http://secunia.com/advisories/24962/
Description:
A vulnerability and a security issue have been reported in Nortel VPN Routers, which can be exploited by malicious people to bypass certain security restrictions or manipulate certain data.
1) Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager. These can be exploited to gain unauthorized access to the private network.
2) Missing authentication checks within two template files of the web management tool can be exploited to e.g. modify certain router configurations.
An issue has also been reported where the same DES key is used to encrypt all users' passwords; this can facilitate brute-force attacks on users' passwords if an attacker gains access to the LDAP store.
The vulnerability and security issue reportedly affect the following products:
* Contivity 1000 VPN Switch
* Contivity 2000 VPN Switch
* Contivity 4000 VPN Switch
* VPN Router 5000
* VPN Router Portfolio
Solution:
Update to versions 6_05.140, 5_05.304, or 5_05.149.
Provided and/or discovered by:
The vendor credits
Detack GmbH.
Labels: Advisory, Appliance, Backdoor, Insecurity, Vulnerability
[Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)
From: Matthew Murphy (mattmurphy AT kc.rr.com)
Date: Mon Feb 13 2006 - 18:46:38 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
My apologies to those who are receiving this late or are otherwise
inconvenienced by the staggered release. I had unexpected, last-minute
travel issues that interfered somewhat with today's release.
Of note since the initial drafting of the advisory is that Microsoft has
released a blog post on the MSRC blog about the vulnerability report,
which can be read here:
http://blogs.technet.com/msrc/archive/2006/02/13/419439.aspx
The technical/strategic points about the exploit that are raised in the
post are indeed accurate (though it references MS05-014, when I believe
the correct reference is MS05-008/MS05-013). The exploit has a greater
dependence on timing than previous, related attacks. As such,
Microsoft's decision not to include this issue in a standalone patch is
seemingly justified at this point. However, the point of disagreement
with Microsoft remains the choice of release *timeline*.
I released the information about this issue to a trusted colleague (Gadi
Evron) for publication today, after what I felt was a reasonable time,
in light of my difficulties obtaining internet access.
Though there are disagreements between myself and Microsoft about the
nature of this vulnerability, I would like to thank Brian Schafer of the
MSRC for adhering to a high level of professionalism and technical
accuracy in that post and for continuing to work with me once it was
made clear that the issue would imminently become public.
Also of note is that there was a typo in the information I provided
originally to SecuriTeam. The proper candidate is CVE-2005-3240, not
*3840* as was originally reported by me. SecurityFocus has also
informed me that my original BID reservation was a casualty of a data
migration and that the proper BID associated with this vulnerability is
now BID 16352, which is public in full detail as of this writing.
There have also been some incorrect reports made to SecuriTeam that this
issue does not affect Windows XP Service Pack 2. These reports are not
correct -- my testing during this investigation was done exclusively on
current installations of Windows 2000 and Windows XP. These systems had
all service packs applied and all updates installed when tests were
performed.
Thanks to Gadi Evron for doing some of my bidding today and taking some
of the heat for my fat-fingers.
The final advisory, corrected with the now-accurate references is
attached with an armored-format PGP signature inline.
- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38
iD8DBQFD8Shufp4vUrVETTgRA/hpAJ9DobMIa4EH8otBMNlzIPK6RrMGUgCfcrrj
ZI9G00rer59rLkwI5uH0KGQ=
=DQ2a
-----END PGP SIGNATURE-----
Microsoft Internet Explorer Drag-and-Drop Redeux
I. SYNOPSIS
Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
- Windows 98
- Windows 98 Second Edition
- Windows Millennium Edition
- Windows 2000
- Windows XP
- Windows Server 2003
Risk: Medium
Impact: Potential remote code execution with some user interaction
Status: Uncoordinated Release
Author: Matthew Murphy (mattmurphy@kc.rr.com)
II. VULNERABILITY OVERVIEW
Microsoft Internet Explorer suffers from a vulnerability in its handling of certain drag-and-drop events. As a result, it is possible for a malicious web site to predict and exploit the timing of a drag-and-drop operation such that any drag operation (including using scroll-bars) could potentially lead to the installation of arbitrary files in sensitive locations that may enable further system compromise.
III. TECHNICAL DESCRIPTION
As a result of recent updates to its drag-and-drop functionality, Internet Explorer now imposes a rigid set of restrictions on most drag-and-drop sources:
* Input to the browser from other applications is not permitted.
* Dragging an object from inside a frame is not permitted.
* Dragging an HTML element from a top-level window will produce a security warning.
However, certain objects not derived from an HTML document (specifically, file objects within a folder view) remain draggable. This gives rise to a potential race condition in the handling of user input. If an attacker can persuade a user to drag any object within the top-level window that his/her site is contained in, malicious script can redirect these inputs to other top-level windows, potentially resulting in an unintended consequence such as file installation.
Proof-of-concept code has been developed that utilizes a pop-under window pointing to a malicious file share. This window can be created using window.open() or other stealthier methods that are known to evade Internet Explorer's built-in pop-up blocking. Focus is then returned to the opening window, where the user is encouraged to drag an object (image, link, etc.) in a seemingly "safe" fashion.
Immediately prior to this object being dragged, a mouseOver event is triggered that enables the attacker to (with a varying degree of success) predict the imminent drag attempt. The pop-under can then be returned to focus by way of a window.blur() executed in the current window. If the timing of the transition is accurate to a margin of error within a user's reaction time threshold, the user will unwittingly initiate a drag of a file from the pop-under instead of the object originally used as a lure by the attacker.
As soon as it transfers focus, the window with the original interactive content may set a timer (via window.setTimeout()) that returns focus to the window with a simple window.focus() call. After a split-second delay, focus is returned to the interactive window. At this point, on-demand alteration of CSS attributes can be used to display previously-hidden objects (such as inline frames). These objects serve as "drop target" windows and will initiate the copying of the file dropped from the (presumably malicious) pop-under window.
While Internet Explorer blocks hiding or resizing of certain "suspect" objects (IFRAMEs, for instance), so-called container objects (DIV, SPAN, etc.) suffer no such restrictions, even when they contain one of the objects in the former category. The proof-of-concept code as developed simply stores a full-screen inline frame in a container initially marked with the "hidden" visibility style.
The pop-under window, in this instance, would be a folder on a malicious server. This could be accessed via SMB (\\HOSTILESERVER\SHARE), FTP (ftp://hostileserver/somedirectory) or even HTTP (web folders) using certain link behaviors in combination with the click() method of a hyperlink object. In the third case, the pop-under would initially be targeted to an HTML document, which would then open the web folder containing hostile content.
The path to the drop target (the hidden frame in the original window) requires a little more creativity. Particularly in Windows XP Service Pack 2, Microsoft has done a fairly good job of locking down access to local resources. The most interesting vector for the purposes of this attack is via the network redirector. By using the IP address or machine name of the local system (typically obtainable via any number of means), such as:
\\MACHINENAME\share
It becomes possible to access resources offered by the network redirector on the local system. Of most interest is the "Scheduled Tasks" folder:
\\MACHINENAME\Scheduled Tasks
Items dropped into this folder execute automatically at a system-determined time (3 AM local time in tests on Windows XP Professional Service Pack 2) each day as the user dropping the file. Also of interest are common shares such as the administrative shares (C$, D$, etc.) and typical share names like "SharedDocs" on Windows XP. In most cases, this is at least a partial functional equivalent to local file system access and is not subject to zone restrictions, even on Windows XP Service Pack 2.
IV. IMPACT
A malicious web site, with a minimum of social engineering, may be able to compromise user systems by triggering an unintended installation of malicious software. Typical defense-in-depth measures may mitigate this issue. For those who run Internet Explorer with administrative privileges, the impact of any successful exploitation is complete control of the affected system. A malicious web site could install software that would add or delete privileged user accounts, alter, destroy or disclose the content of personal or otherwise sensitive files, record personal information or any number of other activities.
Users who do not browse with such high levels of privilege would be at a significantly reduced risk from exploitation of this vulnerability. In the case of a user with limited privileges, this vulnerability could only be exploited by an attacker to install software that executes with the privileges of that user.
V. WORKAROUNDS
The following workarounds are believed at the time of this writing to be effective against the exploitation of this vulnerability in some form:
1. Set a Kill Bit on the Shell.Explorer Control
-----------------------------------------------
Setting a kill bit on this control will prevent Internet Explorer from displaying the rich folder view interface that gives rise to this attack. For more information about setting kill bits, please see Microsoft Knowledge Base Article 240797:
http://support.microsoft.com/kb/240797
The CLSID of this component as deployed on Windows XP is:
{8856F961-340A-11D0-A96B-00C04FD705A2}
Tools to automate the process of setting this kill bit have been provided at:
http://student.missouristate.edu/m/matthew007/tools/shellkill.zip
PGP signature: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip.asc
Included in this archive are an Administrative Template (.adm) and a VBScript file (.vbs) which implement this setting. The Administrative Template also allows an administrator to work around a specific case of functionality loss caused by the implementation of this workaround. Instructions on using both files are contained within the readme file in the archive.
IMPACT: This workaround will cause Internet Explorer to no longer render folder views for local directories, network file shares, FTP directories and web folders by default. The ability to browse FTP directories in Internet Explorer can be restored by clearing the "Enable Folder View for FTP Sites" option in Internet Explorer's "Advanced" options. However, this countermeasure is known to expose another security vulnerability that does not appear to have been fixed as of this writing:
http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html
For ordinary browsing purposes, the Windows Explorer tool is unaffected by this change. This defensive measure has been successfully implemented in at least one commercial software product and tested on a significant scale prior to the release of this advisory. Therefore, it is the belief of the author that potential loss of functionality *should* be minimal. As with all measures, you are encouraged to test the impact of this workaround prior to making any decision about deployment.
2. Prevent Automatic Navigation to Local Intranet Zone (Windows XP SP2, Windows Server 2003 SP1)
------------------------------------------------------------------------------------------------
This workaround will prevent internet content in Internet Explorer from automatically navigating to URLs within the Local Intranet Zone. This effectively prevents the introduction of malicious code to the local system via the network redirector. To implement this workaround, follow these steps:
1. In Internet Explorer's Tools menu, choose "Internet Options..."
2. Select the "Security" tab and choose "Local Intranet"
3. Click the "Custom Level" button
4. Set the "Web sites in less privileged content zone can navigate into this zone" setting to "Disable" or "Prompt".
5. Click OK to close any dialogs and optionally, close Internet Explorer.
IMPACT: This workaround will block or prompt before allowing any navigation to LAN resources from the Internet Zone. Direct access to LAN resources continues to function normally. As a result of this workaround, attempts to access local intranet content (for instance, web applications on corporate intranets) from web sites outside of the LAN will fail or produce prompts, depending upon the chosen setting.
3. Disable Active Scripting
---------------------------
This workaround will prevent internet content from executing script that could potentially cause the exploitation of this vulnerability. To implement this workaround, follow these steps:
1. In Internet Explorer's Tools menu, choose "Internet Options..."
2. Select the "Security" tab and choose "Internet"
3. Click the "Custom Level" button
4. Set the "Active scripting" option to "Prompt" or "Disable".
IMPACT: This workaround will block or prompt before allowing web sites to execute any script statement. Scripting in more-privileged zones (Local Intranet, Trusted Sites) continues to function normally. Setting this option to "Prompt" may cause a significant increase in the number of security prompts received while browsing and may be ineffective in closing this vulnerability for users not capable of making an assessment of a web site's relative trustworthiness.
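The three workarounds above are given as Internet Options dialog steps plus a kill-bit ZIP. The following PowerShell script is an added example, not part of the advisory and not the author's shellkill tool, that audits the same three settings through the registry and, with -Apply, sets them. It assumes PowerShell 2.0 or later; that the kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under the ActiveX Compatibility key described in KB240797; and that the two dialog options correspond to URL action values 2101 (Local Intranet, zone id 1) and 1400 (Internet, zone id 3) under the current user's Internet Settings\Zones key, where 0 = Enable, 1 = Prompt and 3 = Disable. The CLSID is the one the advisory lists for Windows XP.

```powershell
# Added example (not from the advisory): audit and optionally apply Workarounds 1-3
# of Section V via the registry. Run elevated for the kill bit (HKLM); the zone
# values below are per-user (HKCU) and affect only the current user.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$killBitFlag = 0x400   # the kill bit documented in KB240797 (assumed mapping)
$clsid = '{8856F961-340A-11D0-A96B-00C04FD705A2}'   # Shell.Explorer control, from the advisory
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

# IE zone settings live under HKCU\...\Zones\<zone id>; 1 = Local Intranet, 3 = Internet.
# Value names are the URL action ids (assumed mapping): 2101 = "Web sites in less
# privileged web content zone can navigate into this zone", 1400 = "Active scripting".
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneChecks = @(
    @{ Name = 'Workaround 2: block cross-zone navigation into Local Intranet'
       Key = "$zoneRoot\1"; Value = '2101'; Desired = 3 },
    @{ Name = 'Workaround 3: disable Active scripting in the Internet zone'
       Key = "$zoneRoot\3"; Value = '1400'; Desired = 3 }
)

function Get-RegDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (i.e. the IE default applies)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- Workaround 1: kill bit on Shell.Explorer ---
$flags = Get-RegDword -Key $killBitKey -Name 'Compatibility Flags'
$killBitSet = ($null -ne $flags) -and (($flags -band $killBitFlag) -ne 0)
Write-Host ("Workaround 1: kill bit on {0}: {1}" -f $clsid, $(if ($killBitSet) { 'SET' } else { 'NOT SET' }))
if ($Apply -and -not $killBitSet) {
    if (-not (Test-Path $killBitKey)) { New-Item -Path $killBitKey -Force | Out-Null }
    # OR the bit in so any other compatibility flags already present are preserved
    $newFlags = [int]($flags -bor $killBitFlag)
    Set-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    Write-Host '  -> kill bit set (takes effect for new Internet Explorer windows)'
}

# --- Workarounds 2 and 3: zone URL actions ---
foreach ($c in $zoneChecks) {
    $current = Get-RegDword -Key $c.Key -Name $c.Value
    # The advisory accepts either "Disable" (3) or "Prompt" (1)
    $ok = ($current -eq 3) -or ($current -eq 1)
    $shown = if ($null -eq $current) { 'default' } else { $current }
    Write-Host ("{0}: current={1} ({2})" -f $c.Name, $shown, $(if ($ok) { 'OK' } else { 'OPEN' }))
    if ($Apply -and -not $ok) {
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        Set-ItemProperty -Path $c.Key -Name $c.Value -Value $c.Desired -Type DWord
        Write-Host ("  -> set {0} to {1} (Disable)" -f $c.Value, $c.Desired)
    }
}
```

Run it once without -Apply to see which of the three settings are open, then with -Apply from an elevated prompt. Two caveats: the zone values are read from HKCU, so where the Security_HKLM_only policy is in force the effective settings live under the matching HKLM key instead and must be checked there; and setting the kill bit carries the functionality loss described under Workaround 1 (no folder views for local directories, shares, FTP or web folders), so test before deploying.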
VI. MITIGATION RECOMMENDATIONS
1. Limit Viewing to Trusted Web Sites
-------------------------------------
In some situations, browsing can be successfully limited to only trustworthy sites without significant loss of productivity. Users should be extremely cautious while browsing unknown or untrusted web sites, as such web sites are often able to introduce hostile code.
2. Run Exposed Applications With Reduced Privilege
--------------------------------------------------
Users who log on interactively without the privileges of powerful groups such as the "Administrators" or "Power Users" groups are at a much lower risk of damage from successful exploitation of software vulnerabilities in client applications. This mitigation step greatly reduces the likelihood of a successful malware installation if this vulnerability is exploited.
VII. VENDOR RESPONSE
Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.
Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.
I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.
Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.
VIII. REFERENCES/STANDARDS
* CVE
The MITRE Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-3840 to this issue. Status information and related references for this candidate may be found at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3840
* OSVDB
The Open Source Vulnerability Database (OSVDB) project has assigned OSVDB vulnerability ID #2707 to this issue. Information will be available shortly after the publication of this advisory at the following URL:
http://www.osvdb.org/displayvuln.php?osvdb_id=2707
* SecurityTracker
SecurityTracker has pre-assigned an alert number in its internal database to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:
http://www.securitytracker.com/id?1015049
* SecurityFocus
SecurityFocus has pre-assigned BugTraq ID #15089 to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:
http://www.securityfocus.com/bid/15089
IX. ACKNOWLEDGEMENTS
* The Administrative Template file supplied in the workaround ZIP was authored by Steven Platt.
X. CONTACT
The author may be contacted via e-mail at mattmurphy@kc.rr.com
XI. LEGAL
This document is believed accurate based upon information available at the time it was written. However, the information offered is offered in an AS-IS condition, without warranty. By acting upon this information in any way you accept all responsibility for damage that may occur as a result.
This document may be reproduced in whole without limitation and in part provided that a full copy of the original document is readily accessible and the author of the document is duly acknowledged.
Labels: Advisory, http, Microsoft, Vulnerability
Secunia Advisory: SA22896
Release Date: 2007-04-10
Last Update: 2007-04-11
Critical:
Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2007-1205
Description:
Secunia Research has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error in Microsoft Agent (agentdpv.dll) when processing specially crafted URLs passed as arguments to certain methods.
Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website with Internet Explorer.
Solution:
Apply patches.
Windows XP (requires SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=e16ededa-6e8c-40d6-a3c0-d61362411acc
Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=23909036-898f-41af-a3de-4a899a15d25d
Credits: discovered by JJ Reyes and Carsten Eiram, Secunia Research.
Changelog:
2007-04-11: Added link to US-CERT.
Original Advisory:
MS07-020 (KB932168):
http://www.microsoft.com/technet/security/Bulletin/MS07-020.mspx
Secunia Research:
http://secunia.com/secunia_research/2006-74/
Other References:
US-CERT VU#728057:
http://www.kb.cert.org/vuls/id/728057
Labels: Advisory, Critical, Microsoft, Vulnerability
Microsoft Windows Animated Cursor Handling Vulnerability
".. any web page, email or content that can load an animated cursor can allow an attacker to take advantage of the vulnerability and run arbitrary code on the users system."
A short overview by SANS of how the different email clients are reacting to the animated cursor vulnerability.
An unofficial fix for the animated cursor vulnerability from Eeye.
Related Articles:
Microsoft confirms animated-cursor flaw: Microsoft confirmed on Thursday that attacker could take control of a user's system by exploiting a flaw in the way the company's Windows software handles animated-cursor files.
========================================
http://secunia.com/advisories/24659/
Microsoft Windows Animated Cursor Handling Vulnerability
Secunia Advisory: SA24659
Release Date: 2007-03-30
Critical:
Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference:
CVE-2007-0038
Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message.
Successful exploitation allows execution of arbitrary code.
NOTE: The vulnerability is currently being actively exploited.
Solution:
Do not browse untrusted sites or view untrusted e-mails.
Provided and/or discovered by:
Discovered as a 0-day.
Independently discovered by Determina Security Research.
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/935423.mspx
http://blogs.technet.com/msrc/archive...-security-advisory-935423-posted.aspx
Determina:
http://www.determina.com/security_cen...ries/securityadvisory_0day_032907.asp
Other References:
US-CERT VU#191609:
http://www.kb.cert.org/vuls/id/191609
================================================================
Labels: Advisory, Microsoft, Virus, Vulnerability
Windows Mail URL Bug Lets Remote Users Cause Existing Code on the Target User's System to Be Executed
SecurityTracker Alert ID: 1017816
SecurityTracker URL: http://securitytracker.com/id?1017816
CVE Reference: CVE-2007-1658 (Links to External Site)
Date: Mar 26 2007
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in Windows Mail. A remote user can cause code to be executed on the target user's system without warning when the user clicks on a link.
A remote user can send an e-mail message containing a specially crafted link that, when loaded by the target user, will execute an arbitrary existing executable file located on the target user's system. The executable will run without warning and will run with the privileges of the target user.
Kingcope discovered this vulnerability.
Impact: A remote user can cause existing code located on the target user's system to be executed with the privileges of the target user when the user clicks on a specially crafted link.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/
Cause: State error
Underlying OS: Windows (Vista)
Reported By: "Kingcope"
Labels: Advisory, Microsoft, Vulnerability
Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
I. BACKGROUND
Trend Micro AntiVirus is a virus scanning engine included in a wide array of products by Trend Micro. Several examples of vulnerable products include PC-cillin and Internet Security Suite.
http://www.trendmicro.com/en/home/us/home.htm
II. DESCRIPTION
Remote exploitation of a divide by zero error in Trend Micro AntiVirus may allow attackers to cause a denial of service.
The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is responsible for scanning various file formats for malicious content. The code that parses UPX files takes an integer value from an attacker supplied file and uses it as a divisor. This results in a divide by zero error in kernel mode. This causes a kernel fault resulting in a blue screen of death (BSOD).
III. ANALYSIS
Exploitation of this vulnerability results not only in a DoS of the Trend Micro process, but in an operating system crash.
There are several different attack vectors depending on which product is being targeted. Someone targeting a home user would need to convince a user to download a file from a website or an attachment from an email message. The user would then need to manually scan this file or save it and have the Trend Micro auto scan process scan it at some later time. If instead a mail gateway is being targeted this vulnerability can be exploited automatically by sending a malicious attachment through a gateway that uses Trend Micro to scan content.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003. Previous versions may also be affected.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
"To address this vulnerability, Trend Micro recommends customers to update to Virus Pattern File 4.335.00 or higher."
For more information, consult the Trend Micro Knowledge Base article at the link shown below.
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
02/27/2007 Initial vendor notification
02/27/2007 Initial vendor response
03/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Advisory, Anti-Virus, Microsoft, Vulnerability
SymbOS.Feakks, Writeup By: Masaki Suenaga
Risk Level 1: Very Low
SUMMARY
Discovered: March 7, 2007
Updated: March 8, 2007 5:13:54 AM
Type: Worm
Infection Length: 3,276 bytes
Systems Affected: Symbian OS
SymbOS.Feakks is a proof of concept worm that spreads through SMS messages.
Threat Assessment: Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Spreads through SMS messages.
Distribution
Distribution Level: Low
Technical Details
Infection Length: 3,276 bytes
Systems Affected: Symbian OS
Once executed, the worm creates the following files:
%System%/apps/feakk.exe
%System%/recogs/feakk.mdl
The worm then searches the contact list for "HACKME" and terminates itself if it is not found.
The worm sends a link that contains a copy of the worm to all the contacts found.
Removal
Install a file manager program on the device.
Enable the option to view the files in the system folder.
Delete the following files:
%System%/apps/feakk.exe
%System%/recogs/feakk.mdl
Exit the file manager.
Labels: Advisory, Symbian, Worm
OSVDB ID: 31256
Disclosure Date: Jan 9, 2007
Description:
A memory corruption flaw exists in Excel. The program fails to validate file contents resulting in memory corruption when a malformed string is encountered. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Vulnerability Classification:
Local/Shell Access Required
Input Manipulation
Loss Of Integrity
Exploit Unknown
Verified
Products:
Microsoft Corporation Works Suite 2004
Microsoft Corporation Excel 2000
Microsoft Corporation Excel 2002
Microsoft Corporation Excel 2003
Microsoft Corporation Works Suite 2005
Microsoft Corporation Office for Mac 2004
Microsoft Corporation Office for Mac v. X
Solution:
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
External References:
CVE ID: CVE-2007-0029
National Vulnerability Database: CVE-2007-0029
Bugtraq ID: 21877
Microsoft Security Bulletin: MS07-002
Related OSVDB ID: 31249
Related OSVDB ID: 31255
Related OSVDB ID: 31257
Related OSVDB ID: 31258
US-CERT Cyber Security Alert: TA07-009A
Security Tracker: 1017487
News Article:
Eweek
FrSIRT Advisory: ADV-2007-0103
Credit:
NSFocus Security Team http://www.nsfocus.com/
Labels: Advisory, Microsoft, Vulnerability
Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability
Bugtraq ID: 21937
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2006-1305
Remote: Yes
Local: No
Published: Jan 09 2007 12:00AM
Updated: Jan 25 2007 04:26PM
Credit: The vendor disclosed this issue.
Microsoft Outlook is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed email messages.
A remote attacker can exploit this issue to crash affected email clients. This issue will persist as long as the email message resides on the mail server, creating a prolonged denial-of-service condition.
see http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
Vulnerable: Microsoft Outlook 2003 SP2
+ Microsoft Office 2003 SP3
+ Microsoft Office 2003 SP2
+ Microsoft Office 2003 SP1
+ Microsoft Office 2003
Microsoft Outlook 2003 0
+ Microsoft Office 2003 SP3
+ Microsoft Office 2003 SP2
+ Microsoft Office 2003 SP1
+ Microsoft Office 2003
Microsoft Outlook 2002 SP3
+ Microsoft Office XP SP3
Microsoft Outlook 2002 SP2
+ Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2002 SP1
+ Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2002 0
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2000 SP3
+ Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2000 0
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Office 2000
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Outlook 2000 SR1
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Office 2000 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Outlook 2000 SP2
- Citrix ICA Client for Windows 4.0 SP6a
+ Microsoft Internet Explorer for Unix SP2
+ Microsoft Office 2000 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Office XP SP3
+ Microsoft Excel 2002 SP3
+ Microsoft FrontPage 2002 SP3
+ Microsoft Outlook 2002 SP3
+ Microsoft PowerPoint 2002 SP3
+ Microsoft Publisher 2002 SP3
+ Microsoft Word 2002 SP3
Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2003 SP2
Microsoft Office 2003 SP1
Microsoft Office 2003
+ Microsoft Excel 2003
+ Microsoft FrontPage 2003
+ Microsoft InfoPath 2003
+ Microsoft OneNote 2003 0
+ Microsoft Outlook 2003 0
+ Microsoft PowerPoint 2003 0
+ Microsoft Publisher 2003
+ Microsoft Word 2003
Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Internet Explorer for Unix SP2
Not Vulnerable:
(Nothing!)
Labels: Advisory, Email, Microsoft, Vulnerability
Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
I. BACKGROUND
Kaspersky Antivirus is a popular client and gateway virus scanner for Unix and Windows. UPX, the ultimate packer for executables, is a method for compressing executable files to reduce their size on disk. For more information, visit the vendor's site at the following URL.
http://www.kaspersky.com/
II. DESCRIPTION
Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack on a targeted host.
The antivirus engine is vulnerable to a DoS condition when processing an executable packed with UPX compression. Malformed compressed data causes the decompression routine to enter an infinite loop. Specifically, a negative data offset results in the same compressed data chunk being processed endlessly.
III. ANALYSIS
Exploitation allows an attacker to conduct a DoS attack.
If this attack is conducted against an e-mail gateway running Kaspersky, legitimate clients may be unable to send e-mail through the server.
The infinite loop being executed consists of a short sequence of instructions, which results in maximum CPU usage. On a client desktop, the infinite loop will render the machine nearly unusable. On a server, it severely degrades the quality of service of the other applications running on it.
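The bug class described above, a chunk walker that trusts a signed "next chunk" offset, in a constructed stream format (this is an added illustration, not Kaspersky's engine or the real UPX container): naive_walk() mirrors the flaw, safe_walk() adds the bounds and forward-progress checks that make termination provable.

```python
"""
Chunk layout (constructed): int16 big-endian signed `next` = distance in
bytes from the start of this chunk to the start of the next one (0 = last
chunk), uint8 `length`, then `length` payload bytes.
"""
from __future__ import annotations
import struct

HEADER = 3  # 2-byte `next` + 1-byte `length`


class MalformedStream(ValueError):
    """Raised by safe_walk() instead of looping or reading out of bounds."""


def chunk(nxt: int, payload: bytes) -> bytes:
    """Encode one chunk (used to build the constructed samples below)."""
    return struct.pack(">hB", nxt, len(payload)) + payload


def naive_walk(data: bytes, max_steps: int = 1000) -> tuple[list[bytes], bool]:
    """Flawed walker: applies `next` without checking that it moves forward.

    max_steps and the `seen` set exist only so the demonstration terminates
    and can report the revisit; they are not the fix. Returns (payloads, looped).
    """
    pos, out, seen = 0, [], set()
    for _ in range(max_steps):
        if pos in seen:           # the same chunk is about to be processed again
            return out, True
        seen.add(pos)
        nxt, length = struct.unpack_from(">hB", data, pos)
        out.append(data[pos + HEADER:pos + HEADER + length])
        if nxt == 0:
            return out, False
        pos += nxt                # a negative `next` sends the cursor backwards
    return out, True


def safe_walk(data: bytes) -> list[bytes]:
    """Guarded walker: every field is bounds-checked and the cursor must
    strictly advance past the current chunk, so the loop body runs at most
    len(data) // HEADER + 1 times before it returns or raises."""
    n, pos, out = len(data), 0, []
    while True:
        if pos + HEADER > n:
            raise MalformedStream(f"chunk header at {pos} runs past end of data")
        nxt, length = struct.unpack_from(">hB", data, pos)
        end = pos + HEADER + length
        if end > n:
            raise MalformedStream(f"chunk at {pos}: payload runs past end of data")
        out.append(data[pos + HEADER:end])
        if nxt == 0:
            return out
        if nxt < HEADER + length:  # negative or overlapping offsets both land here
            raise MalformedStream(f"chunk at {pos}: next={nxt} does not advance past this chunk")
        pos += nxt


# Constructed samples: a well-formed stream and one whose second chunk
# points back at the first (the negative-offset case from the advisory).
GOOD = chunk(5, b"ab") + chunk(6, b"cde") + chunk(0, b"f")
LOOPING = chunk(5, b"ab") + chunk(-5, b"c")

if __name__ == "__main__":
    print(safe_walk(GOOD))          # [b'ab', b'cde', b'f']
    print(naive_walk(LOOPING))      # ([b'ab', b'c'], True): chunk 0 revisited
    try:
        safe_walk(LOOPING)
    except MalformedStream as err:
        print("rejected:", err)
```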
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux. Previous versions may also be affected. Any products that use the scanning engine are also affected, which includes the Kaspersky e-mail gateway scanner.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Kaspersky Lab reports that it has fixed this vulnerability as of February 7th, 2007. In addition, they stated the following.
"There is no need to download any special patches. All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
01/24/2007 Initial vendor notification
03/01/2007 Initial vendor response
03/02/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Advisory, Anti-Virus, Microsoft, Virus, Vulnerability
Why does anyone still have telnetd running? Should be off by default.
Slashdot discussion
Info Week article
Turkey Worm
===============================
Sun Solaris Telnet Worm
Original release date: February 28, 2007
Last revised: --
Source: US-CERT
Systems Affected
Sun Solaris 10 (SunOS 5.10)
Sun "Nevada" (SunOS 5.11)
Both SPARC and Intel (x86) architectures are affected.
Overview
A worm is exploiting a vulnerability (VU#881872) in the Sun Solaris telnet daemon (in.telnetd).
I. Description
A worm is exploiting a vulnerability in the telnet daemon (in.telnetd) on unpatched Sun Solaris systems. The vulnerability allows the worm (or any attacker) to log in via telnet (23/tcp) with elevated privileges. Further details about the vulnerability are available in Vulnerability Note VU#881872 (CVE-2007-0882).
Because VU#881872 is trivial to exploit and sufficient technical detail is publicly available, any attacker, not just this worm, could exploit vulnerable systems.
Characteristics of the worm include, but are not limited to:
Exploiting VU#881872 to log in via telnet as the users adm or lp
Changing permissions on /var/adm/wtmpx to -rw-r--rw-
Creating the directory .adm in /var/adm/sa/
Adding .profile files to /var/adm/ and /var/spool/lp/
Installing an authenticated backdoor shell on port 32982/tcp
Modifying crontab entries for the users adm and lp
Scanning for other hosts running telnet (23/tcp)
Sun has published information about the worm in the Security Sun Alert Feed including an inoculation script that disables the telnet daemon and reverses known changes made by the worm.
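A host check for the file-system and port indicators listed above, as an added example (not Sun's inoculation script or any US-CERT tool). It takes the root directory and the set of listening TCP ports as arguments so it can run offline against a constructed tree; the crontab changes are not described in enough detail to test for and are left to manual review.

```python
from __future__ import annotations
import os
import stat
import tempfile

WORM_WTMPX_MODE = 0o646            # -rw-r--rw- as set by the worm
BACKDOOR_PORT = 32982              # backdoor shell port named in the advisory
PROFILE_DIRS = ("var/adm", "var/spool/lp")


def check_host(root: str, listening_ports: set[int]) -> list[str]:
    """Return one finding per indicator present under `root` ("/" on a live host)."""
    findings = []
    wtmpx = os.path.join(root, "var/adm/wtmpx")
    if os.path.exists(wtmpx) and stat.S_IMODE(os.stat(wtmpx).st_mode) == WORM_WTMPX_MODE:
        findings.append("/var/adm/wtmpx is -rw-r--rw- (worm-set permissions)")
    if os.path.isdir(os.path.join(root, "var/adm/sa/.adm")):
        findings.append("hidden directory /var/adm/sa/.adm present")
    for d in PROFILE_DIRS:
        if os.path.isfile(os.path.join(root, d, ".profile")):
            findings.append(f"unexpected .profile in /{d}/")
    if BACKDOOR_PORT in listening_ports:
        findings.append(f"listener on {BACKDOOR_PORT}/tcp (backdoor shell port)")
    return findings


def build_demo_tree(infected: bool) -> str:
    """Constructed tree for demonstration: a clean Solaris-like layout, or one
    carrying every file-system indicator the advisory lists."""
    root = tempfile.mkdtemp(prefix="telnetworm-demo-")
    os.makedirs(os.path.join(root, "var/adm/sa"))
    os.makedirs(os.path.join(root, "var/spool/lp"))
    wtmpx = os.path.join(root, "var/adm/wtmpx")
    open(wtmpx, "wb").close()
    os.chmod(wtmpx, WORM_WTMPX_MODE if infected else 0o644)
    if infected:
        os.mkdir(os.path.join(root, "var/adm/sa/.adm"))
        for d in PROFILE_DIRS:
            open(os.path.join(root, d, ".profile"), "w").close()
    return root


if __name__ == "__main__":
    for infected in (False, True):
        ports = {22, BACKDOOR_PORT} if infected else {22}
        label = "infected" if infected else "clean"
        print(label, check_host(build_demo_tree(infected), ports))
```

On a real host, pass "/" and the ports reported by netstat; any finding means the system should be treated as compromised and recovered as the Solution section describes.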
II. Impact
VU#881872 allows a remote attacker to log on to a vulnerable system via telnet and gain elevated privileges. The worm exploits this vulnerability to compromise systems as described above. Since the worm installs a backdoor shell, it is possible for an attacker with knowledge of the authentication tokens to access a compromised system and take any action with the privileges of the backdoor shell process, likely adm or lp.
III. Solution
Apply a patch
To address VU#881872, apply the appropriate patches referenced in Sun Alert Notification 102802.
Run inoculation script
To recover compromised systems, Sun has provided an inoculation script that disables the telnet daemon and reverses known changes made by the worm.
Note that the inoculation script only recovers from this particular worm. Running the inoculation script does not guarantee system integrity. A vulnerable system may be compromised in different ways by attackers exploiting VU#881872 or using the backdoor installed by the worm. To fully recover, it may be necessary to rebuild a compromised system using trusted software sources. For more information, see Recovering from an Incident.
IV. Workarounds
Until the appropriate patches can be applied, consider the following workarounds.
Disable telnet
Telnet can be disabled by issuing the following command as root:
# /usr/sbin/svcadm disable telnet
Restrict telnet access
Restrict access to telnet (23/tcp) from untrusted networks such as the Internet.
Use SSH instead of telnet
SSH provides a comparatively more secure method for remotely logging into a system than telnet. As general advice, we recommend using SSH rather than telnet.
V. References
US-CERT Vulnerability Note VU#881872 -
Recovering from an Incident -
Sun Alert Notification 102802 -
Solaris in.telnetd worm seen in the wild + inoculation script -
inoculate.local -
CVE-2007-0882 -
Produced 2007 by US-CERT, a government organization
Labels: Advisory, SUN, UNIX, Vulnerability, Worm
SecurityTracker Alert ID: 1017639
SecurityTracker URL: http://securitytracker.com/id?1017639
CVE Reference: CVE-2007-0208 , CVE-2007-0209
Date: Feb 13 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Microsoft Security Bulletin
Version(s): 2000, 2002, 2003, 2004 for Mac, 2004
Description: Two vulnerabilities were reported in Microsoft Word. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a document with a specially crafted macro that, when loaded by the target user, will bypass the macro security warning and execute arbitrary code on the target system [CVE-2007-0208]. The code will run with the privileges of the target user.
A remote user can create a document with a specially crafted drawing object that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2007-0209]. The code will run with the privileges of the target user.
Microsoft Word 2007 is not affected.
Microsoft credits USAA with reporting the macro security bypass vulnerability.
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued the following fixes:
Microsoft Word 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F1E61E6A-BE3D-4536-AF76-A11D5CE67199
Microsoft Word 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D
Microsoft Word 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyID=882F8503-DA72-43C9-B556-A002EC58F289
Microsoft Word Viewer 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=FB59798B-AFE2-4103-9991-CBDD7686F9AD
Microsoft Works Suite 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D
Microsoft Works Suite 2005:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D
Microsoft Works Suite 2006:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A1CA8DD7-0622-4D66-A85F-A6586545EF9D
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac/
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms07-014.mspx
Vendor URL: www.microsoft.com/technet/security/bulletin/ms07-014.mspx
Labels: Advisory, Microsoft, Vulnerability
phpwcms-referer-security-bypass (26130)
Description: phpwcms is a Content Management System (CMS) written in PHP. phpwcms versions 1.2.5-DEV and prior and versions 1.1-RC4 and prior are vulnerable to header injection, caused by improper validation of the HTTP REFERER header by the act_formmailer.php and mail_file_form.php scripts. A remote attacker could exploit this vulnerability to use an affected system to send arbitrary email and spam messages.
Platforms Affected:
Data General: DG/UX Any version
Hewlett-Packard Company: HP-UX Any version
Hewlett-Packard Company: Tru64 UNIX Any version
IBM: AIX Any version
Linux: Linux Any version
Microsoft Corporation: Windows 95
Microsoft Corporation: Windows 98
Microsoft Corporation: Windows 98 Second Edition
Microsoft Corporation: Windows Me
Microsoft Corporation: Windows XP
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0
phpwcms: phpwcms 1.1-RC4 and prior
phpwcms: phpwcms 1.2.5-DEV and prior
Santa Cruz Operation, Inc.: SCO Unix Any version
SGI: IRIX Any version
Sun Microsystems, Inc.: Solaris Any version
Wind River Systems, Inc.: BSD Any version
Remedy: Apply the patch for this vulnerability, available from the phpwcms Web site. See References.
Consequences: Bypass Security
References:
FrSIRT/ADV-2006-1556, phpwcms Remote Code Execution and Mail Form Security Bypass Vulnerabilities at http://www.frsirt.com/english/advisories/2006/1556.
phpwcms Forum, Fri Apr 21, 2006 16:11, Security Alert 1.2.6 CVS at http://www.phpwcms.de/forum/viewtopic.php?t=10958.
phpwcms Web site, phpwcms at http://www.phpwcms.de.
Standards associated with this entry:
CVE-2006-7020: CRLF injection vulnerability in (1) include/inc_act/act_formmailer.php and possibly (2) sample_ext_php/mail_file_form.php in phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attackers to modify HTTP headers and send spam e-mail via a spoofed HTTP Referer (HTTP_REFERER).
Reported: Apr 21, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2007 Internet Security Systems, Inc. All rights reserved worldwide.
Labels: Advisory, Bug, Vulnerability
OSVDB ID: 31592
Disclosure Date: Jan 1, 2006
Description: Check Point Firewall-1 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker connects to port 18264 and accesses the internal certificate for the server, revealing the presence of the firewall. This may also disclose certificate revocation lists and other information resulting in a loss of confidentiality.
Vulnerability Classification: Remote/Network Access Required
Information Disclosure Attack
Loss Of Confidentiality
Exploit Available
Verified
Concern
Web Related
Products: Check Point Software Technologies, Inc. FireWall-1 Unknown or Unspecified
Solution: Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the Internal Certificate Authority interface to internal hosts.
Manual Testing Notes: http://[target]:18264/
External References:
Nessus Script ID: 22094
Vendor URL: http://www.checkpoint.com/products/firewall-1/index.html
Credit: OSVDB does not have information on who discovered this vulnerability. If you have credit information please send it to OSVDB Moderators
Vulnerability Status:
This entry was last updated on Feb 14, 2007. If you have additional information or corrections for this vulnerability please submit them to OSVDB Moderators.
Labels: Advisory, Firewall, Vulnerability
Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW Information Leak
Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000, XP, 2003, Vista
Exploitable: Yes
Type: Remote (from local network), authentication required (NULL session was not tested).
Class: Information leak
CVE: CVE-2007-0843
Intro:
It's a very simple yet interesting vulnerability. The ReadDirectoryChangesW()
API allows an application to monitor directory changes in real time. The
bWatchSubtree parameter of this function allows monitoring changes
within the whole directory tree rooted at the monitored directory. To
monitor changes, the directory must be opened with LIST access. The function
returns the list of modified files with the type of modification. File
modification refers to any modification of a file record in the directory.
Vulnerability: ReadDirectoryChangesW() doesn't check user's permissions for child directories.
Impact:
Any unprivileged user with LIST access to a parent directory can monitor
any files in its child directories regardless of the files' permissions. Because
by default Windows updates the access time of any accessed file on NTFS
volumes, this makes it possible for the user to gather information about
NTFS-protected files: their names and the time of each access to the files
(reading, writing, creation, deletion, renaming, etc.). Filenames may
contain sensitive information or leak information about a user's behavior
(e.g. cookie files).
Exploit:
http://securityvulns.com/files/spydir.c
Usage example:
spydir \\corpsrv\corpdata
I believe you will find this utility useful regardless of this security
issue. It shows names of accessed/modified files for a given directory in
real time (it seems there are non-security bugs in ReadDirectoryChangesW
implementations, e.g. you cannot see non-ASCII names and some changes
are missing).
Compiled version can be downloaded from http://securityvulns.com/soft/
Workaround:
Avoid creating more secure folders inside less secure ones. Avoid using
sensitive data in document names.
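A defender's check for the first workaround, added here and not part of 3APA3A's advisory: it walks a share and reports subdirectories that grant list access to fewer identities than their parent, since anyone who can list the parent can still watch those subdirectories through ReadDirectoryChangesW. The root path is a hypothetical value; Deny ACEs and group membership are not resolved, so the output is a triage list, not a proof.

```powershell
# Added example (not from the advisory): find "more secure folders inside
# less secure ones" under $Root. The root path is a hypothetical value.
param([string]$Root = 'D:\corpdata')

$listRight = [System.Security.AccessControl.FileSystemRights]::ListDirectory

function Get-ListIdentity {
    # Identities holding an Allow ACE that includes ListDirectory on $Path.
    # Deny ACEs and group membership are deliberately not resolved here.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $listRight) -eq $listRight)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $parentIds = @(Get-ListIdentity $_.Parent.FullName)
        $childIds  = @(Get-ListIdentity $_.FullName)
        # Identities that can list the parent but not this directory can still
        # observe its file names and change times via ReadDirectoryChangesW.
        $exposedTo = $parentIds | Where-Object { $childIds -notcontains $_ }
        if ($exposedTo) {
            [pscustomobject]@{
                Directory      = $_.FullName
                ListParentOnly = ($exposedTo -join ', ')
            }
        }
    }
```

Each reported directory is a candidate for moving out of the share or for tightening the parent's ACL; the second workaround (no sensitive data in file names) still applies while such nesting exists.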
Vendor (Microsoft):
January 17, 2006: Initial vendor notification
January 18, 2006: Vendor reply (assigned)
January 26, 2006: 2nd vendor notification
February 7, 2006: 3rd vendor notification
February 9, 2006: Vendor accepted vulnerability as "service pack class" for Windows XP and Windows 2003.
February 9, 2006: Accepted to wait until SP
February 22, 2006: Vendor gives SP timelines (late 2006 for W2K3 SP2 and 2007 for XP SP3)
February 22, 2007: Public release, because Windows Vista is released with the same vulnerability.
Labels: Advisory, Microsoft, Vulnerability
Microsoft Internet Explorer HTML tag parsing denial of service
Vulnerability Summary CVE-2006-7030
Description:
Microsoft Internet Explorer is vulnerable to a denial of service caused by a NULL pointer dereference that can occur when processing a malformed HTML document. A remote attacker could create a malicious Web page containing malformed HTML to cause a victim's browser to crash, if the victim could be persuaded to browse to the malicious page.
Note: It may also be possible for this vulnerability to be exploited for remote code execution.
Platforms Affected:
Microsoft Corporation: Microsoft Internet Explorer 6.0
Microsoft Corporation: Microsoft Internet Explorer 6.0 SP2
Microsoft Corporation: Windows 95
Microsoft Corporation: Windows 98
Microsoft Corporation: Windows 98 Second Edition
Microsoft Corporation: Windows Me
Microsoft Corporation: Windows XP
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0
Remedy:
No remedy available as of June 2006.
Consequences:
Denial of Service
References:
BugTraq Mailing List, Fri May 26 2006 - 11:56:28 CDT, Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2 at http://archives.neohapsis.com/archives/bugtraq/2006-05/0567.html.
BugTraq Mailing List, Thu May 25 2006 - 17:53:03 CDT, [BuHa-Security] DoS Vulnerability in MS IE 6 SP2 at http://archives.neohapsis.com/archives/bugtraq/2006-05/0546.html.
Standards associated with this entry:
BID-18112: Microsoft Internet Explorer Malformed HTML Parsing Denial of Service Vulnerability
Reported:
May 25, 2006
Labels: Advisory, Microsoft, Vulnerability
2007-02-19 Sourcefire Advisory: Vulnerability in Snort DCE/RPC Preprocessor
2007-02-19 Sourcefire Advisory:
Vulnerability in Snort DCE/RPC Preprocessor
Summary: Sourcefire has learned of a remotely exploitable vulnerability in the Snort DCE/RPC preprocessor. This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary. Sourcefire has prepared updates for Snort open-source software to address this issue.
This vulnerability has been identified as CVE-2006-5276.
Snort Versions Affected:
Snort 2.6.1, 2.6.1.1, and 2.6.1.2
Snort 2.7.0 beta 1
This vulnerability also affects Sourcefire commercial products. For information and updates for Sourcefire products, please go to the Sourcefire support site.
Mitigating Factors: Users who have disabled the DCE/RPC preprocessor are not vulnerable. However, the DCE/RPC preprocessor is enabled by default.
Recommended Actions: Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately.
Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor. This issue will be resolved in Snort 2.7 beta 2.
Workarounds:
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should reenable the DCE/RPC preprocessor.
Detecting Attacks Against This Vulnerability: Sourcefire will be releasing a rule pack that provides detection for attacks against this vulnerability.
FAQs: What does the update do?
Snort 2.6.1.3 (or later) removes the vulnerability by correcting the buffer overflow condition in the DCE/RPC preprocessor.
Has Sourcefire received any reports that this vulnerability has been exploited?
No. Sourcefire has not received any reports that this vulnerability has been exploited.
Acknowledgments: Sourcefire would like to thank Neel Mehta from IBM X-Force for reporting this issue and working with us to resolve it.
Labels: Advisory, Snort, Vulnerability
Kerio WinRoute Firewall Denial of Service Vulnerability
Bugtraq ID: 20584
Class: Failure to Handle Exceptional Conditions
CVE:
Remote: Yes
Local: No
Published: Oct 17 2006 12:00AM
Updated: Oct 18 2006 10:29PM
Credit: The vendor disclosed this issue.
Kerio WinRoute Firewall is prone to a remote denial-of-service vulnerability.
Exploiting this issue may permit an attacker to crash affected devices, denying further network services to legitimate users.
Kerio WinRoute Firewall 6.2.2 and prior versions are vulnerable; other versions may also be affected.
Vulnerable: Kerio WinRoute Firewall 6.2.2
Kerio WinRoute Firewall 6.2.1
Kerio WinRoute Firewall 6.2
Kerio WinRoute Firewall 6.1.4 Patch 2
Kerio WinRoute Firewall 6.1.4 Patch 1
Kerio WinRoute Firewall 6.1.4
Kerio WinRoute Firewall 6.1.3
Kerio WinRoute Firewall 6.1.2
Kerio WinRoute Firewall 6.1.1
Kerio WinRoute Firewall 6.1
Kerio WinRoute Firewall 6.0.11
Kerio WinRoute Firewall 6.0.9
Kerio WinRoute Firewall 6.0.8
Kerio WinRoute Firewall 6.0.7
Kerio WinRoute Firewall 6.0.6
Kerio WinRoute Firewall 6.0.5
Kerio WinRoute Firewall 6.0.4
Kerio WinRoute Firewall 6.0.3
Kerio WinRoute Firewall 6.0.2
Kerio WinRoute Firewall 6.0.1
Kerio WinRoute Firewall 6.0
Kerio WinRoute Firewall 5.10
Kerio WinRoute Firewall 5.1.10
Kerio WinRoute Firewall 5.1.9
Kerio WinRoute Firewall 5.1.8
Kerio WinRoute Firewall 5.1.7
Kerio WinRoute Firewall 5.1.6
Kerio WinRoute Firewall 5.1.5
Kerio WinRoute Firewall 5.1.4
Kerio WinRoute Firewall 5.1.3
Kerio WinRoute Firewall 5.1.2
Kerio WinRoute Firewall 5.1.1
Kerio WinRoute Firewall 5.1
Kerio WinRoute Firewall 5.0.9
Kerio WinRoute Firewall 5.0.8
Kerio WinRoute Firewall 5.0.7
Kerio WinRoute Firewall 5.0.6
Kerio WinRoute Firewall 5.0.5
Kerio WinRoute Firewall 5.0.4
Kerio WinRoute Firewall 5.0.3
Kerio WinRoute Firewall 5.0.2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Kerio WinRoute Firewall 5.0.1
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Not Vulnerable: Kerio WinRoute Firewall 6.2.3
Labels: Advisory
Barracuda Spam Firewall default account
gssinclannlsoftware.com
Date: Tue Aug 01 2006 - 16:18:15 CDT
Title: Barracuda Hardcoded Password Vulnerability
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair (gssinclannlsoftware.com)
Discovered on: 28 May 2006
Overview:
Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to information disclosure, which is made possible by a default guest password.
Details:
The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have a hardcoded password for the "guest" account in the Login.pm script. This script is called to validate any user who attempts to login to the barracuda's web interface (typically at http://
:8080 or https://). While the guest account has limited access, the following information can be obtained:
* system configuration including IP accesses, admin IP ACLs
* email message logs (but not the content of the messages)
* version information of both spam/antivirus definitions and system firmware version
Used in conjunction with the vulnerability "Barracuda Arbitrary File Disclosure" (NNL-20060801-02), the integrity of the system can be compromised. An attacker can use both vulnerabilities to download both confidential emails as well as the configuration information (including the admin password).
Additionally, while some accounts such as "admin" are bound by user definable IP ACLs, the guest account is not. This means that sensitive information can be disclosed to ANY IP address regardless of the user defined network restrictions.
Proof of Concept:
Enter the username "guest" into the login page of any open barracuda and the password "bnadmin99"
Recommendations:
* Never allow your Barracuda web interface to be accessible from untrusted networks (especially the Internet)
* Upgrade to version 3.3.0.54 or later
Vendor Contact:
29 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vuln report, notifies vendor of release
Labels: Advisory, Appliance, Email, Spam, Vulnerability
Microsoft IE mshtml.dll Multiple Script Action Handler Overflow
OSVDB ID: 23964
Disclosure Date: Mar 16, 2006
Description:
A remote overflow exists in Microsoft Internet Explorer. The product fails to properly check bounds when handling HTML tags with multiple event handlers, resulting in a buffer overflow. With a specially crafted HTML document, an attacker can cause affected web browsers to crash or execute arbitrary code, resulting in a loss of integrity and/or availability.
Vulnerability Classification:
Remote/Network Access Required
Denial Of Service Attack
Input Manipulation
Loss Of Integrity
Loss Of Availability
Exploit Available
Verified
Products:
Microsoft Corporation Internet Explorer 6.0 SP2
Microsoft Corporation Internet Explorer 7.0 beta 2
Microsoft Corporation Internet Explorer 7.0 beta 1
Solution:
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Manual Testing Notes:
The following HTML content demonstrates this issue by crashing the browser:
<script>
for(s='<a onclick=',i=0;i<8||(document.write(s+'>'));i++)s+=s;
</script>
External References:
Snort Signature ID: http://www.snort.org/pub-bin/sigs.cgi?sid=100000238
CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1245
National Vulnerability Database: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1245
Bugtraq ID: http://www.securityfocus.com/bid/17131
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
Generic Exploit URL: http://lcamtuf.coredump.cx/iedie.html
ISS X-Force ID: http://xforce.iss.net/xforce/xfdb/25292
Secunia Advisory ID: http://secunia.com/advisories/18957
Secunia Advisory ID: http://secunia.com/advisories/19269
Microsoft Knowledge Base Article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;912812
Other Solution URL: http://snort.org/rules/advisories/ie-issue-js-v2.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0303.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0304.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0310.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0325.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0048.html
Security Tracker: http://securitytracker.com/id?1015794
Credit:
Michal Zalewski (lcamtuf@dione.ids.pl) - Personal page (http://lcamtuf.coredump.cx/)
Labels: Advisory, Bug, http, Microsoft