The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability bulletin CVE-2007-5391

HP-UX: privilege elevation via HP Select Identity

Synthesis of the vulnerability

A remote attacker can gain access to the system using a vulnerability in HP Select Identity.
Impacted products: HP-UX.
Severity: 3/4.
Consequences: user access/rights.
Provenance: LAN.
Creation date: 15/10/2007.
Identifiers: BID-26023, c01081130, CVE-2007-5391, HPSBMA02230, SSRT071436, VIGILANCE-VUL-7248.

Description of the vulnerability

The HP Select Identity tool centralizes user management on Unix systems.

A remote attacker can bypass the security controls enforced by HP Select Identity.

computer vulnerability CVE-2007-5386

phpMyAdmin: Cross Site Scripting of setup.php

Synthesis of the vulnerability

An attacker can use the parameters of the setup.php script to inject HTML code into phpMyAdmin.
Impacted products: Debian, Fedora, phpMyAdmin.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/10/2007.
Identifiers: 071009a, BID-26020, CVE-2007-5386, DSA-1403-1, FEDORA-2007-2738, FEDORA-2007-3639, MDKSA-2007:199, PMASA-2007-5, VIGILANCE-VUL-7245.

Description of the vulnerability

The phpMyAdmin program is used to administer a MySQL database.

The setup.php script configures the environment. This script does not filter the parameters it receives, so an attacker can use it to inject JavaScript code.

This vulnerability therefore allows an attacker to conduct a Cross Site Scripting attack while the victim is authenticated on phpMyAdmin.

vulnerability note CVE-2007-5422

Solaris: denial of service during a BSM audit

Synthesis of the vulnerability

A local attacker can stop the system during a BSM audit of network operations.
Impacted products: Solaris.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 11/10/2007.
Identifiers: 103096, 6573175, BID-26017, CVE-2007-5422, VIGILANCE-VUL-7244.

Description of the vulnerability

The BSM audit facility (Basic Security Module) logs security events occurring on the system, grouped into classes:
  0x00000001:fr:file read
  0x00000002:fw:file write
  0x00000004:fa:file attribute access
  0x00000008:fm:file attribute modify
  0x00000010:fc:file create
  0x00000020:fd:file delete
  0x00000040:cl:file close
  0x00000100:nt:network
  0x00000200:ip:ipc
  0x00001000:lo:login or logout
  etc.

The au_getsonode() function of the src/uts/common/c2/audit_event.c file handles the auditing of socket options. This auditing belongs to the "nt" (network) class.

A local attacker can use malicious socket options to trigger an error in au_getsonode(). This error panics the system, but its technical details are not known.

This vulnerability therefore allows a local attacker to cause a denial of service.

vulnerability bulletin CVE-2007-5301

Alsaplayer: buffer overflow via an ogg file

Synthesis of the vulnerability

An attacker can construct a malicious ogg file in order to run code on the computer of a victim who plays this file.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 11/10/2007.
Revision date: 10/04/2008.
Identifiers: CVE-2007-5301, DSA-1538-1, VIGILANCE-VUL-7243.

Description of the vulnerability

The alsaplayer player supports several file types, including ogg. Ogg files carry tags containing information about the encoded sound (title, artist, album, genre, year, track and comment).

When an ogg file is opened, the vorbis_stream_info() function of the /alsaplayer/input/vorbis/vorbis_engine.c file copies the information contained in the tags into memory with the strcpy() function, without checking the size of that information.

Example: strcpy(info->tag, x ? x : "");

An attacker can thus construct an ogg file whose tags hold very long values, in order to cause a buffer overflow in alsaplayer and run code on the computer of the victim who plays the file.
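The following is an added example, not alsaplayer's code: it places the unbounded copy pattern quoted in the bulletin next to a bounded replacement that can never overrun the destination field. The structure name, the field names and the TAG_LEN size are assumptions for illustration; the sample tag value is constructed.

```c
/* Added example (not alsaplayer's code). The tag buffer size and the
 * stream_info layout are assumptions; in alsaplayer the equivalent fields
 * are the tag members written by vorbis_stream_info(). */
#include <stdio.h>
#include <string.h>

#define TAG_LEN 64  /* assumed fixed-size tag field */

struct stream_info {
    char title[TAG_LEN];
    char artist[TAG_LEN];
};

/* The pattern the bulletin quotes: no length check on x, so a tag longer
 * than the destination field overruns it. Kept here only for comparison. */
void copy_tag_unbounded(char *dst, const char *x) {
    strcpy(dst, x ? x : "");
}

/* Bounded replacement: copies at most dst_len-1 bytes and always
 * NUL-terminates. Returns 1 if the source had to be truncated, 0 otherwise. */
static int copy_tag_bounded(char *dst, size_t dst_len, const char *x) {
    const char *src = x ? x : "";
    size_t n = strlen(src);
    int truncated = n >= dst_len;
    if (truncated)
        n = dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Fill a stream_info from tag values read out of an untrusted file.
 * Returns the number of fields that were truncated. */
int fill_stream_info(struct stream_info *info, const char *title, const char *artist) {
    int t = copy_tag_bounded(info->title, sizeof info->title, title);
    int a = copy_tag_bounded(info->artist, sizeof info->artist, artist);
    return t + a;
}

int main(void) {
    struct stream_info info;
    /* Constructed sample: a title tag far longer than TAG_LEN, the kind of
     * value a malformed file could carry. */
    char longtag[300];
    memset(longtag, 'A', sizeof longtag - 1);
    longtag[sizeof longtag - 1] = '\0';

    int truncated = fill_stream_info(&info, longtag, NULL);
    printf("truncated fields: %d, title length now %zu\n", truncated, strlen(info.title));
    return 0;
}
```

A truncation count is returned rather than silently dropped so that a caller can log or reject files whose tags do not fit, which is also a useful detection signal for malformed media.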

vulnerability announce CVE-2007-5358

Asterisk: buffer overflow of a voicemail via IMAP

Synthesis of the vulnerability

A local or remote attacker can send a voicemail in order to execute code on Asterisk when it is read via IMAP.
Impacted products: Asterisk Open Source.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/10/2007.
Identifiers: AST-2002-022, AST-2007-022, CVE-2007-5358, VIGILANCE-VUL-7242.

Description of the vulnerability

The Asterisk software can read voicemails stored on a messaging server. Voicemails are emails containing an attached audio file encapsulated in MIME. Users can read their voicemail via the IMAP protocol. Two overflows were announced in the handling of voicemails via IMAP.

A local attacker who is allowed to change the astspooldir directive of the asterisk.conf configuration file can then send a malicious voicemail in order to cause a buffer overflow. [severity:3/4]

When the Content-type or Content-description header of a voicemail is longer than 1024 characters, a buffer overflow occurs. [severity:3/4]

An attacker can therefore send a voicemail in order to execute code on Asterisk when it is read via IMAP.

vulnerability alert 7241

PHP: bypassing disable_functions via aliases

Synthesis of the vulnerability

An attacker can use the alias names of functions in order to bypass disable_functions.
Impacted products: PHP.
Severity: 1/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 11/10/2007.
Identifiers: VIGILANCE-VUL-7241.

Description of the vulnerability

Several PHP functions have an alias name. For example:
 - fputs() is an alias of fwrite()
 - msql_dropdb() is an alias of msql_drop_db()
 - etc.

The disable_functions directive lists the functions to deactivate. It is used to forbid access to potentially dangerous functions.

For example, msql_drop_db() can be blocked. However, if its alias is not listed as well, an attacker can simply call the alias.

This vulnerability therefore allows a local attacker to bypass the disable_functions directive.

vulnerability CVE-2007-3896

Windows XP, 2003, IE 7: program execution via mailto

Synthesis of the vulnerability

An attacker can create a special mailto URI which executes a command when the user clicks on it.
Impacted products: Acrobat, IE, Windows 2003, Windows XP.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 11/10/2007.
Revision dates: 16/10/2007, 26/10/2007, 14/11/2007.
Identifiers: 943460, 943521, APSA07-04, CERTA-2007-AVI-489, CVE-2007-3896, MS07-061, VIGILANCE-VUL-7240, VU#403150.

Description of the vulnerability

When a user browses a web page and clicks on a mailto URI, the associated program (generally Outlook Express) is launched to send an email to the indicated address.

However, if the mailto URI contains:
 - an invalid '%' encoding, and
 - a quote character, and
 - a ".cmd" extension
then the command indicated between the percent sign and the quote is run. That command has to already exist on the victim's computer (the calculator, for example).

This vulnerability only affects Windows XP or 2003 with Internet Explorer 7 installed. The attack can be carried out from Internet Explorer, Outlook Express and other software that handles URIs, such as Adobe Reader.

An attacker can therefore create a special mailto URI which executes a command when the user clicks on it.

computer vulnerability note CVE-2007-5191

util-linux: privilege elevation via mount or umount

Synthesis of the vulnerability

The mount and umount programs do not correctly drop their privileges when an external helper is called.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, RHEL, Unix (platform) ~ not comprehensive, ESX.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 11/10/2007.
Identifiers: BID-25973, CVE-2007-5191, DSA-1449-1, DSA-1450-1, FEDORA-2007-2462, FEDORA-2007-722, MDKSA-2007:198, RHSA-2007:0969-01, SUSE-SR:2007:022, VIGILANCE-VUL-7239, VMSA-2008-0001, VMSA-2008-0001.1.

Description of the vulnerability

When the (u)mount command is run to (u)mount certain filesystem types, it calls external helpers such as /sbin/mount.nfs or /sbin/mount.cifs.

These external helpers have to be called with the real uid/gid of the user (and not the effective uid/gid of the mount command). The check_special_mountprog() function therefore drops its privileges before calling a program named "/sbin/mount._type_".

However, this privilege dropping is not done correctly:
 - user privileges are dropped before group privileges
 - error codes are not checked

A local attacker who can create a malicious /sbin/mount._type_ file can therefore use mount to execute code with the effective group of mount (if mount is installed sgid).
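As an added example, not util-linux's code, here is a privilege-drop routine written the way the bulletin says check_special_mountprog() should have done it: group before user, every call checked, and the result verified before any helper is executed. The function names, the helper-name validation and the return conventions are assumptions; only the "/sbin/mount.<type>" naming comes from the bulletin.

```c
/* Added example (not util-linux's code): correct ordering and checking
 * of a privilege drop before running an external helper. Function names
 * are assumptions; the helper path format follows the bulletin. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
int setgroups(size_t size, const gid_t *list);  /* glibc prototype, in case <grp.h> hides it */
#endif

/* Drop from the effective (setuid/setgid) identity to the caller's real
 * uid/gid. Group first, then user: once the effective uid is no longer
 * root, setgid() to a different group is refused, so doing the user drop
 * first (the flaw in the bulletin) leaves the helper with mount's group.
 * Every call is checked. Returns 0 on success, -1 with errno set otherwise. */
int drop_to_real_ids(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups can only be reset with CAP_SETGID; when we run
     * as root (the setuid case) they must be cleared too. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop actually took effect... */
    if (getegid() != rgid || geteuid() != ruid) {
        errno = EPERM;
        return -1;
    }
    /* ...and, when dropping from root, that it cannot be reverted. */
    if (ruid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Build the "/sbin/mount.<type>" helper name the bulletin describes.
 * Rejects types that are empty, contain path separators or shell
 * metacharacters, or do not fit the buffer. Returns 0 on success, -1 otherwise. */
int helper_path(const char *type, char *out, size_t outlen) {
    if (!type || !*type)
        return -1;
    for (const char *p = type; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') ||
                 *p == '_' || *p == '-';
        if (!ok)
            return -1;
    }
    int n = snprintf(out, outlen, "/sbin/mount.%s", type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char path[64];
    if (helper_path("nfs", path, sizeof path) != 0) {
        fprintf(stderr, "invalid filesystem type\n");
        return 1;
    }
    if (drop_to_real_ids() != 0) {
        perror("privilege drop failed; not running helper");
        return 1;
    }
    printf("would execute %s as uid %u gid %u\n", path,
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The important design point is that a failed drop aborts instead of falling through to the helper: with unchecked return codes, a setgid() refused because setuid() already ran would go unnoticed and the helper would inherit mount's effective group, which is exactly the condition the bulletin describes.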

computer vulnerability bulletin CVE-2007-5273 CVE-2007-5274 CVE-2007-5275

Java JRE, Flash: bypassing DNS pinning

Synthesis of the vulnerability

An attacker can create an HTML page that calls a plugin and bypasses the DNS pinning protection included in web browsers.
Impacted products: Flash Player, Windows (platform) ~ not comprehensive, NLD, OES, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 1/4.
Consequences: data reading, data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/10/2007.
Identifiers: 103078, 6569621, 6609269, APSB07-20, CVE-2007-5273, CVE-2007-5274, CVE-2007-5275, CVE-2007-5375, RHSA-2007:1126-01, SUSE-SA:2008:025, VIGILANCE-VUL-7238, VMSA-2008-00010.3.

Description of the vulnerability

A "DNS rebinding" attack aims to force the web browser to connect to a server other than the one which served the HTML document. It can be used, for example, to scan ports or to obtain information without going through the firewall.

This attack uses the following method:
 - The attacker sets up a DNS server for his "attacker.dom" domain. This server answers that the IP address of www.attacker.dom is 1.2.3.4, with a TTL of 10 seconds.
 - The attacker sets up a web server hosting an HTML page containing a script that opens a connection back to the originating server.
 - The attacker invites the victim to connect to his web server.
 - When the HTML page is displayed, the script tries to access the server: as the TTL has expired, the web browser sends a new DNS query. This time, however, the attacker's DNS server answers that the IP address of www.attacker.dom is 192.168.1.1.
 - The script thus connects to 192.168.1.1, which is an internal address.

To protect against this attack, web browsers implement "DNS pinning", which keeps the resolved IP address in the cache regardless of the duration indicated by the TTL. However, plugins use a cache separate from the browser's, which makes it possible to bypass this protection.

An attack can be mounted against the JVM by using LiveConnect, an applet with an HTTP proxy, or relative paths. [severity:1/4; 103078, 6569621, 6609269, CVE-2007-5273, CVE-2007-5274, CVE-2007-5375]

An attack can be mounted against the Flash plugin, which also uses a separate cache. [severity:1/4; CVE-2007-5275]

computer vulnerability announce CVE-2007-5276 CVE-2007-5277

IE, Firefox, Opera: bypassing DNS pinning

Synthesis of the vulnerability

An attacker can create an HTML page that bypasses the DNS pinning protection included in web browsers.
Impacted products: IE, Firefox, SeaMonkey, Opera.
Severity: 1/4.
Consequences: data reading, data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 4.
Creation date: 11/10/2007.
Identifiers: CVE-2007-5276, CVE-2007-5277, VIGILANCE-VUL-7237.

Description of the vulnerability

A "DNS rebinding" attack aims to force the web browser to connect to a server other than the one which served the HTML document. It can be used, for example, to scan ports or to obtain information without going through the firewall.

This attack uses the following method:
 - The attacker sets up a DNS server for his "attacker.dom" domain. This server answers that the IP address of www.attacker.dom is 1.2.3.4, with a TTL of 10 seconds.
 - The attacker sets up a web server hosting an HTML page containing a script that opens a connection back to the originating server.
 - The attacker invites the victim to connect to his web server.
 - When the HTML page is displayed, the script tries to access the server: as the TTL has expired, the web browser sends a new DNS query. This time, however, the attacker's DNS server answers that the IP address of www.attacker.dom is 192.168.1.1.
 - The script thus connects to 192.168.1.1, which is an internal address.

To protect against this attack, web browsers implement "DNS pinning", which keeps the resolved IP address in the cache regardless of the duration indicated by the TTL. However, several vulnerabilities make it possible to bypass this protection.

Internet Explorer 7 keeps addresses in its cache for 30 minutes. However, if the attacker's DNS server returns several addresses and the first one becomes unreachable, the cache is cleared. [severity:1/4]

Internet Explorer 6 keeps addresses in its cache for 30 minutes. However, if the HTML page asks to connect to an unreachable port, the cache is cleared. [severity:1/4; CVE-2007-5277]

Firefox keeps addresses in its cache for at most 2 minutes, which is too short: a script can simply wait. [severity:1/4]

Internet Explorer 6 keeps addresses in its cache for 12 minutes. However, if the HTML page asks to connect to an unreachable port, the cache is cleared. [severity:1/4; CVE-2007-5276]
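Both DNS pinning bulletins above describe the same defence: keep the first address resolved for a host and ignore later answers, whatever the TTL says. The following is an added example, not code from any browser or plugin, of such a pinning cache. It also reports when a later answer for an already-pinned host switches to a private or loopback address, the pattern in the bulletins' 1.2.3.4 to 192.168.1.1 sequence, so the event can be logged. The table size, function names and return codes are assumptions; the sample answers are constructed from the bulletin's own values.

```c
/* Added example (not browser or plugin code): a minimal DNS pinning cache.
 * Table size, names and return codes are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PINS 16

struct pin { char host[64]; uint32_t addr; int used; };
static struct pin pins[MAX_PINS];

enum pin_result { PIN_ERROR = -1, PIN_NEW = 0, PIN_REUSED = 1, PIN_REBIND_BLOCKED = 2 };

/* Parse a dotted quad into a host-order uint32. Returns 1 on success, 0 otherwise. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Private (RFC 1918) and loopback ranges a public hostname should never
 * rebind to once it has been pinned to a public address. */
int is_internal_ipv4(uint32_t a) {
    return (a >> 24) == 10        /* 10.0.0.0/8      */
        || (a >> 24) == 127       /* 127.0.0.0/8     */
        || (a >> 20) == 0xAC1     /* 172.16.0.0/12   */
        || (a >> 16) == 0xC0A8;   /* 192.168.0.0/16  */
}

/* Given the answer the resolver just returned for host (e.g. after the TTL
 * expired), store the address the client should actually use in *use.
 * The TTL is deliberately ignored: the first pinned address wins for the
 * lifetime of the table. Returns a pin_result. */
int pin_lookup(const char *host, const char *answer, uint32_t *use) {
    uint32_t a;
    if (!parse_ipv4(answer, &a))
        return PIN_ERROR;
    for (int i = 0; i < MAX_PINS; i++) {
        if (pins[i].used && strcmp(pins[i].host, host) == 0) {
            *use = pins[i].addr;  /* keep the pinned address even if the answer changed */
            return (a != pins[i].addr && is_internal_ipv4(a)) ? PIN_REBIND_BLOCKED : PIN_REUSED;
        }
    }
    for (int i = 0; i < MAX_PINS; i++) {
        if (!pins[i].used) {
            pins[i].used = 1;
            strncpy(pins[i].host, host, sizeof pins[i].host - 1);
            pins[i].host[sizeof pins[i].host - 1] = '\0';
            pins[i].addr = a;
            *use = a;
            return PIN_NEW;
        }
    }
    return PIN_ERROR;  /* table full */
}

int main(void) {
    uint32_t use = 0;
    /* Constructed sequence from the bulletin: first answer 1.2.3.4, then,
     * once the 10-second TTL has expired, the attacker's server answers
     * 192.168.1.1. The pinned address is used both times. */
    pin_lookup("www.attacker.dom", "1.2.3.4", &use);
    int r = pin_lookup("www.attacker.dom", "192.168.1.1", &use);
    printf("result=%d, connecting to %u.%u.%u.%u\n", r,
           use >> 24, (use >> 16) & 255, (use >> 8) & 255, use & 255);
    return 0;
}
```

The second bulletin's point is that real browsers expire their pins (2, 12 or 30 minutes) or flush them on connection errors; this example keeps a pin for the whole table lifetime and never clears it on failure, which is the behaviour those bypasses rely on not being present. The PIN_REBIND_BLOCKED result is a convenient place to emit a log line, since a public name suddenly resolving to an internal address is a strong signal of a rebinding attempt.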
