
n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table

___________________________________________________________________________
Overview:

Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.

If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding

NSOADV-2010-004: McAfee LinuxShield remote/local code execution

  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2010-004.txt
  Vendor:                 McAfee (http://www.mcafee.com/)
  Affected Products:      McAfee LinuxShield <= 1.5.1
  Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
  Remote Exploitable:     Yes (attacker must be authenticated)
  Local Exploitable:      Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy

[USN-957-2] Firefox and Xulrunner vulnerability

Details follow:

USN-957-1 fixed vulnerabilities in Firefox and Xulrunner. Daniel Holbert
discovered that the fix for CVE-2010-1214 introduced a regression which did
not properly initialize a plugin pointer. If a user were tricked into
viewing a malicious site, a remote attacker could use this to crash the
browser or run arbitrary code as the user invoking the program.
(CVE-2010-2755)

This update fixes the problem.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Manager

SOAP Authentication Bypass
+-------------------------

An authentication bypass vulnerability exists that could allow a
remote, unauthenticated attacker to invoke arbitrary methods that are
available via the SOAP interface on the Cisco TelePresence Manager.
The attacker would need the ability to submit a malformed SOAP
request that is designed to trigger the vulnerability to the affected
device on TCP port 8080 or 8443.


VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

    A vulnerability in the way VMware libraries are referenced allows
    for arbitrary code execution in the context of the logged on user.
    This vulnerability is present only on Windows Guest Operating
    Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to lure the user that is logged on a Windows Guest
    Operating System to click on the attacker's file on a network
    share. This file could be in any file format. The attacker will
    need to have the ability to host their malicious files on a
    network share.

Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

taking advantage of the session management behavior in the application. 

2. Authorization Bypass
-----------------------
Malicious users can access and manage content of other users, relying on the
lack of access control in the page management interface. Attackers can use
parameter tampering techniques to directly access the resource identifiers
of pages owned by other users, and delete or modify their content. 

3. Persistent Cross Site Scripting
----------------------------------

SQL-Ledger – several vulnerabilities

* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)

The forms in SQL-Ledger are not protected against XSRF. They include the username
in the hidden field »login«, though, which has to be specified correctly. An
attacker is thus required to know the login name – it can be guessed, brute-forced
or retrieved using a Cross-Site-Scripting attack, though.

An example attack would be to send the user the following link, which unknowingly
changes his password in the application. Given network access to SQL-Ledger, the
attacker could then use the application with the user's account and the newly set

Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking

realize the automatic process of password cracking.

As you comment, using this feature there exists a lock (for 2 hours) on
authentication attempts, and beyond this limit (100 requests) the
message returned by the application does not allow one to know whether the
analyzed password is correct or not. However, every 2 hours an attacker
could make 100 authentication attempts.

To overcome this limit (100 authentication attempts), it is sufficient
that the attacker has other Gmail accounts. Each account allows the
malicious user to make 100 new authentication attempts within 2 hours of

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

    edi            0x4a4a4a4a   1246382666
    eip            0x804fdca    0x804fdca <main+2362>
    [...]

Because the ECX register can be controlled (0x47 is the ASCII code for
the letter "G"), the attacker can control the ESP register through the
"lea 0xfffffffc(%ecx),%esp" instruction at 0x0804fdc7.  The attacker can
execute code in mapserv's process space by setting the ESP register to
an address that holds a reference to code and letting the "ret"
instruction execute at 0x0804fdca; this will assign the EIP register an
attacker-supplied value.

[USN-957-1] Firefox and Xulrunner vulnerabilities

necessary changes.

Details follow:

Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious site, a remote attacker could use
this to crash the browser or possibly run arbitrary code as the user
invoking the program. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211,
CVE-2010-1212)

An integer overflow was discovered in how Firefox processed plugin

[USN-1081-1] Linux kernel vulnerabilities

perform this as well.

Details follow:

It was discovered that KVM did not correctly initialize certain CPU
registers. A local attacker could exploit this to crash the system, leading
to a denial of service. (CVE-2010-3698)

Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)

[USN-1112-1] Firefox and Xulrunner vulnerabilities

- firefox-3.0: safe and easy web browser from Mozilla

Details:

It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0081)

It was discovered that Firefox incorrectly handled certain JavaScript
requests. An attacker could exploit this to possibly run arbitrary code as
the user running Firefox. (CVE-2011-0069)

Fwd: [USN-1122-1] Thunderbird vulnerabilities

- thunderbird: mail/news client with RSS and integrated spam filter support

Details:

It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)

It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.

[USN-1122-2] Thunderbird vulnerabilities

This update provides the corresponding fixes for Natty.

Original advisory details:

 It was discovered that there was a vulnerability in the memory handling of
 certain types of content. An attacker could exploit this to possibly run
 arbitrary code as the user running Thunderbird. (CVE-2011-0081)
 
 It was discovered that Thunderbird incorrectly handled certain JavaScript
 requests. If JavaScript were enabled, an attacker could exploit this to
 possibly run arbitrary code as the user running Thunderbird.

