DoS
http://www.debian.org/security/ dann frazier
May 24, 2011 http://www.debian.org/security/faq
- ----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2010-3875 CVE-2011-0695 CVE-2011-0711 CVE-2011-0726
CVE-2011-1016 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080
CVE-2011-1090 CVE-2011-1160 CVE-2011-1163 CVE-2011-1170
>>> which I called by general name DoS via protocol handlers, to which
>>> belonged
>>> and previous DoS attack via mailto handler.
>>>
>>> Now I'm informing about DoS in different browsers via the protocols news and
>>> nntp. These Denial of Service vulnerabilities belong to the type
>>> (http://websecurity.com.ua/2550/) of blocking DoS and resource consumption
>>> DoS. These attacks can be conducted both with JS and without it (via
>>> creating a page with a large quantity of iframes).
>>>
>>> DoS:
the package.xml file, related to the (1) download_dir, (2) cache_dir,
(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,
CVE-2011-1144)
Ben Schmidt discovered that a use-after-free vulnerability in the PHP
Zend engine could allow an attacker to cause a denial of service (heap
memory corruption) or possibly execute arbitrary code. (CVE-2010-4697)
Martin Barbella discovered a buffer overflow in the PHP GD extension
that allows an attacker to cause a denial of service (application crash)
via a large number of anti-aliasing steps in an argument to the
Summary
=======
The Cisco IOS Software network address translation (NAT) feature
contains multiple denial of service (DoS) vulnerabilities in the
translation of the following protocols:
* NetMeeting Directory (Lightweight Directory Access Protocol,
LDAP)
* Session Initiation Protocol (Multiple vulnerabilities)
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00571568
Version: 11
HPSBUX01137 SSRT5954 rev.11 - HP-UX Running TCP/IP (IPv4), Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2005-04-24
Last Updated: 2007-10-03
>> which I called by general name DoS via protocol handlers, to which
>> belonged
>> and previous DoS attack via mailto handler.
>>
>> Now I'm informing about DoS in different browsers via the protocols news and
>> nntp. These Denial of Service vulnerabilities belong to the type
>> (http://websecurity.com.ua/2550/) of blocking DoS and resource consumption
>> DoS. These attacks can be conducted both with JS and without it (via
>> creating a page with a large quantity of iframes).
>>
>> DoS:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco Unified Communications Manager Denial
of Service Vulnerabilities
Advisory ID: cisco-sa-20110824-cucm
Revision 1.0
I was carried away because the author used scripts (in a global script tag)
in the PoC of the issue in question which made unconditional recursion
possible.
Without scripts enabled, if iframe's src property is set to itself(?), it is
parsed upto 1 level (i.e. not recursed). Hence it doesn't affect or DoS the
latest browsers (the best I can say...).
A few other points:
1. if a links/ads or any other content-syndication provider allow unverified
Team Vexillium
Security Advisory
http://vexillium.org/
Name : WinImage 8.10 Multiple Vulnerabilities
Class : Denial of Service and Directory Traversal
Threat level : LOW (DoS), MED (Dir. traversal vuln)
Discovered : 2007-08-31
Published : 2007-09-15
Credit : j00ru//vx
Vulnerable : WinImage 8.10,
Hello Bugtraq!
I want to warn you about File Download and Denial of Service vulnerabilities
in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I
already wrote about DoS vulnerabilities in different browsers via different
protocol handlers. And now I'll tell you about research on attacks via the
protocols http and ftp, which I did back in 2008 and published on
30.06.2010.
-----------------------------
Synopsis
========
Multiple vulnerabilities have been discovered in Ruby that allow for
attacks including arbitrary code execution and Denial of Service.
Background
==========
Ruby is an interpreted object-oriented programming language. The
advisory outlines details of these vulnerabilities:
* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability
The first four vulnerabilities may lead to a denial of service (DoS)
condition and the fifth vulnerability may allow an attacker to bypass
control-plane access control lists (ACL).
Summary
=======
Cisco Unified Contact Center Express (UCCX or Unified CCX) contains a denial of
service (DoS) vulnerability and a directory traversal vulnerability. These
vulnerabilities are independent of each other.
Exploitation of these vulnerabilities could result in a DoS condition or an
information disclosure.
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause
instability of the product or changes in the configuration.
Additionally, the Cisco Security Agent is affected by a denial of
service (DoS) vulnerability. Successful exploitation of the Cisco
Security Agent agent DoS vulnerability may cause the affected system
to crash. Repeated exploitation could result in a sustained DoS
condition.
These vulnerabilities are independent of each other.
http://www.debian.org/security/ dann frazier
November 26, 2010 http://www.debian.org/security/faq
- ----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2010-2963 CVE-2010-3067 CVE-2010-3296 CVE-2010-3297
CVE-2010-3310 CVE-2010-3432 CVE-2010-3437 CVE-2010-3442
CVE-2010-3448 CVE-2010-3477 CVE-2010-3705 CVE-2010-3848
Cisco Unity Connection contains two vulnerabilities:
* Cisco Unity Connection Privilege Escalation Vulnerability
* Cisco Unity Connection Denial of Service Vulnerability
Exploitation of the Cisco Unity Connection Privilege Escalation
Vulnerability may allow an authenticated, remote attacker to elevate
privileges and obtain full access to the affected system.
3APA3A wrote:
> Can you, please explain why is this security bug?
I think you mistake my posting. I did not want to say that this issue is a (real) *security* vulnerability but I definitely would call it a DoS bug.
