.:[ packet storm ]:.
                             
know better

 Section:  .. / 0707-advisories  /


 ///  File Name: 07.09.07-1.txt
Description:
iDefense Security Advisory 07.09.07 - Local exploitation of an input validation vulnerability within the NPF.SYS device driver of WinPcap allows attackers to execute arbitrary code in kernel context. The vulnerability specifically exists due to insufficient input validation when handling the Interrupt Request Packet (Irp) parameters passed to IOCTL 9031 (BIOCGSTATS). By passing carefully chosen parameters to this IOCTL, an attacker can overwrite arbitrary kernel memory. iDefense has confirmed the existence of this vulnerability in version 4.0 of WinPcap as included in Wireshark 0.99.5. The version of NPF.SYS tested was 4.0.0.755. Older versions are suspected to be vulnerable.
Author:Mario Ballano
Homepage:http://www.idefense.com/
File Size:3670
Last Modified:Jul 10 05:07:58 2007
MD5 Checksum:f82d75712873da8e8192b774dda27d9f

 ///  File Name: 07.09.07-2.txt
Description:
iDefense Security Advisory 07.09.07 - Remote exploitation of multiple integer overflow vulnerabilities in several of the image loader plug-ins included with distributions of 'The GIMP' allows attackers to crash The GIMP or potentially execute arbitrary code with the privileges of the user. iDefense has confirmed that version 2.2.15 of The GIMP is vulnerable on both Linux and Windows platforms. It is suspected that all previous versions of The GIMP are also affected.
Author:Sean Larsson
Homepage:http://www.idefense.com/
File Size:4913
Related CVE(s):CVE-2006-4519
Last Modified:Jul 10 05:13:12 2007
MD5 Checksum:0bed7c854f7e51ca02e6f60a08783965

 ///  File Name: 07.09.07-3.txt
Description:
iDefense Security Advisory 07.09.07 - Local exploitation of a buffer overflow vulnerability in IBM Corp.'s AIX libodm library could allow an attacker to execute arbitrary code on a targeted host. iDefense has confirmed the existence of this vulnerability in AIX version 5.3 SP 4. Previous versions may be vulnerable.
Homepage:http://www.idefense.com/
File Size:3071
Last Modified:Jul 11 10:44:39 2007
MD5 Checksum:0d23d29c03247682a5eaebb7f6823828

 ///  File Name: 07.11.07-1.txt
Description:
iDefense Security Advisory 07.11.07 - Remote exploitation of a heap overflow vulnerability in Symantec Backup Exec could allow an unauthenticated attacker to create a denial of service condition or potentially execute arbitrary code. The flaw specifically exists within the RPC server that listens on TCP port 6106. When handling requests using the "ncacn_ip_tcp" protocol, the service will copy a user supplied amount of data into a fixed-size heap buffer. iDefense confirmed the existence of this vulnerability in Symantec Backup Exec 10d with all current hot-fixes and service packs applied. Other versions are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3291
Related CVE(s):CVE-2007-3509
Last Modified:Jul 12 04:11:03 2007
MD5 Checksum:4cc94feac32d16129426e23162440125

 ///  File Name: 07.11.07-2.txt
Description:
iDefense Security Advisory 07.11.07 - Local exploitation of an input validation vulnerability in version 5.5.1.6 of symtdi.sys allows attackers to elevate privileges to SYSTEM. The vulnerability specifically exists due to improper address space validation when the \\symTDI\ device driver processes IOCTL 0x83022323. An attacker can overwrite an arbitrary address, including code segments, with a constant double word value by supplying a specially crafted Irp to the IOCTL handler function. iDefense confirmed this vulnerability in version 5.5.1.6 of Symantec's symtdi.sys device driver as included with version 10 of Symantec AntiVirus Corporate Edition. Previous versions and related products that contain the affected driver are suspected vulnerable.
Author:Zohiartze Herce
Homepage:http://www.idefense.com/
File Size:3537
Related CVE(s):CVE-2007-3673
Last Modified:Jul 12 04:12:12 2007
MD5 Checksum:bfa8d5d856fa94a003e3308a03769383

