| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
History of vulnerabilities analyzed by Vigil@nce:
ClamAV: bypassing via CAB RAR ZIP
Synthesis of the vulnerability
An attacker can create a CAB/RAR/ZIP archive containing a virus which is not detected by ClamAV.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/06/2009.
Identifiers: BID-35398, BID-35410, BID-35426, TZO-40-2009, TZO-43-2009, VIGILANCE-VUL-8799.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The ClamAV antivirus detects viruses contained in CAB/RAR/ZIP archives. However, an attacker can create a malformed archive, which can still be opened by extraction tools, but which cannot be opened by the antivirus.
The Winrar, Winzip and 7-Zip tools search the magic header (for example "PK" for a ZIP file) in the first 50000 bytes of the file. However, ClamAV only searches the magic header in the first bytes of a RAR/ZIP file, and thus does not uncompress the infected file to check it. [severity:2/4]
When a CAB file has an invalid size, ClamAV does not scan it. [severity:2/4; TZO-43-2009]
An attacker can therefore create a CAB/RAR/ZIP archive containing a virus which is not detected by ClamAV.
Full Vigil@nce bulletin... (Free trial) |
Apache httpd: bypassing AllowOverride
Synthesis of the vulnerability
A local attacker can create a .htaccess file in order to bypass restrictions of AllowOverride.
Severity: 1/4.
Creation date: 16/06/2009.
Identifiers: 44262, DSA-1816-1, VIGILANCE-VUL-8798.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The AllowOverride directive of the Apache httpd configuration file indicates if directives located in a .htaccess file are honoured. For example:
AllowOverride None : nothing is allowed
AllowOverride All : everything is allowed
AllowOverride Option : directives changing directory options are allowed
Since Apache httpd version 2.2, the Option parameter of the AllowOverride directive can restrict the list of allowed options. For example:
AllowOverride Options=Indexes,IncludesNOEXEC
However, due to a logic error, when at least one option is indicated in AllowOverride, they are all allowed (as it was the case before Apache httpd < 2.2).
An attacker can therefore for example enable the "Includes" option in a .htaccess file in order to use "#exec cmd" and "#exec cgi" commands.
Full Vigil@nce bulletin... (Free trial) |
Symantec Antivirus: bypassing via RAR TAR ZIP
Synthesis of the vulnerability
An attacker can create a RAR/TAR/ZIP archive containing a virus which is not detected by Symantec.
Severity: 2/4.
Creation date: 15/06/2009.
Identifiers: BID-35354, SYM09-009, VIGILANCE-VUL-8797.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Symantec products detect viruses contained in RAR/TAR/ZIP archives.
However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Untar/Unzip tools, but which cannot be opened by the antivirus.
An attacker can therefore create a RAR/TAR/ZIP archive containing a virus which is not detected by Symantec products.
Full Vigil@nce bulletin... (Free trial) |
Kaspersky Antivirus: bypassing via PDF
Synthesis of the vulnerability
An attacker can create a PDF archive containing a virus which is not detected by Kaspersky.
Severity: 2/4.
Creation date: 15/06/2009.
Identifiers: TZO-30-2009, VIGILANCE-VUL-8796.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The body of a PDF document starts with the "%PDF" tag and ends with the last "%%EOF" tag. Lines located before and after these tags are ignored by Adobe Acrobat and FoxitReader.
However, if an attacker creates a malicious PDF document containing a line before the "%PDF" tag, Kaspersky products do not recognize the PDF format.
An attacker can therefore create a PDF archive containing a virus which is not detected by Kaspersky products.
Full Vigil@nce bulletin... (Free trial) |
F-PROT Antivirus: bypassing via TAR
Synthesis of the vulnerability
An attacker can create a TAR archive containing a virus which is not detected by F-PROT products.
Severity: 2/4.
Creation date: 15/06/2009.
