McAfee
> [ iViZ Security Advisory 08-010 17/09/2008 ]
> -----------------------------------------------------------------------
> iViZ Techno Solutions Pvt. Ltd.
> http://www.ivizsecurity.com
> -----------------------------------------------------------------------
> * Title: McAfee SafeBoot Device Encryption
> Plain Text Password Disclosure
> * Date: 17/09/2008
> * Software: McAfee SafeBoot Device Encryption v4, Build 4750 and below
> --[ Synopsis:
> The password checking routine of SafeBoot Device Encryption fails to
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2008-1673
Wei Wang from McAfee reported a potential heap overflow in the
ASN.1 decode code that is used by the SNMP NAT and CIFS
subsystem. Exploitation of this issue may lead to arbitrary code
execution. This issue is not believed to be exploitable with the
pre-built kernel images provided by Debian, but it might be an
issue for custom images built from the Debian-provided source
* F-Secure Internet Security 2010 10.00 build 246
* G DATA TotalCare 2010
* Kaspersky Internet Security 2010 9.0.0.736
* KingSoft Personal Firewall 9 Plus 2009.05.07.70
* Malware Defender 2.6.0
* McAfee Total Protection 2010 10.0.580
* Norman Security Suite PRO 8.0
* Norton Internet Security 2010 17.5.0.127
* Online Armor Premium 4.0.0.35
* Online Solutions Security Suite 1.5.14905.0
* Outpost Security Suite Pro 6.7.3.3063.452.0726
Venue: Langham Place Hotel, Hong Kong
Program:
Attacking Telco Core Network - Philippe Langlois (TSTF)
Real World Kernel Pool Exploitation - Kostya Kortchinsky (Immunity)
Cyber Crime: Follow the Money - Pedro Bueno (McAfee)
The Powerful Evil on Mobile Phone - Nanik (COSEINC)
Securing Your Web Application Codes - Kurt Grutzmacher (Pacific Gas)
Hacking RFiD Devices: Octopus Card?? - Adam Laurie (RFIDI0T.org)
Attacking Anti-Virus - Sowhat (Nevis Lab)
Anti-Forensic: Leaving the Police No Trails (the Grugq)
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | August 7, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Wei Wang of McAfee AVERT Labs |
|--------------------+---------------------------------------------------|
| Posted On | August 7, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | August 7, 2007 |
|--------------------+---------------------------------------------------|
Please review the patch/release notes for your product and version
and verify the md5sum and/or the sha1sum of your downloaded file.
VMware Fusion 2.0.6 (for Intel-based Macs): Download including
VMware Fusion and a 12 month complimentary subscription to McAfee
VirusScan Plus 2009
md5sum: d35490aa8caa92e21339c95c77314b2f
sha1sum: 9c41985d754ac718032a47af8a3f98ea28fddb26
This release fixes a privilege escalation vulnerability in host
systems. Exploitation of this vulnerability allows users to run
arbitrary code on the host system with elevated privileges.
VMware would like to thank Sun Bing from McAfee, Inc. for
reporting this issue to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2008-3698 to this issue.
This year the ICCC (www.ccdcoe.org/ICCC) takes place on 7-10 June and will focus on the topic of Generating Cyber Forces. The initial agenda (www.ccdcoe.org/ICCC/agenda.html) and registration (www.ccdcoe.org/ICCC/registration ) are now available on the ICCC website.