> DoS is not software crash, DoS is Denial of Service. It means,
> security impact of DoS vulnerability should be preventing (blocking)
> access of legitimate user to some data or service (via data
> corruption, service malfunction, etc).
It seems we have a different understanding of the term "Denial Of Service". In my opinion your explanation exactly matches this issue. As you said DoS is the attempt to make a (computer) resource unavailable to its user via data corruption etc. Here Winamp is the computer resource and the M3U file is the corrupted data. Sure the user can easily recover from this "DoS" by restarting the audio player and to be exact the M3U file is not a great example for corrupted data but I would still call this issue a DoS bug.
== The problem ==
Even though MIME is pretty old, many people have not yet learned how to
parse MIME correctly. The problem is that the number of MIME-parts of an
email and the depth of recursion is potentially unlimited. Some software
like the popular rfc2045 library of the courier-mta solves this problem by
discarding mails with too many MIME-parts as a Denial of Service attack.
This is probably the best approach to handle this problem.
== Proof-of-Concept: Nesty ==
The nesty attack abuses the message/rfc822 type. The following example
crashes a lot of software, which tries to parse it recursively and
Hello Bugtraq!
I want to warn you about Denial of Service vulnerabilities in Firefox,
Internet Explorer, Chrome and Opera, which belong to the type of DoS via
protocol handlers. Earlier I already wrote about DoS vulnerabilities in
Firefox, Internet Explorer, Chrome and Opera and DoS attacks on email
clients via protocol handlers. This new advisory will show you the
behavior of browsers with other protocol handlers.
All those who doubt that these DoS vulnerabilities in browsers and email
Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory
Manipulation and Denial-of-Service Vulnerabilities
Advisory-ID: 200801162
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.2 to and including 2.3(Beta Build
#174)
Non-Affected Applications: HFS 2.1d and earlier versions
Class: Arbitrary File/Directory Manipulation, Denial of Service
brlc> == The problem ==
brlc> Even though MIME is pretty old, many people have not yet learned how to
brlc> parse MIME correctly. The problem is that the number of MIME-parts of an
brlc> email and the depth of recursion is potentially unlimited. Some software
brlc> like the popular rfc2045 library of the courier-mta solves this problem by
brlc> discarding mails with too many MIME-parts as a Denial of Service attack.
brlc> This is probably the best approach to handle this problem.
brlc> == Proof-of-Concept: Nesty ==
brlc> The nesty attack abuses the message/rfc822 type. The following example
brlc> crashes a lot of software, which tries to parse it recursively and
The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL
certificates, which makes it easier for remote attackers to trick
a user into accepting an invalid server certificate for a spoofed
service. (CVE-2008-3532)
Pidgin 2.4.1 allows remote attackers to cause a denial of service
(crash) via a long filename that contains certain characters, as
demonstrated using an MSN message that triggers the crash in the
msn_slplink_process_msg function. (CVE-2008-2955)
The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
http://www.debian.org/security/ Dann Frazier
May 2, 2009 http://www.debian.org/security/faq
- ----------------------------------------------------------------------
Package : linux-2.6.24
Vulnerability : denial of service/privilege escalation/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2008-4307 CVE-2008-5079 CVE-2008-5395 CVE-2008-5700
CVE-2008-5701 CVE-2008-5702 CVE-2009-0028 CVE-2009-0029
CVE-2009-0031 CVE-2009-0065 CVE-2009-0269 CVE-2009-0322
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02560655
Version: 2
HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-25
Last Updated: 2010-10-28
http://www.debian.org/security/ dann frazier
January 30, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162
CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248
CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346
to the bottom page of a shared memory segment, as demonstrated by a
memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)
The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel
does not properly restrict TCP_MAXSEG (aka MSS) values, which allows
local users to cause a denial of service (OOPS) via a setsockopt call
that specifies a small value, leading to a divide-by-zero error or
incorrect use of a signed integer. (CVE-2010-4165)
The copy_shmid_to_user function in ipc/shm.c in the Linux kernel
does not initialize a certain structure, which allows local users to
Multiple vulnerabilities have been identified and fixed in php:
The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause
a denial of service (application crash) via an empty ZIP archive
that is processed with a (1) locateName or (2) statName operation
(CVE-2011-0421).
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
=======
Cisco Unified Communications Manager (previously known as Cisco
CallManager) contains the following vulnerabilities:
* Three (3) denial of service (DoS) vulnerabilities that affect
Session Initiation Protocol (SIP) services
* Directory traversal vulnerability
* Two (2) SQL injection vulnerabilities
Cisco has released free software updates for affected Cisco Unified
However, I just tested the vulnerability in Chrome and the incidents were different. In Google Chrome it appears to perform a deadlock of the browser, while on Firefox it performs a starvation "attack" by opening a huge amount of windows and thereby eventually "killing" all the RAM, making Windows completely useless (almost).
The only thing I could do was to log out and then log back in. Task Manager was unable to help me even though it was set to "Always On Top". If the Task Manager was opened first then I might have had a chance, but if it weren't then 4 out of 5 times the best option would be to log out and then re-login.
I believe this is a kind of functionality bug versus denial of service bug in Firefox which unfortunately is not related to the Chrome bug.
This was tested at my work since I don't have Google Chrome installed on my Linux installation at home. However I believe this can be used / triggered against any other application installed that Firefox knows exists on the target operating system. :-)
F.ex. I just tested your script, but with a small modification:
<script>