.:[ packet storm ]:.
                             
the internet's safety

 Section:  .. / 0705-advisories  /


 ///  File Name: 04.27.07-1.txt
Description:
iDefense Security Advisory 04.27.07 - Remote exploitation of a design error in the "Shared Folders" feature of VMware Inc.'s VMware Workstation could allow an attacker to write arbitrary content from a guest system to arbitrary locations on the host system. The "Shared Folders" feature of VMware Workstation allows folders on the physical "host" system to be shared with virtual "guest" systems. Due to a flaw in the code which validates that the filename is safe, an attacker or malicious code within the guest system can read or write files on the host system in the context of the user running Workstation. iDefense confirmed this vulnerability to exist in VMware Workstation 5.5.3 build 34685 on a Windows XP SP2 host. Other versions may also be affected.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:3844
Related CVE(s):CVE-2007-1744
Last Modified:May 3 07:17:50 2007
MD5 Checksum:a5985d27acc6eb6f99e110ce44769ee8

 ///  File Name: 04.30.07-1.txt
Description:
iDefense Security Advisory 04.30.07 - Remote exploitation of multiple vulnerabilities in the Internet Relay Chat (IRC) module of Cerulean Studios' Trillian could allow for the interception of private conversations or execution of code as the currently logged on user. When handling long CTCP PING messages containing UTF-8 characters, it is possible to cause the Trillian IRC client to return a malformed response to the server. This malformed response is truncated and is missing the terminating newline character. This could allow the next line sent to the server to be improperly sent to an attacker. When a user highlights a URL in an IRC message window, Trillian copies the data to an internal buffer. If the URL contains a long string of UTF-8 characters, it is possible to overflow a heap-based buffer, corrupting memory in a way that could allow for code execution. A heap overflow can be triggered remotely when the Trillian IRC module receives a message that contains a font face HTML tag with the face attribute set to a long UTF-8 string. iDefense has confirmed the existence of this vulnerability in Cerulean Studios Trillian 3.1.
Author:enhalos
Homepage:http://www.idefense.com/
File Size:3461
Last Modified:May 3 08:35:16 2007
MD5 Checksum:ae9a653cbd647041c3db1bf6b7603b55

 ///  File Name: 05.02.07-1.txt
Description:
iDefense Security Advisory 05.02.07 - Remote exploitation of a heap overflow vulnerability within LiveData's Protocol Server could allow an attacker to cause the service to crash or potentially execute arbitrary code with SYSTEM privileges. iDefense has confirmed the existence of this vulnerability in LiveData Protocol Server version 5.00.045 which was the current release as of September 13th 2006.
Homepage:http://www.idefense.com/
File Size:3470
Last Modified:May 3 09:46:53 2007
MD5 Checksum:879424bc88729ddda6fed02139472d3d

 ///  File Name: 05.07.07-1.txt
Description:
iDefense Security Advisory 05.07.07 - Local exploitation of an integer signedness error in Sun Microsystems' Solaris could allow attackers to cause a kernel panic, leading to a DoS condition on the affected computer. The facl() system call is used to set access controls on a file. Due to an improper check on one of the arguments passed to this function, an attacker can cause the kernel to allocate a large amount of memory, which causes a kernel panic. iDefense has confirmed the existence of this vulnerability in Solaris 10 on x86 and SPARC architectures. It is suspected that earlier versions are also affected.
Homepage:http://www.idefense.com/
File Size:3010
Last Modified:May 8 11:12:47 2007
MD5 Checksum:352b4c8e0a105b097dc2fdb7ea33c60e

 ///  File Name: 05.08.07-1.txt
Description:
iDefense Security Advisory 05.08.07 - Remote exploitation of a buffer overflow in an ActiveX control distributed with McAfee Security Center could allow for the execution of arbitrary code. iDefense confirmed the existence of this vulnerability using McAfee Virus Scan 10.0.27 running on Windows XP SP2. However, many additional McAfee products are reported to install this component.
Author:Peter Vreugdenhil
Homepage:http://www.idefense.com/
File Size:4695
Last Modified:May 10 04:22:18 2007
MD5 Checksum:55724073f11143b0ac7a085bacb12eb7