Key speakers include:
Dmitri Alperovitch, McAfee - Towards Establishment of Cyberspace Deterrence Strategy
Jart Armin, HostExploit - Handling Botnets
Jeff Bardin, Treadstone71 - Augmenting Cyber Forces
Susan Brenner, University of Dayton - Conscription and Cyber Conflict: Legal Issues
Raoul Chiesa, United Nations - Underground of Hacking
Luc Dandurand, NATO C3 Agency - Rationale and Blueprint for a Cyber Red Team Within NATO
‣ Kurt Grutzmacher ; Pacific Gas & Electric ; USA
‣ Luciano Bello ; CITEFA/Si6 , Debian Project ; Argentina
‣ Marc Schoenefeld ; University of Bamberg ; Germany
‣ Matt Jonkman ; Emerging Threats.net (formerly bleedingthreats.net) ; USA
‣ Morgan Marquis-Boire ; Security-Assessment.com ; New Zealand
‣ Neelay S. Shah ; Foundstone Inc., A Division of McAfee ; USA
‣ Paolo Perego ; Spike Reply srl, Owasp Orizon Project leader ; Italy
‣ Peter Panholzer ; SEC Consult Unternehmensberatung GmbH ; Austria
‣ Rafael Dominguez Vega ; MWR InfoSecurity ; UK
‣ Saumil Udayan Shah ; CEO, Net-Square ; India
‣ Scott Lambert, Jason Geffner ; Microsoft, NGSSoftware Ltd. ; USA
Andrew Blyth (University of Glamorgan, UK)
Paolo Milani Comparetti (Technical University of Vienna, Austria)
Marco Cova (University of California, Santa Barbara, USA)
Sven Dietrich (Stevens Institute of Technology, USA)
Toralv Dirro (McAfee, Germany)
Ulrich Flegel (SAP Research, Germany)
Felix Freiling (University of Mannheim, Germany)
Carrie Gates (CA Labs, USA)
Thorsten Holz (Technical University of Vienna, Austria)
Sotiris Ioannidis (FORTH-ICS, Greece)
Download Manager provides a simplified method of distributing,
downloading,and installing digitized assets via the Internet. Download
Manager is available as an ActiveX component or Java applet. The ActiveX
control persists on the user's system unless it is deleted
manually. Download Manager is used by many vendors including Microsoft,
McAfee, Symantec, Citrix and Adobe.
Over the years, browser vendors have added measures to their browsers to
prevent users from running unwanted software. Download managers on the
other hand have not adopted these measures as they generally want to
make this task as easy as possible for end users. The process of
Conference agenda for HITBSecConf2010 - Dubai has been announced!
Welcoming Address by H.E Mohammed Nasser Al-Ghanim (Director General, UAE Telecom Regulatory Authority - TRA) -- TBC
Keynote 1: John Viega (CTO, SaaS, McAfee Inc.) -- A/V Vendors Aren't As Dumb As They Look
Keynote 2: Matt Watchinski (Senior Director of Vulnerability Research, Sourcefire Inc.) -- TBA
1) Daniel Mende (ERNW GmbH) with Oliver Roeschke (ERNW GmbH) -- Attacking CISCO WLAN Solutions
2) Dino Covotsos (Managing Director, Telspace Systems) -- Hiding a Giant: Analysis of a Next Generation Botnet
>
> The only access control that the proxy server can perform is based on the CONNECT method request and the server identified in it by either IP number or FQDN and port.
>
> You do not say what the acl is that you have asked Squid to apply but it cannot involve any examination of the Host: header of a request if the CONNECT method is used; only the far end server can see that.
>
> The same conclusion also applies to your other post about a vulnerability with "McAfee Web Gateway URL Filtering Bypass"
>
> On 16 Apr 2012, at 23:11, Gabriel Menezes Nunes wrote:
>
> > # Exploit Title: Squid URL Filtering Bypass
> > # Date: 16/04/2012
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Rafal Wojtczuk of McAfee AVERT Research found that e2fsprogs contained
multiple integer overflows in memory allocations, based on sizes
taken directly from filesystem information. These flaws could result
in heap-based overflows potentially allowing for the execution of
arbitrary code.