Elevation of Privilege Vulnerability in iTunes for Windows

Status: Published

============
Introduction
============
This paper discusses how an unprivileged local attacker can elevate their
privileges during an initial installation or update of iTunes for Windows. This
vulnerability was responsibly disclosed to Apple Inc. and this advisory was not
released until a fixed build of iTunes was released.

==========

[USN-853-1] Firefox and Xulrunner vulnerabilities

Details follow:

Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)

Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite

[USN-853-2] Firefox and Xulrunner regression

Original advisory details:

 Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
 converted strings to floating point numbers. If a user were tricked into
 viewing a malicious website, a remote attacker could cause a denial of service
 or possibly execute arbitrary code with the privileges of the user invoking the
 program. (CVE-2009-1563)
 
 Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
 symlink attacks. A local attacker could exploit this to create or overwrite

Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities

+-------------------------------------

The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------


[USN-667-1] Firefox and xulrunner vulnerabilities

Details follow:

Liu Die Yu discovered an information disclosure vulnerability in Firefox
when using saved .url shortcut files. If a user were tricked into
downloading a crafted .url file and a crafted HTML file, an attacker
could steal information from the user's cache. (CVE-2008-4582)

Georgi Guninski, Michal Zalewski and Chris Evans discovered that the
same-origin check in Firefox could be bypassed. If a user were tricked
into opening a malicious website, an attacker could obtain private

[USN-989-1] PHP vulnerabilities

In general, a standard system update will make all the necessary changes.

Details follow:

Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc
requests. An attacker could exploit this issue to cause the PHP server to
crash, resulting in a denial of service. This issue only affected Ubuntu
6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397)

It was discovered that the pseudorandom number generator in PHP did not
provide the expected entropy. An attacker could exploit this issue to

IBM OmniFind - several vulnerabilities

* Cross-Site-Scripting (XSS) (CVE-2010-3890)

The GET parameter »command« used inside the administration interface is
embedded directly into the HTML source without any input validation or
output sanitization. Using this parameter the attacker can inject arbitrary
Javascript code which will be run in the session context of other users.
As session credentials are stored within cookies, an attacker can steal
the cookie information and impersonate (CVE-2010-3893) the session and
control the web application within the browser context of the victim.


[USN-1071-1] Linux kernel vulnerabilities

all the necessary changes.

Details follow:

Tavis Ormandy discovered that the Linux kernel did not properly implement
exception fixup. A local attacker could exploit this to crash the kernel,
leading to a denial of service. (CVE-2010-3086)

Dan Rosenberg discovered that the Linux kernel TIPC implementation
contained multiple integer signedness errors. A local attacker could
exploit this to gain root privileges. (CVE-2010-3859)

Aruba Advisory AID-070611 Cross Site Scripting vulnerability in ArubaOS and AirWave Administration Web Interfaces

Administration Web Interfaces.

SUMMARY

A persistent Cross Site Scripting vulnerability (XSS) was discovered where an
attacker could plant an AP with a maliciously crafted SSID in the general
vicinity of the wireless LAN and might be able to trigger a XSS vulnerability
in the reporting sections of the ArubaOS and AirWave Administration WebUIs.

VMSA-2010-0011 VMware Studio 2.1 addresses security vulnerabilities in virtual appliances created with Studio 2.0.

    - you have created a user account with limited privileges (this is
      not the default configuration).

    Studio is by default shipped with the root user account and no other
    user accounts. For this reason, exploitation of the vulnerability
    would not yield any gain for an attacker since the attacker would
    need to know the credentials of the root user account in order to
    launch an attack. If an attacker knows the credentials of the root
    user, the attacker will have other avenues to compromise Studio.

    In case another user account with limited privileges has been added

Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30

============
Introduction
============
This paper discusses how an anonymous remote attacker can execute arbitrary
code on the computers of Alien Arena's networked players. This vulnerability
was responsibly disclosed to the authors of the game and this advisory was not
released until a fixed build of the game was released.



Hijacking Safari 4 Top Sites with Phish Bombs

IV. DESCRIPTION
-------------------------
It is possible for a malicious website to place arbitrary sites into your
Top Sites view through automated actions. The attack technique makes use of
JavaScript windows, wherein a small window is used to repeatedly browse to
different sites that the attacker wants to add to your Top Sites list. This
window is completely hidden using the window.blur function, and the user won't
know what is happening in the background. Please note that this attack is
not possible using invisible iframes, as Safari does not use iframe URLs to
decide Top Sites content.


ACROS Security: HTML Injection in BEA (Oracle) WebLogic Server Console (ASPR #2009-01-27-1)

Document ID:     ASPR #2009-01-27-1-PUB
Vendor:          ORACLE (http://www.oracle.com)
Target:          Oracle WebLogic Server 10.0
Impact:          There is an HTML Injection vulnerability in WebLogic
                 Server 10 Administration Console that allows the
                 attacker to gain administrative access to the server.
Severity:        High
Status:          Official patch available, workarounds available
Discovered by:   Sasa Kos of ACROS Security

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.