.:[ packet storm ]:.
                             
beyond paranoid

 Section:  .. / 0704-advisories  /


 ///  File Name: 03.31.07-1.txt
Description:
iDefense Security Advisory 03.31.07 - Remote exploitation of several buffer overflow vulnerabilities in ImageMagick, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the credentials used for image processing. An integer overflow exists in ImageMagick's handling of DCM (Digital Imaging and Communications in Medicine) format files which allows an attacker to cause a heap-based buffer overflow. This vulnerability specifically exists in the ReadDCMImage() function. Two integer overflows exist in ImageMagick's handling of XWD (X Windows Dump) format files that allow an attacker to cause a heap-based buffer overflow. The vulnerabilities specifically exist in the ReadXWDImage() function. An integer overflow could occur when calculating the amount of memory to allocate for the 'colors' or 'comment' field. iDefense has confirmed the existence of these vulnerabilities in ImageMagick version 6.3.x. Additionally, the source code for versions 6.3.1, 6.3.2, 6.3.3-3 and 6.2.9 contains the affected code. It is suspected that earlier versions of ImageMagick are also vulnerable.
Homepage:http://www.idefense.com/
File Size:4032
Last Modified:Apr 3 02:52:07 2007
MD5 Checksum:e3db8efadfc4cefbd2fd80dafc869eba

 ///  File Name: 03.31.07-2.txt
Description:
iDefense Security Advisory 03.31.07 - Remote exploitation of multiple vulnerabilities within IBM Corp.'s Tivoli Provisioning Manager for OS Deployment allows attackers to crash the service or potentially execute arbitrary code with SYSTEM privileges. These vulnerabilities specifically exist in the handling of multipart/form-data HTTP POST requests. Malformed requests can cause invalid memory accesses leading to denial of service, or in some cases heap corruption. iDefense has confirmed the existence of these vulnerabilities within version 5.1.0.116 of Tivoli Provisioning Manager for OS Deployment. Older versions are suspected to be vulnerable as well.
Homepage:http://www.idefense.com/
File Size:3447
Last Modified:Apr 3 02:54:32 2007
MD5 Checksum:e832c816eea404fdaf3f90ee8f532d3a

 ///  File Name: 04.02.07-1.txt
Description:
iDefense Security Advisory 04.02.07 - Remote exploitation of a buffer overflow vulnerability in an ActiveX control installed by Hewlett-Packard Mercury Quality Center could allow for the execution of arbitrary code. iDefense has confirmed this vulnerability in the control that is installed with the 9.0 version of Hewlett-Packard Mercury Quality Center. The vulnerable ActiveX control is version 9.1.0.4353.
Author:Eric Detoisien, Titon, Ri0t
Homepage:http://www.idefense.com/
File Size:3376
Last Modified:Apr 3 02:53:44 2007
MD5 Checksum:05cb3a803519f121f8fa5bf004dd3404

 ///  File Name: 04.03.07-1.txt
Description:
iDefense Security Advisory 04.03.07 - Remote exploitation of a design error in certain kernel GDI functions in multiple versions of Microsoft Corp.'s Windows operating system may allow an attacker to cause a denial of service condition. During testing of the MS06-001 WMF (Windows Metafile) vulnerability, a flaw was found in the handling of WMF files. This flaw can cause the kernel to perform a bug check, also known as a "blue screen" or system crash, when it tries to parse the file. The cause of this bug check is an attempt by a function in a kernel system call to read a value obtained by dereferencing an offset into a kernel structure. This value had been previously created and then reset by previous system calls, and at the point it is accessed it does not contain a valid memory reference. This results in an access violation error, which in turn triggers the bug check. This vulnerability is different from both the Microsoft MS06-001 WMF vulnerability and the MS05-053 WMF vulnerability and is not fixed by either of these patches.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:4758
Related CVE(s):CVE-2007-1211
Last Modified:Apr 5 00:51:14 2007
MD5 Checksum:3ac9834c0e713667c5071757fe38e31a

