HP InfoCenter POC, Adobe Flash Player

On Wednesday, 12 December, we posted about a vulnerability in the HP Info Center software pre-loaded on HP laptops. We now have reports that a working proof-of-concept (POC) exploit exists that grants remote access. HP has provided a workaround that consists of disabling the HP Info Center. More information, including the workaround, can be found at the following URLs:

ftp://ftp.hp.com/pub/softpaq/sp38001-38500/
ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

Clam AntiVirus (ClamAV) is vulnerable to remote exploitation of an integer overflow in its processing of PE files packed with the MEW packer. Because a scanner examines attacker-supplied files by design, a crafted executable (for example, a mail attachment passing through a gateway) is enough to reach the bug. Exploitation can result in execution of code in the context of the application running libclamav; if the clamd daemon is exploited, code runs as the clamav user. ClamAV 0.91.2 is affected. As a workaround, PE parsing can be disabled by passing --no-pe to clamscan (note that this turns off all PE-specific analysis, not just MEW unpacking); the fix is to update to version 0.92.

Multiple vulnerabilities have been reported in Adobe’s Flash Player. They affect Adobe Flash CS3, Adobe Flash Player 9.x, Adobe Flex 2.x, Macromedia Flash 8.x, Macromedia Flash Player 7.x, and Macromedia Flash Player 8.x. The outcomes range from denial of service to compromise of the user’s system. Updates are available for each affected Flash Player version. Note that this will be the last update for Adobe Flash Player 7, so users still on 7.x should plan to move to a supported version.

Additionally, a vulnerability that could allow system compromise exists in AIX 5.2, 5.3, and 6.1: a buffer overflow in Perl’s handling of Unicode data in regular expressions. Interim fixes are available at ftp://aix.software.ibm.com/aix/efixes/security/perl_ifix.tar.

Citrix Web Interface is vulnerable to an unspecified cross-site scripting attack in the online help portion of the software. More information can be found in the original advisory: http://support.citrix.com/article/CTX115283

Apple Security Update, Various Overflows

Apple has released Security Update 2007-009. It contains fixes for several critical vulnerabilities, plus fixes for other issues. Updates are available for Mac OS X 10.4.11 and 10.5.1. For a complete list of the vulnerabilities fixed, please visit http://docs.info.apple.com/article.html?artnum=307179.

There is a buffer overflow in HP-UX. The issue lies in a call to sw_rpc_agent_init within swagentd, the Software Distributor agent daemon, which, if given malformed arguments, can overflow a buffer. This could allow attackers to execute arbitrary code, and authentication is not required. Hewlett-Packard has released an update to address this vulnerability, available from HP document ID #SB2294r1.

Trend Micro ServerProtect exposes an insecure method in StRpcSrv.dll. The bug is reachable through the SpntSvc.exe daemon listening on TCP port 5168. An attack against this vector could result in full file system access, which could be leveraged to execute arbitrary code. An update for this issue has been released; more information can be found at http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt.

The Perl package Net::DNS is vulnerable to a denial of service. By sending a malformed DNS reply to a server or application that uses Net::DNS, it is possible to make the module crash, which in turn crashes the application running it. Net::DNS version 0.60 build 654 is vulnerable. This issue has been assigned CVE-2007-6341.

St. Bernard Open File Manager is vulnerable to a heap-based buffer overflow caused by a boundary error in ofmnt.exe: an attacker can send a malicious packet to the service and trigger the overflow, which could result in code execution as SYSTEM. Version 9.6 build 602, available to customers, addresses this issue. Other vendors that bundle this software may have made updates available as well.

Mac Java, JUNOS, and a Samba Exploit

Mac OS X has multiple vulnerabilities in Java. An error in a Java access check could be exploited by a specially crafted Java applet to add or remove items from a Keychain without prompting the user. This affects Mac OS X versions prior to 10.5. The next issue is in Java 1.4 and J2SE 5.0 and could allow a denial of service, bypass of security mechanisms, or compromise of a user’s system. Users of Mac OS X 10.4 should install Java for Mac OS X 10.4 Release 6 (Apple’s update package for the bundled 1.4 and 5.0 runtimes, not to be confused with Java SE 6).

A vulnerability in Juniper JUNOS can be exploited to cause a denial of service. It stems from an error in processing BGP UPDATE messages and can be triggered by a specially crafted BGP message from an established peer, so exposure is limited to peers the router already exchanges routes with. Administrators of Juniper devices should apply the vendor-recommended updates, available at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMode=view.

The Samba mailslot vulnerability reported earlier this month now has public exploit code available. Samba 3.0.27a and earlier 3.0.x releases contain a stack-based buffer overflow in send_mailslot() that is reached when nmbd processes “SAMLOGON” domain logon packets; only servers configured with domain logons enabled (acting as a domain logon server) are exposed. The code currently available only causes a denial of service, but the underlying stack overflow could allow code execution. Samba 3.0.28, which fixes the issue, is available.

Ohio Voting Systems Review (EVEREST)

MicroSolved, Inc. announced today that it has completed its assessment of the security of Ohio’s electronic voting systems. The testing, a part of project EVEREST, was led by the Ohio Secretary of State’s office and was designed to provide a comprehensive, independent and objective assessment of the risks to election integrity associated with Ohio’s voting systems. The project leveraged MicroSolved’s methodologies and in-depth experience to perform “red team” penetration testing of the voting systems. MicroSolved emulated various attacks against the voting systems and analyzed the impact of these attacks on the confidentiality, integrity and availability of the voting systems and their election data.

While the study revealed several critical security issues in the various election systems, MicroSolved also identified specific strategies for mitigating or managing these risks. “By applying the identified mitigation strategies, all of the administrative stakeholders in the elections process have an opportunity to demonstrate their commitment to the integrity of Ohio’s elections,” said Brent Huston, CEO of MicroSolved. “While these strategies require hard work, significant investment in resources and continued vigilance, they represent the best approach to creating truly secure mechanisms for electronic voting in Ohio.”

“We appreciate the opportunity to participate in the EVEREST project and to help the Secretary of State further her goal of restoring trust in Ohio’s elections,” Huston added.

For information about the specifics of the project, MicroSolved’s role and findings, please see http://www.microsolved.com/everest/.

QuickTime version 7.3.1

Apple has released QuickTime version 7.3.1 to address the RTSP vulnerability we talked about earlier. Coinciding with this release, Apple has published information on two additional vulnerabilities. Both of the new vulnerabilities allow for the execution of code, so everyone with QuickTime on their systems should apply the update.

HP-UX, Solaris and Avaya

HP-UX DCE Denial of Service

An unspecified issue has been reported in HP-UX programs that use DCE, Software Distributor (SD) among them. A successful exploit can cause a remote denial of service. Separately, HP-UX systems running some versions of OpenSSL are also prone to denial of service and possibly system compromise.

For more details see the HP Support Documents:

* HPSBUX02294 SSRT071451 (DCE DoS)
* HPSBUX02296 SSRT071504 (OpenSSL DoS/Code Execution)

Solaris 10 NFS Privilege Escalation
Solaris 10 systems running kernel patch 120011-04 or later (SPARC) or 120012-04 or later (x86) may allow unauthorized root access to files served over NFS. To be vulnerable, the system must be running an NFS server and have one or more netgroups granted root privileges (via the root= option of share_nfs). Full details can be found in Sun Alert 103162 on SunSolve.

Avaya Products Using Samba

Avaya products that use Samba may be at risk of system compromise. The affected products are Intuity Audix LX, Messaging Storage Server and Message Networking. Full details can be found in ASA-2007-520.

SquirrelMail 1.4.12 Package Was Compromised

After reports of squirrelly package checksums, the developers discovered that the distribution archive for version 1.4.12 had been modified by a third party. The altered code is PHP, though the effect of the changes has not yet been determined. The development team “strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.” Anyone who installed from such a copy should compare its checksum against the one published by the project and treat a mismatch as a compromised install, not just a bad download.

For full details and correct checksums see http://www.squirrelmail.org

Avaya PCRE, IBM AIX Multiple Vulns

Certain Avaya products are affected by a vulnerability in PCRE (Perl Compatible Regular Expressions). It could cause a denial of service on the Avaya system, or lead to compromise of the application using the affected library. The following applications are affected:

* Avaya Communication Manager (CM 3.x and 4.x)
* Avaya CCS/SES (3.1.1, 3.1.2 and 4.0)
* Avaya AES (4.0.1, 4.1)
* Avaya Intuity AUDIX LX (2.0)
* Avaya Message Networking (3.1)
* Avaya Messaging Storage Server (MSS 3.x)

For more information, see the original advisory at http://support.avaya.com/elmodocs2/security/ASA-2007-505.htm.

IBM AIX 5.x contains multiple, unspecified vulnerabilities, too many to list here. If you run AIX 5.x, please visit IBM support and obtain the latest updates for your specific version.

In Other News

WordPress – Another SQL injection vector has been discovered, this time in the search function. At this time it is known to be exploitable when the database uses the Big5 or GBK character sets. Other multibyte character sets in which a backslash (0x5C) can occur as the trailing byte of a character may also be exploitable: a byte-oriented escaping routine inserts a backslash before a quote, the preceding byte plus that backslash is then read by the database as one valid multibyte character, and the quote is left unescaped. Successful attacks can reveal the contents of the underlying database or be used in conjunction with other vulnerabilities to gain administrative privileges on the host server.
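To make the charset mechanism concrete, here is an added example written for this post (it is not WordPress’s or PHP’s code). It models a byte-oriented escaper in the style of PHP’s addslashes(), feeds it a constructed payload consisting of a lone lead byte followed by a single quote, and shows how the escaped bytes decode under GBK, Big5 and UTF-8 using Python’s own codecs. It also generalizes the point in the text by scanning a charset for every lead byte that will swallow a backslash, and contrasts the vulnerable order (escape, then decode) with the safe order (decode, then escape), which is what a charset-aware escaper or a parameterized query gives you.

```python
# Added illustration, not WordPress or PHP code: how byte-oriented escaping is
# defeated when the database reads the result in a multibyte charset such as
# GBK or Big5, and why escaping at the character level closes the hole.
# The payload below is constructed for the demo.

def php_addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes():
    prefix ', ", \\ and NUL with a backslash, with no knowledge of charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(text: str) -> bool:
    """True if a single quote appears that is not preceded by an escaping backslash."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def escape_then_decode(payload: bytes, charset: str) -> str:
    """Vulnerable order: escape raw bytes first, then let the database
    interpret the result in its connection charset."""
    return php_addslashes(payload).decode(charset, errors="replace")


def decode_then_escape(payload: bytes, charset: str) -> str:
    """Safe order (what a charset-aware escaper does): decode to characters
    first, so an inserted backslash can never be absorbed into a multibyte char."""
    text = payload.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def backslash_absorbing_lead_bytes(charset: str) -> list[int]:
    """Lead bytes for which 0x5C is accepted as the trailing byte of a single
    two-byte character; a non-empty list means the charset is exploitable this way."""
    leads = []
    for lead in range(0x80, 0x100):
        try:
            decoded = bytes([lead, 0x5C]).decode(charset)
        except UnicodeDecodeError:
            continue
        if len(decoded) == 1:  # the backslash was consumed as part of one character
            leads.append(lead)
    return leads


# Constructed attacker input: a lone lead byte followed by a single quote.
PAYLOAD = b"\xbf'"

if __name__ == "__main__":
    for cs in ("gbk", "big5", "utf-8"):
        vuln = escape_then_decode(PAYLOAD, cs)
        safe = decode_then_escape(PAYLOAD, cs)
        print(f"{cs:6} escape-then-decode -> {vuln!r}, unescaped quote: {has_unescaped_quote(vuln)}")
        print(f"{cs:6} decode-then-escape -> {safe!r}, unescaped quote: {has_unescaped_quote(safe)}")
        print(f"{cs:6} lead bytes that absorb a backslash: {len(backslash_absorbing_lead_bytes(cs))}")
```

Under GBK the escaped bytes 0xBF 0x5C 0x27 decode to one CJK character followed by a bare quote, so the injection succeeds; under UTF-8 the backslash survives and the quote stays escaped. In PHP the equivalent of decode_then_escape() is mysql_real_escape_string() with the connection charset set through mysql_set_charset(), and better still a prepared statement, which never splices user bytes into the query text at all.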

HP Laptops – Multiple Hewlett-Packard notebooks are vulnerable to remote code execution via the pre-loaded “HP Info Center” software; an ActiveX control within the software is the cause of the vulnerability. A patch is not yet available for this issue.

SquirrelMail GPG Plugin – Two vulnerabilities have been discovered in this plugin. The first allows a user to delete or modify files owned by the account the web site runs as. The second allows users to modify the HTML of the displayed message.

Latest Set of Microsoft Patches

A total of seven new Microsoft patches were released yesterday. Three were rated Critical by Microsoft and the remaining four Important. There are exploits available for MS07-065, MS07-067 and MS07-069. Below is a quick summary of the releases; more details can be obtained from the original MS advisories:
http://www.microsoft.com/protect/computer/updates/bulletins/200712.mspx

Rated Critical
MS07-064 Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
MS07-068 Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
MS07-069 Cumulative Security Update for Internet Explorer (942615)

Rated Important
MS07-063 Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
MS07-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
MS07-066 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
MS07-067 Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)