 ///  File Name: 07.11.07-3.txt
Description:
iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The deleteKey() functionality is affected. iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.
Homepage:http://www.idefense.com/
File Size:4131
Related CVE(s):CVE-2005-1924
Last Modified:Jul 12 04:16:02 2007
MD5 Checksum:a3ae17003817196eef6b310ecb3a4e2c

 ///  File Name: 07.11.07-4.txt
Description:
iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The gpg_check_sign_pgp_mime() function is affected. iDefense has confirmed the existence of this vulnerability in version 2.0 of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that earlier versions of the plug-in are also affected.
Homepage:http://www.idefense.com/
File Size:3997
Last Modified:Jul 12 04:16:48 2007
MD5 Checksum:8e44a3d654e323aa396d2fdf8751771e

 ///  File Name: 07.11.07-5.txt
Description:
iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The gpg_recv_key() function is affected. iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.
Homepage:http://www.idefense.com/
File Size:4123
Related CVE(s):CVE-2005-1924
Last Modified:Jul 12 04:18:10 2007
MD5 Checksum:85ec03ca46e9372ff23ffb76b3929be5

 ///  File Name: 07.11.07-6.txt
Description:
iDefense Security Advisory 07.11.07 - Remote exploitation of a local file inclusion vulnerability in gpg_help.php in version 2.0 of the SquirrelMail G/PGP Plugin could allow an authenticated webmail user to execute arbitrary PHP code under the security context of the running web server. iDefense has confirmed the existence of this vulnerability in version 2.0 of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that earlier versions of the plug-in are also affected.
Homepage:http://www.idefense.com/
File Size:3641
Related CVE(s):CVE-2006-4169
Last Modified:Jul 12 04:19:41 2007
MD5 Checksum:40a6dd2a758ab52216078a1dadd0edc1

 ///  File Name: 07.11.07-7.txt
Description:
iDefense Security Advisory 07.11.07 - Remote exploitation of an integer overflow vulnerability in Apple Computer Inc.'s QuickTime media player could allow attackers to execute arbitrary code in the context of the targeted user. The vulnerability specifically exists in the QuickTime player's handling of the title and author fields in an SMIL file. When parsing an SMIL file, arithmetic calculations can cause insufficient memory to be allocated. When copying in user-supplied data from the SMIL file, a heap-based buffer overflow occurs. This results in a potentially exploitable condition. iDefense Labs confirmed this vulnerability exists in versions 7.1.3 and 7.1.5 of QuickTime on Windows and Mac OS X. Previous versions are suspected to be vulnerable.
Author:David Vaartjes
Homepage:http://www.idefense.com/
File Size:3749
Related CVE(s):CVE-2007-2394
Last Modified:Jul 12 04:20:40 2007
MD5 Checksum:2a3cc0fd5e612bd18139afef28cdcb48

 ///  File Name: 07.12.07-1.txt
Description:
iDefense Security Advisory 07.12.07 - Local exploitation of a race condition vulnerability in Red Hat Inc.'s Enterprise Linux init.d XFS script allows an attacker to elevate their privileges to root. iDefense has confirmed the existence of this vulnerability in Red Hat Enterprise Linux version 4, and Fedora Core 6. Other versions may also be affected.
Homepage:http://www.idefense.com/
File Size:3129
Related CVE(s):CVE-2007-3103
Last Modified:Jul 13 03:41:40 2007
MD5 Checksum:237191c6d33b34dc51bb47af02bc0d4a