VMware Fusion 2.0.4
-------------------
http://www.vmware.com/download/fusion/
VMware Fusion 2.0.4: with McAfee VirusScan Plus 2009
md5sum: 5b63c7ca402588bda6aa590a26d29adf
sha1sum: e575ada73da996bd00b880ae2d0bfcef2daf9f8e
VMware Fusion 2.0.4: Download including only VMware
md5sum: 689eaf46746cdc89a595e0ef81b714b3
>= 1.3.5
Description
===========
Wei Wang (McAfee AVERT Research) discovered an integer underflow in the
asn1_get_string() function of the SNMP backend, leading to a
stack-based buffer overflow when handling SNMP responses
(CVE-2007-5849). Elias Pipping (Gentoo) discovered that the alternate
pdftops filter creates temporary files with predictable file names when
reading from standard input (CVE-2007-6358). Furthermore, the
Package: sys-fs/e2fsprogs    Vulnerable: < 1.40.3    Unaffected: >= 1.40.3
Description
===========
Rafal Wojtczuk (McAfee AVERT Research) discovered multiple integer
overflows in libext2fs, that are triggered when processing information
from within the file system, resulting in heap-based buffer overflows.
Impact
======
It has the following mechanism according to McAfee:
http://vil.nai.com/vil/content/v_148955.htm
They use the name W32/Koobface.worm, and Kaspersky (Kaspersky Labs originally discovered this threat) uses the name Net-Worm.Win32.Koobface.b.
More information here too:
http://www.pcmag.com/article2/0,2817,2327272,00.asp
Juha-Matti
VMware Fusion 2.0.6
-------------------
VMware Fusion 2.0.6 (for Intel-based Macs): Download including only
and ESAT
The Death of AV Defense in Depth: Revisiting Anti-Virus Software -
Thierry Zoller and Sergio Alvarez, nRuns
VMWare Issues - Sun Bing, McAfee
Intrusion Detection Systems Correlation: a Weapon of Mass
Investigation - Sebastien Tricaud and Pierre Chifflier, INL
Web Wreck-utation - Dan Hubbard and Stephan Chenette, WebSense
products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that
the DHCP server contains an integer overflow vulnerability
(CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and
another error when handling malformed packets (CVE-2007-0061), leading
to stack-based buffer overflows or stack corruption. Rafal Wojtczuk
(McAfee) discovered two unspecified errors that allow authenticated
users with administrative or login privileges on a guest operating
system to corrupt memory or cause a Denial of Service (CVE-2007-4496,
CVE-2007-4497). Another unspecified vulnerability related to untrusted
virtual machine images was discovered (CVE-2007-5617).
* Alex Rice (Facebook) facebook.com/rice
* Pedram Amini @pedramamini
* Erik Cabetas (Include Security)
* Dino A. Dai Zovi (Trail Of Bits) @dinodaizovi
* Alexander Sotirov @alexsotirov
* Barnaby Jack (McAfee) @barnaby_jack
* Charlie Miller (Accuvant) @0xcharlie
* David Litchfield (Accuvant) @dlitchfield
* Lurene Grenier (Harris) @pusscat
* Alex Ionescu @aionescu
* Nico Waisman (Immunity) @nicowaisman
before the end of August for those who have already submitted.
cheers,
--dr
P.S. To the gentleman from McAfee who phoned me about his
submission, whose name I've forgotten: we didn't get your
mail, please get back in touch.
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
In 2009 we examined the effects of manipulating synchronization
objects in security software suites frequently found on personal
computers running Windows XP and Vista. The synchronization objects
were mutexes and events, and the security software included products
from AVG, Avast, Avira, BitDefender, BullGuard, CheckPoint, Eset,
F-Prot, F-Secure, Kaspersky, McAfee, Microsoft (Security Essentials),
Norman, Norton, Panda, PC Tools, Quick Heal, Symantec, and Trend
Micro.
The examinations revealed that nearly all suites suffered non-trivial
faults originating from both standard and administrator accounts. The
F-Secure Anti-Virus 2011 10.51 build 106
Kaspersky Anti-Virus 2012 12.0.0.374
McAfee AntiVirus Plus 11.0 build 11.0.623
Panda Antivirus Pro 2012
Trend Micro Titanium 2012 5.0.1280
McAfee stated:
[quote]
Impact of Vulnerability:
Disabling Anti-Virus, adding unwanted exclusions
[/quote]
When submitting this bug to ZDI, I made available two reliable post-bypass proofs of concept:
- a static perl code injection exploit using the 'args' argument of saveTopImagelogos.cgi
- an upload and execute exploit using uploadFile.cgi