Section: .. / 0608-advisories /
| /// File Name: |
NISR02082006H.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix it was discovered that any user can create a database and thus gain DBA privileges. On Informix public has the connect privilege; thus anyone with a login may connect. Public can also issue the create database command. When the database is created, the user that created the database is made a DBA of that database. A DBA can execute code as the informix user and trivially gain root privileges. Versions affected include 9.40.xC6 and earlier and 10.00.xC2, C1.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2192 | | Related CVE(s): | CVE-2006-3861 | | Last Modified: | Aug 27 00:41:54 2006 |
| MD5 Checksum: | a9a996c792c7d57a32ccd09ac3c50373 |
|
| /// File Name: |
NISR02082006G.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix it was discovered that an overflow could be triggered in a shared library with the SQLIDEBUG environment variable. This can be triggered to gain root privileges by accessing one of the setuid root binaries such as onmode. Versions affected include 9.40.xC6 and earlier and 10.00.xC2, C1.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2144 | | Related CVE(s): | CVE-2006-3862 | | Last Modified: | Aug 27 00:40:15 2006 |
| MD5 Checksum: | 7f64285bcca453df2f6588f93dc4db6e |
|
| /// File Name: |
NISR02082006F.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix multiple arbitrary command execution flaws were found. It is possible to inject arbitrary operating system commands into the SET DEBUG FILE SQL statement and the start_onpload and dbexp procedures. Any commands injected into SET DEBUG FILE will execute with the privileges of the informix user; any command injected into dbexp or start_onpload will execute with the privileges of the logged on user. All versions are affected.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2021 | | Related CVE(s): | CVE-2006-3860 | | Last Modified: | Aug 27 00:38:50 2006 |
| MD5 Checksum: | 74ea9745c14f2d2c36c2c7fb96ee99a4 |
|
| /// File Name: |
NISR02082006E.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix multiple password exposure flaws were discovered. When a user logs on to an Informix server their cleartext password can be found in a shared memory section. On Windows "everyone" can open the section and read the contents and thus gain access to the passwords for every logged on user. On both Linux and Windows, in the event of a crash the share memory is dumped in a log file which is world readable. All versions are affected.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2005 | | Related CVE(s): | CVE-2006-3858 | | Last Modified: | Aug 27 00:37:52 2006 |
| MD5 Checksum: | a61d36800c1b28ff381005ac203e1e33 |
|
| /// File Name: |
NISR02082006D.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix multiple buffer overflow vulnerabilities were discovered that could be exploited via SQL or the protocol. All versions are affected.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2543 | | Related CVE(s): | CVE-2006-3857 | | Last Modified: | Aug 27 00:36:34 2006 |
| MD5 Checksum: | 8875427912f012a55b6338d61b48cb0d |
|
| /// File Name: |
NISR02082006C.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. An attacker can force to the database server to load an arbitrary library and thus execute arbitrary code. The ifx_load_internal SQL function can be used to load an arbitrary library into the address space of the database server process. By placing code in the DllMain() function on Windows or _init() on Linux an attacker can have this code execute automatically when the library is loaded. In conjunction with exploiting other flaws it is possible to remotely create a library over SQL, dump this to the server disk and then load it. All versions are affected.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2188 | | Related CVE(s): | CVE-2006-3855 | | Last Modified: | Aug 27 00:35:45 2006 |
| MD5 Checksum: | b8d173ad4c04f94ba83b3cd3ce98f140 |
|
| /// File Name: |
NISR02082006B.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. When IBM released a patch for the overly long username buffer overflow (CVE-2006-3853) it was discovered that the patch introduced a new buffer overflow vulnerability. Versions affected include 9.40.xC7 and xC8, 10.00.xC3 and xC4.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2267 | | Related CVE(s): | CVE-2006-3853, CVE-2006-3854 | | Last Modified: | Aug 27 00:34:28 2006 |
| MD5 Checksum: | 0d741bc614c48dd1b99de79937d95136 |
|
| /// File Name: |
NISR02082006A.txt |
Description:
|
NGSSoftware Insight Security Research Advisory - When an Informix server logs on a user it copies the username to a 260 byte stack based buffer without first verifying its length. An attacker can exploit this by overflowing this buffer to overwrite the saved return address on the stack and thus redirect the process' path of execution to a location of their choosing. Versions 9.40.xC6 and below are affected. Versions 10.00.xC2 and below are affected.
