Lotus Domino Cross Site Scripting and Buffer Overflows

At least two injection attack vectors have been discovered in IBM’s Lotus Domino Web Servers versions 6.x, 7.x and 8.x. These can lead to a stack based buffer overflow which may allow remote code execution and Cross Site Scripting attacks that can allow the execution of arbitrary HTML and script code. We recommend that you update your web servers as is appropriate.

The original advisories can be viewed at:



Lotus Notes Multiple Keyview Parsing Vulnerabilities

Vulnerabilities in various third-party file viewing applications can leave systems using Lotus Notes open to compromise. In specific situations, specially crafted files can allow for the execution of arbitrary code. Lotus Notes versions 7.0.3 and 8.0 are known to be vulnerable, other versions may also have issues. The file types that can be used to leverage this vulnerability are:
 Applix Presents (.ag)
 Folio Flat File (.fff)
 HTML speed reader (.htm)
 KeyView document viewing engine
 Text mail (MIME)

These issues were originally discovered by the Secunia Research team. More information can be found at: http://secunia.com/advisories/28210

IBM’s response, including remediation suggestions is available at: http://www.ibm.com/support/docview.wss?rs=463&uid=swg21298453

HP OpenView Network Node Manager Vulnerabilities

An independent researcher, Luigi Auriemma, has found several vulnerabilities in Version 7.53 of HP’s OpenView Network Node Manager. These include a format string error and stack based buffer overflows and Denial of Service issues. All of the vulnerabilities were discovered within the ovalarmsrv.exe process which listens on ports 2953 and 2954. If you are running this product you should ensure that access is limited to known and trusted parties. The original advisory can be found at: http://aluigi.altervista.org/adv/ovalarmsrv-adv.txt

Asterisk Vulnerabilities

Several vulnerabilities exist in various Asterisk products that can lead to Denial of Service conditions, the bypassing of security restrictions and may allow the compromise of an affected system.

Two of the vulnerabilities are a result of errors that can arise when RTP codecs are processed. If more than 32 RTP payloads are sent a stack-based buffer overflow may occur. In the other case a specially crafted SIP packet can be used to write 0 into certain memory locations. The final vulnerability is a result of problems that exist in SIP channel driver.

Make sure that you have updated to the releases below, as is applicable to your site:

Update to version 1.2.27.
Update to version

Asterisk Business Edition:
Update to version B.2.5.1 and C.1.6.2.

s800i (Asterisk Appliance):
Update to version

Asterisk Appliance Developer Kit:
Fixed in the SVN repository. Please see the vendor’s advisories for details.

RealPlayer Active Exploitation, MaxDB, others

A vulnerability has been reported in RealPlayer. An activex control, rmoc3260.dll, is vulnerable to remote code execution. This can be exploited when a user browses to a malicious page, and will execute code in the context of the user running the application. SANS reports that this vulnerability is being actively exploited in the wild. If you have RealPlayer installed on your system, it is highly recommended that you update to the latest version, however there is no patch available for the issue. The only current work around is to disable the affected activex control.
Two vulnerabilities have been reported in SAP’s MaxDB. These vulnerabilities can be exploited remotely and could result in code execution under the context of the running user. SAP AG has addressed this vulnerability by releasing a new version of MaxDB. For more information, consult SAP note 1140135.
Multiple vulnerabilities have been reported for IBM Informix Dynamic Server. These vulnerabilities can be exploited to cause a buffer overflow. These vulnerabilities can be exploited remotely. There is not currently a patch available. For more information see CVE-2008-0727 and CVE-2008-0949.

Thunderbird 2 MIME vulnerability

Mozilla Thunderbird has been found to contain a heap buffer overflow vulnerability due to the way it handles external-body MIME types. Systems running this version of Thunderbird are vulnerable to compromise or the execution of arbitrary code via specially crafted email messages. You should update to Thunderbird as soon as possible.

Mozilla’s advisory is located at: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html

Symantec Veritas Storage Foundation Vulnerabilities

Two new vulnerabilites have been reported in Symantec’s Veritas Storage Foundation product. Both are primarily Denial of Sevice issues, but one may lead to the execution of arbitrary code. This more serious issue is caused by input validation issues in the Administrator Service and can be exploited by sending a specially crafted packet to one of the products default ports, 3207/UDP. This vulnerability affects version 5.0 on both Windows and Unix/Linux systems. The lesser vulnerability is also caused by an input validation issue, this time in the Veritas Scheduler service. It can be exploited by sending a specially crafted packet to the default port 4888/TCP.

The original Symantec advisories are available at:
SYM08-005: http://www.symantec.com/avcenter/security/Content/2008.02.20a.html



WS_FTP Buffer Overflow Vulnerability

A vulnerability has been identified in IpSwitch’s WS_FTP Server with SSH software. The vulnerability is a buffer overflow. It is possible to exploit this issue to cause a denial of server condition, and it may be possible to execute code. The vulnerability is confirmed in IpSwitch WS_FTP Server with SSH version 6.1. Other versions may also be affected.

Buffer Overflow Ouchies for Skype and HP OpenView

Two traditional buffer overflow vulnerabilities have emerged today. The first is in the Skype product. It suffers from a heap overflow in the skype4com module. Attackers can exploit this by getting users to visit a malicious page, triggering the overflow. Obviously, Skype users should beware of any links, files or other items sent to them through the Skype network. User awareness of issues with trusting Skype content is the best solution, if your organization allows Skype at all.

Skype users should ensure that they are running the most current version, which is protected from this attack.

The second buffer overflow, this one in HP OpenView’s Network Node Manager, only impacts the following versions:

HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000, Windows XP, and Linux

Attackers can leverage this issue to execute arbitrary code on the vulnerable system. Patches are available through the OpenView support site. Patches should be applied as soon as possible!