|
|
|
|
Windows Kernel Library Filename Parsing Vulnerability
Author: Lucas Apa
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Windows. User interaction is required to exploit this vulnerability in that the target must open or browse to a file or subfolder with a specially crafted name on a network SMB share, a UNC share or a WebDAV web folder.
The vulnerability exists in a critical operating system DLL, so it could be exploited when a user land application browses the file system using the Windows API, such as when opening a folder (File->Open).
Routines within the KERNEL32.DLL dynamic link library do not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption, which can be used to run arbitrary code in the context of the current user.
IOActive has developed a proof-of-concept Unicode exploit that overwrites the saved return address with arbitrary data sent by a modified SMB server.
Read the technical details here.
|
IBM Informix XML functions overflows
Author: Ariel Matias Sanchez
Informix is one of the world's most widely used database servers, with users ranging from the world's largest corporations to start-ups. Informix incorporates design concepts that are significantly different from traditional relational platforms, resulting in extremely high levels of performance and availability, distinctive capabilities in data replication and scalability, and minimal administrative overhead.
Informix contains two vulnerabilities affecting several versions. Exploitation of these vulnerabilities may allow execution of arbitrary code or cause denial of service (DoS).
Read the technical details here.
|
Multiple Vulnerabilities in Fwknop
Author: Fernando Arnaboldi
Fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter and libpcap. A server might appear to have no open ports available, but it could still grant access to certain services if authorized fwknop packets are received. This service is commonly used on exposed systems which need to diminish the attack surface of their services.
Fwknop contains several vulnerabilities, of which the most critical could allow remote authenticated attackers to take advantage of flaws to execute code and/or to produce denials of service. In addition to that, certain local flaws could also be triggered to execute code.
Read the technical details here.
|
XBMC File Traversal Vulnerability
Author: Lucas Lundgren
XBMC is an award-winning free and open source (GPL) software media player and entertainment hub for digital media. XBMC is available for Linux, OSX, and Windows. Created in 2003 by a group of like-minded programmers, XBMC is a non-profit project run and developed by volunteers located around the world. More than 50 software developers have contributed to XBMC, and 100-plus translators have worked to expand its reach, making it available in more than 30 languages
Currently XBMC can be used to play almost all popular audio and video formats around. It was designed for network playback, so you can stream your multimedia from anywhere in the house or directly from the internet using practically any protocol available. Use your media as-is: XBMC can play CDs and DVDs directly from the disk or image file, almost all popular archive formats from your hard drive, and even files inside ZIP and RAR archives. It will even scan all of your media and automatically create a personalized library complete with box covers, descriptions, and fanart. There are playlist and slideshow functions, a weather forecast feature and many audio visualizations. Once installed, your computer will become a fully functional multimedia jukebox.
Vulnerability is exploitable and tested on XBMC 11 and latest Nightly build of 20121028, for Linux, Raspberry Pi, and a Jailbroken AppleTV 2. XBMC. Potentially any device running XBMC with the webserver might be vulnerable. XBMC is not installed by default in any of the tested platforms. The XBMC team was notified of the vulnerability on October 31, 2012, and has approved the release of this advisory.
Read the technical details here.
|
SIEMENS Sipass Integrated 2.6 Ethernet Bus Arbitrary Pointer Dereference
Author: Lucas Apa
The vulnerability exists within AscoServer.exe during the handling of RPC messages over the Ethernet Bus. Insufficient sanity checking allows remote and unauthenticated attackers to corrupt a Heap-Allocated Structure and then dereference an arbitrary pointer.
When manipulating an IOCP message, it is possible to alter the behavior of message parsing, allowing another IOCP message to subvert the listener of IOCP messages, leading to export of a write-n primitive.
This flaw allows remote attackers to execute arbitrary code on the target system, under the context of the SYSTEM account, where the vulnerable versions of SIEMENS SiPass Integrated are installed.
Read the technical details here.
|
Invensys Wonderware InTouch 10 DLL Hijack
Author: Carlos Hollman
ICS-CERT originally released Advisory ICSA-12-177-01P on the US-CERT Portal on July 05, 2012. This web page release was delayed to provide the vendor time to contact customers concerning this information.
Independent researcher Carlos Mario Penagos Hollmann has identified an uncontrolled search path element vulnerability, commonly referred to as a DLL hijack, in the Invensys Wonderware InTouch application. Successfully exploiting this vulnerability could lead to arbitrary code execution.
ICS-CERT has coordinated the report with Invensys, which has produced an upgrade to address this vulnerability. Mr. Hollmann has validated that the upgrade resolves the reported vulnerability.
