*************************************************************************
@RISK: The Consensus Security Vulnerability Alert
October 9, 2008
Vol. 7. Week 41
*************************************************************************
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week and
providing guidance on appropriate actions to protect your systems (PART I).
It also includes a comprehensive list of all new vulnerabilities discovered
in the past week (PART II).
Summary of Updates and Vulnerabilities in this Consensus

Platform                                  Number of Updates and Vulnerabilities
------------------------                  -------------------------------------
Windows                                   1
Third Party Windows Apps                  6 (#4)
Mac Os                                    1
Linux                                     5
HP-UX                                     1
Cross Platform                            27 (#1, #2, #3)
Web Application - Cross Site Scripting    12
Web Application - SQL Injection           21
Web Application                           25
*************************************************************************
Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (http://www.tippingpoint.com/)
Widely Deployed Software
(1) CRITICAL: Novell eDirectory Multiple Vulnerabilities
(2) CRITICAL: Opera Multiple Vulnerabilities
(3) HIGH: Multiple TCP Implementations Denial-of-Service
(4) HIGH: mIRC Private Message Handling Buffer Overflow
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (http://www.qualys.com/)
- -- Windows
08.41.1 - Microsoft Windows Vista Local Denial of Service
- -- Third Party Windows Apps
08.41.2 - Debian xsabre Insecure Temporary File Creation
08.41.3 - ESET SysInspector "esiadrv.sys" Local Privilege Escalation
08.41.4 - mIRC "PRIVMSG" Buffer Overflow
08.41.5 - Vba32 Personal Antivirus Archive Parsing Denial of Service
08.41.6 - AyeView GIF Image Handling Denial of Service
08.41.7 - iseemedia "LPControl.dll" LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities
- -- Mac Os
08.41.8 - Apple Mail S/MIME Draft Message Encryption Weakness
- -- Linux
08.41.9 - Linux kernel "fs/direct-io.c" Local Denial of Service
08.41.10 - Fedora 8/9 Linux Kernel "utrace_control" NULL Pointer Dereference Denial of Service
08.41.11 - Linux Kernel LDT Selector Local Privilege Escalation and Denial of Service
08.41.12 - Linux Kernel "generic_file_splice_write()" Local Privilege Escalation
08.41.13 - Debian mon "alert.d/test.alert" Insecure Temporary File Creation
- -- HP-UX
08.41.14 - HP-UX NFS/ONCplus Unspecified Remote Denial of Service
- -- Cross Platform
08.41.15 - Multiple Vendors IPv6 Neighbor Discovery Protocol Implementation Address Spoofing
08.41.16 - Trend Micro OfficeScan and Worry-Free Business Security Multiple Vulnerabilities
08.41.17 - vxFtpSrv CWD Command Buffer Overflow
08.41.18 - Xerces-C++ "maxOccurs" XML Parsing Remote Denial of Service
08.41.19 - Adobe Flash Player SWF Version Null Pointer Dereference Denial of Service
08.41.20 - TCP/IP Protocol Stack Unspecified Remote Denial of Service
08.41.21 - Apple QuickTime "STSZ" Atoms Memory Corruption
08.41.22 - Apple QuickTime PICT Denial of Service
08.41.23 - Novell eDirectory Multiple Buffer Overflow And Denial of Service Vulnerabilities
08.41.24 - libxml2 Denial of Service
08.41.25 - RhinoSoft Serv-U FTP Server "sto con:1" Denial of Service
08.41.26 - Serv-U FTP Server "rnto" Command Directory Traversal
08.41.27 - VMware Products In-Guest Privilege Escalation and Information Disclosure Vulnerabilities
08.41.28 - OpenNMS HTTP Response Splitting
08.41.29 - Dovecot ACL Plugin Multiple Security Bypass Vulnerabilities
08.41.30 - Simple Machines Forum HTTP POST Request Filter Security Bypass
08.41.31 - MetaGauge Web Server Directory Traversal
08.41.32 - Lighttpd URI Rewrite/Redirect Information Disclosure
08.41.33 - Lighttpd "mod_userdir" Case Sensitive Comparison Security Bypass
08.41.34 - D-Bus "dbus_signature_validate()" Type Signature Denial of Service
08.41.35 - Internet Download Manager File Parsing Buffer Overflow
08.41.36 - KDE Konqueror Font Color Assertion Denial of Service