 ///  File Name: 07.16.07-1.txt
Description:
iDefense Security Advisory 07.16.07 - Remote exploitation of a stack-based buffer overflow vulnerability in Trend Micro Inc.'s OfficeScan for Windows could allow attackers to execute arbitrary code with the privileges of the IIS Web User. The OfficeScan installation includes a series of CGI executables that are used for configuration through the Web interface. A shared library, CGIOCommon.dll, is used by many of these binaries to access environment variables passed to them from the parent IIS process. If a malicious Web request is made for a vulnerable binary, including an overly long session cookie, a stack-based Unicode buffer overflow will occur. iDefense has confirmed this vulnerability in OfficeScan 7.3 with all current patches applied. Testing has shown that this attack can be conducted by requesting multiple CGI binaries that make use of the shared library. Other versions are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3954
Related CVE(s):CVE-2007-3454
Last Modified:Jul 17 09:48:27 2007
MD5 Checksum:690a05b37c2cbeba9b270c6c3cc72693

 ///  File Name: 07.16.07-2.txt
Description:
iDefense Security Advisory 07.16.07 - Remote exploitation of an authorization bypass vulnerability in Trend Micro Inc.'s OfficeScan for Windows could allow attackers to log in to the management console and alter application settings. The OfficeScan installation includes a web management console that allows administrators to configure the application and the Antivirus clients it manages. The web interface login is handled by cgiChkMasterPwd.exe, which is passed a hash and an encrypted version of the password generated by an ActiveX control on the login page. If cgiChkMasterPwd.exe is sent an empty encryption string and empty hash, it proceeds to issue the client a valid session id which can then be used to access the web management console. iDefense has confirmed the existence of this vulnerability in OfficeScan for Windows 7.3 with all current patches applied. Previous versions may also be affected.
Author:David Maciejak
Homepage:http://www.idefense.com/
File Size:3811
Related CVE(s):CVE-2007-3455
Last Modified:Jul 17 09:50:19 2007
MD5 Checksum:9feb23e6fea2157756924c3bbe576752

 ///  File Name: 07.17.07-1.txt
Description:
iDefense Security Advisory 07.17.07 - Remote exploitation of a denial of service vulnerability within version 5.1.0.2 of IBM Corp.'s Tivoli Provisioning Manager for OS Deployment allows attackers to deny service to all product functionality. This vulnerability specifically exists in the TFTP protocol implementation. When processing a read request (RRQ), an integer division by zero error can be triggered by supplying an invalid "blksize" argument. This exception is not handled and will result in the rembo.exe service terminating. iDefense has confirmed the existence of this vulnerability in version 5.1.0.2 of IBM Corp.'s Tivoli Provisioning Manager for OS Deployment. Version 5.1.0.116 was tested and found not to be vulnerable.
Author:Manuel Santamarina Suarez
Homepage:http://www.idefense.com/
File Size:3699
Related CVE(s):CVE-2007-3268
Last Modified:Jul 18 06:29:54 2007
MD5 Checksum:187130b0ce36ace72f8f29c8f4ff40e6

 ///  File Name: 07.17.07-2.txt
Description:
iDefense Security Advisory 07.17.07 - Remote exploitation of multiple buffer overflow vulnerabilities in Computer Associates International Inc.'s (CA) Threat Manager allows attackers to execute arbitrary code with SYSTEM privileges. When Computer Associates Threat Manager is installed, it also installs the Alert Notification Server (alert.exe) which registers an RPC interface with the GUID 3d742890-397c-11cf-9bf1-00805f88cb72. This interface contains stack-based buffer overflow vulnerabilities within the handling code for several RPC operation codes. iDefense confirmed that the Alert Notification Server included with Computer Associates International Inc.'s eTrust Integrated Threat Management r8 for Windows is vulnerable.
Homepage:http://www.idefense.com/
File Size:3481
Related CVE(s):CVE-2007-3825
Last Modified:Jul 18 06:31:52 2007
MD5 Checksum:071ca65929f073cb5606d8cc87efc22d

