Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

VULNERABILITIES \ FIXES - October 20, 2008

Oct 20, 2008 1:45AM PDT

cpCommerce Multiple Cross-Site Scripting Vulnerabilities

Release Date: 2008-10-20

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: cpCommerce 1.x

Description:
Some vulnerabilities have been reported in cpCommerce, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "search" parameter in search.php and to the "name" parameter in sendtofriend.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Update to version 1.2.4

Provided and/or discovered by:
Fabian Fingerle

Original Advisory:
http://www.datensalat.eu/~fabian/cve/CVE-2008-4121-cpcommerce.html

Other References:
cpCommerce:
http://cpcommerce.cpradio.org/

MyNETS Cross-Site Scripting Vulnerability
Oct 20, 2008 1:46AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: MyNETS 1.x

Description:
A vulnerability has been reported in MyNETS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in version 1.2.0 and prior.

Solution:
Update to version 1.2.0.1.

Provided and/or discovered by:
JVN

Original Advisory:
MyNETS:
http://usagi-project.org/PRESS/archives/53

JVN:
http://jvn.jp/jp/JVN53267766/index.html

nfs-utils TCP Wrappers NFS Netgroups Security Bypass
Oct 20, 2008 1:47AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch
Software: nfs-utils 1.x

Description:
A security issue has been reported in nfs-utils, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the TCP wrappers implementation calling the "hosts_ctl()" function with a wrong order of arguments. This can be exploited to bypass access control rules imposed on NFS netgroups and gain access to restricted services.

The security issue is reported in version 1.0.9. Other versions prior to 1.1.3 may also be affected.

Solution:
Update to version 1.1.3 or later.

Provided and/or discovered by:
Reported by Michele Marcionelli in a Red Hat bug report.

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=458676

Linux Kernel Denial of Service and Privilege Escalation
Oct 20, 2008 1:49AM PDT

Release Date: 2008-10-20

Critical: Not critical
Impact: Privilege escalation, DoS
Where: Local system
Solution Status: Vendor Patch
OS: Linux Kernel 2.4.x

Description:
Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges.

Solution:
Update to version 2.4.36.8.

Original Advisory:
http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.8

Other References:
SA25895:
http://secunia.com/advisories/25895/

SA31366:
http://secunia.com/advisories/31366/

VLC Media Player TY Processing Buffer Overflow Vulnerability
Oct 20, 2008 1:50AM PDT

Release Date: 2008-10-20

Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Workaround
Software: VLC media player 0.x

Description:
A vulnerability has been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the processing of TY files and can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions 0.9.0 through 0.9.4. Other versions may also be affected.

Solution:
Fixed in the GIT repository.
http://git.videolan.org/?p=vlc.git;a=...92b87bba99b5ea2e17b7eaa39c462d65e9133

The vendor recommends refraining from opening untrusted files or visiting untrusted websites. Please see the vendor's advisory for additional workaround information.

Provided and/or discovered by:
The vendor credits Tobias Klein.

Original Advisory:
VideoLAN:
http://www.videolan.org/security/sa0809.html

Hummingbird Deployment Wizard ActiveX Control Insecure Methods
Oct 20, 2008 1:51AM PDT

Release Date: 2008-10-20

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Hummingbird Deployment Wizard 2008

Description:
shinnai has discovered some vulnerabilities in Hummingbird Deployment Wizard, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to the DeployRun.DeploymentSetup.1 (DeployRun.dll) ActiveX control providing the insecure "Run()", "SetRegistryValueAsString()", and "PerformUpdateAsync()" methods. These can be exploited to execute arbitrary commands or modify existing registry keys in the context of the currently logged-on user.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are confirmed in DeployRun.dll version 10.0.0.44 included in Hummingbird Deployment Wizard 2008. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
shinnai

Original Advisory:
http://www.shinnai.net/xplits/TXT_L0z0Mimixdsko8kI6VFW.html
http://www.shinnai.net/xplits/TXT_JqLchaIAfq4kSH0NsvJO.html
http://www.shinnai.net/xplits/TXT_2XfQ1sHruhjaoePszNTG.html

phpFastNews "fn-loggedin" Cookie Security Bypass
Oct 20, 2008 1:52AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: Security Bypass
Where: From remote
Solution Status: Unpatched
Software: phpFastNews 1.x

Description:
Qabandi has discovered a vulnerability in phpFastNews, which can be exploited by malicious people to bypass certain security restrictions.

The problem is that the application allows access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the application by creating the cookie "fn-loggedin" and assigning it the value "1".

This vulnerability is confirmed in version 1.0.0. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
Qabandi

Original Advisory:
http://milw0rm.com/exploits/6779
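As an added illustration (not part of the advisory or of phpFastNews itself), the presence-check pattern described above is shown next to a server-side session check in PHP. The cookie name "fn-loggedin" is the advisory's; the admin record, the function names and the demo credentials are hypothetical.

```php
<?php
// Added example, not phpFastNews code. The cookie name "fn-loggedin" comes
// from the advisory; $stored, the function names and the demo password are
// hypothetical.

// VULNERABLE PATTERN (as described in the advisory): the admin check only asks
// whether a client-controlled cookie exists and carries "1". Any client can
// send "Cookie: fn-loggedin=1" without ever having logged in.
function is_admin_vulnerable(array $cookies): bool
{
    return isset($cookies['fn-loggedin']) && $cookies['fn-loggedin'] === '1';
}

// HARDENED: the logged-in state lives server-side in the PHP session and is set
// only after credentials verify. The browser holds just an opaque session ID,
// so there is no cookie value it can forge to become "logged in".
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript (limits XSS impact)
        'samesite' => 'Strict', // not sent on cross-site requests (CSRF)
    ]);
    session_start();
}

// $stored is a hypothetical admin record: ['user' => ..., 'hash' => password_hash(...)].
function login_admin(string $user, string $password, array $stored): bool
{
    $userOk = hash_equals($stored['user'], $user);
    $passOk = password_verify($password, $stored['hash']);
    if (!$userOk || !$passOk) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID on privilege change: blocks session fixation
    $_SESSION['admin_user'] = $stored['user'];
    $_SESSION['login_time'] = time();
    return true;
}

function is_admin_hardened(): bool
{
    return session_status() === PHP_SESSION_ACTIVE && isset($_SESSION['admin_user']);
}

// Stand-alone CLI demonstration. All session calls happen before any output,
// because PHP refuses to start or regenerate a session once output has begun.
$forgedCookies = ['fn-loggedin' => '1'];   // constructed: no credentials involved
$stored = ['user' => 'admin', 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

$results = [];
start_hardened_session();
$results['vulnerable check, forged cookie'] = is_admin_vulnerable($forgedCookies);
$results['hardened check, before login']    = is_admin_hardened();
login_admin('admin', 'wrong password', $stored);
$results['hardened check, bad password']    = is_admin_hardened();
login_admin('admin', 'correct horse battery staple', $stored);
$results['hardened check, valid login']     = is_admin_hardened();

foreach ($results as $label => $granted) {
    printf("%-32s %s\n", $label . ':', $granted ? 'ADMIN' : 'denied');
}
```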

Zeeproperty "adid" SQL Injection Vulnerability
Oct 20, 2008 1:53AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Zeeproperty

Description:
Hussin X has reported a vulnerability in Zeeproperty, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "adid" parameter in bannerclick.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Hussin X

Original Advisory:
http://milw0rm.com/exploits/6780

Fast Click SQL Lite "CFG[CDIR]" File Inclusion Vulnerability
Oct 20, 2008 1:56AM PDT

Release Date: 2008-10-20

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Fast Click SQL Lite 1.x

Description:
NoGe has discovered a vulnerability in Fast Click SQL Lite, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "CFG[CDIR]" parameter in init.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

This vulnerability is confirmed in version 1.1.7. Other versions may also be affected.

Successful exploitation of these vulnerabilities requires that "register_globals" is enabled.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
NoGe

Original Advisory:
http://www.milw0rm.com/exploits/6785

yappa-ng "album" Local File Inclusion Vulnerability
Oct 20, 2008 1:57AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: yappa-ng 2.x

Description:
Vrs-hCk has discovered a vulnerability in yappa-ng, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "album" parameter in index.php is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 2.3.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
Vrs-hCk

Original Advisory:
http://milw0rm.com/exploits/6788
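An added example (not code from yappa-ng, Fast Click SQL Lite or their advisories) of constraining a request-driven include in PHP. It covers the points the two file-inclusion advisories above raise: directory traversal, URL-encoded NUL bytes (the "album" case), and configuration that a request can define when "register_globals" is on (the "CFG[CDIR]" case). The albums directory, the ".php" suffix and the function name are hypothetical.

```php
<?php
// Added example, not yappa-ng or Fast Click SQL Lite code. The parameter name
// "album" and the $CFG['CDIR'] key come from the advisories; ALBUM_ROOT, the
// ".php" suffix and resolve_album() are hypothetical.

// Hypothetical: every includable album script lives directly under this directory.
const ALBUM_ROOT = __DIR__ . '/albums';

/**
 * Map a request-supplied album name to a file under ALBUM_ROOT.
 * Returns the canonical path, or null when the input must be refused.
 */
function resolve_album(string $album): ?string
{
    // 1. NUL bytes. Before PHP 5.3.4 a path was silently cut at the first NUL,
    //    so a "%00" in the parameter discarded whatever suffix the code appended
    //    (the trick the yappa-ng advisory describes). Newer PHP refuses such
    //    paths, but rejecting explicitly does not depend on the PHP version or
    //    on magic_quotes_gpc.
    if (strpos($album, "\0") !== false) {
        return null;
    }
    // 2. Allowlist. A legitimate album name needs only these characters, which
    //    rules out "/", "..", and remote URLs such as "http://" in one step.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $album)) {
        return null;
    }
    // 3. Canonicalise and check containment. realpath() resolves ".." and
    //    symlinks, so anything that still escapes ALBUM_ROOT is caught here.
    $root = realpath(ALBUM_ROOT);
    $path = realpath(ALBUM_ROOT . DIRECTORY_SEPARATOR . $album . '.php');
    if ($root === false || $path === false) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Configuration is set by the application, never by the request. With
// register_globals on, a request could otherwise define $CFG['CDIR'] itself;
// assigning $CFG here and reading parameters only from $_GET closes that path.
$CFG = ['CDIR' => __DIR__];
$album = (isset($_GET['album']) && is_string($_GET['album'])) ? $_GET['album'] : '';

$target = resolve_album($album);
if ($target === null) {
    http_response_code(400);
    exit("invalid album\n");
}
require $target;
```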

Vivvo CMS Unspecified Cross-Site Request Forgery Vulnerability
Oct 20, 2008 1:59AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Hijacking
Where: From remote
Solution Status: Vendor Patch
Software: Vivvo CMS 4.x

Description:
A vulnerability has been reported in Vivvo CMS, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to perform unspecified actions e.g. when a user visits a malicious site.

Solution:
Update to version 4.0.4 (build 3132).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Vivvo CMS:
http://www.vivvo.net/news.php

Woltlab Burning Board rGallery "itemID" SQL Injection Vulnerability
Oct 20, 2008 2:00AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: rGallery 1.x (plugin for Woltlab Burning Board)

Description:
Five-Three-Nine has reported a vulnerability in the rGallery plugin for WoltLab Burning Board, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "itemID" parameter in index.php (when "page" is set to "RGalleryImageWrapper") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in version 1.09. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Five-Three-Nine

Original Advisory:
http://www.milw0rm.com/exploits/6790

e107 "ue[]" SQL Injection Vulnerability
Oct 20, 2008 2:01AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Manipulation of data, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: e107 0.x

Description:
__GiReX__ has discovered a vulnerability in e107, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed as array keys in the "ue[]" array to usersettings.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator password hashes, but requires valid user credentials and knowledge of the database table prefix.

The vulnerability is confirmed in version 0.7.13. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
__GiReX__

Original Advisory:
http://milw0rm.com/exploits/6791

Joomla DS-Syndicate Component "feed_id" SQL Injection
Oct 20, 2008 2:02AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: DS-Syndicate 1.x (component for Joomla)

Description:
boom3rang has discovered a vulnerability in the DS-Syndicate component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "feed_id" parameter in the Joomla! installation's index.php script (when "option" is set to "ds-syndicate" and "version" to "1") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.1.1. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
boom3rang

Original Advisory:
http://milw0rm.com/exploits/6792

Linux Kernel DRM_I915_HWS_ADDR IOCTL Privilege Escalation
Oct 20, 2008 2:03AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Workaround
OS: Linux Kernel 2.6.x

Description:
Olaf Kirch has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to potentially gain escalated privileges.

The vulnerability is caused due to the DRM_I915_HWS_ADDR IOCTL being available to non-root users, which can be exploited to e.g. zero and remap memory locations by sending a specially crafted IOCTL to the driver.

Successful exploitation may allow execution of arbitrary code with escalated privileges, but requires an Intel G33 series or newer chipset.

Solution:
Fixed in version 2.6.27-git8.
http://git.kernel.org/?p=linux/kernel...0893918203ee1a1f6a114316c2a19c072e9bd

Provided and/or discovered by:
Olaf Kirch

Original Advisory:
http://git.kernel.org/?p=linux/kernel...0893918203ee1a1f6a114316c2a19c072e9bd

MUSCLE "Message::AddToString()" Buffer Overflow Vulnerability
Oct 20, 2008 2:04AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: MUSCLE 4.x

Description:
A vulnerability has been discovered in MUSCLE, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.

The vulnerability is caused due to a boundary error within the function "Message::AddToString()" in message/Message.cpp. This can be exploited to cause a stack-based buffer overflow when an application uses the affected function on a specially crafted message.

The vulnerability is confirmed in version 4.30. Other versions may also be affected.

Solution:
Update to version 4.40.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
https://public.msli.com/lcs/muscle/muscle/HISTORY.txt

RealVNC VNC Viewer "CMsgReader::readRect()" Encoding Type Vulnerability
Oct 20, 2008 2:05AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: RealVNC 4.x

Description:
A vulnerability has been discovered in RealVNC VNC Viewer, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within the "CMsgReader::readRect()" function in common/rfb/CMsgReader.cxx when processing encoding types, which can be exploited by sending specially crafted messages to the application.

Successful exploitation may allow the execution of arbitrary code, but requires that the user connects to a malicious server.

The vulnerability is confirmed in RealVNC Free Edition version 4.1.2. Prior versions may also be affected.

Solution:
Update to version 4.1.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.realvnc.com/products/free/4.1/release-notes.html

Debian update for linux-2.6
Oct 20, 2008 2:13AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Exposure of sensitive information, Privilege escalation, DoS
Where: Local system
Solution Status: Vendor Patch
OS: Debian GNU/Linux 4.0

Description:
Debian has issued an update for linux 2.6. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, cause a DoS (Denial of Service) or disclose sensitive information.

Solution:
Apply updated packages.

Original Advisory:
DSA 1655-1:
http://www.debian.org/security/2008/dsa-1655

Other References:
SA31826:
http://secunia.com/advisories/31826

SA32320:
http://secunia.com/advisories/32320

Movable Type Unspecified Cross-Site Scripting Vulnerability
Oct 20, 2008 2:14AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: Movable Type 4.x

Description:
A vulnerability has been reported in Movable Type, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session, in the context of an affected site.

This vulnerability is reported in Movable Type 4, Movable Type 4 Enterprise, Movable Type 4 Community Solution, and Movable Type 4 Open Source version 4.21 and prior. Other versions may also be affected.

Solution:
Update to version 4.22.

Provided and/or discovered by:
JVN credits Mr. Riyuuzi Sakai, Architects Inc.

Original Advisory:
http://jvn.jp/jp/JVN81490697/index.html

Titan FTP Server "SITE" Command Denial of Service
Oct 20, 2008 2:15AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
Software: Titan FTP Server 6.x

Description:
dmnt has reported a vulnerability in Titan FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the processing of the "SITE WHO" command, which can be exploited to exhaust available CPU resources.

The vulnerability is reported in version 6.26 build 630. Other versions may also be affected.

Solution:
Update to version 6.26 build 631.

Provided and/or discovered by:
dmnt

Original Advisory:
http://milw0rm.com/exploits/6753

Midgard Components Framework Unspecified Vulnerabilities
Oct 20, 2008 2:17AM PDT

Release Date: 2008-10-20

Critical: Moderately critical
Impact: Unknown
Where: From remote
Solution Status: Vendor Patch
Software: Midgard Components Framework 8.x

Description:
Some vulnerabilities with unknown impacts have been reported in Midgard Components Framework.

The vulnerabilities are caused due to unspecified errors. No further information is currently available.

Solution:
Update to version 8.09.1:
http://ragnaroek.pear.midgard-project.org/get/midcom-8.09.1.tgz

Original Advisory:
http://freshmeat.net/projects/midcom/?branch_id=38063&release_id=286210

HP SiteScope SNMP Trap Script Insertion Vulnerability
Oct 20, 2008 2:18AM PDT

Release Date: 2008-10-20

Critical: Less critical
Impact: Cross Site Scripting
Where: From local network
Solution Status: Unpatched
Software: HP SiteScope 9.x

Description:
Secunia Research has discovered a vulnerability in HP SiteScope, which can be exploited by malicious people to conduct script insertion attacks.

Input passed in received SNMP trap messages is not properly sanitised before being displayed in the web interface. This can be exploited to execute arbitrary HTML and script code in context of an administrative user's browser session when viewing the information in the management interface.

The vulnerability is confirmed in version 9.0 build 911. Other versions may also be affected.

Solution:
Do not view SNMP traps in the web interface.

Provided and/or discovered by:
Dyon Balding, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2007-84/

GearSoftware Powered Products Local Privilege Escalation (IopfCompleteRequest)
Oct 20, 2008 2:19AM PDT

20 Oct. 2008

Summary
"GEAR Software has set the standard for professional DVD & CD recording software for more than twenty years. GEAR develops solutions for professional premastering, DVD editing and authoring, and is also a leading provider of development tools that enable software companies to integrate optical recording technology into their own products. GEAR technology is integrated into solutions from some of the world's most prominent technology organizations, including Apple, Symantec, Siemens, Kodak, Philips and Bosch, among many others". Microsoft Windows Kernel is prone to a local privilege escalation due to an integer overflow error within the IopfCompleteRequest function. This vulnerability may allow attackers to execute arbitrary code in the kernel context, thus allowing escalation of privileges to SYSTEM. However, the attack vector needed for taking advantage of this weakness has not been identified on an out-of-the-box Windows installation. Therefore, a third-party application is, so far, the only possible attack vector to exploit this issue.

Credit:
The information has been provided by Ruben Santamarta.
The original article can be found at: http://www.wintercore.com/advisories/advisory_W021008.html

http://www.securiteam.com/windowsntfocus/6X00S00MUG.html

Lenovo Rescue and Recovery Local Kernel Overflow
Oct 20, 2008 2:22AM PDT

20 Oct. 2008

Summary
Lenovo Rescue and Recovery monitors system changes and enables users to quickly restore their systems in the event of failure. One component of the Rescue and Recovery system is a file system filter driver which monitors new file writes/reads.

There is a heap overflow in the Lenovo Rescue and Recovery file system filter kernel driver which could allow an attacker to overwrite kernel memory leading to elevation of privilege.

Credit:
The information has been provided by Chris Clark and Rachel Engel.
The original article can be found at: https://www.isecpartners.com/advisories/2008-02-lenovornr.txt

http://www.securiteam.com/windowsntfocus/6U00P00MUQ.html

Novell eDirectory Multiple Vulnerabilities (dhost.exe)
Oct 20, 2008 2:23AM PDT

20 Oct. 2008

Summary
Multiple vulnerabilities have been discovered in Novell eDirectory's dhost.exe service. These vulnerabilities would allow an attacker to overflow internal buffers used by the product, which can then be leveraged to cause the execution of arbitrary code.

Credit:
The information has been provided by Zero Day Initiative (ZDI).
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-08-063, http://www.zerodayinitiative.com/advisories/ZDI-08-064, http://www.zerodayinitiative.com/advisories/ZDI-08-065 and http://www.zerodayinitiative.com/advisories/ZDI-08-066


http://www.securiteam.com/windowsntfocus/6V00Q00MUA.html

Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability
Oct 20, 2008 2:24AM PDT

20 Oct. 2008

Summary
There exists a vulnerability within a function of the Sun Solstice AdminSuite sadmind, which when properly exploited can lead to remote compromise of the vulnerable system. This vulnerability was confirmed by us in the following versions of the Sun operating system; other versions may also be affected.

Credit:
The information has been provided by RISE Security.
The original article can be found at: http://risesecurity.org/advisories/RISE-2008001.txt

http://www.securiteam.com/unixfocus/6S00N00MUW.html

VLC Media Player XSPF Memory Corruption
Oct 20, 2008 2:25AM PDT

20 Oct. 2008

Summary
VLC media player is an open-source, highly portable multimedia player for various audio and video formats, as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.

VLC media player is vulnerable to a memory corruption vulnerability, which can be exploited by malicious remote attackers to compromise a user's system, by providing a specially crafted XSPF playlist file. The vulnerability exists because the VLC ('demux/playlist/xspf.c') library does not properly perform bounds-checking on an 'identifier' tag from an XSPF file before using it to index an array on the heap. This can be exploited to overwrite an arbitrary memory address in the context of the VLC media player process, and eventually get arbitrary code execution by opening a specially crafted file.

Credit:
The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/content/vlc-xspf-memory-corruption


http://www.securiteam.com/securitynews/6Q00L00MUU.html

Telecom Italia Alice Pirelli Routers Backdoor Activates Telnet/FTP/TFTP
Oct 20, 2008 2:27AM PDT

20 Oct. 2008

Summary
An embedded backdoor allows activation of the telnet/FTP/TFTP/web extended admin interface service with Admin privileges, from the internal LAN, on Alice ADSL CPE Modem/Router devices manufactured by Pirelli on a Broadcom platform.

Credit:
The information has been provided by saxdax and drpepperONE.

http://www.securiteam.com/securitynews/6R00M00MUK.html

Marvell Driver Malformed Association Request Vulnerability
Oct 20, 2008 2:28AM PDT

20 Oct. 2008

Summary
The wireless drivers in some Wi-Fi access points (such as the MARVELL-based Linksys WAP4400N) do not correctly parse some malformed 802.11 frames.

Credit:
The information has been provided by Laurent Butti and Julien Tinnes.

http://www.securiteam.com/securitynews/6T00O00MUG.html

Graphviz Buffer Overflow Code Execution
Oct 20, 2008 2:29AM PDT

20 Oct. 2008

Summary
Graphviz is "an open-source multi-platform graph visualization software. It takes a description of graphs in a simple text format (DOT language), and makes diagrams out of it in several useful formats (including SVG)". A vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so.

Credit:
The information has been provided by Roee Hay.
The original article can be found at: http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html


http://www.securiteam.com/securitynews/6W00R00MUQ.html

Critical patch for BEA Weblogic on Oracle patch day
Oct 20, 2008 3:22AM PDT