 ///  File Name: 05.08.07-2.txt
Description:
iDefense Security Advisory 05.08.07 - Remote exploitation of an input validation error in the handling of AutoFilter records in Excel BIFF8 format spreadsheet files by Microsoft Corp.'s Excel 2003 could allow an attacker to execute arbitrary code in the context of the current user. The AutoFilter feature of Excel allows data not matching the specified criteria to be filtered out. By creating a document containing a specially crafted filter record, an attacker is able to cause an invalid memory access leading to arbitrary code execution. iDefense has confirmed Microsoft Excel 2003 is vulnerable. Previous versions are also likely to be affected. Excel 2007 does not appear to be vulnerable.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:4047
Related CVE(s):CVE-2007-1214
Last Modified:May 10 05:57:15 2007
MD5 Checksum:d27db40fb89a0c701dc0fca564b08c70

 ///  File Name: 05.08.07-3.txt
Description:
iDefense Security Advisory 05.08.07 - Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s Word could allow attackers to execute arbitrary code under the privileges of the target user. This vulnerability specifically exists in the handling of property strings of certain control words in an RTF document. In certain circumstances, these property strings can be written into a memory region which has already been deallocated and heap corruption can occur. iDefense has confirmed that winword.exe file version 11.0.8106.0, as included with a fully patched Microsoft Word 2003 SP2, is vulnerable. Previous versions of Microsoft Word are also likely to be affected.
Homepage:http://www.idefense.com/
File Size:4203
Related CVE(s):CVE-2007-1202
Last Modified:May 10 05:58:15 2007
MD5 Checksum:28fa9f14d32120f6d9bb8a85f0086f5f

 ///  File Name: 05.08.07-4.txt
Description:
iDefense Security Advisory 05.08.07 - Remote exploitation of an integer overflow vulnerability in the IMAP service of Microsoft Exchange 2000 could allow a remote attacker to crash all running Exchange services and other services in the same process. The vulnerability specifically exists in code responsible for reading of literals in the IMAP4 service. When the IMAP4 service encounters a specially crafted literal, it fails to properly process it. An access violation occurs causing an unhandled exception that terminates the process. iDefense confirmed the existence of this vulnerability in Microsoft Exchange 2000 with Service Pack 3.
Author:Joxean Koret
Homepage:http://www.idefense.com/
File Size:3409
Related CVE(s):CVE-2007-0221
Last Modified:May 10 05:59:23 2007
MD5 Checksum:41dfd11ab1612d6ad35ed1f0004b4d0e

 ///  File Name: 05.09.07-1.txt
Description:
iDefense Security Advisory 05.09.07 - Remote exploitation of a design error vulnerability in an ActiveX control installed by Symantec Norton Internet Security 2006 could allow for the execution of arbitrary code. iDefense confirmed the existence of this vulnerability within version 12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security 2006. Prior versions are suspected to be vulnerable.
Author:Peter Vreugdenhil
Homepage:http://www.idefense.com/
File Size:3995
Related CVE(s):CVE-2006-3456
Last Modified:May 10 05:56:05 2007
MD5 Checksum:7927b6b7092a2f9525bdd7fc8f777708

 ///  File Name: 05.09.07-2.txt
Description:
iDefense Security Advisory 05.09.07 - Local exploitation of a buffer overflow vulnerability in Computer Associates International Inc.'s (CA) eTrust Antivirus allows attackers to execute arbitrary code with SYSTEM privileges. The Task Service component of eTrust Antivirus, InoTask.exe, is used to schedule and execute tasks such as scanning the system for viruses. The service uses a shared file mapping to share information about scheduled tasks. The file mapping has a NULL security descriptor, which allows any user to modify its contents. By modifying a string inside of this mapping, an attacker can trigger a stack-based overflow in the InoTask process. iDefense confirmed that CA eTrust Antivirus r8 on Windows is vulnerable.
Author:binagres
Homepage:http://www.idefense.com/
File Size:3504
Related CVE(s):CVE-2007-2523
Last Modified:May 11 04:02:12 2007
MD5 Checksum:93ef0d3457b92f32e35c449f66804be2

 ///  File Name: 05.10.07-1.txt
Description:
iDefense Security Advisory 05.10.07 - Local exploitation of a design error vulnerability in the srsexec binary optionally included in Sun Microsystems Inc.'s Solaris 10 allows attackers to gain access to sensitive information, such as the root password hash. The vulnerability specifically exists because of a failure to drop permissions or check the permissions on the file specified for the target file. If a user specifies verify only mode (-v) as well as debug mode (-d), and specifies a protected file such as /etc/shadow, srsexec will display the first line of /etc/shadow in the debug messages. iDefense has confirmed the existence of this vulnerability in Solaris 10 with the SUNWsrspx package installed.
Homepage:http://www.idefense.com/
File Size:3731
Last Modified:May 11 04:03:13 2007
MD5 Checksum:825b8fad3d665c164ee2330c41490f69