| | Author: | David Litchfield | | Homepage: | http://www.ngssoftware.com/ | | File Size: | 2348 | | Related CVE(s): | CVE-2006-3853 | | Last Modified: | Aug 27 00:32:48 2006 |
| MD5 Checksum: | 2a1610a31726c9d9726e8f05d201102c |
|
| /// File Name: |
glsa-200608-20.txt |
Description:
|
Gentoo Linux Security Advisory GLSA 200608-20 - The Ruby on Rails developers have corrected some weaknesses in action_controller/, relative to the handling of the user input and the LOAD_PATH variable. A remote attacker could inject arbitrary entries into the LOAD_PATH variable and alter the main Ruby on Rails process. The security hole has only been partly solved in version 1.1.5. Version 1.1.6 now fully corrects it. Versions less than 1.1.6 are affected.
| | Homepage: | http://security.gentoo.org | | File Size: | 2945 | | Last Modified: | Aug 27 00:19:15 2006 |
| MD5 Checksum: | 6db4d3e282777430d69b590a709e3e9a |
|
| /// File Name: |
SSRT061184.txt |
Description:
|
HP Security Bulletin - A potential security vulnerability has been identified with HP OpenView Storage Data Protector running on HP-UX, IBM AIX, Linux, Microsoft Windows, and Solaris. This vulnerability could allow a remote unauthorized user to execute arbitrary commands.
| | Author: | HP | | Homepage: | http://www.hp.com | | File Size: | 8082 | | Last Modified: | Aug 27 00:18:10 2006 |
| MD5 Checksum: | 30c63fbcf0440d1217be2735a45e9d14 |
|
| /// File Name: |
brainzbof.txt |
Description:
|
libmusicbrainz versions 2.1.2 and below and versions SVN 8406 and below suffer from multiple buffer overflows.
| | Author: | Luigi Auriemma | | Homepage: | http://aluigi.org | | Related Exploit: | brainzbof.zip | | File Size: | 4146 | | Last Modified: | Aug 26 23:10:32 2006 |
| MD5 Checksum: | fd048f832137cc0a65069cfa4e7819fc |
|
| /// File Name: |
mshelpExec.txt |
Description:
|
Multiple remote code execution and denial of service vulnerabilities exist in Microsoft Help (WINHLP32.EXE) due to a file handling issue.
| | Author: | Benjamin Tobias Franz | | File Size: | 1264 | | Last Modified: | Aug 26 23:05:52 2006 |
| MD5 Checksum: | ffe5b850b153c0a263d1d7d760c62c92 |
|
| /// File Name: |
dsa-1150-1.txt |
Description:
|
Debian Security Advisory 1150-1 - A bug has been discovered in several packages that execute teh setuid() system call without checking for sucess when trying to drop privileges, which may fail with some PAM configurations.
| | Homepage: | http://www.debian.org/security | | File Size: | 6768 | | Related CVE(s): | CVE-2006-2194 | | Last Modified: | Aug 26 23:03:57 2006 |
| MD5 Checksum: | 7152a20ff09ddbdc8f6deec67fa0fc8a |
|
| /// File Name: |
SYMSA-2006-014.txt |
Description:
|
Symantec Security Advisory - Symantec Backup Exec for Windows Server suffers from a RPC interface heap overflow and a flaw that allows an authorized user potential elevation of privileges.
| | Author: | Nicolas Pouvesle | | Homepage: | http://www.symantec.com/research | | File Size: | 5435 | | Last Modified: | Aug 26 22:44:56 2006 |
| MD5 Checksum: | 47217c772674ff14497c4bce84e5fe84 |
|
| /// File Name: |
ScatterChat-2006-01.txt |
Description:
|
ScatterChat Advisory 2006-01 - Steven Murdoch, a security researcher with the University of Cambridge, discovered a theoretical weakness in ScatterChat's cryptographic module. He found that an eavesdropper might locate patterns in a private communications channel if extraordinarily large amounts of messages were exchanged in a single conversation.
| | Homepage: | http://www.scatterchat.com/ | | File Size: | 4450 | | Related CVE(s): | CVE-2006-4021 | | Last Modified: | Aug 26 22:40:56 2006 |
| MD5 Checksum: | 933d03d7f648cbedd9c0130a59fdea1f |
|
| /// File Name: |
CYBSEC-SAPIGSBO.txt |
Description:
|
CYBSEC Security Advisory - The SAP Internet Graphics Service (IGS) suffers from a buffer overflow condition.
