The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability note 8799

ClamAV: bypassing via CAB RAR ZIP

Synthesis of the vulnerability

An attacker can create a CAB/RAR/ZIP archive containing a virus which is not detected by ClamAV.
Impacted products: ClamAV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/06/2009.
Identifiers: BID-35398, BID-35410, BID-35426, TZO-40-2009, TZO-43-2009, VIGILANCE-VUL-8799.

Description of the vulnerability

The ClamAV antivirus detects viruses contained in CAB/RAR/ZIP archives. However, an attacker can create a malformed archive, which can still be opened by extraction tools, but which cannot be opened by the antivirus.

The Winrar, Winzip and 7-Zip tools search for the magic header (for example "PK" for a ZIP file) in the first 50000 bytes of the file. However, ClamAV only searches for the magic header in the first bytes of a RAR/ZIP file, and thus does not uncompress the infected file to check it. [severity:2/4]

When a CAB file has an invalid size, ClamAV does not scan it. [severity:2/4; TZO-43-2009]

An attacker can therefore create a CAB/RAR/ZIP archive containing a virus which is not detected by ClamAV.

computer vulnerability bulletin 8798

Apache httpd: bypassing AllowOverride

Synthesis of the vulnerability

A local attacker can create a .htaccess file in order to bypass restrictions of AllowOverride.
Impacted products: Apache httpd, Debian.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: user account.
Creation date: 16/06/2009.
Identifiers: 44262, DSA-1816-1, VIGILANCE-VUL-8798.

Description of the vulnerability

The AllowOverride directive of the Apache httpd configuration file indicates if directives located in a .htaccess file are honoured. For example:
  AllowOverride None : nothing is allowed
  AllowOverride All : everything is allowed
  AllowOverride Options : directives changing directory options are allowed

Since Apache httpd version 2.2, the Options parameter of the AllowOverride directive can restrict the list of allowed options. For example:
  AllowOverride Options=Indexes,IncludesNOEXEC

However, due to a logic error, when at least one option is indicated in AllowOverride, all options are allowed (as was the case before Apache httpd 2.2).

An attacker can therefore, for example, enable the "Includes" option in a .htaccess file in order to use the "#exec cmd" and "#exec cgi" commands.

computer vulnerability announce 8797

Symantec Antivirus: bypassing via RAR TAR ZIP

Synthesis of the vulnerability

An attacker can create a RAR/TAR/ZIP archive containing a virus which is not detected by Symantec.
Impacted products: Norton Antivirus, Norton Internet Security, Symantec AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 15/06/2009.
Identifiers: BID-35354, SYM09-009, VIGILANCE-VUL-8797.

Description of the vulnerability

Symantec products detect viruses contained in RAR/TAR/ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Untar/Unzip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a RAR/TAR/ZIP archive containing a virus which is not detected by Symantec products.

computer vulnerability alert 8796

Kaspersky Antivirus: bypassing via PDF

Synthesis of the vulnerability

An attacker can create a PDF document containing a virus which is not detected by Kaspersky.
Impacted products: Kaspersky AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 15/06/2009.
Identifiers: TZO-30-2009, VIGILANCE-VUL-8796.

Description of the vulnerability

The body of a PDF document starts with the "%PDF" tag and ends with the last "%%EOF" tag. Lines located before and after these tags are ignored by Adobe Acrobat and FoxitReader.

However, if an attacker creates a malicious PDF document containing a line before the "%PDF" tag, Kaspersky products do not recognize the PDF format.

An attacker can therefore create a PDF document containing a virus which is not detected by Kaspersky products.

vulnerability note 8794

F-PROT Antivirus: bypassing via TAR

Synthesis of the vulnerability

An attacker can create a TAR archive containing a virus which is not detected by F-PROT products.
Impacted products: F-PROT AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 15/06/2009.
Identifiers: BID-35355, TZO-33-2009, VIGILANCE-VUL-8794.

Description of the vulnerability

F-PROT products detect viruses contained in TAR archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Winzip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a TAR archive containing a virus which is not detected by F-PROT products.

vulnerability bulletin CVE-2009-2031

OpenSolaris: file reading via smbfs

Synthesis of the vulnerability

A local attacker can read files mounted via smbfs.
Impacted products: OpenSolaris.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 12/06/2009.
Identifiers: 257548, 6800703, BID-35306, CVE-2009-2031, VIGILANCE-VUL-8793.

Description of the vulnerability

The smbfs filesystem is used to access a SMB/CIFS share.

By default, the main() function of the usr/src/cmd/fs.d/smbclnt/mount/mount.c module mounts the smbfs filesystem with the mode bits "S_IRWXU | S_IRWXG | S_IRWXO". Depending on root's umask, this generally means that files have the "rwxr-xr-x" mode, so all local users can read them.