 ///  File Name: 05.10.07-2.txt
Description:
iDefense Security Advisory 05.10.07 - Remote exploitation of a buffer overflow vulnerability within Novell Inc.'s NetMail allows attackers to execute arbitrary code with the privileges of the service. This vulnerability specifically exists within the SSL version of the "NMDMC.EXE" service. The application does not perform sufficient input validation when copying data into a fixed-size stack buffer. When processing a specially crafted request made to this service, a stack-based buffer overflow occurs, leading to corruption of program control registers saved on the stack. iDefense has confirmed the existence of this vulnerability within version 3.52e_FTF2 of Novell Inc.'s NetMail. Older versions are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3110
Last Modified:May 11 04:03:48 2007
MD5 Checksum:dc11553dd0c89f52a4081a3c78bf573c

 ///  File Name: 05.10.07-3.txt
Description:
iDefense Security Advisory 05.10.07 - Remote exploitation of multiple buffer overflow vulnerabilities in Apple Inc.'s Darwin Streaming Proxy allows attackers to execute arbitrary code with the privileges of the running service, usually root. Due to insufficient sanity checking, a stack-based buffer overflow could occur while trying to extract commands from the request buffer. The "is_command" function, located in proxy.c, lacks bounds checking when filling the 'cmd' and 'server' buffers. Additionally, a heap-based buffer overflow could occur while processing the "trackID" values contained within a "SETUP" request. If a request with more than 32 values is encountered, memory corruption will occur. iDefense has confirmed the existence of these vulnerabilities in Darwin Streaming Server 5.5.4 and Darwin Streaming Proxy 4.1. It is suspected that earlier versions are also vulnerable.
Homepage:http://www.idefense.com/
File Size:4396
Related CVE(s):CVE-2007-0749, CVE-2007-0748
Last Modified:May 11 04:05:01 2007
MD5 Checksum:be68582e3d87c6ad155585a8cbd9bd2c

 ///  File Name: 05.14.07-1.txt
Description:
Remote exploitation of a command injection vulnerability within Samba Project's Samba could allow an attacker to execute arbitrary code with nobody privileges. The vulnerability exists within the code responsible for updating a user's password in the SAM database. Unfiltered user input is passed to "/bin/sh". This allows an attacker to execute arbitrary shell commands with the privileges of the nobody user. iDefense has confirmed the existence of this vulnerability in Samba version 3.0.24. Previous versions of Samba release 3 may be vulnerable. Release version 2 and below did not have this feature.
Homepage:http://www.idefense.com/
File Size:3621
Related CVE(s):CVE-2007-2447
Last Modified:May 15 08:39:44 2007
MD5 Checksum:629add6846a069a66788467f82a3a333

 ///  File Name: 05.23.07-1.txt
Description:
iDefense Security Advisory 05.23.07 - Remote exploitation of a stack-based buffer overflow in Opera Software ASA's Opera Web browser could allow an attacker to execute arbitrary code on the affected host. Opera 9.2 supports BitTorrent downloads. If a server sends the browser a specially crafted BitTorrent header, it can lead to a buffer overflow. The buffer overflow is triggered when the user right clicks on the item in the download pane. iDefense has confirmed the existence of this vulnerability in the Opera version 9.2 for Windows. Previous versions may also be affected.
Author:enhalos
Homepage:http://www.idefense.com/
File Size:2667
Last Modified:May 24 04:09:48 2007
MD5 Checksum:e782312def384c697fff20d9c45a910b

 ///  File Name: 05.24.07-1.txt
Description:
iDefense Security Advisory 05.24.07 - Local exploitation of a privilege escalation vulnerability in Apple Computer Inc.'s Mac OS X pppd could allow an attacker to gain root privileges. The vulnerability exists due to insufficient access validation when processing the "plugin" command line option. The application does not properly verify that the requesting user has root privileges and allows any user to load plug-ins. When checking to see if the executing user has root privileges, a check is made to see if the stdin file descriptor is owned by root. Passing this check is trivial and allows the attacker to load arbitrary plug-ins resulting in arbitrary code execution with root privileges. iDefense has confirmed the existence of this vulnerability in version 10.4.8 of Mac OS X. Other versions may also be affected.
Homepage:http://www.idefense.com/
File Size:3568
Related CVE(s):CVE-2007-0752
Last Modified:May 30 22:49:34 2007
MD5 Checksum:05fecd15da1bbba24ed181f41519fb2d

