Your daily source of Pwnage, Policy and Politics.

ISD Episode 21


Vulnerabilities of Interest:

  1. Apache mod_perl ‘Apache::Status’ and ‘Apache2::Status’ Cross Site Scripting Vulnerability – The Apache ‘mod_perl’ module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.  To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI. Example URI: http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
  2. Mod_Perl Path_Info Remote Denial Of Service Vulnerability – The ‘mod_perl’ module is prone to a remote denial-of-service vulnerability. Successful exploits may allow remote attackers to cause denial-of-service conditions on the webserver running the mod_perl module. Attackers can use a browser to exploit this issue.
  3. Wget NULL Character CA SSL Certificate Validation Security Bypass Vulnerability – Wget is prone to a security-bypass vulnerability because the application fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. Wget 1.11.4 is vulnerable; other versions may also be affected.  Attackers use man-in-the-middle attacks to exploit this issue.
  4. Samba Oplock Break Notification Remote Denial of Service Vulnerability – Samba is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the application to consume excessive CPU resources, denying service to legitimate users.  Versions prior to Samba 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are vulnerable. To exploit this issue, attackers can use readily available network utilities.
  5. Samba setuid ‘mount.cifs’ Verbose Option Information Disclosure Vulnerability – Samba is prone to an information-disclosure vulnerability because it fails to properly validate access privileges. Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks. Versions prior to Samba 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are vulnerable.  Attackers can use readily available tools to exploit this issue.
  6. Samba Format String And Security Bypass Vulnerabilities – Samba is prone to multiple vulnerabilities. Attackers can leverage these issues to execute arbitrary code within the context of the vulnerable application or to bypass certain security restrictions. Samba 3.0.31 through 3.3.5 are affected.  The following proof of concept is available: smb: \> put aa%3Fbb
  7. Samba Misconfigured ‘/etc/passwd’ File Security Bypass Vulnerability – Samba is prone to a vulnerability that may allow attackers to bypass certain security restrictions.  Successful exploits may allow attackers to gain access to resources that aren’t supposed to be shared. Versions prior to Samba 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are vulnerable. Attackers can use standard tools to exploit this issue.
  8. Security Readiness Review Evaluation Scripts Local Privilege Escalation Vulnerability – Department of Defense Security Readiness Review Evaluation Scripts are prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of affected computers. Security Readiness Review Scripts dated October, 2009 are vulnerable; other versions may also be affected. An attacker can exploit this issue by enticing an unsuspecting administrator to run the affected application.
  9. Corel Paint Shop Pro PNG File Handling Remote Buffer Overflow Vulnerability – Corel Paint Shop Pro is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Corel Paint Shop Pro 8; other versions may be vulnerable as well. Exploit code is available.
  10. Apple Mac OS X Java Applet Certificate Validation Security Bypass Vulnerability – Apple Mac OS X is prone to a security-bypass vulnerability because of an error in verifying Java applet certificates.  Successful exploits will allow attackers to bypass certain security restrictions and trick users into running untrusted Java applets with the privileges of trusted applets. The issue affects Mac OS X v10.5.8, OS X Server v10.5.8, OS X v10.6.2, and OS X Server v10.6.2.   An attacker can exploit this issue by enticing a user into opening a malicious applet.  There is proof of concept code available.
  11. UBB.threads Multiple File Include Vulnerabilities – UBB.threads is prone to multiple file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible. UBB.threads 7.5.4.2 is vulnerable; other versions may also be affected. An attacker can exploit these issues via a browser.  Example URLs are as follows:

    http://www.example.com/path/ubb/libs/smarty/Smarty_Compiler.class.php?_plugins_params=[RFI]

    http://www.example.com/path/ubb/libs/html.inc.php?[USER_LANGUAGE]=[RFI]

    http://www.example.com/path/ubb/ubbthreads.php?file=../../../../../../../../etc/passwd%00

  12. Neon NULL Character CA SSL Certificate Validation Security Bypass Vulnerability – Neon is prone to a security-bypass vulnerability because it fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones. This issue affects Neon when compiled against OpenSSL. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. Versions prior to Neon 0.28.6 are vulnerable. Additional applications that use the affected library may also be vulnerable.  Attackers use man-in-the-middle attacks to exploit this issue.
  13. Sun Java SE November 2009 Multiple Security Vulnerabilities – Sun has released updates to address multiple security vulnerabilities in Java SE. Successful exploits may allow attackers to bypass certain security restrictions, run untrusted applets with elevated privileges, execute arbitrary code, and cause denial-of-service conditions. Other attacks are also possible. These issues are addressed in JDK and JRE 6 Update 17, 5.0 Update 22, SDK and JRE 1.4.2_24, 1.3.1_27. Some of these issues may not require explicit exploit code and may be trivial to exploit. Working commercial exploits are available through VUPEN Security – Exploit and PoCs Service. These exploits are not otherwise publicly available or known to be circulating in the wild.
  14. Expat UTF-8 Character XML Parsing Remote Denial of Service Vulnerability – The Expat library is prone to a denial-of-service vulnerability because it fails to properly handle crafted XML data. Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable XML parsing library. Expat 2.0.1 is vulnerable; other versions may also be affected.  Exploit code is available.
  15. Postfix Local Information Disclosure and Local Privilege Escalation Vulnerabilities – Postfix is prone to a local privilege-escalation vulnerability and a local information-disclosure vulnerability.  Local attackers can exploit this issue to read other users’ mail or execute arbitrary commands with superuser privileges.  Versions prior to Postfix 2.5.4 Patchlevel 4 are vulnerable.  An attacker uses readily available commands to exploit these issues. Proof-of-concept shell script is available.
  16. Invision Power Board Local File Include and SQL Injection Vulnerabilities – Invision Power Board is prone to a local file-include vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process. Information harvested may aid in further attacks. The attacker can exploit the SQL-injection vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Invision Power Board 3.0.4 and 2.3.6 are vulnerable; other versions may also be affected. Attackers can exploit these issues via a browser. Proof of concept URLs are available:

    http://www.example.com/forum/index.php?app=core&module=global&section=register&any=?section=../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/inc

    http://www.example.com/forum/index.php?app=core&module=global&section=register/register/page__section__../../../../../../../../../../../../../../../../../../../.././tmp/inc__

    http://www.example.com/?app=forums&module=moderate&section=moderate&f=1&do=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(15)%20–%20skip%20&auth_key=c4276b77602767228faa9760eb4a5abd

    http://www.example.com/forum/?act=mod&f=1&CODE=prune_move&df=3&pergo=50&dateline=0&state=open&ignore_pin=1&max=0&starter=1%20AND%20starter_id=1%20OR%20substr(version(),1,1)=5%20AND%20sleep(16)%20–%20skip%20&auth_key=040c4a6e768d626b4c05a4bb0fbf315c

  17. Yoast Google Analytics for WordPress Plugin 404 Error Page Cross Site Scripting Vulnerability – Yoast Google Analytics for WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. This issue affects version 3.2.4 of the plugin. Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI. Example URLs are available:

    http://www.example.com/wp/?s=</script><script>alert(0)</script>

    http://www.example.com/wp/?s=");alert(0);document.write("

  18. 427BB ‘showpost.php’ SQL Injection Vulnerability – 427BB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 427BB 2.3.2 is vulnerable; other versions may also be affected. Attackers can use a browser to exploit this issue. Example URL is available: http://www.example.com/[path]/showpost.php?ForumID=1amppost=1%20union%20select%201,UserName,3,4,5,Password,7%20FROM%20427bb_personal%20WHERE%20ID=1–
  19. Achievo Document Types Section Arbitrary File Upload Vulnerability – Achievo is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.  An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.  Versions prior to Achievo 1.4.3 are vulnerable.  Attackers can use readily available tools to exploit this vulnerability.
  20. Achievo Scheduler Category HTML Injection Vulnerability – Achievo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.  Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Versions prior to Achievo 1.4.3 are vulnerable.  Attackers can use a browser to exploit this issue.
  21. Mozilla Firefox ‘document.getSelect’ Cross Domain Information Disclosure Vulnerability – Mozilla Firefox is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy. An attacker can exploit this issue to access local files or content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information that may aid in further attacks. Attackers can use readily available tools to exploit this issue.
  22. Mozilla Firefox Remote Memory Corruption Vulnerability – Mozilla Firefox is prone to a remote memory-corruption vulnerability.  Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. Proof-of-concept code is available.
  23. Linux Kernel ‘exit_notify()’ CAP_KILL Verification Local Privilege Escalation Vulnerability – The Linux kernel is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer. Versions prior to Linux kernel 2.6.29-git14 are vulnerable.  Exploit code is available.
  24. Linux Kernel ‘sendmsg()’ Local Denial of Service Vulnerability – The Linux kernel is prone to a local denial-of-service vulnerability.  Attackers can exploit this issue to create a soft lockup of the vulnerable kernel or to invoke the ‘oom-killer’ kernel functionality, which may halt unrelated processes. This may result in a denial-of-service condition. NOTE: This issue was either caused or revealed by the fix for the Linux Kernel ‘__scm_destroy()’ Local Denial of Service Vulnerability. The Linux kernel 2.6.27 and prior versions are affected. Exploit code is available.
  25. Linux Kernel Multiple Protocols Local Information Disclosure Vulnerabilities – The Linux kernel is prone to multiple local information-disclosure vulnerabilities. Local attackers can exploit these issues to obtain sensitive information that may lead to further attacks. Exploit code is available.
  26. Linux Kernel ‘/drivers/net/r8169.c’ Out-of-IOMMU Error Local Denial of Service Vulnerability – The Linux kernel is prone to a local denial-of-service vulnerability that attackers can exploit to cause an affected computer to panic.  Versions prior to the Linux kernel 2.6.26.4 are affected.  Attackers can exploit this issue with readily available commands. The following example is available: ping -f -s 3000 <IP>
  27. Linux Kernel ‘PER_CLEAR_ON_SETID’ Incomplete Personality List Access Validation Weakness – The Linux Kernel is prone to an unauthorized-access weakness because of an error in the definition of the ‘PER_CLEAR_ON_SETID’ personalities mask, which is defined in the ‘include/linux/personality.h’ source file. An attacker can exploit this issue to perform unsafe operations on a vulnerable computer, which may aid in further attacks.  An attacker can use standard tools to exploit this issue.
  28. Linux Kernel ‘pipe.c’ Local Privilege Escalation Vulnerability – The Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. Proofs of concept and exploits are available.
  29. Ghostscript ‘gdevpdtb.c’ Buffer Overflow Vulnerability – Ghostscript is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into a finite-sized buffer. Exploiting this issue allows remote attackers to overwrite a sensitive memory buffer with arbitrary data, potentially allowing them to execute malicious machine code in the context of the affected application. This vulnerability may facilitate the compromise of affected computers. Versions prior to Ghostscript 8.64 are affected. A proof-of-concept PostScript file is available.
  30. Ghostscript ‘CCITTFax’ Decoding Filter Denial of Service Vulnerability – Ghostscript is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied input. Exploiting this issue allows remote attackers to crash the application and possibly to execute code, but this has not been confirmed. Exploit code is available.
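Items 3 and 12 (Wget and Neon) share one root cause: the client compares the hostname against a certificate Common Name as if it were a NUL-terminated C string, so a CA-signed name with an embedded NUL byte passes for a name it was never issued for. The following is an added, defender-side illustration of that mechanism, not code from Wget, Neon or this page. `cn_matches_c_style` reproduces the flawed comparison, `cn_matches_safe` is the length-aware check a client should make, and `flag_suspicious_cns` is a triage helper for a dump of observed certificate names. All CN values and the hostnames `www.bank.example` and `attacker.example` are constructed placeholders.

```python
# Added illustration of the NUL-byte Common Name validation flaw (items 3
# and 12). Not code from Wget or Neon; every CN and hostname here is a
# constructed example.

WILDCARD = "*"


def _split_labels(name: str) -> list:
    """Lower-case a DNS name, drop a trailing dot, and split into labels."""
    return name.rstrip(".").lower().split(".")


def cn_matches_c_style(cn: bytes, hostname: str) -> bool:
    """Vulnerable check. Mimics a C comparison that treats the CN as a
    NUL-terminated string: everything after the first 0x00 byte is ignored,
    so b"www.bank.example\\x00.attacker.example" is accepted for
    www.bank.example even though the CA only vetted attacker.example."""
    truncated = cn.split(b"\x00", 1)[0]
    return truncated.decode("latin-1").lower() == hostname.lower()


def cn_matches_safe(cn: bytes, hostname: str) -> bool:
    """Hardened check. Uses the full, length-delimited CN: any embedded NUL
    byte is a hard failure, non-ASCII names are rejected, and labels are
    compared one by one with a single leading wildcard label allowed
    (*.bank.example matches www.bank.example, not bank.example and not
    a.www.bank.example)."""
    if not cn or b"\x00" in cn:
        return False
    try:
        cn_labels = _split_labels(cn.decode("ascii"))
    except UnicodeDecodeError:
        return False  # not a plain DNS hostname; refuse rather than guess
    host_labels = _split_labels(hostname)
    if len(cn_labels) < 2 or len(cn_labels) != len(host_labels):
        return False
    first, rest = cn_labels[0], cn_labels[1:]
    if first != WILDCARD and first != host_labels[0]:
        return False
    return rest == host_labels[1:]


def flag_suspicious_cns(cns) -> list:
    """Triage helper: return every CN that carries an embedded NUL byte,
    e.g. from a list of names seen on the wire or in an issuance log."""
    return [cn for cn in cns if b"\x00" in cn]


if __name__ == "__main__":
    # Constructed sample: a CN issued to attacker.example whose first
    # component is the victim hostname followed by a NUL byte.
    crafted = b"www.bank.example\x00.attacker.example"
    victim = "www.bank.example"
    print("C-style comparison accepts crafted CN:", cn_matches_c_style(crafted, victim))
    print("Length-aware comparison accepts it:   ", cn_matches_safe(crafted, victim))
    print("Flagged CNs:", flag_suspicious_cns([b"www.bank.example", crafted, b"*.bank.example"]))
```

The fix is not a matter of stripping the NUL byte: a name that contains one is not a valid DNS hostname at all, so the hardened path rejects it outright and only then does the label-wise comparison that the CN was supposed to get in the first place.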

News Items of Interest:

News item 1: http://www.investors.com/NewsAndAnalysis/Article.aspx?id=514450

Tech Segment:
Unless you’ve been living under a rock for the last few months, you’ve probably already heard of Kon-Boot. This tech segment is for those who have never heard of it. Kon-Boot is a prototype piece of software that allows changing the contents of a Linux kernel (and now the Windows kernel too!!!) on the fly, while booting. In its current state it allows logging into a Linux system as