Identifiers: BID-35355, TZO-33-2009, VIGILANCE-VUL-8794.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
F-PROT products detect viruses contained in TAR archives.
However, an attacker can create a slightly malformed archive, which can still be opened by Winzip tools, but which cannot be opened by the antivirus.
An attacker can therefore create a TAR archive containing a virus which is not detected by F-PROT products.
Full Vigil@nce bulletin... (Free trial) |
OpenSolaris: file reading via smbfs
Synthesis of the vulnerability
A local attacker can read files mounted via smbfs.
Severity: 1/4.
Creation date: 12/06/2009.
Identifiers: 257548, 6800703, BID-35306, CVE-2009-2031, VIGILANCE-VUL-8793.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The smbfs filesystem is used to access a SMB/CIFS share.
The main() function of the usr/src/cmd/fs.d/smbclnt/mount/mount.c module mounts by default the smbfs system with active bits "S_IRWXU | S_IRWXG | S_IRWXO". Depending on the root's umask, this generally means that files have the "rwxr-xr-x" mode, so all local users can read them.
A local attacker can therefore read files located under the smbfs mounted directory. The attacker can then obtain potentially sensitive information.
Full Vigil@nce bulletin... (Free trial) |
Firefox, Thunderbird, SeaMonkey: several vulnerabilities
Synthesis of the vulnerability
Several vulnerabilities of Firefox, Thunderbird and SeaMonkey can be used by an attacker to obtain information, to create a denial of service or to execute code on victim's computer.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 10.
Creation date: 12/06/2009.
Identifiers: 495057, BID-35326, BID-35360, BID-35370, BID-35371, BID-35372, BID-35373, BID-35377, BID-35380, BID-35383, BID-35386, BID-35388, BID-35391, BID-35461, CERTA-2009-AVI-233, CERTA-2009-AVI-251, CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1834, CVE-2009-1835, CVE-2009-1836, CVE-2009-1837, CVE-2009-1838, CVE-2009-1839, CVE-2009-1840, CVE-2009-1841, CVE-2009-2210, DSA-1820-1, DSA-1830-1, FEDORA-2009-7567, FEDORA-2009-7614, FEDORA-2009-8535, MDVSA-2009:134, MDVSA-2009:141, MFSA 2009-24, MFSA 2009-25, MFSA 2009-26, MFSA 2009-27, MFSA 2009-28, MFSA 2009-29, MFSA 2009-30, MFSA 2009-31, MFSA 2009-32, MFSA 2009-33, RHSA-2009:1095-01, RHSA-2009:1096-01, RHSA-2009:1125-01, RHSA-2009:1126-01, RHSA-2009:1134-01, SSA:2009-167-01, SSA:2009-176-01, SSA:2009-178-01, SUSE-SA:2009:034, TLSA-2009-18, TLSA-2009-20, VIGILANCE-VUL-8792.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Several vulnerabilities were announced in Firefox, Thunderbird and SeaMonkey.