 ///  File Name: 07.18.07-1.txt
Description:
iDefense Security Advisory 07.18.07 - Exploitation of an input validation vulnerability in Microsoft Corp.'s DirectX library could allow an attacker to execute arbitrary code in the context of the current user. The vulnerability specifically exists in the way RLE compressed Targa format image files are opened. The Targa format allows multiple color depths and image storage options, and includes the ability to use run-length encoding (RLE) compression on the image data. This is a compression method which finds a 'run' of pixels of the same color and, instead of storing the value multiple times, encodes the number of times to repeat one value. For example, instead of storing 'AAAAAAAA', it may encode that into 'store "A" 8 times'. The buffer allocated for the image data is based on the width, height and color depth stored in the image, but when decoding this type of file, no checks against writing past the end of the buffer are performed. If the encoding specifies more data than has been allocated, a controlled heap overflow can occur. iDefense has confirmed that libraries in Microsoft's DirectX SDK (February 2006) are vulnerable, as are the DirectX End User Runtimes (February 2006). It is suspected that previous versions are also affected, including the DirectX 9.0c End User Runtimes.
Author:Ruben Santamarta
Homepage:http://www.idefense.com/
File Size:4179
Related CVE(s):CVE-2006-4183
Last Modified:Jul 19 05:26:22 2007
MD5 Checksum:90bae1472730b5cdfd52dc955a5da8ea

 ///  File Name: 07.18.07-2.txt
Description:
iDefense Security Advisory 07.18.07 - Remote exploitation of multiple buffer overflow vulnerabilities in Ipswitch Inc.'s IMail Server 2006 could allow attackers to execute arbitrary code. IMail includes an IMAP daemon that users can use to access their email. The "Search" IMAP command contains an exploitable stack-based buffer overflow vulnerability. Additionally, the "Search charset" contains an exploitable heap-based buffer overflow vulnerability. iDefense has confirmed the existence of these vulnerabilities in IMail Server 2006. The vulnerable executable used was version 6.8.8.1 of imapd32.exe.
Author:Manuel Santamarina Suarez
Homepage:http://www.idefense.com/
File Size:3282
Last Modified:Jul 19 05:28:10 2007
MD5 Checksum:1e0ce85fd16d67c016ab72edc74b38c8

 ///  File Name: 07.19.07-1.txt
Description:
iDefense Security Advisory 07.19.07 - Remote exploitation of a dangling pointer vulnerability in Opera Software ASA's Opera web browser could allow an attacker to execute arbitrary code with the privileges of the logged in user. Opera 9.2 supports BitTorrent downloads. When parsing a specially crafted BitTorrent header, Opera uses memory that has already been freed. This can result in an invalid object pointer being dereferenced, and may allow for the execution of arbitrary code. The vulnerability is triggered when the user right clicks on the transfer and removes it. iDefense has confirmed the existence of this vulnerability in Opera version 9.21 on Windows. Previous versions may also be affected.
Author:enhalos
Homepage:http://www.idefense.com/
File Size:3071
Last Modified:Jul 20 08:27:45 2007
MD5 Checksum:b5ed8c60f7cd7a1f4ccb27150d5ba7b5

 ///  File Name: 07.19.07-2.txt
Description:
iDefense Security Advisory 07.19.07 - Remote exploitation of an input handling vulnerability within multiple browsers on the Microsoft Windows platform allows code execution as the local user. This vulnerability is due to interaction between programs. The most commonly used Microsoft Windows URL protocol handling code doesn't provide a way for the URI handling application to distinguish the end of one argument from the start of another. The problem is caused by the fact that browsers do not pct-encode certain characters in some URIs, which does not comply with the behavior that RFC3986 (also known as IETF STD 66) requires. As a result, a specially constructed link could be interpreted as multiple arguments by a URI protocol handler.
Author:Greg MacManus
Homepage:http://www.idefense.com/
File Size:7577
Related CVE(s):CVE-2007-3670
Last Modified:Jul 20 08:29:46 2007
MD5 Checksum:401f50546fb7a6ac0740d19ed3abeec5

 ///  File Name: 07.23.07-1.txt
Description:
iDefense Security Advisory 07.23.07 - Remote exploitation of a denial of service vulnerability in Ipswitch Inc.'s IM Server daemon allows unauthenticated attackers to crash the service. iDefense has confirmed the existence of the vulnerability in version 2.0.5.30 of Ipswitch Inc.'s IM Server. Previous versions are suspected to be vulnerable.
Homepage:http://www.idefense.com/
File Size:3262
Last Modified:Jul 24 06:09:48 2007
MD5 Checksum:273de42076683fa130b593c0b5020877