 ///  File Name: 04.03.07-2.txt
Description:
iDefense Security Advisory 04.03.07 - Remote exploitation of a buffer overflow vulnerability in the Kerberos kadmind server, as included in various vendors' operating system distributions, could allow attackers to execute arbitrary code on a targeted host. The vulnerability exists within the server's logging function, klog_vsyslog(). A call is made to vsprintf(), with the destination buffer passed as a fixed-size stack buffer. User input is not properly validated before being passed to this function, and a stack-based buffer overflow can occur. iDefense has confirmed the existence of this vulnerability with Kerberos version 1.5.1 on Fedora Core 5. It is likely that all distributions that contain this version of Kerberos are vulnerable.
Homepage:http://www.idefense.com/
File Size:3557
Related CVE(s):CVE-2007-0957
Last Modified:Apr 5 02:11:15 2007
MD5 Checksum:d2db051bd931f4bf4da09013876b41ba

 ///  File Name: 04.03.07-3.txt
Description:
iDefense Security Advisory 04.03.07 - Local exploitation of an integer overflow vulnerability in multiple vendors' implementations of the X Window System server BDF font parsing component could allow execution of arbitrary commands with elevated privileges. The vulnerability specifically exists in the parsing of BDF fonts. When the X server encounters a specially crafted BDF font, an integer overflow occurs leading to a potentially exploitable heap overflow condition. iDefense has confirmed the existence of this vulnerability in X.Org X11R7.1. Older versions are suspected to be vulnerable. Additionally, it is reported that the freetype library is also vulnerable.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:4069
Related CVE(s):CVE-2007-1351
Last Modified:Apr 5 02:58:56 2007
MD5 Checksum:30359c8c7fc83b725aecaa519a4a0e4c

 ///  File Name: 04.03.07-4.txt
Description:
iDefense Security Advisory 04.03.07 - Local exploitation of an integer overflow vulnerability in multiple vendors' implementations of the X Window System font information file parsing component could allow execution of arbitrary commands with elevated privileges. The vulnerability specifically exists in the parsing of the "fonts.dir" font information file. When the element count on the first line of the file specifies it contains more than 1,073,741,824 (2 to the power of 30) elements, a potentially exploitable heap overflow condition occurs. iDefense has confirmed the existence of this vulnerability in X.Org X11R7.1. Older versions are suspected to be vulnerable.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:3951
Related CVE(s):CVE-2007-1352
Last Modified:Apr 5 02:59:16 2007
MD5 Checksum:2d2d4358753d392f60c621adb8c53210

 ///  File Name: 04.03.07-5.txt
Description:
iDefense Security Advisory 04.03.07 - Local exploitation of a memory corruption vulnerability in multiple vendors' X server implementations could allow an attacker to execute arbitrary code with elevated privileges. The XC-MISC extension is used by the X Server to manage resource IDs. It is built in to the X server by default. The vulnerability exists in the ProcXCMiscGetXIDList() function in the XC-MISC extension. This request is used to determine what resource IDs are available for use. Inside this function, the ALLOCATE_LOCAL() macro is used. This macro allocates memory on the stack or heap depending on the availability of the alloca() function. If alloca() is available, the stack is used; otherwise the heap is used. Due to insufficient input validation, it is possible to cause memory corruption by passing specially crafted values to the ProcXCMiscGetXIDList() handler function. iDefense has confirmed the existence of this vulnerability in the X.org server version 7.1-1.1.0. Previous versions may also be affected.
Author:Sean Larsson
Homepage:http://www.idefense.com/
File Size:4138
Related CVE(s):CVE-2007-1003
Last Modified:Apr 5 02:53:34 2007
MD5 Checksum:8a1ce6c14dc43b109074fba25227ac61

 ///  File Name: 04.03.07-6.txt
Description:
iDefense Security Advisory 04.03.07 - Local exploitation of a heap overflow vulnerability in Kaspersky Lab's Internet Security Suite klif.sys could allow an attacker to execute arbitrary code within kernel context. iDefense confirmed this vulnerability in Kaspersky Internet Security 6.0.1.411 for Windows. Previous versions may also be affected.
Homepage:http://www.idefense.com/
File Size:3556
Last Modified:Apr 5 08:55:41 2007
MD5 Checksum:0994d9a726b1e80edff9e0fca9b3fc29

