The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability announce 6732

OpenLDAP: connection as root via ldapi

Synthesis of the vulnerability

Under HP-UX, AIX and Solaris, a local attacker can connect as root via ldapi.
Impacted products: OpenLDAP.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 12/04/2007.
Identifiers: ITS#4893, VIGILANCE-VUL-6732.

Description of the vulnerability

Under Unix, when the client and the server run on the same computer, LDAP sessions can be established over IPC. The "ldapi://%2Fvar%2Frun%2Fldapi/" URI tells the client to use the "/var/run/ldapi" Unix socket.

On modern Unix systems, the server authenticates the client connecting to this socket via getpeereid(), getpeerucred() or the SO_PEERCRED option of getsockopt(). On HP-UX <= 11, AIX <= 5.1 and Solaris <= 9, the client instead creates a pipe and sends its descriptor to the server. The server then calls fstat() on that descriptor to obtain its owner, and takes that owner as the client's identity.

However, an attacker can call fchown(pipe_descriptor, 0, 0) to change the descriptor's uid/gid to root. Other attack variants exist, such as using pipes created by other software (ssh).

A local attacker can therefore use these design errors to spoof the identity of root when connecting via ldapi.
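To make the difference between the two authentication paths concrete, here is an added example (written for this page, not OpenLDAP's own code) that reads the peer identity the kernel attaches to a Unix-domain socket (Linux SO_PEERCRED, the counterpart of getpeereid() on BSD-style systems) and, beside it, the legacy approach of trusting the owner of a descriptor the client handed over. The socketpair() and pipe() used for the demonstration are local stand-ins for the ldapi socket and the client's pipe.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>

/* Identity as recorded by the kernel at connect time. The client cannot
 * change this after the fact; it is the check modern systems rely on. */
int peer_identity_from_kernel(int sock, uid_t *uid, gid_t *gid) {
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
}

/* Legacy fallback described in the bulletin: identity derived from the
 * ownership of a descriptor supplied by the client. Ownership is file
 * metadata the client may alter (fchown), so this reports whatever the
 * client chose to present, not who the client is. */
int peer_identity_from_fd_owner(int fd, uid_t *uid, gid_t *gid) {
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* Demo: a socketpair stands in for the ldapi connection; the kernel
 * reports our own effective uid/gid as the peer. Returns 1 on match. */
int demo_peercred_matches_self(void) {
    int sv[2];
    uid_t u;
    gid_t g;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = peer_identity_from_kernel(sv[0], &u, &g);
    close(sv[0]);
    close(sv[1]);
    if (rc < 0)
        return -1;
    return u == geteuid() && g == getegid();
}

/* Demo: a pipe stands in for the client-created pipe; fstat() reports
 * the creator as owner, which is only as trustworthy as the creator. */
int demo_pipe_owner_is_self(void) {
    int p[2];
    uid_t u;
    gid_t g;
    if (pipe(p) < 0)
        return -1;
    int rc = peer_identity_from_fd_owner(p[0], &u, &g);
    close(p[0]);
    close(p[1]);
    if (rc < 0)
        return -1;
    return u == geteuid() && g == getegid();
}

int main(void) {
    printf("kernel peer credentials match self: %d\n", demo_peercred_matches_self());
    printf("pipe owner matches self:            %d\n", demo_pipe_owner_is_self());
    return 0;
}
```

Both demos return 1 for the process that created the descriptors; the point of the bulletin is that only the first result is produced by the kernel rather than by client-controlled metadata, so a server deciding whether its peer is root should consult the socket's credentials and never the ownership of a descriptor it received.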

vulnerability alert CVE-2007-1741 CVE-2007-1742 CVE-2007-1743

Apache httpd: several vulnerabilities of suEXEC

Synthesis of the vulnerability

In some particular cases, vulnerabilities of suEXEC permit a local attacker to elevate his privileges or to create files.
Impacted products: Apache httpd.
Severity: 1/4.
Consequences: privileged access/rights, data creation/edition.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 12/04/2007.
Identifiers: BID-23438, CVE-2007-1741, CVE-2007-1742, CVE-2007-1743, VIGILANCE-VUL-6731.

Description of the vulnerability

The suEXEC program can be installed on the Apache web server in order to execute a script with the rights of a specific user. This program has several errors.

An attacker who can alter the root directory of a website (directly or via a symbolic link) can use a race condition to force suEXEC to run another script. [severity:1/4; CVE-2007-1741]

Directories starting with the same prefix as the document root are accepted as containing scripts (if the root is "/var/www/html", then "/var/www/html_backup" is accepted). [severity:1/4; CVE-2007-1742]

An attacker with the rights of the apache user can create files with an arbitrary uid/gid (but greater than AP_UID_MIN/AP_GID_MIN). [severity:1/4; CVE-2007-1743]
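The prefix problem behind CVE-2007-1742 is easy to reproduce and easy to get right. The following added example (illustrative code, not suEXEC's own) shows a bare string-prefix check next to a boundary-aware one that only accepts a path when the prefix ends on a directory component. The docroot and path values are constructed for the demonstration; the check deliberately ignores symlink resolution, which is the separate issue covered by CVE-2007-1741.

```c
#include <string.h>
#include <stdio.h>

/* Bare prefix match: "/var/www/html_backup" passes as being under
 * "/var/www/html" because only the first strlen(docroot) bytes are compared. */
int naive_under_docroot(const char *docroot, const char *path) {
    return strncmp(docroot, path, strlen(docroot)) == 0;
}

/* Boundary-aware match: after the docroot prefix, the path must either end
 * or continue with '/', so a sibling directory sharing the prefix is rejected. */
int under_docroot(const char *docroot, const char *path) {
    size_t n = strlen(docroot);

    /* tolerate a docroot written with trailing slashes ("/var/www/html/") */
    while (n > 1 && docroot[n - 1] == '/')
        n--;

    /* the filesystem root contains every absolute path */
    if (n == 1 && docroot[0] == '/')
        return path[0] == '/';

    if (strncmp(docroot, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/';
}

int main(void) {
    const char *root = "/var/www/html";                 /* constructed */
    const char *inside = "/var/www/html/cgi-bin/x.cgi";  /* constructed */
    const char *sibling = "/var/www/html_backup/x.cgi";  /* constructed */

    printf("naive:  %s -> %d, %s -> %d\n", inside, naive_under_docroot(root, inside),
           sibling, naive_under_docroot(root, sibling));
    printf("strict: %s -> %d, %s -> %d\n", inside, under_docroot(root, inside),
           sibling, under_docroot(root, sibling));
    return 0;
}
```

Run as is, the naive check accepts both paths while the strict check accepts only the one actually below the document root. In a real wrapper this comparison belongs after canonicalising the script path (realpath() or an equivalent), otherwise a symlink or ".." component can still escape the directory.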

vulnerability CVE-2007-1206 CVE-2007-1973

Windows: privilege elevation via VDM Zero Page

Synthesis of the vulnerability

A local attacker can alter the zero page in order to elevate his privileges on systems with an x86 processor.
Impacted products: Windows 2000, Windows 2003, Windows NT, Windows XP.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/04/2007.
Identifiers: 931784, BID-23367, CERTA-2007-AVI-169, CVE-2007-1206, CVE-2007-1973, MS07-022, VIGILANCE-VUL-6730, VU#337953.

Description of the vulnerability

The first bytes of physical memory, located on page zero, contain the IDT (Interrupt Descriptor Table) on a computer with an x86 processor.

When a VDM (Virtual DOS Machine) is initialized by the VdmpInitialize() function, page zero is copied to virtual address zero. The virtual machine then uses this copy.

However, during the copy operation, another thread can access page zero and alter its content, because the area is mapped PAGE_READWRITE.

This vulnerability then permits a local attacker to obtain system privileges.

computer vulnerability note CVE-2007-1209

Windows Vista: privilege elevation via CSRSS

Synthesis of the vulnerability

A local attacker can elevate his privileges via the ApiPort of CSRSS.
Impacted products: Windows 2000, Windows 2003, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 11/04/2007.
Identifiers: 930178, BID-23338, CVE-2007-1209, MS07-021, VIGILANCE-VUL-6729, VU#219848.

Description of the vulnerability

The csrss.exe (Client-Server Run-time Subsystem) process notably manages windows and threads. It runs with system privileges.

The "\Windows\ApiPort" or "\Sessions\id\Windows\ApiPort" port is used to communicate with CSRSS via ALPC (Advanced Local Procedure Call, introduced with Windows Vista).

The CsrApiRequestThread() function of CSRSRV.DLL assumes that each process establishes at most one connection to ApiPort. However, an attacker can create a process that establishes two connections, which causes memory to be freed prematurely and an invalid pointer to be used afterwards.

This vulnerability thus permits a local attacker to execute code with system privileges.

computer vulnerability bulletin CVE-2006-6797

Windows: memory reading and denial of service via NtRaiseHardError

Synthesis of the vulnerability

A local attacker can read memory or stop the system via the NtRaiseHardError() function of CSRSS.
Impacted products: Windows 2000, Windows 2003, Windows Vista, Windows XP.
Severity: 1/4.
Consequences: data reading, denial of service on server.
Provenance: user shell.
Creation date: 11/04/2007.
Identifiers: 930178, CVE-2006-6797, MS07-021, VIGILANCE-VUL-6728, VU#740636.

Description of the vulnerability

The csrss.exe (Client-Server Run-time Subsystem) process notably manages windows and threads. It runs with system privileges.

The NtRaiseHardError() function of ntdll.dll asks CSRSS to display an error message:
  NtRaiseHardError(ErrorStatus, NumberOfParameters, UnicodeStringParameterMask, *Parameters, ResponseOption, Response);

However, this function does not correctly check the address passed in "Parameters". Depending on the address, a local attacker can read a fragment of memory or cause a denial of service.

computer vulnerability announce CVE-2007-1205

Microsoft Agent: memory corruption via a URL

Synthesis of the vulnerability

An attacker can use a malicious URL leading to code execution in Microsoft Agent.
Impacted products: Windows 2000, Windows 2003, Windows XP.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 11/04/2007.
Identifiers: BID-23337, CERTA-2007-AVI-167, CVE-2007-1205, MS07-020, VIGILANCE-VUL-6727, VU#728057.

Description of the vulnerability

Microsoft Agent (AgentSvr.exe) provides animated help characters. By default, Microsoft supplies 4 characters:
 - Genie: a blue genie
 - Merlin: Merlin the enchanter
 - Peedy: a green parrot
 - Robby: a robot

An HTML page can use the Microsoft Agent ActiveX control to load and display a character. However, if the URL passed to some of its methods is malformed, a memory corruption occurs.

This vulnerability therefore permits a remote attacker to execute code on the computer of a victim displaying an HTML page.

computer vulnerability alert CVE-2007-1204

Windows: buffer overflow of UPnP

Synthesis of the vulnerability

A network attacker can exploit an overflow in UPnP in order to execute code.
Impacted products: Windows XP.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 11/04/2007.
Identifiers: 931261, BID-23371, CERTA-2007-AVI-166, CVE-2007-1204, MS07-019, VIGILANCE-VUL-6726.

Description of the vulnerability

The UPnP protocol, used for automatic device discovery, uses ports 1900/udp and 2869/tcp. Port 2869 carries the HTTP protocol.

The HTTP service does not correctly validate HTTP headers before copying them into a fixed-size array. An overflow can therefore occur.

A network attacker can thus corrupt memory via UPnP in order to execute code.

computer vulnerability CVE-2007-0938 CVE-2007-0939

Microsoft Content Management Server: multiple vulnerabilities

Synthesis of the vulnerability

Two vulnerabilities affect Microsoft Content Management Server, the most severe of which leads to code execution.
Impacted products: IIS.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/04/2007.
Identifiers: 925939, BID-22860, BID-22861, CERTA-2007-AVI-165, CVE-2007-0938, CVE-2007-0939, MS07-018, VIGILANCE-VUL-6725, VU#434137.

Description of the vulnerability

The Microsoft Content Management Server product is used to deploy and maintain websites. It has two vulnerabilities.

An attacker can connect to CMS and send an HTTP GET request with a malicious URL. This request corrupts memory and leads to code execution. [severity:3/4; BID-22861, CERTA-2007-AVI-165, CVE-2007-0938]

An attacker can use an HTTP redirect to trigger a cross-site scripting attack. [severity:3/4; BID-22860, CVE-2007-0939]

vulnerability note CVE-2007-1994

HP-UX: denial of service of get_mib_info

Synthesis of the vulnerability

A local attacker can stop the system by exhausting its memory with get_mib_info().
Impacted products: HP-UX.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 10/04/2007.
Identifiers: BID-23410, c00944467, CVE-2007-1994, HPSBUX02205, SSRT061120, VIGILANCE-VUL-6724.

Description of the vulnerability

The libnm library defines get_mib_info() to obtain information from the MIB associated with a device and store it in an nmparms structure:
  int get_mib_info(int fd, struct nmparms *parm);

When this function is used, the kernel does not correctly free the memory it allocated.

A local attacker can therefore create a program calling this function in order to generate a denial of service.

vulnerability bulletin CVE-2007-1993

HP-UX: privilege elevation via PFS

Synthesis of the vulnerability

A remote attacker can elevate his privileges via PFS.
Impacted products: HP-UX.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 10/04/2007.
Revision date: 13/04/2007.
Identifiers: BID-23401, c00913684, CVE-2007-1993, HPSBUX02203, SSRT071339, VIGILANCE-VUL-6723.

Description of the vulnerability

The PFS (Portable File System) protocol is used in old HP-UX versions to support CD-ROMs in ISO 9660, High Sierra or Rock Ridge format. The pfs_mountd.rpc daemon is reachable locally or remotely via RPC. The pfs_mount and pfs_umount commands mount or unmount a CD-ROM by contacting the daemon. Recent versions of HP-UX use CDFS, which is supported directly by the mount/umount commands.

An attacker can send two UDP packets to pfs_mountd.rpc. The second one triggers an overflow, leading to code execution with root privileges.

A remote attacker can therefore execute code on the system.