 ///  File Name: 07.24.07-1.txt
Description:
iDefense Security Advisory 07.24.07 - Remote exploitation of a denial of service (DoS) vulnerability in Computer Associates Inc.'s eTrust Antivirus products could allow attackers to create a DoS condition on the affected computer. When the eTrust Antivirus engine scans a malformed CHM file that has an invalid 'previous listing chunk number' field, the scanner will enter an infinite loop and be unable to process any other files. iDefense has confirmed this vulnerability in eTrust AntiVirus version r8. Previous versions of eTrust Antivirus are suspected to be vulnerable. Other Computer Associates products, as well as derived products, may also be vulnerable.
Homepage:http://www.idefense.com/
File Size:3134
Related CVE(s):CVE-2007-3875
Last Modified:Jul 25 06:42:29 2007
MD5 Checksum:c9e430e97c86ccb8e479f4edf4a11819

 ///  File Name: 07.24.07-2.txt
Description:
iDefense Security Advisory 07.24.07 - Remote exploitation of a design error vulnerability in Computer Associates International Inc.'s (CA) eTrust Intrusion Detection allows attackers to execute arbitrary code. iDefense has confirmed that CA eTrust Intrusion Detection version 3.0.5 on Windows is vulnerable. The file version of caller.dll tested was 3.0.5.55.
Author:Sebastian Apelt
Homepage:http://www.idefense.com/
File Size:3291
Related CVE(s):CVE-2007-3302
Last Modified:Jul 25 06:43:52 2007
MD5 Checksum:9d2f71feb74c13277bfb86cb0ac81e17

 ///  File Name: 07.26.07-1.txt
Description:
iDefense Security Advisory 07.26.07 - Local exploitation of an arbitrary library loading vulnerability in the 'pioout' program, as included with IBM Corp.'s AIX operating system, allows an attacker to execute arbitrary code with root privileges. iDefense has confirmed the existence of this vulnerability in AIX version 5.3 with service pack 6. Previous versions may also be affected.
Homepage:http://www.idefense.com/
Related Exploit:aix53-pioout.txt
File Size:3364
Related CVE(s):CVE-2007-4003
Last Modified:Jul 28 03:57:56 2007
MD5 Checksum:9d36562bc15ad8623f7986b460f30dcd

 ///  File Name: 07.26.07-2.txt
Description:
iDefense Security Advisory 07.26.07 - Local exploitation of a stack-based buffer overflow vulnerability in the 'capture' program, as included with IBM Corp.'s AIX operating system, allows an attacker to execute arbitrary code with root privileges. The vulnerability exists within the code that parses terminal control sequences. A long series of control sequences will trigger an exploitable stack-based buffer overflow. iDefense has confirmed the existence of this vulnerability in AIX version 5.3 with service pack 6. Previous versions may also be affected.
Homepage:http://www.idefense.com/
Related Exploit:aix53-capture.txt
File Size:3278
Related CVE(s):CVE-2007-3333
Last Modified:Jul 28 04:00:31 2007
MD5 Checksum:6e43f4b6fd2d9f067af9b6d7d199bda2

 ///  File Name: 07.26.07-3.txt
Description:
iDefense Security Advisory 07.26.07 - Local exploitation of multiple buffer overflow vulnerabilities in the 'ftp' program, as included with IBM Corp.'s AIX operating system, allows an attacker to execute arbitrary code with root privileges. iDefense has confirmed the existence of this vulnerability in AIX version 5.3 with service pack 6. Previous versions may also be affected.
Homepage:http://www.idefense.com/
Related Exploit:aix53-ftp.txt
File Size:3524
Related CVE(s):CVE-2007-4004
Last Modified:Jul 28 04:02:45 2007
MD5 Checksum:46ff849350b0dd5d6e2524262b69fd3c