| | Author: | Mariano Nunez Di Croce | | Homepage: | http://www.cybsec.com | | File Size: | 3548 | | Last Modified: | Aug 26 21:54:44 2006 |
| MD5 Checksum: | 248edcb65495f3b7616044270f30f225 |
|
| /// File Name: |
rubyonrails.txt |
Description:
|
Scott Barron and Tobias Luetke, of the Ruby on Rails Core Team, discovered a fault with the dependency resolution mechanism which can, when exploited by a remote attacker, leave a system vulnerable to denial of service attacks, or even data loss. Affected are versions 1.1.0 through 1.1.5.
| | File Size: | 886 | | Last Modified: | Aug 26 21:50:19 2006 |
| MD5 Checksum: | ddc3b411312b8ae0569f4994f458e025 |
|
| /// File Name: |
glsa-200608-19.txt |
Description:
|
Gentoo Linux Security Advisory GLSA 200608-19 - The WordPress developers have confirmed a vulnerability in capability checking for plugins. Versions less than 2.0.4 are affected.
| | Homepage: | http://security.gentoo.org | | File Size: | 2410 | | Last Modified: | Aug 26 21:45:40 2006 |
| MD5 Checksum: | b3aa681aab6cd648c01b8352659d901a |
|
| /// File Name: |
glsa-200608-18.txt |
Description:
|
Gentoo Linux Security Advisory GLSA 200608-18 - The log function of Net::Server does not handle format string specifiers properly before they are sent to syslog. Versions less than 0.88 are affected.
| | Homepage: | http://security.gentoo.org | | File Size: | 2520 | | Last Modified: | Aug 26 21:43:51 2006 |
| MD5 Checksum: | 08230f9d79c540ffd62c04d95cd190c6 |
|
| /// File Name: |
glsa-200608-17.txt |
Description:
|
Gentoo Linux Security Advisory GLSA 200608-17 - infamous41md discovered that libwmf fails to do proper bounds checking on the MaxRecordSize variable in the WMF file header. This could lead to an head-based buffer overflow. Versions less than 0.2.8.4 are affected.
| | Homepage: | http://security.gentoo.org | | File Size: | 2663 | | Last Modified: | Aug 26 21:43:34 2006 |
| MD5 Checksum: | 3cd50aaef4e60c27bed50ea026b2f353 |
|
| /// File Name: |
glsa-200608-16.txt |
Description:
|
Gentoo Linux Security Advisory GLSA 200608-16 - Luigi Auriemma discovered two buffer overflow vulnerabilities in Warzone 2100 Resurrection. The recvTextMessage function of the Warzone 2100 Resurrection server and the NETrecvFile function of the client use insufficiently sized buffers. Versions less than or equal to 2.0.3 are affected.
| | Homepage: | http://security.gentoo.org | | File Size: | 3262 | | Last Modified: | Aug 26 21:43:16 2006 |
| MD5 Checksum: | c26a9de26ea0c12fb2f3af8e42e03839 |
|
| /// File Name: |
CYBSEC-SAPIGSDOS.txt |
Description:
|
CYBSEC Security Advisory - The SAP Internet Graphics Service (IGS) suffers from a remote denial of service condition.
| | Author: | Mariano Nunez Di Croce | | Homepage: | http://www.cybsec.com | | File Size: | 3043 | | Last Modified: | Aug 26 21:42:09 2006 |
| MD5 Checksum: | 39a23d4600a97b350f9c11425b90dc8d |
|
| /// File Name: |
glsa-200608-15.txt |
Description:
|
Gentoo Linux Security Advisory GLSA 200608-15 - Unchecked calls to setuid() in krshd and v4rcp, as well as unchecked calls to seteuid() in kftpd and in ksu, have been found in the MIT Kerberos 5 program suite and may lead to a local root privilege escalation. Versions less than 1.4.3-r3 are affected.
| | Homepage: | http://security.gentoo.org | | File Size: | 2799 | | Last Modified: | Aug 26 21:38:56 2006 |
| MD5 Checksum: | dabe3a31dcdc17dbdb0e04a912b6c973 |
|
| /// File Name: |
dsa-1149-1.txt |
Description:
|
Debian Security Advisory 1149-1 - Tavis Ormandy from the Google Security Team discovered a missing boundary check in ncompress, the original Lempel-Ziv compress and uncompress programs, which allows a specially crafted datastream to underflow a buffer with attacker controlled data.
| | Homepage: | http://www.debian.org/security | | File Size: | 5048 | | Related CVE(s): | CVE-2006-1168 | | Last Modified: | Aug 26 21:31:54 2006 |
| MD5 Checksum: | f8c277bfbb31ea8808a6d99d7d270a26 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
