
Windows 2003

VUPEN Security Research - Microsoft Windows OpenType CFF Driver Stack Overflow Vulnerability (CVE-2011-0034)

Compact Font Format (CFF) driver "ATMFD.dll" when processing certain
operands within an OpenType font, which could be exploited by remote
attackers to execute arbitrary code on vulnerable Windows 7, Windows
Server 2008, Windows Server 2008 R2, and Windows Vista systems via a
malicious font, or by local attackers to gain elevated privileges on
Windows XP and Windows Server 2003 systems via a malicious application.

CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


III. AFFECTED PRODUCTS

Citrix MetaFrame Privilege Escalation

Citrix Metaframe Presentation Server and Citrix Metaframe XP.

The icabar.exe file which is designed to startup the Citrix MetaFrame
administration toolbar allows an attacker to escalate privilege in
Windows 2000 and below in the default configuration and in Windows
2003 in some special circumstances.


IV - ANALYSIS:
---------------


Windows SMB NTLM Authentication Weak Nonce Vulnerability

--------------------

This vulnerability was verified by the authors on the following platforms:

Windows NT4 SP1
Windows Server 2003 SP2
Windows XP SP3
Windows Vista x32
Windows 7 x32 RC

However, all versions of Windows implementing NTLMv1 are suspected to be

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

EXPLOITATION
------------
This section gives a detailed account of how these emulation flaws can
be exploited on Windows XP x64 and Windows Server 2003 x64.
Exploitation on x64 versions of *BSD is also believed to be possible,
but has not yet been proven, so a brief discussion of the BSD x64
kernel and also the Linux x64 kernel (which is believed to prevent
exploitation) is presented first.


VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

EXPLOITATION
------------
This section gives a detailed account of how this emulation flaw can
be exploited on Windows XP x64 and Windows Server 2003 x64.
Exploitation on x64 versions of *BSD is also believed to be possible,
but has not yet been proven, so a brief discussion of the BSD x64
kernel and also the Linux x64 kernel (which is believed to prevent
exploitation) is presented first.


VUPEN Security Research - Microsoft Windows GDI+ Size Handling Integer Overflow Vulnerability

III. AFFECTED PRODUCTS
---------------------------

Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1

[security bulletin] HPSBMA01212 SSRT5998 rev.4 - HP System Management Homepage Running PHP, Remote Denial of Service (DoS), Cross Site Scripting (XSS), Execution of Arbitrary Code

Potential security vulnerabilities have been identified with HP System Management Homepage running PHP. These vulnerabilities could be exploited remotely to allow Cross Site Scripting (XSS), to create a Denial of Service (DoS), or to execute arbitrary code.

References: CVE-2004-1019, CVE-2004-1020, CVE-2004-1063, CVE-2004-1064, CVE-2004-1065

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
System Management Homepage Version 2.0.0 through Version 2.0.2 for Microsoft Windows 2000, Windows Server 2003, Windows Server 2003 x64 Edition, Windows Server 2003 64-bit and Linux.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================

VUPEN Security Research - Microsoft Windows Shell Graphics biCompression Buffer Overflow Vulnerability

Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows XP Service Pack 3


VUPEN Security Research - Microsoft Windows Shell Graphics BMP "height" Integer Overflow Vulnerability

Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows XP Service Pack 3


VUPEN Security Research - Microsoft Windows Kernel "GetDCEx()" Memory Corruption Vulnerability (CVE-2010-0484)

Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows 2000 Service Pack 4



VUPEN Security Research - Microsoft Windows OLE Automation Integer Underflow Vulnerability (MS11-038)

III. AFFECTED PRODUCTS
---------------------------

Microsoft Windows 7 (32-bit)
Microsoft Windows 7 (x64)
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (Itanium)

VUPEN Security Research - Microsoft Internet Explorer "mshtml.dll" Dangling Pointer Vulnerability (CVE-2011-0036)

Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Microsoft Windows 7 (32-bit)
Microsoft Windows 7 (x64)
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)

CORE-2011-0203 - MS HyperV Persistent DoS Vulnerability

5. *Non-vulnerable packages*

   . Windows XP SP3
   . Windows XP Professional x64 Edition SP2
   . Windows Server 2003 SP2
   . Windows Server 2003 x64 Edition SP2
   . Windows Server 2003 with SP2 for Itanium-based Systems
   . Windows Vista SP1 and Windows Vista SP2
   . Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
   . Windows Server 2008 for 32-bit Systems and Windows Server 2008 for

Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

post-commit stage. Using the VdmContext installed using NtVdmControl(), an
invalid context can be created that causes iret to fail pre-commit, thus
forging a trap frame.

The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().
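The module-list leak the paragraph above ends on, as an added example that is not part of the original post or its exploit: a C program that calls NtQuerySystemInformation with the SystemModuleInformation class (11) and pulls the kernel's load address out of the RTL_PROCESS_MODULES buffer it returns. The class number and structure layout are the ones the kernel uses; the two-module sample buffer with bases 0x82800000 and 0x82c00000 is constructed here so the parsing can run off Windows, and `query_live_modules`, `find_module_base` and `sample_module_base` are this example's own names, not anything from the advisory.

```c
/* Added example, not from the advisory: read kernel module bases through
 * NtQuerySystemInformation(SystemModuleInformation), the unprivileged leak
 * the text describes. On Windows it makes the real call via ntdll.dll; on
 * other platforms it parses a constructed sample buffer in the same layout. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define SystemModuleInformation     11          /* information class number */
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u

/* RTL_PROCESS_MODULE_INFORMATION and RTL_PROCESS_MODULES, as the kernel fills them. */
typedef struct {
    void    *Section, *MappedBase, *ImageBase;  /* ImageBase: kernel VA of the image */
    uint32_t ImageSize, Flags;
    uint16_t LoadOrderIndex, InitOrderIndex, LoadCount;
    uint16_t OffsetToFileName;                  /* basename offset in FullPathName */
    uint8_t  FullPathName[256];
} MODULE_INFO;
typedef struct { uint32_t NumberOfModules; MODULE_INFO Modules[1]; } MODULE_LIST;

/* Case-insensitive match of a bounded, possibly unterminated field against b. */
static int name_eq(const char *a, size_t amax, const char *b)
{
    size_t i;
    for (i = 0; i < amax && a[i] && b[i]; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return i < amax && a[i] == '\0' && b[i] == '\0';
}

/* ImageBase of the module whose basename is name, or 0; every access bounded by len. */
static uintptr_t find_module_base(const void *buf, size_t len, const char *name)
{
    const MODULE_LIST *list = buf;
    size_t hdr = offsetof(MODULE_LIST, Modules);
    if (len < hdr || (len - hdr) / sizeof(MODULE_INFO) < list->NumberOfModules) return 0;
    for (uint32_t i = 0; i < list->NumberOfModules; i++) {
        const MODULE_INFO *m = &list->Modules[i];
        if (m->OffsetToFileName >= sizeof m->FullPathName) continue;
        if (name_eq((const char *)m->FullPathName + m->OffsetToFileName,
                    sizeof m->FullPathName - m->OffsetToFileName, name))
            return (uintptr_t)m->ImageBase;
    }
    return 0;
}

/* Constructed two-module sample (hypothetical x86 bases, not captured from a real
 * system) in the exact layout the kernel returns; basename offset 21 skips
 * "\SystemRoot\system32\". Used when the block runs anywhere but Windows. */
static const struct { uint32_t NumberOfModules; MODULE_INFO Modules[2]; } SAMPLE = {
    2, {
        { 0, 0, (void *)0x82800000u, 0x400000, 0, 0, 0, 0, 21, "\\SystemRoot\\system32\\ntoskrnl.exe" },
        { 0, 0, (void *)0x82c00000u, 0x400000, 0, 0, 0, 0, 21, "\\SystemRoot\\system32\\hal.dll" },
    }
};

uintptr_t sample_module_base(const char *name)
{
    return find_module_base(&SAMPLE, sizeof SAMPLE, name);
}

#ifdef _WIN32
typedef long (__stdcall *NtQSI_t)(uint32_t, void *, uint32_t, uint32_t *);
/* Live query from an unprivileged token; grows the buffer on length mismatch.
 * Returns a malloc'd list (caller frees) or NULL (no export, OOM, access denied). */
void *query_live_modules(size_t *out_len)
{
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQuerySystemInformation");
    void *buf = NULL;
    for (uint32_t len = 0x10000, ret = 0; NtQSI; len *= 2) {
        void *nb = realloc(buf, len);
        if (!nb) break;
        buf = nb;
        long st = NtQSI(SystemModuleInformation, buf, len, &ret);
        if (st == 0) { *out_len = ret; return buf; }
        if ((uint32_t)st != STATUS_INFO_LENGTH_MISMATCH) break;
    }
    free(buf);
    return NULL;
}
#endif

int main(void)
{
    uintptr_t base = 0;
#ifdef _WIN32
    size_t len;
    void *live = query_live_modules(&len);
    if (live) { base = find_module_base(live, len, "ntoskrnl.exe"); free(live); }
#else
    base = sample_module_base("ntoskrnl.exe");  /* constructed data off Windows */
#endif
    printf("ntoskrnl.exe base: 0x%llx\n", (unsigned long long)base);
    return base ? 0 : 1;
}
```

On Vista and Windows 7 the query above succeeds from any medium-integrity token, which is why the randomised kernel base is still predictable to a local attacker. Windows 8.1 and later return STATUS_ACCESS_DENIED for this class to low-integrity processes, so the check worth running on a given build is what a sandboxed token actually gets back, not whether the mitigation is nominally present.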


VUPEN Security Research - Microsoft Internet Explorer Layouts Use-after-free Vulnerability (CVE-2011-0094)

Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1

VUPEN Security Research - Microsoft Windows Shell Graphics BMP "width" Integer Overflow Vulnerability

Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows XP Service Pack 3


[security bulletin] HPSBMA02413 SSRT080040 rev.1 - HP WMI Mapper for Windows Server 2003 and Windows Server 2008 for Itanium-based Servers, Remote Unauthorized Access to Data, Local Unauthorized Access

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01682739
Version: 1

HPSBMA02413 SSRT080040 rev.1 - HP WMI Mapper for Windows Server 2003 and Windows Server 2008 for Itanium-based Servers, Remote Unauthorized Access to Data, Local Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-03-02
Last Updated: 2009-03-09

New version of Pass-The-Hash Toolkit v1.1

solution to their pshtoolkit-related problems :).


What's new?:

- Improved support for Windows XP SP2 German/French and Windows 2003 SP1/SP2, both for IAM.EXE and WHOSTHERE.EXE
- Added the -B switch to IAM.EXE and WHOSTHERE.EXE. If IAM.EXE or WHOSTHERE.EXE is not working in your configuration, please run the tools again

VUPEN Security Research - Microsoft Internet Explorer Property Change Memory Corruption (CVE-2011-1345)

Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1

iDefense Security Advisory 07.15.09: Microsoft Embedded OpenType Font Engine (T2EMBED.DLL) Heap Buffer Overflow Vulnerability

Windows XP SP 3

Windows XP Professional x64 Edition SP 2

Windows Server 2003 SP 2

Windows Server 2003 x64 Edition SP 2

Windows Server 2003 with SP2 for Itanium-based Systems


VUPEN Security Research - Microsoft Windows "datime.dll" Remote Code Execution Vulnerability (MS11-090)

III. AFFECTED PRODUCTS
---------------------------

Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)


IV. Binary Analysis & Exploits/PoCs

CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities

   . Internet Explorer 6sp2 on Windows XP sp3
   . Internet Explorer 7 on Windows XP sp2
   . Internet Explorer 7 on Windows XP sp3
   . Internet Explorer 7 on Windows Vista sp1
   . Internet Explorer 7 on Windows Vista sp2
   . Internet Explorer 7 on Windows Server 2003 sp2 if
     Protected Mode is OFF and not using Enhanced Security Configuration
   . Internet Explorer 7 on Windows Server 2008 if
     Protected Mode is OFF and not using Enhanced Security Configuration
   . Internet Explorer 8 on Windows XP sp2

VUPEN Security Research - Microsoft Windows Time Behaviour Remote Use-after-free Vulnerability (MS11-090)

III. AFFECTED PRODUCTS
---------------------------

Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)


IV. Binary Analysis & Exploits/PoCs

VUPEN Security Research - Microsoft Internet Explorer Animation Use-after-free Vulnerability (VUPEN-SR-2010-199)

III. AFFECTED PRODUCTS
---------------------------

Internet Explorer 6 for Windows XP Service Pack 3
Internet Explorer 6 for Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2
Internet Explorer 6 for Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 SP2 (Itanium)


IV. Binary Analysis & Exploits/PoCs

CA Service Desk Multiple Cross-Site Scripting Vulnerabilities

CA CMDB 11.1
CA CMDB 11.2


Affected Platforms:
Microsoft Windows 2003 R2
Microsoft Windows 2003 SP1
Microsoft Windows 2003 SP2
Microsoft Windows 2000 Server Family with SP4 applied (32 bit only)
Red Hat Enterprise Linux 3.0 x86
Red Hat Enterprise Linux 4.0 x86

VUPEN Security Research - Microsoft Internet Explorer "X-UA-COMPATIBLE" Use-after-free Vulnerability

Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2

{PRL} Microsoft Windows Outlook Express and Windows Mail Integer Overflow

                    Microsoft Windows Mail

Platforms:   Windows 2000
                  Windows XP
                  Windows Vista
                  Windows Server 2003
                  Windows Server 2008 SR2

Exploitation:   Remote Exploitable

CVE Number:   CVE-2010-0816

[CORE-2010-0623] Microsoft Windows CreateWindow function callback vulnerability

   . Windows 7
   . Windows Vista
   . Windows Server 2008 R2
   . Windows Server 2008
   . Microsoft Windows XP
   . Microsoft Windows Server 2003


5. *Non-vulnerable packages*

   . Windows 7 with MS10-048

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

. 2009-04-22:
MSRC asks for additional details about the attack vectors discussed between
Core and the Secure Windows Initiative (SWI) in the last conference call
(16th, April). MSRC indicates that it has identified two workarounds for
the original issue: Disabling scripting (which is default for Enhanced
Security Configuration on Windows 2003 and Windows Server 2008) and
disabling "Run ActiveX Controls and plugins". The IE team has
investigated the second PoC and determined that the functionality
appears the same but when debugged the actions performed by the system
are different. The differences are considered significant enough to
perform further investigation. MSRC proposes to release the fix for the

Microsoft Windows Messenger Remote Illegal Access Vulnerability

transferring local audio and video information to remote and so on.


Affected Software Versions:

    Microsoft Windows Live Messenger 4.7 on Windows XP and Windows Server 2003
    Microsoft Windows Live Messenger 5.1 on Windows 2000, Windows XP and Windows Server 2003





Copyright © 1995-2012 LinuxRocket.net. All rights reserved.