08.41.37 - Mozilla Firefox Internet Shortcut Same Origin Policy Violation
08.41.38 - PHP FastCGI Module File Extension Denial of Service Vulnerabilities
08.41.39 - Skype Toolbars Extension for Firefox BETA Clipboard Security Weakness
08.41.40 - Condor Prior to 7.0.5 Multiple Security Vulnerabilities
08.41.41 - Adobe Flash Player Unspecified Clickjacking
- -- Web Application - Cross Site Scripting
08.41.42 - Celoxis Multiple Cross-Site Scripting Vulnerabilities
08.41.43 - H-Sphere WebShell "actions.php" Multiple Cross-Site Scripting Vulnerabilities
08.41.44 - WikyBlog Multiple Cross-Site Scripting Vulnerabilities
08.41.45 - Blosxom "blosxom.cgi" Cross-Site Scripting
08.41.46 - Dreamcost HostAdmin "index.php" Cross-Site Scripting
08.41.47 - OpenNMS "surveillanceView.htm" Cross-Site Scripting
08.41.48 - MediaWiki "useskin" Cross-Site Scripting
08.41.49 - Blue Coat WebFilter ICAP Patience Page Cross-Site Scripting
08.41.50 - AutoNessus "bulk_update.pl" Cross-Site Scripting
08.41.51 - Website Directory "index.php" Cross-Site Scripting
08.41.52 - VeriSign Kontiki Delivery Management System "action" Parameter Cross-Site Scripting
08.41.53 - Nucleus CMS EUC-JP Cross-Site Scripting
- -- Web Application - SQL Injection
08.41.54 - ASPapp Knowledge Base "catid" Parameter SQL Injection
08.41.55 - Discussion Forums 2k Multiple SQL Injection Vulnerabilities
08.41.56 - noName CMS Multiple SQL Injection Vulnerabilities
08.41.57 - BMForum "plugins.php" SQL Injection
08.41.58 - eZoneScripts Link Trader Script "ratelink.php" SQL Injection
08.41.59 - OpenX "bannerid" SQL Injection
08.41.60 - AdaptCMS Lite "check_user.php" SQL Injection
08.41.61 - Full PHP Emlak Script "arsaprint.php" SQL Injection
08.41.62 - IP Reg "login.php" SQL Injection
08.41.63 - XAMPP for Windows "cds.php" SQL Injection
08.41.64 - PHP-Fusion "triscoop_race_system" Module "raceid" Parameter SQL Injection
08.41.65 - PHP-Fusion "recept" Module "kat_id" Parameter SQL Injection
08.41.66 - PHP-Fusion "raidtracker_panel" Module "INFO_RAID_ID" Parameter SQL Injection
08.41.67 - PHP-Fusion "manuals" Module "manual" Parameter SQL Injection
08.41.68 - geccBBlite "leggi.php" Parameter SQL Injection
08.41.69 - XAMPP for Windows "phonebook.php" SQL Injection
08.41.70 - AmpJuke "index.php" SQL Injection
08.41.71 - Galerie "pic" Parameter SQL Injection
08.41.72 - PHP Auto's "searchresults.php" SQL Injection
08.41.73 - Select Development Solutions Multiple Products "view_cat.php" SQL Injection
08.41.74 - YourOwnBux "usNick" Cookie Parameter SQL Injection
- -- Web Application
08.41.75 - Crux Gallery "index.php" Local File Include
08.41.76 - MySQL Quick Admin "index.php" Local File Include
08.41.77 - phpScheduleIt "reserve.php" Remote Code Execution
08.41.78 - RPortal "file_op" Parameter Remote File Include
08.41.79 - phpscripts Ranking Script Cookie Authentication Bypass
08.41.80 - Juniper ScreenOS HTML Injection
08.41.81 - MediaWiki "$wgGroupPermissions" Configuration Security Bypass
08.41.82 - Bux.to Clone Script Cookie Authentication Bypass
08.41.83 - OLIB7 WebView "infile" Parameter Local File Include
08.41.84 - Drupal Brilliant Gallery Module SQL Injection and Cross-Site Scripting Vulnerabilities
08.41.85 - CCMS "skin" Parameter Multiple Local File Include Vulnerabilities
08.41.86 - Kwalbum "UploadItems" Parameter Arbitrary File Upload
08.41.87 - pPIM "id" Parameter Local File Include
08.41.88 - JMweb "src" Parameter Multiple Local File Include Vulnerabilities
08.41.89 - FOSS Gallery Arbitrary File Upload
08.41.90 - phpAbook Cookie Local File Include
08.41.91 - Fastpublish CMS Local File Include and SQL Injection Vulnerabilities
08.41.92 - K9 Web Protection Authentication Bypass Vulnerabilities
08.41.93 - Phorum Image Tag HTML Injection
08.41.94 - PHP Web Explorer Multiple Local File Include Vulnerabilities
08.41.95 - asiCMS "_ENV[asicms][path]" Parameter Multiple Remote File Include Vulnerabilities
08.41.96 - Yerba "mod" Local File Include
08.41.97 - IBM Quickr Denial of Service and Security Bypass Vulnerabilities
08.41.98 - Atarone Version 1.2.0 Multiple Input Validation Vulnerabilities