Read the technical details here.
|
WellinTech KingView and KingHistorian Multiple Vulnerabilities
Author: Carlos Hollman
Independent researchers Carlos Hollmand and Dillon Beresford identified multiple vulnerabilities in WellinTech's KingView and a single vulnerability in WellinTech's KingHistorian applications. These vulnerabilities can be exploited remotely. WellinTech has created a patch and the researchers have validated that the patch resolves these vulnerabilities in the KingView and KingHistorian applications.
Read the technical details here.
|
Sielco Sistemi Winlog Multiple Vulnerabilities
Author: Carlos Hollman
This advisory is a follow-up to the alerts titled "ICS-ALERT-12-166-01 Sielco Sistemi Winlog Buffer Overflow" that was published June 14, 2012, and "ICS-ALERT-12-179-01 Sielco Sistemi Winlog Multiple Vulnerabilities" that was published June 27, 2012, on the ICS-CERT web page.
Read the technical details here.
|
Wonderware Archestra ConfigurationAccessComponent ActiveX stack overflow
Author: Richard van Eeden
The Wonderware Archestra ConfigurationAccessComponent ActiveX control that is marked "safe for scripting" is suffering from a stack overflow vulnerability. The UnsubscribeData method of the IConfigurationAccess interface is using wcscpy() to copy its first parameter into a static sized local buffer. Attackers can exploit this vulnerability in order to overwrite arbitrary stack data and gain code execution.
Read the technical details here.
|
Authentication Bypass In Tranax Remote Management Software
Author: Barnaby Jack
Reported: 04.05.10. The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location.
To successfully authenticate to a remote ATM, both the serial number and the RMS password are required. Due to an implementation flaw when verifying these credentials, it is possible to craft a request that bypasses all authentication measures, which means that remote management tasks can be performed with invalid credentials.
The RMS interface is enabled by default on a typical ATM installation.
Read the technical details here.
|
SQL Injection and Cross-site Scripting at www.courts.wa.gov
Author: Mike Davis, Rich Lundeen, and Sean Malone
Discovered: 03.18.10. Reported: 03.23.10. The formID parameter at http://www.courts.wa.gov/forms/ is vulnerable to SQL injection. The searchTerms parameter at
http://www.courts.wa.gov/search/index.cfm is vulnerable to cross-site scripting attacks. Exploiting these vulnerabilities would likely expose sensitive data and may result in compromise of the
affected systems.
Read the technical details here.
|
Multiple Vulnerabilities in Accoria Web Server
Author: Ilja van Sprundel
Discovered/Reported to Accoria: December 2008. Date Reported to US-Cert: March 1, 2010. The Accoria Web Server 1.4.7 for x86 Solaris exhibits multiple vulnerabilities including cross-site scripting, directory traversal, and format string errors.
Read the technical details here.
|
Mach Exception Handling Privilege Escalation
Author: Richard van Eeden
Discovered: 01.05.10. Mach exception handling suffers from a vulnerability that allows an attacker to gain access to the memory of a suid process (set user identifer). Due to a
vulnerability that's similar to CVE-2006-4392 (found by Dino Dai Zovi of Matasano Security), it's possible for a suid process to inherit the Mach exception ports of the parent.
Read the technical details here.
|
Microsoft Windows CryptoAPI X.509 Spoofing Vulnerability
Author: Dan Kaminsky (IOActive), Ian Wright and Jean-Luc Giraud (Citrix)
Release Date: 10.13.09. VUPEN ID: VUPEN/ADV-2009-2891. CVE ID: CVE-2009-2510, CVE-2009-2511.
Two vulnerabilities have been identified in Microsoft Windows that have to do with the use of X.509 certificates and could be exploited by attackers to bypass security restrictions.
Read the technical details here.
|
AppleTalk Response Packet Parsing Array Over-indexing Vulnerability
Author: Ilja van Sprundel
Discovered: 03.03.09. Reported: 03.03.09. Disclosed: 08.05.09. CVE-ID: CVE-2009-2193.
The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is powered on, could lead to a remote system compromise. Even if only partially exploited, it could lead to denial of service and cause a kernel panic remotely, effectively shutting down the system.
Read the technical details here.
|
doc.export* Methods Allow Arbitrary File Creation
Discovered: 07.13.09. Several JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on a targeted file system.
