advisory ID : FrSIRT/ADV-2007-2510
CVE ID : CVE-2007-2295 - CVE-2007-2296 - CVE-2007-2392 - CVE-2007-2393 - CVE-2007-2394 - CVE-2007-2396 - CVE-2007-2397 - CVE-2007-2402
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Multiple vulnerabilities have been identified in Apple QuickTime, which could be exploited by remote attackers to gain knowledge of sensitive information or take complete control of an affected system.
The first issue is caused by a memory corruption error when processing a malformed H.264 movie, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a malicious movie.
The second vulnerability is caused by a memory corruption error when processing a malformed movie file, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a malicious file.
The third issue is caused by an integer overflow error when processing a malformed m4v file, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a malicious file.
The fourth vulnerability is caused by an integer overflow error when processing a malformed SMIL file, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a malicious file.
The fifth issue is caused by a design error in QuickTime for Java, which could be exploited by attackers to bypass security checks and execute arbitrary code by tricking a user into visiting a malicious web page.
The sixth vulnerability is caused by a design error in QuickTime for Java, which could be exploited by malicious Java applets to bypass security checks and read and write process memory, leading to arbitrary code execution.
The seventh issue is caused by a design error in QuickTime for Java where certain interfaces are exposed by JDirect, which could be exploited by attackers to load arbitrary libraries and free arbitrary memory, leading to arbitrary code execution.
The eighth vulnerability is caused by a design error in QuickTime, which could be exploited by attackers to capture a client's screen content by tricking a user into visiting a specially crafted web page.
Affected Products
Apple QuickTime versions prior to 7.2
Solution
Upgrade to Apple QuickTime version 7.2 for Mac:
http://www.apple.com/support/downloads/quicktime72formac.html
Upgrade to Apple QuickTime version 7.2 for Windows:
http://www.apple.com/support/downloads/quicktime72forwindows.html
References
http://www.frsirt.com/english/advisories/2007/2510
http://docs.info.apple.com/article.html?artnum=305947
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=556
Credits
Vulnerabilities reported by Tom Ferris (Security-Protocols), Matt Slot (Ambrosia Software), Jonathan Wolf Rentzsch (Red Shed Software), David Vaartjes (ITsec Security Services), iDefense Labs, Adam Gowdiak and the vendor.
QuickTime Update Equals Update QuickTime
Apple released QuickTime version 7.2 yesterday. The update includes eight important security fixes in which viewing a maliciously crafted H.264 movie/movie/.m4v/SMIL file or visiting a malicious website may lead to arbitrary code execution. Apple's website has additional details.
The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows. If you have iTunes or Apple Software Update installed, then you can just install iTunes 7.3.1 and QuickTime 7.2 will be included. If you only have QuickTime installed, perhaps on a corporate network, then you'll need to manually download the update.
It's important to update. Why? Because of stuff like MPack.
MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment.
More: http://www.f-secure.com/weblog/
Cisco Unified Communications Manager and Presence Server Security Bypass Issues
Advisory ID : FrSIRT/ADV-2007-2511
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Two vulnerabilities have been identified in Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS), which could be exploited by malicious users to bypass security checks. These issues are caused by unspecified errors that could allow an unauthorized administrator to activate and terminate CUCM / CUPS system services and access SNMP configuration information, leading to a denial of service condition and the disclosure of sensitive SNMP details (including community strings).
Affected Products
Cisco Unified CallManager versions 5.x
Cisco Unified Communications Manager versions 5.x
Cisco Unified Presence Server versions 1.x
Solution
Upgrade to Cisco Unified Communications Manager (CUCM) version 5.1(2a) :
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-51?psrtdcat20e2
Upgrade to Cisco Unified Presence Server (CUPS) version CUPS 6.0(1) :
http://www.cisco.com/pcgi-bin/tablebuild.pl/cups-60?psrtdcat20e2
References
http://www.frsirt.com/english/advisories/2007/2511
http://www.cisco.com/warp/public/707/cisco-sa-20070711-voip.shtml
Credits
Vulnerabilities reported by the vendor.
Cisco Unified CallManager CTL Provider and RIS Collector Code Execution Issues
Advisory ID : FrSIRT/ADV-2007-2512
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Two vulnerabilities have been identified in Cisco Unified Communications Manager (CUCM), formerly CallManager, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system.
The first issue is caused by an off-by-one buffer overflow error in the Certificate Trust List (CTL) Provider service when processing malformed requests (port 2444/TCP), which could be exploited by remote unauthenticated attackers to crash an affected service or execute arbitrary code.
The second vulnerability is caused by a heap overflow error in the Real-Time Information Server (RIS) Data Collector service when processing malformed requests (port 2556/TCP), which could be exploited by remote unauthenticated attackers to crash an affected service or execute arbitrary code.
Affected Products
Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR3
Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR5
Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR2
Cisco Unified Communications Manager 4.3 versions prior to 4.3(1)SR1
Cisco Unified Communications Manager 5.1 versions prior to 5.1(2)
Solution
Apply fixes :
http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml#fixes
References
http://www.frsirt.com/english/advisories/2007/2512
http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml
http://www.iss.net/threats/270.html
http://www.iss.net/threats/271.html
Credits
Vulnerabilities reported by IBM ISS X-Force.
FlashBB "phpbb_root_path" Parameter Handling Remote File Inclusion Vulnerability
Advisory ID : FrSIRT/ADV-2007-2514
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in FlashBB, which could be exploited by remote attackers to compromise a vulnerable web server. This issue is caused by an input validation error in the "sendmsg.php" script when processing the "phpbb_root_path" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.
Affected Products
FlashBB version 1.1.7 and prior
Solution
The FrSIRT is not aware of any officially supplied patch for this issue.
References
http://www.frsirt.com/english/advisories/2007/2514
Credits
Vulnerability reported by kw3rln.
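The FlashBB issue above is a classic remote file inclusion: a script parameter that is meant to hold a local path is instead fed a URL or a PHP stream wrapper. The following is an added detection example, not FlashBB's code or the FrSIRT's: it scans web-server access-log lines for query parameters whose value begins with a URL scheme or wrapper. The log lines, hosts and parameter names are constructed for the example (only `sendmsg.php` and `phpbb_root_path` come from the advisory).

```python
# Added example, not FlashBB's code: flag access-log requests whose query-string
# parameters carry a URL or PHP stream wrapper, the trace a remote-file-inclusion
# attempt leaves behind. Log lines below are constructed for the example.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: host ident authuser [time] "METHOD target PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A value that makes PHP's include() read from somewhere other than the local code tree.
REMOTE_VALUE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect|phar)://', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded value) for each query parameter pointing at a remote or wrapper source."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        if REMOTE_VALUE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per log line that carries a suspicious parameter value."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "path": urlsplit(rec["target"]).path,
                "status": rec["status"],
                "params": hits,
            })
    return findings


# Constructed sample log; addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2007:10:01:02 +0000] "GET /forum/sendmsg.php?phpbb_root_path=http://203.0.113.9/ HTTP/1.1" 200 1523',
    '198.51.100.4 - - [12/Jul/2007:10:01:05 +0000] "GET /forum/sendmsg.php?phpbb_root_path=./ HTTP/1.1" 200 1523',
    '198.51.100.4 - - [12/Jul/2007:10:02:11 +0000] "GET /forum/index.php?page=data%3A%2F%2Ftext%2Fplain%2Chello HTTP/1.1" 200 881',
    '192.0.2.10 - - [12/Jul/2007:10:03:00 +0000] "GET /forum/viewtopic.php?t=42&redirect=https://example.com/ HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["host"], finding["path"], finding["params"])
```

Three of the four well-formed lines are flagged. The last one is a legitimate `redirect` parameter that happens to hold a URL, which is the usual false-positive source for this rule; in practice you would narrow the match to include-style parameter names or to the scripts the advisory names, and treat a `200` status on a flagged request as the higher-priority event.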
SuSE Security Update Fixes Kernel Multiple Denial of Service Vulnerabilities
Advisory ID : FrSIRT/ADV-2007-2500
CVE ID : CVE-2006-7203 - CVE-2007-1357 - CVE-2007-1496 - CVE-2007-1497 - CVE-2007-1592 - CVE-2007-1861 - CVE-2007-2453 - CVE-2007-2876
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Multiple vulnerabilities have been identified in SuSE, which could be exploited by attackers to bypass security restrictions, disclose sensitive information or cause a denial of service. These issues are caused by errors in the kernel. For additional information, see : FrSIRT/ADV-2007-1340 - FrSIRT/ADV-2007-1595 - FrSIRT/ADV-2007-0944 - FrSIRT/ADV-2007-1084 - FrSIRT/ADV-2007-2209 - FrSIRT/ADV-2007-2105 - CVE-2007-2876
Affected Products
SUSE LINUX 10.0
openSUSE 10.2
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
Solution
Upgrade the affected packages :
ftp://ftp.suse.com/pub/suse/update/
References
http://www.frsirt.com/english/advisories/2007/2500
http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00005.html
rPath Security Update Fixes Wireshark Remote Denial of Service Vulnerabilities
Advisory ID : FrSIRT/ADV-2007-2501
CVE ID : CVE-2007-3389 - CVE-2007-3390 - CVE-2007-3391 - CVE-2007-3392 - CVE-2007-3393
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
Multiple vulnerabilities have been identified in rPath Linux, which could be exploited by remote attackers to cause a denial of service. These issues are caused by errors in Wireshark. For additional information, see : FrSIRT/ADV-2007-2353
Affected Products
rPath Linux 1
Solution
Upgrade the affected packages :
tshark=/conary.rpath.com@rpl:devel//1/0.99.6-0.1-1
wireshark=/conary.rpath.com@rpl:devel//1/0.99.6-0.1-1
References
http://www.frsirt.com/english/advisories/2007/2501
http://lists.rpath.com/pipermail/security-announce/2007-July/000208.html
rPath Security Update Fixes GIMP PSD Plugin Integer Overflow Vulnerability
Advisory ID : FrSIRT/ADV-2007-2502
CVE ID : CVE-2007-2949
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in rPath Linux, which could be exploited by attackers to execute arbitrary code. This issue is caused by an error in GIMP. For additional information, see : FrSIRT/ADV-2007-2421
Affected Products
rPath Linux 1
Solution
Upgrade the affected package :
gimp=/conary.rpath.com@rpl:devel//1/2.2.16-0.1-1
References
http://www.frsirt.com/english/advisories/2007/2502
http://lists.rpath.com/pipermail/security-announce/2007-July/000209.html
Redhat Security Update Fixes X.Org XFS Script Privilege Escalation Vulnerability
Advisory ID : FrSIRT/ADV-2007-2515
CVE ID : CVE-2007-3103
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in Redhat, which could be exploited by local attackers to obtain elevated privileges. This issue is caused by a race condition in the way the X.Org X11 XFS script handles temporary files, which could be exploited by malicious users to manipulate certain files and gain root privileges when a vulnerable system (or XFS) is rebooted.
Affected Products
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Solution
Upgrade the affected packages :
http://rhn.redhat.com/
References
http://www.frsirt.com/english/advisories/2007/2515
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903
http://rhn.redhat.com/errata/RHSA-2007-0519.html
http://rhn.redhat.com/errata/RHSA-2007-0520.html
Credits
Vulnerability reported by iDefense Labs.
Symantec Products Real-Time Scanner Notification Window Privilege Escalation
Secunia Advisory: SA26054
Release Date: 2007-07-12
Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
Software: Symantec AntiVirus Corporate Edition 10.x
Symantec AntiVirus Corporate Edition 9.x
Symantec Client Security 2.x
Symantec Client Security 3.x
Description:
A vulnerability has been reported in some Symantec products, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to an error in the Real-Time scanner (RTVScan) component when displaying a notification window containing information on threats found on a system. This can be exploited to execute arbitrary code with SYSTEM privileges.
The vulnerability is reported in the following products and versions:
* Symantec AntiVirus Corporate Edition versions 9.0, 10.0 and 10.1
* Symantec Client Security versions 2.0, 3.0, and 2.1
Solution:
Apply updates.
http://www.symantec.com/enterprise/support/all_products.jsp
Symantec AntiVirus Corporate Edition 9.0:
SAV 9.0.6 MR6 MP1 - build 1100 or later
Symantec AntiVirus Corporate Edition 10.0/10.1:
10.1.4 MR4 MP1 - build 4010 or later
Symantec Client Security 2.0:
SCS 2.0.6 MR6 MP1 - build 1100 or later
Symantec Client Security 3.0/3.1:
SCS 3.1.4 MR4 MP1 - build 4010 or later
Provided and/or discovered by:
The vendor credits Ali Rhabar, Sysdream.
Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11c.html
Red Hat update for perl-Net-DNS
Secunia Advisory: SA26055
Release Date: 2007-07-12
Critical: Less critical
Impact: Spoofing, DoS
Where: From remote
Solution Status: Vendor Patch
OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4
Description:
Red Hat has issued an update for perl-Net-DNS. This can be exploited to poison the DNS cache or to cause a DoS (Denial of Service).
For more information:
SA25829
Solution:
Updated packages are available from Red Hat Network.
http://rhn.redhat.com
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2007-0674.html
https://rhn.redhat.com/errata/RHSA-2007-0675.html
Other References:
SA25829:
http://secunia.com/advisories/25829/
Red Hat update for xorg-x11
Secunia Advisory: SA26056
Release Date: 2007-07-12
Critical: Not critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 4
Description:
Red Hat has issued an update for xorg-x11 and xorg-x11-xfs. This fixes a vulnerability, which can be exploited by malicious, local users to perform actions with escalated privileges.
The vulnerability is caused due to a race condition within the handling of temporary files when the xfs font server startup script is executed. This can be exploited to change the permissions of arbitrary files.
Solution:
Updated packages are available from Red Hat Network.
http://rhn.redhat.com
Provided and/or discovered by:
Reported in a Bugzilla bug report with reference to iDefense.
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2007-0520.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242903
Red Hat update for flash-plugin
Secunia Advisory: SA26057
Release Date: 2007-07-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Red Hat Enterprise Linux Extras v. 3
Red Hat Enterprise Linux Extras v. 4
RHEL Supplementary (v. 5 server)
Description:
Red Hat has issued an update for flash-plugin. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.
For more information:
SA26027
Solution:
Updated packages are available from Red Hat Network:
http://rhn.redhat.com
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2007-0696.html
Other References:
SA26027:
http://secunia.com/advisories/26027/
Belkin Wireless G Plus Router DHCP Client Hostname Script Insertion
Secunia Advisory: SA26059
Release Date: 2007-07-12
Critical: Not critical
Impact: Cross Site Scripting
Where: From local network
Solution Status: Unpatched
OS: Belkin Wireless G Plus Router
Description:
Nico Leidecker has reported a vulnerability in the Belkin Wireless G Plus Router, which can be exploited by malicious people to conduct script insertion attacks.
Input passed via the hostname when listing DHCP clients is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in context of an affected interface.
The vulnerability is reported in Belkin Wireless G Plus Router (F5D7231-4) with firmware version 4.05.03. Other versions may also be affected.
Solution:
List DHCP clients in a trusted network environment only.
Provided and/or discovered by:
Nico Leidecker, Portcullis Computer Security Ltd.
Original Advisory:
http://lists.grok.org.uk/pipermail/fu...20070710/98374694/attachment-0033.txt
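The Belkin issue is a stored script insertion through a value the router never controls: any DHCP client can send whatever it likes as its hostname, and the admin page echoes it into HTML. The fix is output encoding at the point of rendering, with hostname validation as a second layer. The following is an added example, not Belkin firmware code or anything from the advisory; the lease records, field names and the `invalid` CSS class are constructed for the example.

```python
# Added example, not Belkin firmware code: render a router's DHCP client table with
# the client-supplied hostname validated and HTML-escaped on output, so that markup
# in a lease's hostname is shown as text instead of running in the admin's browser.
import html
import re

# RFC 1123 label: letters, digits and hyphens, 1-63 characters, no hyphen at either end.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def is_valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid host name (dot-separated labels, at most 253 chars)."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def display_name(raw: bytes) -> str:
    """Turn the raw DHCP option 12 value into HTML-safe text.

    Output encoding is what prevents script insertion: every displayed name is
    escaped. Validation is a second layer that flags names no real host would have,
    while still showing the (escaped) value so the administrator can spot the device.
    """
    name = raw.decode("ascii", errors="replace")
    escaped = html.escape(name, quote=True)
    if is_valid_hostname(name):
        return escaped
    return '<span class="invalid">' + escaped + '</span>'


def render_client_table(leases) -> str:
    """Build the HTML table for the DHCP client list from lease records (ip, mac, hostname bytes)."""
    rows = []
    for lease in leases:
        rows.append("<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(lease["ip"]), html.escape(lease["mac"]), display_name(lease["hostname"])))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Constructed leases: one ordinary client and one whose hostname carries markup.
SAMPLE_LEASES = [
    {"ip": "192.168.2.2", "mac": "00:11:22:33:44:55", "hostname": b"laptop-01"},
    {"ip": "192.168.2.3", "mac": "00:11:22:33:44:66", "hostname": b"<script>alert(1)</script>"},
]

if __name__ == "__main__":
    print(render_client_table(SAMPLE_LEASES))
```

Escaping the IP and MAC columns as well costs nothing and protects against the same class of bug if those fields are ever populated from a less trusted source than the lease database.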
SurgeFTP Denial of Service and Script Insertion Vulnerability
Secunia Advisory: SA26061
Release Date: 2007-07-12
Critical: Less critical
Impact: Cross Site Scripting, DoS
Where: From remote
Solution Status: Vendor Patch
Software: SurgeFTP 2.x
Description:
Nico Leidecker has reported some vulnerabilities in SurgeFTP, which can be exploited by malicious people to conduct script insertion attacks and cause a DoS (Denial of Service).
1) SurgeFTP does not handle malformed responses to the "PASV" command correctly when connecting to a mirrored server. This can be exploited to crash the service by sending specially crafted responses to the "PASV" command.
2) The web interface of SurgeFTP does not properly sanitise certain status messages before using them. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in context of the web interface by sending specially crafted status messages that do not start with a numeric value.
The vulnerabilities are reported in version 2.3a1. Other versions may also be affected.
Solution:
Reportedly, the vulnerabilities have been fixed. Contact the vendor for further details.
Provided and/or discovered by:
Nico Leidecker, Portcullis Computer Security Ltd.
Original Advisory:
http://lists.grok.org.uk/pipermail/fu...20070710/98374694/attachment-0030.txt
http://lists.grok.org.uk/pipermail/fu...20070710/98374694/attachment-0031.txt
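Both SurgeFTP issues come down to trusting what the far end of an FTP control connection says: a malformed `PASV` reply from a mirrored server, and a status message that does not begin with a numeric reply code. A strict reply parser addresses both, so one added example serves both items. This is not SurgeFTP's code or anything from the advisory; the sample replies and the RFC 959 line limit applied here are the example's own choices.

```python
# Added example, not SurgeFTP's code: a strict parser for FTP control replies that
# refuses status lines without a 3-digit code and PASV replies without a well-formed
# (h1,h2,h3,h4,p1,p2) tuple, instead of crashing on them or passing them through.
import re


class FtpReplyError(ValueError):
    """Raised for any reply the parser refuses to trust."""


# "227 text" or "227-text" (multi-line opener); code first, always three digits.
REPLY_RE = re.compile(r'^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$')
PASV_RE = re.compile(r'\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)')


def parse_reply(line: str):
    """Return (code, text) for one FTP reply line, raising on anything else."""
    line = line.rstrip("\r\n")
    if len(line) > 512:  # RFC 959 reply line limit; bounds what a peer can push at us
        raise FtpReplyError("reply line too long")
    m = REPLY_RE.match(line)
    if not m:
        raise FtpReplyError("reply does not start with a 3-digit code: %r" % line[:40])
    return int(m.group("code")), m.group("text")


def parse_pasv(line: str):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    code, text = parse_reply(line)
    if code != 227:
        raise FtpReplyError("expected 227, got %d" % code)
    m = PASV_RE.search(text)
    if not m:
        raise FtpReplyError("227 reply without an (h1,h2,h3,h4,p1,p2) tuple")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise FtpReplyError("value out of range in PASV reply")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise FtpReplyError("PASV reply announces port 0")
    return host, port


def classify(lines):
    """Run parse_pasv over replies, recording the outcome of each instead of raising."""
    out = []
    for line in lines:
        try:
            out.append(("ok", parse_pasv(line)))
        except FtpReplyError as exc:
            out.append(("rejected", str(exc)))
    return out


# Constructed replies: one well-formed, then the malformed shapes the parser must survive.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,19,137).",
    "227 Entering Passive Mode",                         # tuple missing
    "227 Entering Passive Mode (999,0,2,10,19,137).",    # value out of range
    "Entering Passive Mode (192,0,2,10,19,137).",        # no numeric reply code
    "500 Syntax error",                                  # wrong code for PASV
]

if __name__ == "__main__":
    for reply, result in zip(SAMPLE_REPLIES, classify(SAMPLE_REPLIES)):
        print("%-50s -> %s" % (reply, result))
```

A mirroring client would additionally compare the host announced in the 227 reply with the address of the control connection and refuse a data connection elsewhere; that check is outside this block but is the natural companion to strict parsing.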
AVG Anti-Virus "AVG7CORE.SYS" Driver IOCTL Privilege Escalation Vulnerability
Advisory ID : FrSIRT/ADV-2007-2518
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in AVG Anti-Virus, which could be exploited by local attackers to obtain elevated privileges. This issue is caused due to improper address space validation within the "AVG7CORE.SYS" driver when processing IOCTL 0x5348E004, which could be exploited by malicious users to overwrite arbitrary kernel memory addresses and execute code with elevated privileges.
Affected Products
AVG Anti-Virus Free versions 7.x
AVG Anti-Virus Professional Edition versions 7.x
Solution
Upgrade to the latest version :
http://www.grisoft.com/doc/32/us/crp/0
References
http://www.frsirt.com/english/advisories/2007/2518
Credits
Vulnerability reported by Jonathan Lindsay (NGSSoftware).
Mail Machine "archives" Parameter Processing Arbitrary File Download Vulnerability
Advisory ID : FrSIRT/ADV-2007-2519
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-07-12
Technical Description
A vulnerability has been identified in Mail Machine, which could be exploited by attackers to gain unauthorized access to arbitrary files on a vulnerable system. This issue is caused by an input validation error in the "mailmachine.cgi" script that does not validate the "archives" parameter, which could be exploited by attackers to download arbitrary files from a vulnerable server.
Affected Products
Mail Machine version 3.989 and prior
Solution
The FrSIRT is not aware of any officially supplied patch for this issue.
References
http://www.frsirt.com/english/advisories/2007/2519
Credits
Vulnerability reported by H4.
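The Mail Machine issue is the usual consequence of building a filesystem path from a request parameter without confining it. The following is an added example, not Mail Machine's code or anything from the advisory: a resolver that accepts only a plain file name, resolves it inside a fixed archive directory, and rejects traversal, absolute paths, NUL bytes and symlinks that point outside. The directory layout and file names in `demo()` are constructed for the example.

```python
# Added example, not Mail Machine's code: confine a user-supplied archive name to a
# fixed directory so that a request cannot reach files outside it.
import os
import tempfile
from pathlib import Path


class UnsafeArchivePath(ValueError):
    """Raised when the requested name would resolve outside the archive directory."""


def resolve_archive(archive_dir: str, requested: str) -> Path:
    """Return the absolute path of `requested` inside `archive_dir`, or raise.

    Only a single plain file name is accepted; the resolved path (symlinks followed)
    must sit directly in the archive directory and be a regular file.
    """
    if "\x00" in requested:
        raise UnsafeArchivePath("NUL byte in name")
    if requested in ("", ".", "..") or "/" in requested or "\\" in requested:
        raise UnsafeArchivePath("bad archive name: %r" % requested)
    base = Path(archive_dir).resolve()
    candidate = (base / requested).resolve()  # resolve() follows symlinks
    if candidate.parent != base:
        raise UnsafeArchivePath("%r resolves outside %s" % (requested, base))
    if not candidate.is_file():
        raise UnsafeArchivePath("%r is not a regular file" % requested)
    return candidate


def read_archive(archive_dir: str, requested: str) -> bytes:
    """Serve the archive's bytes; callers see UnsafeArchivePath for anything refused."""
    return resolve_archive(archive_dir, requested).read_bytes()


def demo() -> dict:
    """Build a throwaway archive directory and try good and bad names (constructed data)."""
    root = tempfile.mkdtemp()
    archives = os.path.join(root, "archives")
    os.mkdir(archives)
    with open(os.path.join(archives, "2007-07.txt"), "w") as fh:
        fh.write("list archive for July 2007\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for download\n")
    # A symlink inside the archive directory that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(archives, "link.txt"))
    results = {}
    for name in ["2007-07.txt", "../secret.txt", "/etc/passwd", "link.txt", "2007-07.txt\x00.jpg"]:
        try:
            results[name] = read_archive(archives, name).decode()
        except UnsafeArchivePath as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22r -> %s" % (name, outcome))
```

Comparing the resolved parent against the resolved base, rather than checking for `..` in the string, is what makes the symlink case and any future encoding trick fall out the same way; the string checks in front of it only give clearer error messages.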