08.41.99 - Yerba SACphp 6.3 Multiple Remote Vulnerabilities
______________________________________________________________________
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort to
ensure that its intrusion prevention products effectively block exploits
using known vulnerabilities. TippingPoint's analysis is complemented by
input from a council of security managers from twelve large organizations
who confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be found
at http://www.sans.org/newsletters/cva/#process
*****************************
Widely Deployed Software
*****************************
(1) CRITICAL: Novell eDirectory Multiple Vulnerabilities
Affected:
Novell eDirectory versions prior to 8.7.3 SP10 FTF1
Description: Novell eDirectory is Novell's implementation of the
Lightweight Directory Access Protocol (LDAP). It contains multiple buffer
and integer overflows in a variety of subsystems. A specially crafted
request to the server could exploit one of these vulnerabilities.
Successfully exploiting one of these vulnerabilities would allow an
attacker to execute arbitrary code with the privileges of the vulnerable
process (usually SYSTEM). The vulnerabilities exist in the server's SOAP
interface and Core Protocol interface. Technical details for these
vulnerabilities are publicly available.
Status: Vendor confirmed, updates available.
References:
Zero Day Initiative Advisories
http://zerodayinitiative.com/advisories/ZDI-08-066/
http://zerodayinitiative.com/advisories/ZDI-08-065/
http://zerodayinitiative.com/advisories/ZDI-08-064/
http://zerodayinitiative.com/advisories/ZDI-08-063/
Novell Changelog
http://www.novell.com/support/viewContent.do?externalId=3477912
Wikipedia Article on LDAP
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
Wikipedia Article on the Netware Core Protocol
http://en.wikipedia.org/wiki/NetWare_Core_Protocol
Wikipedia Article on SOAP
http://en.wikipedia.org/wiki/SOAP
Vendor Home Page
SecurityFocus BID
http://www.securityfocus.com/bid/31553
**********************************************************
(2) CRITICAL: Opera Multiple Vulnerabilities
Affected:
Opera versions prior to 9.60
Description: Opera is a popular cross-platform web browser and suite of
internet applications. It contains multiple vulnerabilities in its
handling of addresses and Java applets. A specially crafted address used
in a redirection can result in a buffer overflow vulnerability.
Successfully exploiting this vulnerability would allow an attacker to
execute arbitrary code with the privileges of the current user. Full
technical details for this vulnerability are publicly available.
Additionally, a flaw in the handling of Java applets can result in an
information-disclosure vulnerability.
Status: Vendor confirmed, updates available.
References:
Matasano Advisory
http://www.matasano.com/log/1182/i-broke-opera/
Opera Security Advisories
http://www.opera.com/support/search/view/901/
http://www.opera.com/support/search/view/902/
Vendor Home Page
SecurityFocus BIDs
http://www.securityfocus.com/bid/31643
http://www.securityfocus.com/bid/31631
**********************************************************
(3) HIGH: Multiple TCP Implementations Denial-of-Service
Affected:
Multiple TCP implementations
Description: TCP is the Transmission Control Protocol, one of the
fundamental protocols of the Internet. Reports have surfaced indicating
that several common implementations of the protocol suffer from a
denial-of-service condition. No concrete details have been released for
this vulnerability, but speculation has led to various guesses and
attempts. Current reports indicate that at least Microsoft Windows, Apple
Mac OS X, and Linux are vulnerable. It is unknown if firewalls can
mitigate this vulnerability. Details of the vulnerability are expected to
be revealed at the T2 security conference in mid-October.
Status: No confirmation.
References:
Post from Outpost24
http://www.outpost24.com/news/news-2008-10-02.html
T2 Security Conference Talk
http://www.t2.fi/schedule/2008/#speech8
Slashdot Story
http://it.slashdot.org/article.pl?sid=08/10/01/0127245
SecurityFocus BID
Not yet available.