Read the technical details here.
|
Recursive Stack Overflow in ClamAV
Author: Ilja van Sprundel
Reported: 10.30.08. Patched: 12.01.08. Disclosed: 06.09.0. ClamAV's JPEG parser contains code that recursively checks thumbnails if they are included. Since the thumbnails can be JPEGs, there is no limit to the amount of recursions that can occur, leading to potential stack overflow.
Read the technical details here.
|
Heap Corruption in Tor
Author: Ilja van Sprundel
Discovered: January 2009. Reported: 01.20.09. Disclosed: 06.08.09. There is a potential heap corruption bug in Tor when escaping data for logging purposes. Only certain deployments are vulnerable and the bug can be triggered only from certain locales.
Read the technical details here.
|
Diskimages-helper band-size Vulnerability
Author: Tiller Beauchamp
Reported to Vendor: 09.30.08. Patch Released: 04.29.09. CVE ID: CVE-2009-0150. A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.
Read the technical details here.
|
Pointer Dereference in OpenSolaris
Author: Ilja van Sprundel
Reported: 09.29.08. Disclosed: 02.04.09. Patched: 02.05.09. The OpenSolaris kernel exhibits a vulnerability around a userland pointer dereference, and allows both reading from and writing to the kernel.
Read the technical details here.
|
Multiple Vulnerabilities in Apple's MobileMe Service
Author: Richard van Eeden, Ilja van Sprundel
Reported: 08.05.08. Patched: 11.06.08 Disclosed: 11.20.08. Apple's MobileMe (me.com) web service contains several serious security vulnerabilities, the most critical of which combine Cross-site Request Forgery and Cross-site Scripting, and allow an attacker to access the service without a valid password.
Read the technical details here.
|
QNX ker_msg_sendv System Call Integer Overflow
Author: Ilja van Sprundel
Discovered: 10.30.08. Reported: 10.30.08. Disclosed: 10.31.08. QNX's ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If it is only partially exploited it could lead to denial of service and kernel panic, effectively shutting down the system.
Read the technical details here.
|
DNS TXT Record Parsing Bug in LibSPF2
Author: Dan Kaminsky
Reported: 10.20.08. Disclosed: 10.21.08. A relatively common bug that parses TXT records delivered over DNS—dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier—has been found in LibSPF2, a library that is used frequently to retrieve Sender Policy Framework (SPF) records and apply policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.
Read the technical details here.
|
Buffer Overflow in Mono BigInteger Montgomery Reduction Method
Author: Jason Larsen, Walter Pearce
CVE-2007-5197, VU#146292.
Discovered: 07.25.07. Reported: 08.24.07. Disclosed: 09.20.07. An exploitable buffer overflow vulnerability in the Montgomery reduction method within the Mono Frameworks BigInteger Class (Mono.Math.BigInteger).
Read the technical details here.
|
Multiple Total Remote Compromise Vulnerabilities in Mercury SiteScope Monitoring Software
Author: Chris Paget
CVE-2007-6257, VU#245025. Discovered: 10.05.06. Disclosed: 09.20.07. Critical vulnerabilities within the Mercury SiteScope server monitoring software, some of which allow for complete remote compromise of the entire monitored network as well as arbitrary code execution on all servers managed by the SiteScope software.
Read the technical details here.
|
Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier
Author: Josh Betts, Jason Larsen, Walter Pearce
CVE-2007-6257, VU#245025. Discovered: 05.01.07. Reported: 06.27.07. Disclosed: 09.20.07. A buffer overflow in the Host Header field of the legacy version of the mod_jk2 apache module (jakata-tomcat-connectors) which allows for remote code execution in the context of the apache process.
Read the technical details here.
|
Static Microsoft Windows WPAD entries might allow interception of traffic
Author: Chris Paget
CVE-2007-1692. Disclosed: 03.26.07. The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registerng a proxy server using WINS or DNS, then responding to WPAD requests.
|
Numerous WebEOC Vulnerabilities
VU#956762, VU#170394, VU#138538, VU#372797, VU#491770, VU#258834, and VU#388282.
Date first published: July 2005.
- WebEOC is vulnerable to a denial-of-service condition via uploading large files (VU#956762). Details »
- WebEOC account lock-out policy may allow a denial-of-service (VU#170394).
Details »
- WebEOC is vulnerable to cross-site scripting attacks (VU#138538). Details »
- WebEOC contains multiple SQL injection vulnerabilities (VU#372797). Details »
- WebEOC implements weak algorithms to encrypt sensitive information (VU#491770). Details »
- WebEOC privileges are based on client-side authorization (VU#258834). Details »
- WebEOC uses a global shared key (VU#388282). Details »
|
|
|
|
|