 ///  File Name: 04.04.07-1.txt
Description:
iDefense Security Advisory 04.04.07 - Remote exploitation of an information disclosure vulnerability in Kaspersky AntiVirus 6 could allow malicious websites to steal files off of a user's machine. iDefense has confirmed the existence of this vulnerability in version 6.0 of Kaspersky Antivirus.
Author:Peter Vreugdenhil
Homepage:http://www.idefense.com/
File Size:3414
Last Modified:Apr 5 08:53:47 2007
MD5 Checksum:25f95ec76b493a33ea7cd029093124fc

 ///  File Name: 04.04.07-2.txt
Description:
iDefense Security Advisory 04.04.07 - Remote exploitation of a buffer overflow vulnerability within Environmental Systems Research Institute (ESRI) Inc.'s ArcSDE service allows attackers to execute arbitrary code in the context of the running service. An iDefense contributor reported that version 9.2 is vulnerable to this attack. ESRI confirmed the vulnerability. All prior versions are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3646
Last Modified:Apr 8 01:28:41 2007
MD5 Checksum:75819d79ed48371e0a643b82e4be2de5

 ///  File Name: 04.09.07-1.txt
Description:
iDefense Security Advisory 04.09.07 - Remote exploitation of a path-traversal vulnerability in AOL's AIM and ICQ could allow a remote attacker to place arbitrary files on the victim's machine during a file transfer operation. AIM and ICQ allow users to share and transfer files via a custom protocol. During file transfers, the sender is allowed to specify the display name of the file, and the filename used for the transfer. The recipient can only specify the folder in which to save the file. Due to an input validation flaw, the clients do not properly strip "../" traversal characters from the filename the attacker supplies. By specially encoding the path, attackers can force the file to be saved to a directory of their choosing when the victim accepts the file transfer. iDefense has confirmed this vulnerability in ICQ version 5.1. Previous versions are suspected vulnerable. Additionally, AOL reported that AIM version 5.9 and prior are vulnerable.
Homepage:http://www.idefense.com/
File Size:4011
Last Modified:Apr 10 08:22:44 2007
MD5 Checksum:38118024af561f9ae30f4fab3499164f

 ///  File Name: 04.10.07-1.txt
Description:
iDefense Security Advisory 04.10.07 - Remote exploitation of a buffer overflow vulnerability in the Universal Plug-and-Play (UPnP) component of Microsoft Windows could allow an attacker to execute code in the context of the vulnerable service. The vulnerability specifically exists in the handling of HTTP headers sent to the UPnP control point as part of a request or notification. Because it processes certain fields without checking if there is enough storage space, a malicious request may cause a stack-based buffer overflow, potentially resulting in code execution.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:4866
Related CVE(s):CVE-2007-1204
Last Modified:Apr 11 06:49:54 2007
MD5 Checksum:d3f3aeb459678c191f6ad6d63656eb56

 ///  File Name: 04.11.07-1.txt
Description:
iDefense Security Advisory 04.11.07 - Local exploitation of multiple vulnerabilities within Apache Software Foundation's suexec utility could allow an attacker to execute arbitrary code as another user. iDefense has confirmed the existence of these vulnerabilities in the suexec binary distributed with version 2.2.3 of the Apache httpd in Red Hat Inc.'s Fedora Core 4. This distribution is not vulnerable in the default configuration, as exploitation requires additional, but common, configuration changes to be made to the system. It is suspected that all previous versions of suexec are vulnerable, including the 1.3.x versions.
Homepage:http://www.idefense.com/
File Size:6374
Related CVE(s):CVE-2007-1741
Last Modified:Apr 13 00:03:08 2007
MD5 Checksum:2777bbac6bc0954fb4df94de09daabd8

