Vulnerable HSQLDB; ARCServe and BorderManager

Posted on December 6, 2007 by Nathan Grandbois

Two different applications implementing HSQLDB contain vulnerabilities. The first is in OpenOffice, where there is an unspecified error in the HSQLDB database that can be exploited to execute Java code through a malicious database document. OpenOffice versions prior to 2.3.1 are affected. Next, JBOSS is affected by remote command injection vulnerability. Due to certain flaws, an attacker can pass commands to the HSQLDB component on TCP port 1701 (for JBOSS 3.2.1) or TCP port 1476 (for JBOSS 3.0.8). Multiple attacks can be performed leveraging this vulnerability, such as command execution in the database and potentially the OS, Denial of Service, etc. This issue is reported to exist with JBOSS 3.2.1/3.0.8 on any Java 1.4.x-enabled platforms. Other versions may also be affected.

CA BrightStor ARCServe BackUp R11.5 is affected by a remote stack overflow vulnerability. The flaw exists in the CA BrightStor Message Engine. This is a result of errors in the handling of RPC requests to TCP port 6504. Successful exploitation of this vulnerability will result in remote code execution. CA has released an update for this issue, available at http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

Novell BorderManager 3.8 SP5 contains multiple vulnerabilities. An issue in the Novell Client Trust can be exploited to execute arbitrary code. An error in handling certain encoded HTTP traffic can be exploited to bypass security controls. Also, proxy authentication can be bypass when the traffic is sourced from another proxy. Novell has released Support Pack5 Interim Release 1, available at http://download.novell.com/Download?buildid=_E_defvCXnE~.

Cisco Vulns, OS X DoS, SWFIntruder

Posted on December 5, 2007 by Nathan Grandbois

A cross site scripting vulnerability has been found in CiscoWorks. The XSS is present in the initial login page. Attackers could use this to steal cookies or execute arbitrary html or script code on a remote user. CiscoWorks versions 2.6 and prior are vulnerable, and Cisco has released a patch for this issue.

The Cisco 7940 SIP Phone is vulnerable to an interesting denial of service. Sending malformed SIP INVITE messages to a 7940 phone can cause the device to reboot, or be put under the DoS condition. If INVITE packets are then sent at certain intervals, the DoS condition will persist. The phone will be in a seemingly working condition, where it continues to send REGISTER commands to the server, but will ring busy on incoming calls and return busy on any calls made by the user. There was no patch or update listed with the advisory.

Cisco Security Agent (CSA) for Windows and Cisco Security Manager are vulnerable to a remote buffer overflow attack. This can be exploited by sending a specially crafted TCP message to port 139 or 445 on a system running the CSA. This could result in a stop error (blue screen) or remote code execution. Cisco has released a free software update to address this vulnerability.

Two Denial of Service attacks for MacOS X have had their exploit code released. The first is in the vpnd which has been tested in Apple MACOS X 10.5.0. The second DoS in a local one in the kernel. This has been testing in Apple MACOS X 10.4 (xnu-792.22.5~1/RELEASE_I386), Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386) and Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_PPC).

WabiSabi Labs (the online exploit auction group), reportedly has a QuickTime vulnerability that could result in remote code execution that is different from the one we mention in “QuickTime 7.2/7.3 RTSP Exploits” (https://stateofsecurity.com/?p=162). We have no way to accurately verify this information though.

A new tool has been released yesterday. The tool, SWFIntruder, is “the first tool specifically developed for analyzing and testing security of Flash applications at runtime.” [1] This looks to be a powerful tool to test flash implementations for the presence of XSS of XSF issues in a semi automated manner. If you are responsible for testing web applications, this may be a tool you’ll want to have a look at.

1. https://www.owasp.org/index.php/Category:SWFIntruder

Multiple XSS Vulnerabilities and 27MHz Research

Posted on December 3, 2007 by Nathan Grandbois

Two cross site scripting vulnerabilities were announced today in F5 Firepass 4100 SSL VPN and Apache 2.2.3 and 2.0.46 and above. In the F5 device, input passed to my.activation.php3 and my.logon.php3 is not properly sanitized before returning to the user. In Apache, input via the HTTP method is not properly sanitized before being sent to the user when a “413 Request Entity Too Large” error page is displayed. Both issues can be exploited to execute script or HTML code in a user’s browser session.

A security research team has demonstrated the ability to intercept communications between 27 Mhz keyboards and a computer. The team was able to reverse engineer the packets and break the trivial encryption to sniff commands entered between the keyboard and the computer. Reportedly this can be performed up to 10 m away. Maybe it’s time to take a look at your company’s security policy and see what’s in it about wireless keyboards and reevaluate those decisions.

Avaya Products Multiple Vulnerabilities

Posted on November 29, 2007 by Nathan Grandbois

Avaya has released information on multiple vulnerabilities within their products. The first issue is an error in certain OpenSSL functions. A certain function can be exploited to cause a buffer overlow and a weakness in the RSA implementation can be exploited to reveal the private keys. The following products are affected:

Avaya Communication Manager (CM 3.0)
Avaya EMMC (1.017, 1.021)
Avaya CCS/SES (3.1 and earlier)
Avaya AES (AES 3.1.4 and earlier)

The next set of issues lies in the PCRE libraries. When parsing certain regular expressions an integer overflow can occur and result in a denial of service or potentially compromise an application using the library. Additionally, an error processing multiple unspecified character classes can be exploited to cause insufficient memory allocation.

