The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability note CVE-2007-4223

Windows: privilege elevation via DebugView

Synthesis of the vulnerability

A local attacker can obtain administrator privileges by using the Dbgv.sys driver.
Impacted products: Windows (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 07/11/2007.
Identifiers: BID-26359, CVE-2007-4223, VIGILANCE-VUL-7314.

Description of the vulnerability

The Microsoft Sysinternals DebugView program displays debug messages generated on the system.

When run by an administrator, DebugView installs the Dbgv.sys driver, and the device it exposes becomes reachable by every user on the system.

However, the driver does not validate the ioctls it receives, which allows memory corruption.

A local attacker can therefore elevate privileges on any system where DebugView has been run, for as long as the driver stays loaded.
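The check a driver should make on every request that can come from an unprivileged caller, as an added example in portable C (a model of the pattern, not Dbgv.sys code and not part of the Vigil@nce bulletin): the control code, both buffer lengths and the request content are validated before any driver state is touched. The IOCTL_SET_FILTER code, the filter_cfg structure and the flag mask are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable model of a driver IOCTL dispatch routine; it is not Dbgv.sys code.
 * The request mirrors a METHOD_BUFFERED call: one buffer, with the input and
 * output lengths chosen by the caller. Once the device object is reachable by
 * every user, that caller is any local account. */
struct ioctl_req {
    uint32_t code;
    uint8_t *buf;
    size_t   in_len;
    size_t   out_len;
};

#define IOCTL_SET_FILTER   0x222004u   /* hypothetical control code */
#define FILTER_FLAGS_VALID 0x0Fu       /* hypothetical: only four flag bits are defined */

struct filter_cfg { uint32_t flags; uint32_t mask; };

static struct filter_cfg g_filter;     /* driver state updated by the ioctl */

/* Vulnerable pattern: the lengths supplied by the caller drive both copies.
 * in_len larger than the target overwrites whatever follows g_filter; out_len
 * larger than it discloses driver memory back to the caller. Shown for
 * contrast only; the demo never calls it with bad lengths. */
static int dispatch_unchecked(const struct ioctl_req *r)
{
    if (r->code != IOCTL_SET_FILTER)
        return -1;
    memcpy(&g_filter, r->buf, r->in_len);
    memcpy(r->buf, &g_filter, r->out_len);
    return 0;
}

/* Hardened pattern: reject unknown codes, NULL or short buffers, and
 * semantically invalid content before touching driver state. */
static int dispatch_checked(struct ioctl_req *r)
{
    struct filter_cfg in;

    if (r->code != IOCTL_SET_FILTER || r->buf == NULL)
        return -1;
    if (r->in_len < sizeof in || r->out_len < sizeof in)
        return -1;                               /* never read or write past the buffer */
    memcpy(&in, r->buf, sizeof in);              /* copy exactly what the struct holds */
    if (in.flags & ~FILTER_FLAGS_VALID)
        return -1;                               /* validate values, not only sizes */
    g_filter = in;
    memcpy(r->buf, &g_filter, sizeof g_filter);
    r->out_len = sizeof g_filter;                /* report the bytes actually written */
    return 0;
}

/* Builds a SET_FILTER request with the given flags and lengths and returns the
 * checked dispatcher's verdict. Lengths that do not match the real buffer are
 * what a hostile caller sends; the dispatcher must refuse to act on them. */
static int try_set_filter(uint32_t flags, size_t in_len, size_t out_len)
{
    uint8_t buf[sizeof(struct filter_cfg)];
    struct filter_cfg cfg = { flags, 0xffffffffu };
    struct ioctl_req r = { IOCTL_SET_FILTER, buf, in_len, out_len };
    memcpy(buf, &cfg, sizeof cfg);
    return dispatch_checked(&r);
}

static uint32_t current_flags(void) { return g_filter.flags; }

int main(void)
{
    uint8_t raw[sizeof(struct filter_cfg)] = { 0 };
    struct ioctl_req benign = { IOCTL_SET_FILTER, raw, sizeof raw, sizeof raw };

    dispatch_unchecked(&benign);                 /* only ever fed well-formed lengths here */
    printf("valid request:  %d\n", try_set_filter(0x3, 8, 8));   /* 0 */
    printf("short input:    %d\n", try_set_filter(0x3, 3, 8));   /* -1 */
    printf("bad flag bits:  %d\n", try_set_filter(0x80, 8, 8));  /* -1 */
    printf("flags now 0x%x\n", current_flags());                 /* 0x3 */
    return 0;
}
```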

vulnerability bulletin CVE-2007-4997

Linux kernel: integer overflow of ieee80211_rx

Synthesis of the vulnerability

An attacker can send a malicious 802.11 packet in order to create a denial of service.
Impacted products: Debian, Linux, Mandriva Linux, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: radio connection.
Creation date: 06/11/2007.
Identifiers: BID-26337, CVE-2007-4997, DSA-1428-1, MDKSA-2007:226, MDKSA-2007:232, MDVSA-2008:008, MDVSA-2008:105, RHSA-2007:0993-01, RHSA-2007:1104-01, SUSE-SA:2007:059, SUSE-SA:2007:064, SUSE-SA:2008:006, VIGILANCE-VUL-7313.

Description of the vulnerability

The ieee80211_rx() function in net/ieee80211/ieee80211_rx.c handles 802.11 frame reception.

This function checks the frame length ("skb->len < 10") before decoding it, but does not check that the frame is at least as long as its own header ("skb->len < hdrlen"). This usually has no impact; however, when the IEEE80211_STYPE_QOS_DATA flag is set, hdrlen is larger and the length subtraction wraps (integer overflow). The resulting huge value is then used as the size of a memcpy(). The attacker does not control the wrapped value, which rules out code execution.

An attacker can therefore send a malicious 802.11 frame in order to cause a denial of service.
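The length arithmetic behind this bug, as an added example that is not part of the bulletin or of the kernel source: a simplified hdr_len() for data frames, the vulnerable shape with only the "len < 10" check, and the fixed shape that also rejects "len < hdrlen". The 20-byte QoS frame is constructed for the demo; management and control frames are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame-control bits of an 802.11 MAC header (little-endian 16-bit field). */
#define FCTL_FTYPE     0x000c
#define FCTL_TODS      0x0100
#define FCTL_FROMDS    0x0200
#define FTYPE_DATA     0x0008
#define STYPE_QOS_DATA 0x0080

/* Simplified header length for data frames: 24 bytes, +6 when both ToDS and
 * FromDS are set (fourth address), +2 for the QoS control field. */
static size_t hdr_len(uint16_t fc)
{
    size_t len = 24;
    if ((fc & (FCTL_TODS | FCTL_FROMDS)) == (FCTL_TODS | FCTL_FROMDS))
        len += 6;
    if ((fc & FCTL_FTYPE) == FTYPE_DATA && (fc & STYPE_QOS_DATA))
        len += 2;
    return len;
}

static uint16_t frame_control(const uint8_t *frame)
{
    return (uint16_t)(frame[0] | (frame[1] << 8));
}

/* Vulnerable shape: only the "len < 10" check. The unsigned subtraction wraps
 * when the frame is shorter than its own header, and the wrapped value is the
 * size the kernel then handed to memcpy(). */
static size_t payload_len_unchecked(const uint8_t *frame, size_t len)
{
    if (len < 10)
        return 0;
    return len - hdr_len(frame_control(frame));
}

/* Fixed shape: also reject "len < hdrlen". Returns 0 and stores the payload
 * length, or -1 for a frame that is too short. */
static int payload_len_checked(const uint8_t *frame, size_t len, size_t *out)
{
    size_t hl;
    if (len < 10)
        return -1;
    hl = hdr_len(frame_control(frame));
    if (len < hl)
        return -1;
    *out = len - hl;
    return 0;
}

/* Constructed sample: a QoS data frame (fc = 0x0088, 26-byte header) delivered
 * with only 20 bytes. Returns the length the unchecked code would use. */
static size_t demo_unchecked(void)
{
    uint8_t frame[40] = { 0x88, 0x00 };
    return payload_len_unchecked(frame, 20);
}

/* Same frame through the fixed path at the given length: the payload length,
 * or (size_t)-1 when the frame is rejected. */
static size_t demo_checked_payload(size_t len)
{
    uint8_t frame[40] = { 0x88, 0x00 };
    size_t payload = 0;
    return payload_len_checked(frame, len, &payload) == 0 ? payload : (size_t)-1;
}

int main(void)
{
    printf("unchecked payload length for a 20-byte frame: %zu\n", demo_unchecked());
    printf("checked, 20-byte frame: %s\n",
           demo_checked_payload(20) == (size_t)-1 ? "rejected" : "accepted");
    printf("checked, 40-byte frame: payload %zu\n", demo_checked_payload(40));
    return 0;
}
```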

vulnerability announce CVE-2007-2395 CVE-2007-3750 CVE-2007-3751

QuickTime: several vulnerabilities

Synthesis of the vulnerability

Several QuickTime vulnerabilities can lead to code execution.
Impacted products: QuickTime.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 06/11/2007.
Revision date: 15/11/2007.
Identifiers: BID-26338, BID-26339, BID-26340, BID-26341, BID-26342, BID-26344, BID-26345, BID-26443, CERTA-2007-AVI-477, CVE-2007-2395, CVE-2007-3750, CVE-2007-3751, CVE-2007-4672, CVE-2007-4674, CVE-2007-4675, CVE-2007-4676, CVE-2007-4677, TPTI-07-20, VIGILANCE-VUL-7312, VU#319771, VU#445083, VU#690515, VU#797875, ZDI-07-065, ZDI-07-066, ZDI-07-067, ZDI-07-068.

Description of the vulnerability

Several QuickTime vulnerabilities can lead to code execution.

When a video contains a malicious image description, memory corruption occurs in QuickTime. [severity:3/4; BID-26340, CERTA-2007-AVI-477, CVE-2007-2395, VU#797875]

When a video contains a malicious STSD (Sample Table Sample Description) field, memory corruption occurs in QuickTime. [severity:3/4; BID-26341, CVE-2007-3750]

Several vulnerabilities in QuickTime for Java permit an attacker to obtain information or execute code. [severity:3/4; BID-26339, CVE-2007-3751, VU#319771]

When QuickTime opens a PICT file with an invalid UncompressedQuickTimeData value, an overflow occurs. [severity:3/4; CVE-2007-4672, ZDI-07-068]

When QuickTime opens a PICT file with an invalid PackBitsRgn or Poly value, an overflow occurs. [severity:3/4; BID-26344, BID-26345, CVE-2007-4676, VU#690515, ZDI-07-066, ZDI-07-067]

The QTVR format (QuickTime Virtual Reality) contains panoramas which can be viewed from several angles. The QuickTime player does not validate panorama headers, which leads to an overflow. [severity:3/4; BID-26342, CVE-2007-4675]

A video can contain an RGB color table (CTAB) listing all its colors. When the size declared by this table is incorrect, an overflow occurs in QuickTime. [severity:3/4; BID-26338, CVE-2007-4677, VU#445083, ZDI-07-065]

When QuickTime opens a malicious video, an overflow occurs. [severity:3/4; BID-26443, CVE-2007-4674, TPTI-07-20]

vulnerability alert CVE-2007-1659 CVE-2007-1660 CVE-2007-1661

Perl, PCRE: vulnerabilities of regular expressions

Synthesis of the vulnerability

When an attacker can change the regular expression used by a program, they can corrupt its memory in order, for example, to execute code.
Impacted products: Debian, Fedora, Tru64 UNIX, AIX, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, Perl Core, PHP, RHEL, Snort, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 05/11/2007.
Revision date: 06/11/2007.
Identifiers: 231524, 315871, 315881, 323571, 6629836, BID-26346, BID-26350, c01362465, CERTA-2007-AVI-481, CERTA-2008-AVI-053, CERTA-2008-AVI-239, CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-5116, DSA-1399-1, DSA-1400-1, DSA-1570-1, FEDORA-2007-2944, FEDORA-2007-3255, FEDORA-2007-748, HPSBTU02311, IZ10220, IZ10244, IZ10245, MDKSA-2007:207, MDKSA-2007:211, MDKSA-2007:212, MDKSA-2007:213, RHSA-2007:0966-01, RHSA-2007:0967-01, RHSA-2007:0968-01, RHSA-2007:1011-01, RHSA-2007:1063-01, RHSA-2007:1065-01, RHSA-2007:1068-01, RHSA-2007:1126-01, RHSA-2008:0546-01, RHSA-2010:0602-02, SSRT080001, SUSE-SA:2007:062, SUSE-SA:2008:004, SUSE-SR:2007:024, SUSE-SR:2007:025, VIGILANCE-VUL-7311, VMSA-2008-0001, VMSA-2008-0001.1, VMSA-2008-0007, VMSA-2008-0007.1, VMSA-2008-0007.2.

Description of the vulnerability

The PCRE library implements Perl-compatible regular expressions (as opposed to POSIX ones). Several vulnerabilities affect this family of regular expressions.

A Perl regular expression can contain "\L...\E" to convert to lowercase, "\U...\E" to convert to uppercase and "\Q...\E" to quote metacharacters. However, the "\Q...\E" case is not handled correctly, which desynchronizes the regular expression compiler and corrupts its memory. [severity:2/4; 315871, BID-26346, CVE-2007-1659]

The "[...]" brackets define character classes. In some cases, the memory allocated to store them is too small, which corrupts memory. [severity:2/4; 315881, BID-26346, CVE-2007-1660]

The "\X" sequence matches an extended Unicode sequence, "\pL" matches letters and "\d" matches digits. By combining these sequences in non-UTF-8 mode, an attacker can read memory. [severity:2/4; BID-26346, CVE-2007-1661]

Several functions can read past the end of the string while searching for parentheses or brackets. [severity:2/4; BID-26346, CVE-2007-1662]

Several integer overflows can occur while handling escape sequences. [severity:2/4; BID-26346, CVE-2007-4766]

The "\pX" and "\p{X}" sequences match characters with Unicode property X, and "\PX" and "\P{X}" match characters without it. Several infinite loops and overflows occur while handling these sequences. [severity:2/4; BID-26346, CVE-2007-4767]

When a character class contains a single Unicode sequence, an optimization is applied incorrectly and leads to an overflow. [severity:2/4; BID-26346, CERTA-2008-AVI-053, CVE-2007-4768]

The Perl regular expression compiler works in two passes: the first computes the size needed, the second stores the compiled data. However, by using Unicode characters, an attacker can make the second pass store more data than the first pass sized. [severity:2/4; 323571, BID-26350, CERTA-2007-AVI-481, CVE-2007-5116]

When an attacker can change the regular expression used by a program, they can thus corrupt its memory in order, for example, to execute code. In some cases they can also read memory contents or cause a denial of service. Untrusted input should never be compiled as a pattern on an unpatched build: the pattern is effectively code.
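The two-pass sizing failure described for CVE-2007-5116, reduced to a model in C that is an added example (not Perl's regcomp() and not part of the bulletin): pass 1 counts one output byte per input byte, pass 2 switches to UTF-8 when upper-casing a Latin-1 character produces one that Latin-1 cannot encode, so the buffer sized by pass 1 is too small. The fix is to size with the same routine that emits. The case-folding rule, the bounded writes and the sample pattern are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a two-pass pattern compiler, not Perl's regcomp(): pass 1 sizes the
 * output buffer, pass 2 case-folds the pattern into it. The defect is that
 * pass 1 assumes one output byte per input byte, while pass 2 switches to
 * UTF-8 when it meets a character whose upper-case form lies outside Latin-1,
 * so it writes more bytes than were sized. */

/* Upper-cases one Latin-1 byte into `out` (NULL to size only) and returns the
 * number of output bytes. 0xFF (y with diaeresis) upper-cases to U+0178, which
 * has no Latin-1 encoding and takes two bytes in UTF-8. */
static size_t emit_upper(uint8_t c, uint8_t *out)
{
    if (c >= 'a' && c <= 'z') {
        if (out) out[0] = (uint8_t)(c - 32);
        return 1;
    }
    if (c == 0xFF) {
        if (out) { out[0] = 0xC5; out[1] = 0xB8; }   /* U+0178 in UTF-8 */
        return 2;
    }
    if (out) out[0] = c;
    return 1;
}

/* Pass 1, vulnerable version: one byte out per byte in. */
static size_t size_pass_naive(const uint8_t *pat, size_t n)
{
    (void)pat;
    return n;
}

/* Pass 1, fixed version: drive the same emitter with a NULL sink so that both
 * passes agree by construction. */
static size_t size_pass_exact(const uint8_t *pat, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += emit_upper(pat[i], NULL);
    return total;
}

/* Pass 2: writes the folded pattern into buf[cap] and returns the bytes
 * needed. Writes are bounded here so the model itself cannot overflow; the
 * vulnerable compiler trusted pass 1 and did not bound them. */
static size_t emit_pass(const uint8_t *pat, size_t n, uint8_t *buf, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t tmp[2];
        size_t k = emit_upper(pat[i], tmp);
        if (pos + k <= cap)
            memcpy(buf + pos, tmp, k);
        pos += k;
    }
    return pos;
}

/* Bytes pass 2 wants beyond the buffer pass 1 sized: 0 means safe. */
static size_t overflow_bytes(const uint8_t *pat, size_t n,
                             size_t (*size_pass)(const uint8_t *, size_t))
{
    uint8_t buf[64];
    size_t cap = size_pass(pat, n);
    size_t need;
    if (cap > sizeof buf)
        cap = sizeof buf;
    need = emit_pass(pat, n, buf, cap);
    return need > cap ? need - cap : 0;
}

/* Constructed sample pattern: "ab" + 0xFF + "c" in Latin-1. */
static const uint8_t SAMPLE_PAT[] = { 'a', 'b', 0xFF, 'c' };
static const size_t SAMPLE_PAT_LEN = sizeof SAMPLE_PAT;

int main(void)
{
    printf("naive sizing overflows by %zu byte(s)\n",
           overflow_bytes(SAMPLE_PAT, SAMPLE_PAT_LEN, size_pass_naive));   /* 1 */
    printf("exact sizing overflows by %zu byte(s)\n",
           overflow_bytes(SAMPLE_PAT, SAMPLE_PAT_LEN, size_pass_exact));   /* 0 */
    return 0;
}
```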

vulnerability CVE-2007-5740

Perdition: format string attack of IMAP proxy

Synthesis of the vulnerability

An unauthenticated attacker can trigger a format string vulnerability in the Perdition IMAP proxy in order to execute code.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Creation date: 05/11/2007.
Identifiers: BID-26270, CVE-2007-5740, DSA-1398-1, SEC Consult SA-20071031-0, VIGILANCE-VUL-7310.

Description of the vulnerability

Perdition is a POP3 and IMAP4 proxy server.

The IMAP protocol prefixes each line with a tag that pairs a request with its response. For example:
  A123 RENAME dir dir2
  A123 OK RENAME completed

The __str_vwrite() function in Perdition's str.c checks that a string contains no extra format directive before using that string as the format argument of vsnprintf(). However, __str_vwrite() does not handle the null character ('\0') correctly, which lets an attacker bypass this check.

An attacker can thus, for example, send a crafted IMAP tag to trigger a format string attack against the IMAP proxy. The vulnerability can be exploited before authentication and leads to code execution.
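The two halves of the fix a practitioner would want, as an added example in C modelled on the bulletin's description rather than taken from Perdition's str.c: a strlen()-style scan for '%' that an embedded NUL blinds, a length-aware scan that is not, and a reply writer that keeps the client's tag out of the format string altogether. The IMAP tag, the response text and the 64-byte tag limit are constructed for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the check and of the write, not Perdition's code. */

/* Check in the shape the bulletin describes as defective: it walks the tag as
 * a C string, so inspection stops at the first NUL even though the bytes after
 * it are still in the buffer the server holds. */
static bool has_directive_cstr(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Length-aware check: inspects every byte the server actually received. */
static bool has_directive_len(const char *s, size_t n)
{
    return memchr(s, '%', n) != NULL;
}

static int vreply(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* UNSAFE shape: the client's tag is spliced into the format string, so any
 * %-directive it carries is interpreted by vsnprintf(). Kept for contrast; the
 * demo only ever calls it with a directive-free tag. */
static int reply_unsafe(char *out, size_t cap, const char *tag, const char *status)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "%s %s", tag, status);
    return vreply(out, cap, fmt);
}

/* SAFE shape: the format is a literal; the tag is data passed as an argument
 * with an explicit length, so neither a '%' nor a NUL inside it matters. */
static int reply_safe(char *out, size_t cap, const char *tag, size_t tag_len, const char *status)
{
    if (tag_len > 64)
        tag_len = 64;                      /* never let a client choose an unbounded width */
    return vreply(out, cap, "%.*s %s", (int)tag_len, tag, status);
}

/* Constructed client tag: "A123", a NUL, then a directive. Seven bytes as read
 * from the socket; a strlen()-based view sees only "A123". */
static const char EVIL_TAG[] = "A123\0%n";
static const size_t EVIL_TAG_LEN = 7;

/* The reply the safe path produces for a tag that is itself a directive. */
static const char *demo_safe_reply(void)
{
    static char out[128];
    reply_safe(out, sizeof out, "%x%x", 4, "OK LOGIN completed");
    return out;
}

int main(void)
{
    char out[128];
    printf("C-string check sees a directive: %d\n", has_directive_cstr(EVIL_TAG));             /* 0 */
    printf("length check sees a directive:   %d\n", has_directive_len(EVIL_TAG, EVIL_TAG_LEN)); /* 1 */
    reply_unsafe(out, sizeof out, "A123", "OK LOGIN completed");
    printf("%s\n", out);
    printf("%s\n", demo_safe_reply());   /* %x%x OK LOGIN completed, directives left uninterpreted */
    return 0;
}
```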

computer vulnerability note CVE-2007-5795

Emacs: code execution via enable-local-variables

Synthesis of the vulnerability

The enable-local-variables setting of Emacs is ignored, which permits code execution when the victim opens a malicious file.
Impacted products: Fedora, Mandriva Linux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 05/11/2007.
Identifiers: 449008, BID-26327, CERTA-2007-AVI-479, CVE-2007-5795, FEDORA-2007-2946, FEDORA-2007-3056, MDVSA-2008:034, VIGILANCE-VUL-7309.

Description of the vulnerability

A text file can contain local variables for Emacs. For example (the leading '_' only marks each line of the block here; in a real file it is the comment prefix of the file's language):
 _Local Variables:
 _comment-column: 0
 _End:

The enable-local-variables variable of Emacs can be set to:
 - t : applies variables known to be safe and asks the user to approve the others (the default)
 - nil : ignores all local variables
 - :all : applies all local variables without asking
 - :safe : applies only variables known to be safe, such as "comment-column", and rejects variables such as "load-path"

However, when enable-local-variables is set to :safe, it is treated as :all. All local variables declared in the file are therefore applied.

An attacker can therefore create a malicious file which executes code on the victim's computer when it is opened.
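A scanner for the block format shown above, as an added example in C (not Emacs code and not part of the bulletin): it finds the last "Local Variables:" marker, takes whatever surrounds it on that line as the prefix and suffix every following line must carry, and counts the variables that fall outside a small allowlist. The allowlist and the two sample files are constructed assumptions; Emacs's own notion of a safe variable is the safe-local-variable property, which this scanner only approximates, and Emacs additionally requires the block to sit in the last 3000 characters of the file, which the scanner does not enforce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Variables this scanner treats as safe: an assumption for the example. Emacs
 * keeps its own list via the safe-local-variable property. Anything else,
 * eval and load-path in particular, is flagged. */
static const char *SAFE_NAMES[] = { "comment-column", "fill-column", "tab-width", "indent-tabs-mode" };

static bool is_safe_name(const char *name, size_t n)
{
    for (size_t i = 0; i < sizeof SAFE_NAMES / sizeof SAFE_NAMES[0]; i++)
        if (strlen(SAFE_NAMES[i]) == n && memcmp(SAFE_NAMES[i], name, n) == 0)
            return true;
    return false;
}

/* Scans `text` for an Emacs local-variables block. Whatever surrounds
 * "Local Variables:" on its line (in practice a comment marker such as "# "
 * or ";; ") is the prefix/suffix every following line must carry, up to the
 * "End:" line. Returns the number of variables declared and stores how many
 * are outside the allowlist in *unsafe. */
static int scan_local_variables(const char *text, int *unsafe)
{
    static const char MARK[] = "Local Variables:";
    const size_t mlen = sizeof MARK - 1;
    const char *m = NULL, *p = text, *ls, *se, *le, *line;
    size_t plen, slen;
    int count = 0;

    *unsafe = 0;
    while ((p = strstr(p, MARK)) != NULL) {      /* the last occurrence is the one Emacs uses */
        m = p;
        p += mlen;
    }
    if (!m)
        return 0;

    ls = m;                                      /* start of the marker line */
    while (ls > text && ls[-1] != '\n')
        ls--;
    plen = (size_t)(m - ls);                     /* prefix: text before the marker */
    se = m + mlen;
    le = strchr(se, '\n');
    if (!le)
        return 0;
    slen = (size_t)(le - se);                    /* suffix: text after the marker */

    line = le + 1;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *body, *colon;
        size_t blen;

        if (len < plen + slen || memcmp(line, ls, plen) != 0 ||
            memcmp(line + len - slen, se, slen) != 0)
            break;                               /* prefix/suffix mismatch ends the block */
        body = line + plen;
        blen = len - plen - slen;
        if (blen == 4 && memcmp(body, "End:", 4) == 0)
            break;
        colon = memchr(body, ':', blen);
        if (colon) {
            count++;
            if (!is_safe_name(body, (size_t)(colon - body)))
                (*unsafe)++;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return count;
}

/* Constructed samples: the first declares only a safe variable; the second
 * hides an eval form after a harmless one, using a C-comment prefix/suffix. */
static const char SAMPLE_SAFE[] =
    "Some text.\n"
    ";; Local Variables:\n"
    ";; comment-column: 0\n"
    ";; End:\n";

static const char SAMPLE_EVIL[] =
    "int x;\n"
    "/* Local Variables: */\n"
    "/* comment-column: 0 */\n"
    "/* eval: (message \"local variables ran\") */\n"
    "/* End: */\n";

static int var_count(const char *text)   { int u; return scan_local_variables(text, &u); }
static int unsafe_count(const char *text) { int u; scan_local_variables(text, &u); return u; }

int main(void)
{
    printf("safe sample: %d variable(s), %d unsafe\n", var_count(SAMPLE_SAFE), unsafe_count(SAMPLE_SAFE));
    printf("evil sample: %d variable(s), %d unsafe\n", var_count(SAMPLE_EVIL), unsafe_count(SAMPLE_EVIL));
    return 0;
}
```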

computer vulnerability bulletin CVE-2007-3880

Solaris: privilege elevation via SRS Net Connect

Synthesis of the vulnerability

A local attacker can exploit a format string vulnerability in an SRS Net Connect tool in order to obtain root privileges.
Impacted products: Solaris, Trusted Solaris.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 05/11/2007.
Identifiers: 103119, 6582431, BID-26313, CVE-2007-3880, VIGILANCE-VUL-7308.

Description of the vulnerability

The SUNWsrspx package (Sun Remote Services Net Connect) installs the srsexec program setuid root in the /opt/SUNWsrspx/bin directory.

A format string vulnerability related to the use of syslog() has been announced in srsexec. Its technical details are not public.

A local attacker can use this vulnerability to obtain root privileges.

computer vulnerability announce CVE-2007-5603 CVE-2007-5660 CVE-2007-5722

IE: vulnerabilities in several ActiveX controls, November 2007

Synthesis of the vulnerability

Several ActiveX controls permit a remote attacker to cause a denial of service or to execute code.
Impacted products: IE.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 19.
Creation date: 02/11/2007.
Revisions dates: 07/11/2007, 13/11/2007, 23/11/2007.
Identifiers: 20071101-0, AD20071120, BID-26244, BID-26247, BID-26280, BID-26288, BID-26308, BID-26356, BID-26388, BID-26396, BID-26414, BID-26467, BID-26536, BID-26573, BID-26586, BID-26594, BID-26630, CERTA-2007-AVI-472, CVE-2007-5603, CVE-2007-5660, CVE-2007-5722, CVE-2007-5755, CVE-2007-5775, CVE-2007-5807, CVE-2007-5814, CVE-2007-5815, CVE-2007-5826, CVE-2007-5892, CVE-2007-5911, CVE-2007-5941, CVE-2007-6028, CVE-2007-6144, CVE-2007-6189, VIGILANCE-VUL-7307, VU#298521.

Description of the vulnerability

Several ActiveX controls permit a remote attacker to cause a denial of service or to execute code.

The FileDelete() method of the SonicWall NetExtender NELaunchCtrl ActiveX control (NELaunchX.dll) lets an attacker delete a file from the user's computer. [severity:2/4; 20071101-0, BID-26288, CVE-2007-5814, CVE-2007-5815]

An attacker can trigger an overflow in the AddRouteEntry() method of the SonicWall NetExtender NELaunchCtrl ActiveX control (NELaunchX.dll) in order to execute code. [severity:2/4; 20071101-0, BID-26288, CERTA-2007-AVI-472, CVE-2007-5603, VU#298521]

An attacker can execute code via a vulnerability in the Macrovision InstallShield Update Service ActiveX control (isusweb.dll). [severity:2/4; BID-26280, CVE-2007-5660]

An attacker can use an overflow in the ConnectAndEnterRoom() method of the GlobalLink GLChat.ocx ActiveX control in order to execute code. [severity:2/4; BID-26244, CVE-2007-5722]

An attacker can use the HttpDownloadFile() method of the EDraw Flowchart ActiveX control (EDImage.ocx) in order to overwrite a file. [severity:2/4; BID-26308, CVE-2007-5826]

An attacker can trigger an overflow in SSReader Ultra Star Reader in order to execute code. [severity:2/4; BID-26247, CVE-2007-5807]

An attacker can trigger an overflow in the BroadcastKey(), BroadcastKeyFileURL(), Component(), ComponentClassID(), ComponentFileName(), ExtraProperty(), Properties(), RequiredVersions(), Source() and XMLText() methods of the Viewpoint Media Player ActiveX control (AxMetaStream.dll) in order to execute code. [severity:2/4; BID-26356, CVE-2007-5911]

An attacker can trigger an overflow in the ShockwaveVersion() method of the Adobe Shockwave SWCtl.SWCtl ActiveX control. [severity:2/4; BID-26388, CVE-2007-5941]

An attacker can trigger an overflow in the Register() method of SSReader pdg2.dll. [severity:2/4; CVE-2007-5892]

An attacker can trigger several overflows in methods of the AOL AmpX.dll ActiveX control. [severity:2/4; BID-26396, CVE-2007-5755]

An attacker can trigger an overflow in the GetProfileString() method of the Microsoft Remote Help SAFRCFileDlg.RASetting ActiveX control (safrcdlg.dll). [severity:2/4]

An attacker can trigger several errors in the Microsoft Forms 2.0 controls (FM20.dll). [severity:2/4; BID-26414]

An attacker can use the Text, EditSelText, EditText and CellFontName parameters of the ComponentOne FlexGrid VSFlexGrid ActiveX control in order to trigger an overflow. [severity:2/4; BID-26467, CVE-2007-6028]

An attacker can trigger an overflow in the GotoFolder() and CanGotoFolder() methods of the Aurigma Image Uploader ActiveX control. [severity:2/4]

An attacker can trigger an overflow in the Import() and PlayerProperty() methods of the RealNetworks RealPlayer ActiveX control (ierpplug.dll). [severity:2/4; BID-26586, BID-26594]

An attacker can trigger an overflow in the DoInstall() and QueryComponents() methods of the RichFX ActiveX control (nprfxins.dll). [severity:2/4; BID-26573]

An attacker can trigger an overflow in the BitDefender Online Scanner ActiveX control (OScan8.ocx/Oscan81.ocx). [severity:2/4; AD20071120, CVE-2007-5775, CVE-2007-6189]

An attacker can trigger an overflow in the StoreLicense() method of the Microsoft Windows Media Digital Rights Management ActiveX control. [severity:2/4; BID-26630]

An attacker can trigger an overflow in the FlvPlayerUrl property of the Xunlei Thunder PPlayer.XPPlayer.1 ActiveX control. [severity:2/4; BID-26536, CVE-2007-6144]

computer vulnerability alert CVE-2007-5798 CVE-2007-5799

WebSphere AS: vulnerabilities of navigateTree.do

Synthesis of the vulnerability

One Cross Site Scripting vulnerability and several Cross Site Request Forgery vulnerabilities can be exploited via the UDDI registry interface.
Impacted products: WebSphere AS Traditional.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/11/2007.
Identifiers: BID-26276, CVE-2007-5798, CVE-2007-5799, PK50245, VIGILANCE-VUL-7306.

Description of the vulnerability

The UDDI Registry (Universal Description, Discovery and Integration) stores information about web services. Several vulnerabilities affect its uddigui/navigateTree.do page.

The keyField, nameField, valueField and frameReturn parameters are not filtered. An attacker can therefore execute JavaScript code in the browser of a user connected to the site (Cross Site Scripting). [severity:2/4]

Some sensitive operations can be performed without user confirmation (Cross Site Request Forgery). [severity:2/4]

vulnerability note CVE-2007-5751

Liferea: feed list disclosure

Synthesis of the vulnerability

A local attacker can obtain the list of RSS feeds of Liferea users.
Impacted products: Fedora, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 02/11/2007.
Identifiers: CVE-2007-5751, FEDORA-2007-2725, FEDORA-2007-2853, VIGILANCE-VUL-7304.

Description of the vulnerability

Liferea is an RSS feed reader.

The list of feeds a user subscribes to is stored in the feedlist.opml file. When this file is modified, a backup copy is created. However, the copy is created with permissions 0644, which lets every local user read it.

A local attacker can therefore obtain the list of feeds tracked by Liferea users.
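The hardened way to write such a copy, together with a check for the weak mode, as an added example in C that is not Liferea's code: the backup is created with mode 0600 under a restrictive umask and with O_EXCL, and a stat()-based audit reports whether a file is readable by group or others. The feed list content and the /tmp paths are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copies `src` to a new file `dst` that only the owner can read. The mode is
 * fixed at creation (0600) under a temporary umask of 077, and O_EXCL refuses
 * to reuse an existing path, so a leftover world-readable copy or a symlink
 * planted by another user is never written through. Returns 0 or -1. */
static int backup_private(const char *src, const char *dst)
{
    mode_t old_mask = umask(077);
    int in = open(src, O_RDONLY);
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    char buf[4096];
    ssize_t n = 0;
    int rc = 0;

    umask(old_mask);
    if (in < 0 || out < 0) {
        if (in >= 0) close(in);
        if (out >= 0) { close(out); unlink(dst); }
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
    }
    if (n < 0)
        rc = -1;
    close(in);
    if (close(out) != 0)
        rc = -1;
    return rc;
}

/* Audit check: 1 if group or others can read `path` (the 0644 problem), 0 if
 * not, -1 if the path cannot be examined. */
static int world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Demo: writes a constructed feed list with the 0644 mode the bulletin
 * describes, backs it up, and returns the backup's permission bits (0600 on
 * success, -1 on error). Files live under /tmp and are removed afterwards. */
static int demo_backup_mode(void)
{
    static const char feeds[] =
        "<opml><body><outline xmlUrl=\"https://example.org/feed\"/></body></opml>\n";
    char src[64], dst[64];
    struct stat st;
    int fd, mode = -1;

    snprintf(src, sizeof src, "/tmp/feedlist-%ld.opml", (long)getpid());
    snprintf(dst, sizeof dst, "/tmp/feedlist-%ld.opml.bak", (long)getpid());
    unlink(dst);                                 /* clear a leftover from an interrupted run */
    fd = open(src, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, feeds, sizeof feeds - 1) != (ssize_t)(sizeof feeds - 1)) {
        close(fd);
        unlink(src);
        return -1;
    }
    close(fd);
    chmod(src, 0644);                            /* mimic the weak mode regardless of umask */
    if (backup_private(src, dst) == 0 && stat(dst, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    unlink(src);
    unlink(dst);
    return mode;
}

int main(void)
{
    printf("backup created with mode %04o\n", demo_backup_mode());   /* 0600 */
    return 0;
}
```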