 ///  File Name: 04.12.07-1.txt
Description:
iDefense Security Advisory 04.12.07 - Remote exploitation of a buffer overflow vulnerability in pfs_mountd.rpc included in multiple versions of Hewlett Packard Co. HP-UX allows for remote root access. If a remote user sends two specially crafted packets over UDP, the buffer overflow is triggered. One must first send a call to procedure 5, and soon thereafter send the actual payload to procedure 2. Due to the closed nature of the pfs_mountd.rpc protocol specification, it is unclear at this time what functions the respective procedures actually perform. iDefense has confirmed the existence of this vulnerability in HP-UX 11.11i. It is suspected that previous versions are also vulnerable.
Homepage:http://www.idefense.com/
File Size:3655
Last Modified:Apr 13 01:05:32 2007
MD5 Checksum:30ef5baf243b4e964bc645d9aeb659c5

 ///  File Name: 04.16.07-1.txt
Description:
iDefense Security Advisory 04.16.07 - Remote exploitation of a buffer overflow vulnerability in Clam AntiVirus' ClamAV allows attackers to execute arbitrary code with the privileges of the affected process. The vulnerability exists within the cab_unstore() function in libclamav, the library used by clamd to scan various file types. A 32-bit signed integer is taken from the packet and compared against the sizeof() the destination buffer. However, the sizeof() return value is improperly cast to a signed integer. By supplying a negative value, an attacker can cause the comparison to succeed. This eventually leads to an exploitable stack-based buffer overflow. iDefense has confirmed the existence of this vulnerability in ClamAV in versions 0.90rc3 through 0.90.1.
Homepage:http://www.idefense.com/
File Size:3463
Related CVE(s):CVE-2007-1997
Last Modified:Apr 17 18:32:28 2007
MD5 Checksum:c651a7e917f03cee3ad31c1a26299810

 ///  File Name: 04.16.07-2.txt
Description:
iDefense Security Advisory 04.16.07 - Remote exploitation of a buffer overflow vulnerability in Akamai Technologies, Inc's Download Manager ActiveX Control could allow an attacker to execute arbitrary code within the security context of the targeted user. iDefense has confirmed the existence of this vulnerability within version 2.2.0.5 of Akamai Technologies Inc's DownloadManagerV2.ocx. All older versions are suspected to be vulnerable.
Author:McSlibin
Homepage:http://www.idefense.com/
File Size:4175
Related CVE(s):CVE-2007-1891
Last Modified:Apr 17 19:11:08 2007
MD5 Checksum:c84a7094094da11cbde394fb5d68e9d3

 ///  File Name: 04.17.07-1.txt
Description:
iDefense Security Advisory 04.17.07 - Remote exploitation of a buffer overflow vulnerability in McAfee's VirusScan Antivirus application allows attackers to disable the On-Access scanner or potentially execute arbitrary code with SYSTEM privileges. The McAfee On-Access scanner component contains a common software flaw that leads to heap corruption when dealing with overly long file names that contain multi-byte characters. This flaw only manifests itself when the target system has East Asia language files installed and the default Unicode codepage is set to a language which contains multi-byte characters such as Chinese. iDefense has confirmed this vulnerability in McAfee VirusScan 8.0 Enterprise. Previous versions are suspected vulnerable as well.
Homepage:http://www.idefense.com/
File Size:3722
Last Modified:Apr 19 04:18:11 2007
MD5 Checksum:3d715bcec5a7afe04fbae672439ff82c

 ///  File Name: 04.17.07-2.txt
Description:
iDefense Security Advisory 04.17.07 - Remote exploitation of a denial of service (DoS) vulnerability in McAfee Inc.'s E-Business Server could allow an attacker to crash the administration server. Prior to authentication, an attacker can crash the server by sending a malformed authentication packet. The server will read in a length from the packet header, and then attempt to read that many bytes from the buffer. By specifying a large length value and sending a small packet, the server can be caused to read off the end of mapped heap memory. This will trigger an exception that is not handled, and the server will exit. iDefense has confirmed the existence of this vulnerability in McAfee E-Business Server version 8.5.1.101 for Windows. Previous versions may also be affected.
Homepage:http://www.idefense.com/
File Size:3733
Last Modified:Apr 19 04:18:44 2007
MD5 Checksum:cba7c6f6d0ff05eb5392429c569cd019