A local attacker can therefore read files located under the smbfs mounted directory. The attacker can then obtain potentially sensitive information.

vulnerability announce CVE-2009-1392 CVE-2009-1832 CVE-2009-1833

Firefox, Thunderbird, SeaMonkey: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to obtain information, to create a denial of service or to execute code on the victim's computer.
Impacted products: Debian, Fedora, Mandriva Linux, Firefox, SeaMonkey, Thunderbird, openSUSE, RHEL, Slackware, SLES, TurboLinux.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 12/06/2009.
Identifiers: 495057, BID-35326, BID-35360, BID-35370, BID-35371, BID-35372, BID-35373, BID-35377, BID-35380, BID-35383, BID-35386, BID-35388, BID-35391, BID-35461, CERTA-2009-AVI-233, CERTA-2009-AVI-251, CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1834, CVE-2009-1835, CVE-2009-1836, CVE-2009-1837, CVE-2009-1838, CVE-2009-1839, CVE-2009-1840, CVE-2009-1841, CVE-2009-2210, DSA-1820-1, DSA-1830-1, FEDORA-2009-7567, FEDORA-2009-7614, FEDORA-2009-8535, MDVSA-2009:134, MDVSA-2009:141, MFSA 2009-24, MFSA 2009-25, MFSA 2009-26, MFSA 2009-27, MFSA 2009-28, MFSA 2009-29, MFSA 2009-30, MFSA 2009-31, MFSA 2009-32, MFSA 2009-33, RHSA-2009:1095-01, RHSA-2009:1096-01, RHSA-2009:1125-01, RHSA-2009:1126-01, RHSA-2009:1134-01, SSA:2009-167-01, SSA:2009-176-01, SSA:2009-178-01, SUSE-SA:2009:034, TLSA-2009-18, TLSA-2009-20, VIGILANCE-VUL-8792.

Description of the vulnerability

Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.

Several memory corruptions lead to code execution. [severity:4/4; BID-35370, BID-35371, BID-35372, CERTA-2009-AVI-233, CERTA-2009-AVI-251, CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, MFSA 2009-24]

Some invalid Unicode characters are displayed as spaces in the address bar, which can deceive the victim. [severity:1/4; BID-35388, CVE-2009-1834, MFSA 2009-25]

An attacker can invite the victim to open a local file in order to read all his cookies. [severity:2/4; BID-35391, CVE-2009-1835, MFSA 2009-26]

An attacker can intercept a CONNECT query to a proxy and send an answer other than 200-Ok in order to inject code in the victim's web browser (VIGILANCE-VUL-8806). [severity:3/4; BID-35380, CVE-2009-1836, MFSA 2009-27]

An attacker can create an HTML page containing a Java applet which uses freed memory in NPObjWrapper_NewResolve(). [severity:4/4; BID-35360, CVE-2009-1837, MFSA 2009-28]

After the garbage collection, JavaScript code can run with chrome privileges. [severity:4/4; BID-35383, CVE-2009-1838, MFSA 2009-29]

An attacker can invite the victim to open a local file in order to execute JavaScript code in the context of the previous page. [severity:2/4; BID-35386, CVE-2009-1839, MFSA 2009-30]

The security policy is not checked when loading a file containing JavaScript code. [severity:1/4; CVE-2009-1840, MFSA 2009-31]

An attacker can use the Sidebar or FeedWriter to execute code with chrome privileges. [severity:4/4; BID-35373, BID-35377, CVE-2009-1841, MFSA 2009-32]

An email in the MIME multipart/alternative format containing a text/enhanced part corrupts the memory. [severity:3/4; 495057, BID-35461, CVE-2009-2210, MFSA 2009-33]

vulnerability alert CVE-2009-2029

Solaris: denial of service of NIS

Synthesis of the vulnerability

An attacker located on a NIS client can create a denial of service on the NIS+ server.
Impacted products: OpenSolaris, Solaris, Trusted Solaris.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 10/06/2009.
Identifiers: 256748, 6466160, BID-35276, CVE-2009-2029, VIGILANCE-VUL-8791.

Description of the vulnerability

The rpc.nisd daemon implements the NIS+ service.

An attacker located on a NIS client can create a denial of service on the NIS+ server. Then, other clients cannot use the service.

vulnerability CVE-2009-1390

Mutt: incorrect validation of certification chain

Synthesis of the vulnerability

An attacker can offer an invalid certification chain for SSL, which is not detected by Mutt.
Impacted products: Fedora, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet server.
Creation date: 10/06/2009.
Identifiers: BID-35288, CVE-2009-1390, FEDORA-2009-6465, VIGILANCE-VUL-8790.

Description of the vulnerability

Version 1.5.19 of the Mutt email client supports X.509 certification chains, with intermediary certification authorities.

Mutt checks each individual certificate in the chain, but does not check if the chain itself is valid.

An attacker can therefore offer an invalid certification chain for SSL, which is not detected by Mutt. The attacker can then read data of a Mutt session.

computer vulnerability note CVE-2009-1935

FreeBSD: memory reading via pipe

Synthesis of the vulnerability

A local attacker can use the pipe() function to read a memory area which should be unreadable.
Impacted products: FreeBSD.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 10/06/2009.
Identifiers: BID-35279, CVE-2009-1935, FreeBSD-SA-09:09.pipe, VIGILANCE-VUL-8789.

Description of the vulnerability

The pipe() system call can be used by two processes to exchange data.

To optimize performance, the FreeBSD kernel directly copies data between both processes, without using an intermediary buffer. In order to do so, virtual memory pages are used.

However, the number of pages is rounded, and thus the user obtains memory pages that he should not have access to.

A local attacker can thus obtain sensitive information belonging to other users or to the system.