 ///  File Name: 05.25.07-1.txt
Description:
iDefense Security Advisory 05.25.07 - Remote exploitation of multiple stack-based buffer overflows in Sun Microsystems Inc.'s Java System Web Proxy allows unauthenticated attackers to execute arbitrary code with superuser privileges. The problem specifically exists within the "sockd" daemon. This daemon implements SOCKS proxy support for the Web Proxy product. Attackers can cause a buffer overflow by manipulating certain bytes during protocol negotiation. iDefense has confirmed the existence of this vulnerability using version 4.0.3 of Sun Java Web Proxy Server. Lab tests were performed on an x86 Red Hat Enterprise Linux machine. Previous versions, including products released under the "Sun ONE" product line, are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3483
Last Modified:May 31 05:12:04 2007
MD5 Checksum:1598909a3d4f1ba7380b51a8e5f82b75

 ///  File Name: 12all-upload.txt
Description:
1-2-All versions 4.5x through 4.53.13 use blacklisting instead of whitelisting for file extensions, allowing for malicious file uploads.
Author:John McGuire
File Size:592
Last Modified:May 4 07:53:46 2007
MD5 Checksum:cd908b94fc37f5597e479409ee98edd7

 ///  File Name: acp3-multi.txt
Description:
ACP3 suffers from cookie manipulation, cross site scripting, and SQL injection vulnerabilities.
Author:John Martinelli
Homepage:http://john-martinelli.com/
File Size:1812
Last Modified:May 8 09:49:44 2007
MD5 Checksum:0e726168af051f76a98ac20c3f0b7a2a

 ///  File Name: adobe-xss.txt
Description:
Adobe RoboHelp 6, RoboHelp Server 6, and RoboHelp X5 suffer from a cross site scripting vulnerability.
Author:Michael Domberg
Homepage:http://www.devtarget.org/
File Size:3552
Last Modified:May 12 04:46:33 2007
MD5 Checksum:5636fefbce5c006174287a4e8757d98b

 ///  File Name: ag-leak.txt
Description:
Advanced Guestbook version 2.4.2 is prone to multiple information disclosure vulnerabilities.
Author:Jesper Jurcenoks
Homepage:http://www.netvigilance.com/
File Size:4950
Related OSVDB(s):33876
Related CVE(s):CVE-2007-0608
Last Modified:May 8 11:42:12 2007
MD5 Checksum:55f6efc225d1bfb0e161cc07b32412a2

 ///  File Name: ap-pwn.txt
Description:
The AP Newspower software installs with a MySQL instance that has a blank root password, allowing for remote attackers to manipulate the news.
Author:gobbles_fo_evar
File Size:1517
Last Modified:May 10 03:37:40 2007
MD5 Checksum:42bd122436e11e042e559ada335afce4

 ///  File Name: ASA-2007-013.txt
Description:
Asterisk Project Security Advisory - IAX2 users can cause unauthorized data disclosure.
Author:Tim Panton, Birgit Arkesteijn
Homepage:http://www.asterisk.org/security
File Size:15262
Related CVE(s):CVE-2007-2488
Last Modified:May 8 09:40:09 2007
MD5 Checksum:4d86386d1adc849a361624b4630d67dc

 ///  File Name: ASPR-2007-05-14-1.txt
Description:
ACROS Security Problem Report #2007-05-14-1 - There is a session fixation vulnerability in HP Systems Insight Manager 4.2 and 5.0 SP4/5 (IM) that allows an attacker to gain administrative access to the IM console. As a result, the attacker can take complete administrative control over all managed systems, upload and execute malicious code on them, extract any information from them and disable them at her will.
Homepage:http://www.acrossecurity.com/
File Size:4675
Last Modified:May 21 06:01:13 2007
MD5 Checksum:e7e668d4412559a0e42a337e73fbbb1d

 ///  File Name: bypassing-pwf-hips.txt
Description:
A flaw with how various personal firewalls and HIPS software use process identifiers in Microsoft Windows allows for complete bypass. Comodo Firewall Pro 2.4.18.184, Comodo Personal Firewall 2.3.6.81, and ZoneAlarm Pro 6.1.744.001 are some of the products affected.
Homepage:http://www.matousec.com/
Related Exploit:BTP00000P000ZA.zip
File Size:1854
Last Modified:May 17 02:41:16 2007
MD5 Checksum:579317c5c7048a1cd8e38680cff269df