 ///  File Name: 04.20.07-1.txt
Description:
iDefense Security Advisory 04.20.07 - Local exploitation of multiple design error vulnerabilities within multiple Check Point Zone Alarm products could allow an attacker to gain elevated privileges. iDefense has confirmed the existence of these vulnerabilities within version 5.0.63.0 of srescan.sys as installed with Check Point Zone Labs Zone Alarm Free. All other products within the Zone Alarm product line are suspected to be vulnerable. Previous versions are also suspected to be vulnerable.
Author:Ruben Santamarta
Homepage:http://www.idefense.com/
File Size:3629
Last Modified:Apr 23 05:55:41 2007
MD5 Checksum:f2c085825568801fef403af26b05a475

 ///  File Name: 04.26.07-1.txt
Description:
iDefense Security Advisory 04.26.07 - Remote exploitation of a denial of service (DoS) vulnerability in Novell Inc.'s eDirectory product could allow an attacker to force the running daemon to cease servicing requests. The problem specifically exists within the NCP functionality of eDirectory. Sending a sequence of specially crafted fragmented requests will cause a DoS condition. iDefense has confirmed the existence of this vulnerability in version 8.8.1 of Novell Inc.'s eDirectory server with FTF1 applied. The earliest version tested was 8.8. Earlier versions are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3838
Related CVE(s):CVE-2006-4520
Last Modified:May 3 02:11:38 2007
MD5 Checksum:48a75120cc625ccfb07acaa52aedc405

 ///  File Name: 04.26.07-2.txt
Description:
iDefense Security Advisory 04.26.07 - Local exploitation of a buffer overflow vulnerability in Norton Ghost could allow local attackers to run code as the SYSTEM level user. Norton Ghost Service Manager is a Local Server COM object that allows privileged Ghost Backup Operators the ability to take and restore Ghost images of the system. A function within the Service Manager can be used to trigger a buffer overflow by supplying an overly long string. iDefense verified the existence of this vulnerability on Norton Ghost 10.0. Other versions may be vulnerable as well.
Author:Pravus
Homepage:http://www.idefense.com/
File Size:3063
Last Modified:May 3 02:44:41 2007
MD5 Checksum:8e1831adea9ac92f11f0c6b4c607ea0b

 ///  File Name: 04.26.07-3.txt
Description:
iDefense Security Advisory 04.26.07 - Norton Ghost allows administrators and other power users to schedule snapshots of local disks for backup and recovery purposes. If these recovery points are set to save to a remote network share, Ghost will prompt the user to enter a user name and password for the share. Password information entered into Ghost for this purpose is encrypted and saved to the local file system in the application's home directory, which has read access allowed for all users. The encryption key used by Ghost to decrypt these stored credentials is derived from the MD5 hash of the plain text user name stored in the configuration file. Since every user on the system has read access to these configuration files, any user can decrypt the stored passwords. iDefense verified the existence of this vulnerability on Norton Ghost 10.0. Other versions may be vulnerable as well.
Author:Pravus
Homepage:http://www.idefense.com/
File Size:3690
Last Modified:May 3 02:45:34 2007
MD5 Checksum:c9c6043fee23fdf1fc462b362a8403d3

 ///  File Name: 13070411.txt
Description:
PunBB versions 1.2.14 and below suffer from multiple vulnerabilities.
Author:DarkFig
Related Exploit:13070411-sploit.txt
File Size:8349
Last Modified:Apr 12 21:07:34 2007
MD5 Checksum:44f0fd6a87a7b5aec7009cb96334dc69

 ///  File Name: afflib-fmtstr.txt
Description:
Virtual Security Research, LLC. Security Advisory - Multiple format string injection vulnerabilities exist in AFFLIB versions 2.2.0 through 2.2.8.
Author:Timothy D. Morgan
Homepage:http://www.vsecurity.com/
File Size:9197
Related CVE(s):CVE-2007-2054
Last Modified:May 3 03:35:01 2007
MD5 Checksum:f5720e6ca358ef67b2fbb4e58f26fd49