**********************************************************
(4) HIGH: mIRC Private Message Handling Buffer Overflow
Affected:
mIRC versions 6.34 and prior
Description: mIRC is a popular Internet Relay Chat (IRC) client for
Microsoft Windows. It contains a buffer overflow in its handling of the
IRC "private message" (PRIVMSG) command. A specially crafted PRIVMSG
command sent to a vulnerable client could trigger this buffer overflow,
allowing an attacker to execute arbitrary code with the privileges of the
current user. Full technical details and a proof-of-concept are publicly
available for this vulnerability. Private messages can be sent unsolicited
in some networks.
Status: Vendor has not confirmed, no updates available.
References:
Proof-of-Concept
http://milw0rm.com/exploits/6666
Wikipedia Article on Internet Relay Chat
http://en.wikipedia.org/wiki/Internet_Relay_Chat
Vendor Home Page
SecurityFocus BID
Not yet available.
*******************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 41, 2008
This list is compiled by Qualys ( http://www.qualys.com/ ) as part of that
company's ongoing effort to ensure its vulnerability management web service
tests for all known vulnerabilities that can be scanned. As of this week
Qualys scans for 5549 unique vulnerabilities. For this special SANS
community listing, Qualys also includes vulnerabilities that cannot be
scanned remotely.
______________________________________________________________________
08.41.1 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Vista Local Denial of Service
Description: Microsoft Windows Vista is exposed to a local denial of
service issue that arises due to an access violation in the exception
handling routines of the operating system. Windows Vista Home Premium and
Ultimate editions are affected.
Ref: http://www.securityfocus.com/bid/31570
______________________________________________________________________
08.41.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Debian xsabre Insecure Temporary File Creation
Description: Debian xsabre is a game for the X11 windows system. Debian
xsabre creates temporary files in an insecure manner. Specifically, the
script "XRunSabre" writes to the file "/tmp/sabre.log" in an insecure
fashion. Debian xsabre version 0.2.4b-23 is affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433996
______________________________________________________________________
08.41.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: ESET SysInspector "esiadrv.sys" Local Privilege Escalation
Description: ESET SysInspector is a diagnostic tool for the Windows NT
operating system. ESET SysInspector is exposed to a local privilege
escalation issue. This issue is a result of the application failing to
sufficiently validate user-supplied pointers passed to input/output
control (IOCTL) functions. ESET SysInspector version 1.1.1.0 is affected.
Ref: http://www.securityfocus.com/bid/31521/references
______________________________________________________________________
08.41.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: mIRC "PRIVMSG" Buffer Overflow
Description: mIRC is a chat client for the IRC protocol. It is designed
for Microsoft Windows based operating systems. mIRC is exposed to a buffer
overflow issue that arises when the client handles a malformed "PRIVMSG"
request from a server. mIRC version 6.34 is affected.
Ref: http://www.securityfocus.com/bid/31552
______________________________________________________________________
08.41.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Vba32 Personal Antivirus Archive Parsing Denial of Service
Description: Vba32 Personal Antivirus is an antivirus application for the
Microsoft Windows platform. The application is exposed to a denial of
service issue due to an unspecified memory corruption error. An attacker
can exploit this issue by supplying a malicious archive file. Vba32
Personal Antivirus versions in the 3.12.8 branch are affected.
Ref: http://www.securityfocus.com/bid/31560
______________________________________________________________________
08.41.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: AyeView GIF Image Handling Denial of Service
Description: AyeView is an image viewer, converter and browser. It is
available for Microsoft Windows platforms. AyeView is exposed to a remote
denial of service issue. A specially-crafted GIF image may result in a
crash when viewed in the application. AyeView version 2.20 is affected.
Ref: http://www.securityfocus.com/archive/1/497045
______________________________________________________________________
08.41.7 CVE: CVE-2008-4384
Platform: Third Party Windows Apps
Title: iseemedia "LPControl.dll" LPViewer ActiveX Control Multiple Buffer
Overflow Vulnerabilities
Description: iseemedia LPViewer is an ActiveX component included in the
file "LPControl.dll". This ActiveX component was formerly developed by MGI
Software and Roxio. The application is exposed to multiple buffer overflow
issues because it fails to perform adequate boundary checks on
user-supplied data.
Ref: http://www.kb.cert.org/vuls/id/848873
______________________________________________________________________
08.41.8 CVE: Not Available
Platform: Mac Os
Title: Apple Mail S/MIME Draft Message Encryption Weakness
Description: Apple Mail is an email client application for OS X. Apple