*************************************************************************

            @RISK: The Consensus Security Vulnerability Alert

October 16, 2008                                          Vol. 7. Week 42

*************************************************************************

 

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

 

Summary of Updates and Vulnerabilities in this Consensus

 

Platform                        Number of Updates and Vulnerabilities

------------------------        -------------------------------------

Windows                                       8 (#1, #2, #3, #6, #8, #9)

Microsoft Office                              3 (#7)

Other Microsoft Products                      8

Third Party Windows Apps                      9 (#11)

Mac OS                                       10 (#5)

Linux                                         3

Unix                                          2

Cross Platform                               29 (#4, #10)

Web Application - Cross Site Scripting        2

Web Application - SQL Injection              24

Web Application                              21

Network Device                                3

 

******************************************************************

 

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

(1) CRITICAL: Microsoft Active Directory Remote Code Execution (MS08-060)

(2) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS08-058)

(3) CRITICAL: Microsoft Host Integration Server RPC Service Remote Code Execution (MS08-059)

(4) CRITICAL: Apple CUPS Remote Code Execution Vulnerability

(5) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2008-007)

(6) CRITICAL: Computer Associates ARCserve Backup Multiple Vulnerabilities

(7) HIGH: Microsoft Excel Multiple Vulnerabilities (MS08-057)

(8) HIGH: Microsoft Windows Internet Printing Service Remote Code Execution (MS08-062)

(9) HIGH: Microsoft Message Queuing Service Remote Code Execution (MS08-065)

(10) HIGH: Sun Java System Web Proxy Server Buffer Overflow

(11) MODERATE: Adobe CS3 SWF Parsing Multiple Vulnerabilities

 

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

-- Windows

 

08.42.1  - Microsoft Windows Active Directory LDAP Request Handling Remote Code Execution

 

08.42.2  - Microsoft Windows SMB Buffer Underflow Code Execution

 

08.42.3  - Microsoft Windows Kernel Window Creation Local Privilege Escalation

 

08.42.4  - Microsoft Windows Kernel Memory Corruption Local Privilege Escalation

 

08.42.5  - Microsoft Windows Kernel Unhandled System Call Local Privilege Escalation

 

08.42.6  - Microsoft Windows AFD Driver Local Privilege Escalation

 

08.42.7  - Microsoft Windows VAD Local Privilege Escalation

 

08.42.8  - Microsoft Windows Internet Printing Service Integer Overflow

 

-- Microsoft Office

 

08.42.9  - Microsoft Excel Calendar Object Validation Remote Code Execution

 

08.42.10 - Microsoft Excel BIFF File Format Parsing Remote Code Execution

 

08.42.11 - Microsoft Excel Formula Parsing Remote Code Execution

 

-- Other Microsoft Products

 

08.42.12 - Microsoft PicturePusher "PipPPush.dll" ActiveX Control Arbitrary File Download

 

08.42.13 - Microsoft Internet Explorer HTML Element Cross-Domain Security Bypass

 

08.42.14 - Microsoft Internet Explorer Event Handling Cross-Domain Security Bypass

 

08.42.15 - Microsoft Internet Explorer Uninitialized Object Remote Memory Corruption

 

08.42.16 - Microsoft Internet Explorer HTML Objects Uninitialized Memory Corruption

 

08.42.17 - Microsoft Host Integration Server RPC Remote Code Execution

 

08.42.18 - Microsoft Message Queuing Service RPC Query Heap Corruption

 

08.42.19 - Microsoft Internet Explorer Cross-Domain Information Disclosure

 

-- Third Party Windows Apps

 

08.42.20 - PC Tools Spyware Doctor Unspecified Denial of Service

 

08.42.21 - Avaya one-X Desktop Edition SIP Remote Denial of Service

 

08.42.22 - Cisco Unity Remote Administration Authentication Bypass

 

08.42.23 - Cisco Unity 7.0 Multiple Remote Vulnerabilities

 

08.42.24 - WinFTP Server "NLIST" Command Remote Denial of Service

 

08.42.25 - Lenovo Rescue and Recovery "tvtumon.sys" Heap Overflow

 

08.42.26 - RaidenFTPD "MLST" Command Remote Denial of Service

 

08.42.27 - Husdawg System Requirements Lab ActiveX Control Unspecified Remote Code Execution

 

08.42.28 - Titan FTP Server "SITE WHO" Command Remote Denial of Service

 

-- Mac OS

 

08.42.29 - Apple OS X QuickLook Excel File Integer Overflow

 

08.42.30 - Apple Mac OS X "hosts.equiv" Security Bypass

 

08.42.31 - Apple Mac OS X "configd" EAPOLController Plugin Local Heap Based Buffer Overflow

 

08.42.32 - Apple Mac OS X ColorSync ICC Profile Remote Buffer Overflow

 

08.42.33 - Apple Script Editor Unspecified Insecure Temporary File Creation

 

08.42.34 - Apple Mac OS X Server Weblog Access Control List Security Bypass

 

08.42.35 - Apple PSNormalizer PostScript Buffer Overflow

 

08.42.36 - Apple Finder Denial of Service

 

08.42.37 - Apple Mac OS X 10.5 Postfix Security Bypass

 

08.42.38 - Apple Mac OS X 10.5 "launchd" Unspecified Security Bypass

 

-- Linux

 

08.42.39 - Gentoo "sys-apps/portage" Search Path Local Privilege Escalation

 

08.42.40 - Linux Kernel SCTP INIT-ACK AUTH Extension Remote Denial of Service

 

08.42.41 - Debian chm2pdf Insecure Temporary File Creation

 

-- Unix

 

08.42.42 - CUPS "HP-GL/2" Filter Remote Code Execution

 

08.42.43 - CUPS Multiple Heap Based Buffer Overflow Vulnerabilities

 

-- Cross Platform

 

08.42.44 - HP OpenView Network Node Manager "ovtopmd" Variant Unspecified Denial of Service

 

08.42.45 - Hero DVD Player ".m3u" File Buffer Overflow

 

08.42.46 - Opera Web Browser Remote Code Execution and Security Bypass Vulnerabilities

 

08.42.47 - Nortel MCS 5100 UFTP Multiple Denial of Service Vulnerabilities

 

08.42.48 - Avaya IP Softphone Remote Denial of Service

 

08.42.49 - Avaya Communication Manager Web Server Configuration Unauthorized Access

 

08.42.50 - Opera Cached Java Applet Privilege Escalation

 

08.42.51 - DFFFrameworkAPI "DFF_config[dir_include]" Parameter Multiple Remote File Include Vulnerabilities

 

08.42.52 - Graphviz Graph Parser Remote Stack Buffer Overflow

 

08.42.53 - Drupal EveryBlog Module Multiple Unspecified Vulnerabilities

 

08.42.54 - YaCy Multiple Unspecified Vulnerabilities

 

08.42.55 - Computer Associates ARCserve Backup Multiple Remote Vulnerabilities

 

08.42.56 - Sun Java System Web Proxy Server FTP Subsystem Heap Based Buffer Overflow

 

08.42.57 - OpenSSL "zlib" Compression Memory Leak Remote Denial of Service

 

08.42.58 - KDE Konqueror JavaScript "load" Function Denial of Service

 

08.42.59 - NoticeWare Email Server NG "PASS" Command Remote Denial of Service

 

08.42.60 - Apache Tomcat "RemoteFilterValve" Security Bypass

 

08.42.61 - Ruby "resolv.rb" Predictable Transaction ID and Source Port DNS Spoofing

 

08.42.62 - Nokia Web Browser for S60 Infinite Array Sort Denial of Service

 

08.42.63 - GuildFTPd "LIST" Command Heap Overflow

 

08.42.64 - XM Easy Personal FTP Server "NSLT" Command Remote Denial of Service

 

08.42.65 - Oracle Database Server "CREATE ANY DIRECTORY" Privilege Escalation

 

08.42.66 - Websense Reporter "CreateDbInstall.log" Local Information Disclosure

 

08.42.67 - Mozilla Firefox ".url" Shortcut Processing Information Disclosure

 

08.42.68 - IBM ENOVIA Security Bypass

 

08.42.69 - Sun Solstice AdminSuite "sadmind" "adm_build_path()" Remote Stack Buffer Overflow

 

08.42.70 - Etype Eserv FTP "ABOR" Command Remote Stack-Based Buffer Overflow

 

08.42.71 - VLC Media Player XSPF Playlist Memory Corruption

 

08.42.72 - Oracle Weblogic Server Apache Connector Stack-Based Buffer Overflow

 

-- Web Application - Cross Site Scripting

 

08.42.73 - Microsoft Office CDO Protocol Cross-Site Scripting

 

08.42.74 - EEB-CMS "index.php" Cross-Site Scripting

 

-- Web Application - SQL Injection

 

08.42.75 - Pre News Manager "news_detail.php" SQL Injection

 

08.42.76 - GForge Multiple SQL Injection Vulnerabilities

 

08.42.77 - TorrentTrader Classic Edition "completed-advance.php" SQL Injection

 

08.42.78 - Built2Go Real Estate Listings "event_detail.php" SQL Injection

 

08.42.79 - Brain Book Software AdMan "editCampaign.php" SQL Injection

 

08.42.80 - HispaH Text Link ADS "index.php" SQL Injection

 

08.42.81 - Joomtracker "id" Parameter SQL Injection

 

08.42.82 - IranMC Arad Center "news.php" SQL Injection

 

08.42.83 - Stash "news.php" SQL Injection

 

08.42.84 - Ayco Okul Portali "default.asp" SQL Injection

 

08.42.85 - Easynet4u Forum Host "forum.php" SQL Injection

 

08.42.86 - Easynet4u Faq Host "faq.php" SQL Injection

 

08.42.87 - Joomla! and Mambo Mad4Joomla Mailforms Component SQL Injection

 

08.42.88 - Ignite Gallery "gallery" Parameter SQL Injection

 

08.42.89 - Easynet4u Link Host "directory.php" SQL Injection

 

08.42.90 - Real Estate Classifieds "index.php" SQL Injection

 

08.42.91 - Absolute Poll Manager "xlacomments.asp" SQL Injection

 

08.42.92 - OwnBiblio Joomla! Component "catid" Parameter SQL Injection

 

08.42.93 - NewLife Blogger "nlb3" Cookie SQL Injection

 

08.42.94 - "com_jeux" Joomla! Component "id" Parameter SQL Injection

 

08.42.95 - IndexScript "sug_cat.php" SQL Injection

 

08.42.96 - ParsBlogger "links.asp" SQL Injection

 

08.42.97 - XOOPS xhresim Module "index.php" SQL Injection

 

08.42.98 - Webscene eCommerce "productlist.php" SQL Injection

 

-- Web Application

 

08.42.99 - Drupal Multiple Remote Access Validation Vulnerabilities and Weaknesses

 

08.42.100 - Proxim Tsunami MP.11 2411 Wireless Access Point "system.sysName.0" SNMP HTML Injection

 

08.42.101 - Kusaba "paint_save.php" Remote Code Execution

 

08.42.102 - Avaya Communication Manager Web Administration Multiple Security Vulnerabilities

 

08.42.103 - WebBiscuits Modules Controller Multiple Local and Remote File Include Vulnerabilities

 

08.42.104 - Drupal Multiple Modules Security Bypass Vulnerabilities

 

08.42.105 - HP System Management Homepage (SMH) for Linux and Windows Cross-Site Scripting

 

08.42.106 - ModSecurity Transformation Caching Security Bypass

 

08.42.107 - Kusaba "load_receiver.php" Remote Code Execution

 

08.42.108 - Camera Life SQL Injection and Cross-Site Scripting Vulnerabilities

 

08.42.109 - Scriptsez Easy Image Downloader "main.php" Local File Include

 

08.42.110 - Scriptsez Mini Hosting Panel "members.php" Local File Include

 

08.42.111 - My PHP Indexer "index.php" Directory Traversal

 

08.42.112 - Globsy "globsy_edit.php" Arbitrary File Overwrite

 

08.42.113 - LokiCMS "index.php" Information Disclosure

 

08.42.114 - mini-pub Multiple Information Disclosure Vulnerabilities

 

08.42.115 - mini-pub "cat.php" Remote Command Execution

 

08.42.116 - SlimCMS "redirect.php" Security Bypass

 

08.42.117 - LokiCMS "admin.php" Local File Include

 

08.42.118 - WP Comment Remix 1.4.3 SQL Injection and HTML Injection Vulnerabilities

 

08.42.119 - SezHoo "SezHooTabsAndActions.php" Parameter Remote File Include

 

-- Network Device

 

08.42.120 - Nortel Networks Multimedia Communications Server Authentication Bypass

 

08.42.121 - Linksys WAP4400N Marvell Wireless Chipset Driver Remote Denial of Service

 

08.42.122 - Multiple Telecom Italia Routers Authentication Bypass

 

______________________________________________________________________

 

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

 

*****************************

Widely Deployed Software

*****************************

 

(1) CRITICAL: Microsoft Active Directory Remote Code Execution (MS08-060)

Affected:

Microsoft Windows 2000

 

Description: Active Directory is Microsoft's directory service; domain members and management tools talk to it over the Lightweight Directory Access Protocol (LDAP), and it is an integral part of several Microsoft products and operating systems. The Windows 2000 implementation contains a buffer overflow in its handling of LDAP requests. A specially crafted LDAP request could trigger this vulnerability, allowing an attacker to execute arbitrary code with the privileges of the vulnerable process (SYSTEM). Some technical details are publicly available for this vulnerability. Note that only systems running Microsoft Windows 2000 that are configured as domain controllers are vulnerable. Because a domain controller's LDAP ports (389/tcp and 636/tcp) are normally reachable from every host in the domain, treat the update as urgent on those servers, and restrict the ports to trusted networks until it is applied.
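Added here as a scoping aid for this item, not code from the bulletin, from TippingPoint or from Microsoft: a dependency-free encoder for the LDAP rootDSE search request (the same base-object, (objectClass=*) query every LDAP client sends on connect, RFC 4511 encoded with BER), a decoder for the SearchResultEntry, and a classifier that flags domain controllers that look like Windows 2000. The classification rule is an assumption: domainControllerFunctionality was introduced in the rootDSE with Windows Server 2003, so a DC whose rootDSE omits it is taken to be Windows 2000-era and in scope for MS08-060. The two sample responses are constructed, the hostnames are invented, and nothing below touches the network; confirm patch state from the MS08-060 bulletin rather than from a banner.

```python
"""Offline rootDSE triage helper for MS08-060 scoping (added example, not from the bulletin).

Encodes the LDAP SearchRequest for the rootDSE and decodes the SearchResultEntry
(RFC 4511 structures, BER per X.690). Sample responses are constructed, not captured.
"""

# ---- BER primitives (definite length; integers limited to 0..127) ----
def ber_len(n: int) -> bytes:
    """Definite-length encoding of a content length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def octet(s: str) -> bytes:
    return tlv(0x04, s.encode())

def integer(n: int) -> bytes:
    if not 0 <= n <= 127:  # message IDs and limits used here fit one content byte
        raise ValueError("integer() handles 0..127 only")
    return tlv(0x02, bytes([n]))

def enumerated(n: int) -> bytes:
    return tlv(0x0A, bytes([n]))

def boolean(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")

# ---- request side ----
ROOTDSE_ATTRS = ("dnsHostName", "supportedCapabilities", "domainControllerFunctionality")

def rootdse_request(msg_id: int = 1, attrs=ROOTDSE_ATTRS) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] }: base "", scope baseObject, (objectClass=*)."""
    search = tlv(
        0x63,                                # [APPLICATION 3] SearchRequest
        octet("")                            # baseObject: the rootDSE
        + enumerated(0)                      # scope: baseObject
        + enumerated(0)                      # derefAliases: neverDerefAliases
        + integer(0)                         # sizeLimit: none
        + integer(0)                         # timeLimit: none
        + boolean(False)                     # typesOnly
        + tlv(0x87, b"objectClass")          # filter: present [7] "objectClass"
        + tlv(0x30, b"".join(octet(a) for a in attrs)),  # requested attributes
    )
    return tlv(0x30, integer(msg_id) + search)

# ---- response side ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_search_entry(msg: bytes):
    """Decode LDAPMessage { messageID, SearchResultEntry [APPLICATION 4] } to (dn, {attr: [values]});
    returns None for any other operation (e.g. the SearchResultDone that follows the entry)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(body, 0)
    tag, entry, _ = read_tlv(body, pos)
    if tag != 0x64:
        return None
    _, dn, pos = read_tlv(entry, 0)
    _, attr_list, _ = read_tlv(entry, pos)
    attrs, pos = {}, 0
    while pos < len(attr_list):              # PartialAttribute ::= SEQUENCE { type, vals SET OF }
        _, attr, pos = read_tlv(attr_list, pos)
        _, name, p = read_tlv(attr, 0)
        _, vals, _ = read_tlv(attr, p)
        values, q = [], 0
        while q < len(vals):
            _, v, q = read_tlv(vals, q)
            values.append(v.decode())
        attrs[name.decode()] = values
    return dn.decode(), attrs

def classify_dc(attrs: dict) -> str:
    """Assumption: domainControllerFunctionality first appears with Windows Server 2003, so a DC whose
    rootDSE omits it is Windows 2000-era and in scope for MS08-060."""
    level = attrs.get("domainControllerFunctionality")
    if level is None:
        return "windows2000-dc: in scope for MS08-060, verify the update is installed"
    return f"dc-functionality-{level[0]}: Windows Server 2003 or later, out of scope"

# ---- constructed samples (not captured traffic; hostnames invented) ----
def build_entry(msg_id: int, dn: str, attrs: dict) -> bytes:
    """Encode a SearchResultEntry the way a server would; used only to build the samples."""
    seq = b"".join(tlv(0x30, octet(n) + tlv(0x31, b"".join(octet(v) for v in vs)))
                   for n, vs in attrs.items())
    return tlv(0x30, integer(msg_id) + tlv(0x64, octet(dn) + tlv(0x30, seq)))

SAMPLE_WIN2000 = build_entry(1, "", {"dnsHostName": ["dc1.corp.example"],
                                      "supportedCapabilities": ["1.2.840.113556.1.4.800"]})
SAMPLE_WIN2003 = build_entry(1, "", {"dnsHostName": ["dc2.corp.example"],
                                      "domainControllerFunctionality": ["2"]})

def triage(raw: bytes) -> str:
    parsed = parse_search_entry(raw)
    if parsed is None:
        return "no entry"
    _dn, attrs = parsed
    return f"{attrs.get('dnsHostName', ['?'])[0]}: {classify_dc(attrs)}"

if __name__ == "__main__":
    print(rootdse_request().hex())
    for sample in (SAMPLE_WIN2000, SAMPLE_WIN2003):
        print(triage(sample))
```

To run this against a live directory, send rootdse_request() over a TCP connection to port 389 and feed the first message of the reply to parse_search_entry(); the server answers with a SearchResultEntry followed by a SearchResultDone, and only the first is decoded here. An anonymous rootDSE read is ordinary client behaviour and is exactly why the LDAP listener on a Windows 2000 domain controller is so widely exposed.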

 

Status: Vendor confirmed, updates available.

 

References:

Microsoft Security Bulletin

http://www.microsoft.com/technet/security/Bulletin/MS08-060.mspx

Wikipedia Article on LDAP

http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

Microsoft Active Directory Home Page

http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

SecurityFocus BID

http://www.securityfocus.com/bid/31609

 

******************************************************

 

(2) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS08-058)

Affected:

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003

Microsoft Windows Vista

Microsoft Windows Server 2008

 

Description: Microsoft