The following versions are affected:

Avaya Communication Manager (CM 3.1, CM 4.x)
Avaya Intuity AUDIX LX (IALX 2.0)
Avaya Messaging Storage Server (MSS 3.x)
Avaya Message Networking (MN 3.1)
Avaya CCS/SES (3.1.1, 3.1.2, 4.0)
Avaya AES (AES 4.0.1)

Symantec Backup Exec DoS and Phishing Survey

Posted on November 28, 2007 by Nathan Grandbois

Symantec Backup Exec for Windows Servers is vulnerable to denial of service. There are two different issues that could cause a denial of service, one being a NULL pointer reference that can cause the backup exec job engine service to crash with a specially crafted packet sent to TCP port 5633. Two integer overflows within the engine, triggered by a specially crafted packet to port 5633 can cause the service to enter an infinite loop consuming large amounts of CPU time. Backup Exec version 11d build 11.0.7170 and version 11d build 11.0.6.6235 are affected. Users should upgrade to versions Build 11.0.7170 and Build 11.0.6235 respectively.

We found a survey published today that some of you may be interested in. Cloudmark Inc., an anti-spam, anti-phishing outfit, released a survey about phishing sites, and the effects on the perception of the company being phished. It seems that some people (42% of the people surveyed) would have their trust in the brand “greatly reduced” after receiving a phishing email claiming to be from them. Now, of course the phishing email has absolutely nothing to do with the actual company, but it still seems to leave an impression. If the results of this survey can be trusted, it looks like some consumers need to be educated about phishing attacks and the relation to the brand.

Quicktime 7.2/7.3 RTSP Exploits

Posted on November 26, 2007 by Nathan Grandbois

Quicktime versions 7.2 and 7.3 are vulnerable to a stack based overflow. This vulnerability is caused by a boundary error when processing RTSP (Real Time Streaming Protocol) replies. This can be exploited by sending a specially crafted RTSP reply with a long “Content-Type” header. Exploitation requires that a user visits a malicious URL or open a malicious QTL file. Working exploit code is available to the public. There is no update available at this time, so users should beware suspicious links or Quicktime files (qtl).

Linksys XSS

Posted on November 21, 2007 by Nathan Grandbois

Bit Defender Online Scanner is vulnerable to remote code execution. A vulnerable ActiveX control can be exploited to execute code on a users system. The vulnerability is reported in version 8.0. There is an updated version available.

Linksys WAG54GS has some cross site scripting issues. Two separate issues can result in either script code execution in a user’s browser, or result in administrative function being performed by others when a logged in administrator visits a malicious site. These vulnerabilities are present in 1.00.06

Perl and PHP Issues, Citrix XSS

Posted on November 20, 2007 by Nathan Grandbois

Perl 5.8.8 contains a buffer overflow when processing certain regular expressions. The overflow can occur when switching between byte and Unicode characters. This affects currently installed versions of dev/lang. Users should apply their distributions’ updated version or rebuild the source with a patch applied.

PHP 5.2.4 is vulnerable to multiple issues. Successful exploitation could result in a denial of service condition, could allow an attacker to bypass security restrictions, or ultimately execute arbitrary code. PHP has released version 5.2.5 to address these issues.

Citrix NetScaler contains a XSS bug in the management interface. The vulnerability has been identified in version 8.0, build 47.8 and other versions may be affected. Users of this software should not remain logged in to the management interface while browsing other web sites.

Don’t Open that Jar:

Posted on November 9, 2007 by Nathan Grandbois

A vulnerability in the handling of the jar: URI handler has been announced. The way that browsers, notably Firefox, handle the jar: handler allows for persistent cross site scripting. Any file with the MIME type of zip can be used to exploit this vulnerability, even without the .zip extension. There’s no workaround for this issue right now. Some options include never visiting jar: links in web pages, or installing the development version of NoScript extension for Firefox. The Firefox development team is working on a resolution, but one is not available at this time. For more information, visit the Mozilla bugs page at https://bugzilla.mozilla.org/show_bug.cgi?id=369814.

In other vulnerability news, a PoC has been released for a stack overflow in Adobe Shockwave. Sun Solaris’ version of Mozilla (1.7) is vulnerable to several issues and should be upgraded.

Oracle 10gR2 Vuln, Old AIX Vuln Exploited

Posted on November 8, 2007 by Nathan Grandbois

Oracle Database 10g Release 2 is vulnerable to a buffer overflow. This vulnerability is due to an error in the processing of the NAME and OWNER arguments sent to the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure. If the combined length of the two arguments is of a certain length, a buffer overflow will occur and allow the execution of arbitrary code. This vulnerability can only be exploited by authenticated users. Oracle has a fix slated for release in the next Critical Patch Update.

An exploit has been released for an AIX format string vulnerability. The exploit is coded to address CVE-2006-4254. A patch has been available for quite some time. If you’re an admin of an AIX system and haven’t applied any APAR’s lately, now would be the time to consider doing it.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Nathan Grandbois