Several memory corruptions lead to code execution. [severity:4/4; BID-35370, BID-35371, BID-35372, CERTA-2009-AVI-233, CERTA-2009-AVI-251, CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, MFSA 2009-24]
Some invalid Unicode characters are displayed as spaces in the address bar, which can deceive the victim. [severity:1/4; BID-35388, CVE-2009-1834, MFSA 2009-25]
An attacker can invite the victim to open a local file in order to read all his cookies. [severity:2/4; BID-35391, CVE-2009-1835, MFSA 2009-26]
An attacker can intercept a CONNECT query to a proxy and send an answer different than 200-Ok in order to inject code in victim's web browser (VIGILANCE-VUL-8806). [severity:3/4; BID-35380, CVE-2009-1836, MFSA 2009-27]
An attacker can create an HTML page containing a Java applet using a freed memory in NPObjWrapper_NewResolve(). [severity:4/4; BID-35360, CVE-2009-1837, MFSA 2009-28]
After the garbage collection, JavaScript code can run with chrome privileges. [severity:4/4; BID-35383, CVE-2009-1838, MFSA 2009-29]
An attacker can invite the victim to open a local file in order to execute JavaScript code in the context of the previous page. [severity:2/4; BID-35386, CVE-2009-1839, MFSA 2009-30]
The security policy is not checked when loading a file containing JavaScript code. [severity:1/4; CVE-2009-1840, MFSA 2009-31]
An attacker can use the Sidebar or FeedWriter to execute code with chrome privileges. [severity:4/4; BID-35373, BID-35377, CVE-2009-1841, MFSA 2009-32]
An email in the MIME multipart/alternative format containing a text/enhanced part corrupts the memory. [severity:3/4; 495057, BID-35461, CVE-2009-2210, MFSA 2009-33]
Full Vigil@nce bulletin... (Free trial) |
Solaris: denial of service of NIS
Synthesis of the vulnerability
An attacker located on a NIS client can create a denial of service on the NIS+ server.
Severity: 2/4.
Creation date: 10/06/2009.
Identifiers: 256748, 6466160, BID-35276, CVE-2009-2029, VIGILANCE-VUL-8791.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The rpc.nisd daemon implements the NIS+ service.
An attacker located on a NIS client can create a denial of service on the NIS+ server. Then, other clients cannot use the service.
Full Vigil@nce bulletin... (Free trial) |
Mutt: incorrect validation of certification chain
Synthesis of the vulnerability
An attacker can offer an invalid certification chain for SSL, which is not detected by Mutt.
Severity: 1/4.
Creation date: 10/06/2009.
Identifiers: BID-35288, CVE-2009-1390, FEDORA-2009-6465, VIGILANCE-VUL-8790.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The version 1.5.19 of the Mutt email client supports X.509 certification chains, with intermediary certification authorities.
Mutt checks each individual certificate in the chain, but does not check if the chain itself is valid.
An attacker can therefore offer an invalid certification chain for SSL, which is not detected by Mutt. The attacker can therefore read data of a Mutt session.
Full Vigil@nce bulletin... (Free trial) |
FreeBSD: memory reading via pipe
Synthesis of the vulnerability
A local attacker can use the pipe() function to read a memory area which should be unreadable.
Severity: 1/4.
Creation date: 10/06/2009.
Identifiers: BID-35279, CVE-2009-1935, FreeBSD-SA-09:09.pipe, VIGILANCE-VUL-8789.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The pipe() system call can be used by two processes to exchange data.
To optimize its performances, the FreeBSD kernel directly copies data between both processes, without using an intermediary buffer. In order to do so, virtual memory pages are used.
However, the number of pages is rounded, and thus the user obtains memory pages, that he should not have access to.
A local attacker can thus obtain sensitive information belonging to other users or to the system.
Full Vigil@nce bulletin... (Free trial) |
Previous page Next page Direct access to page
1
21
41
61
81
101
121
141
161
181
201
221
241
261
281
301
321
341
361
381
401
421
441
461
481
501
521
541
561
581
601
621
641
661
681
701
721
741
761
781
801
821
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
861
881
901
921
941
961
981
1001
1021
1041
1061
1081
1101
1121
1141
1161
1181
1201
1221
1241
1261
1281
1301
1321
1341
1361
1381
1401
1421
1441
1461
1481
1501
1521
1541
1561
1581
1601
1621
1641
1661
1681
1701
1721
1741
1761
1781
1801
1821
1841
1861
1881
1901
1921
1941
1961
1981
2001
2021
2041
2061
2081
2101
2121
2141
2161
2181
2201
2221
2241
2261
2281
2301
2321
2341
2361
2381
2401
2421
2441
2461
2481
2501
2521
2541
2561
2581
2601
2621
2641
2661
2681
2701
2721
2741
2761
2781
2801
2821
2841
2861
2881
2901
2921
2926
|