Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
terminals write scrollback buffer data to /tmp filesystem
Report date: 2011-03-06
Reported by: Mark Krenz
Severity: High depending on use and expectations
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01697543
Version: 2
HPSBMA02417 SSRT090031 rev.2 - HP Data Protector Express and HP Data Protector Express Single Server
Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01697543
Version: 1
HPSBMA02417 SSRT090031 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-05-13
Last Updated: 2009-05-12
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02498535
Version: 1
HPSBMA02576 SSRT090231 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-09-08
Last Updated: 2010-09-08
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02067559
Version: 1
HPSBMA02516 SSRT090232 rev.1 - HP Data Protector Express and HP Data Protector Express Single Server Edition (SSE), Local
Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2012-018: EMC Data Protection Advisor Multiple Vulnerabilities
EMC Identifier: ESA-2012-018, DPA-14718
CVE Identifier: CVE-2012-0406
CVE Identifier: CVE-2012-0407
Severity Rating: CVSS v2 Base Score: See below for CVSS Base Scores for individual issues.
<table width="90%">
<tbody>
<tr>
<td width="43%" align="left">
<form name="form1" action="'.$SERVER[PHP_SELF].'"
enctype="multipart/form-data" method="post">
<p></font><font color="#00ff00" > hostname
(ex:www.sitename.com): </font><input name="host" size="20"> <span
class="Stile5"><font color="#FF0000">*</span></p>
<p></font><font color="#00ff00" > path (ex: /joomla/ or
just / ): </font><input name="path" size="20"> <span
========================================================
Trend Micro Data Loss Prevention 5.2 (formerly LeakProof)
Data Leakage through certain HTTP/HTTPS channels
nitrus
http://www.brainoverflow.org
Mexico
###############################################################
I encourage you to take a look at the illustrated advisory that you would
Background
==========
Each Cyrus SASL authentication mechanism is implemented with a) one
statically-allocated shared data structure containing data and
pointers to functions that implement the mechanism, and b)
dynamically-allocated session context data structures with
authentication state.
When the Postfix SMTP server receives "AUTH CRAM-MD5" (line 8 above),
- encoded bytes have been written.
+ encoded bytes have been written. P must point to a buffer of size
+ at least MAX_ENCODED_INT_LEN.
This encoding uses the high bit of each byte as a continuation bit
and the other seven bits as data bits. High-order data bits are
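Review bot: the new comment states that `p` must point to a buffer of at least MAX_ENCODED_INT_LEN bytes, but nothing in the visible lines enforces that precondition; if any caller can pass a smaller buffer, consider adding an assertion or a buffer-length parameter alongside the documented requirement.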
@@ -85,7 +98,7 @@ encode_int(char *p, svn_filesize_t val)
svn_filesize_t v;
unsigned char cont;
- assert(val >= 0);
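Review bot: removing `assert(val >= 0)` drops the only visible guard against a negative `val` in `encode_int`, and the hunk shows no replacement check; either the callers now guarantee non-negative input or the encoding loop must handle negative values, and a comment next to the declarations of `v` and `cont` should state which.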
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
}
void md5_process( md5_context *ctx, uint8 data[64] )
{
uint32 X[16], A, B, C, D;
GET_UINT32( X[0], data, 0 );
GET_UINT32( X[1], data, 4 );
[...]
.text:000128BE loc_128BE:
.text:000128BE cmp [ebp+IOCTL_INPUT_SIZE], 1008h <-- (2)
.text:000128C5 jb loc_12A7D
[...]
.text:000128CB mov esi, [ebp+IOCTL_INPUT_DATA] <-- (3)
.text:000128CE cmp dword ptr [esi], 3F256B9Ah <-- (4)
.text:000128D4 jnz loc_12A7D
[...]
.text:000128FF xor eax, eax
.text:00012901 cmp [esi+8], eax <-- (5)
Additionally, the attacker can avoid displaying the dialogue that
notifies the user about the message and the attached files making the
attack invisible for the target.
The other bug is a log file content manipulation vulnerability that
allows the attacker to use data inside the protocol's packet to
corrupt the log file with control characters such as '\n'. This
bug is not very important alone, but it could be combined with the
traversal bug to cover tracks of the file upload by inserting false log
lines or control characters.
privileges of the application or the current user (depending on OS).
Technical Details:
The vulnerabilities in the .FLAC format are due to improperly handling
metadata values from malformed files. The file format is available here:
http://flac.sourceforge.net/format.html.
Vulnerability #1: Metadata Block Size Heap Overflow
The first notable vulnerability is the Metadata Block Size Overflow
vulnerability. Editing any Metadata Block Size value to a large value
> shows that in the context for those document properties there
> are also attributes like keywords, category and comments
> which are less misleading to the assumption those properties
> could be part of the signed document. So for example users
> of SharePoint Office Server are acquainted with the
> behavior of showing data that is managed and shown on
> server side in that area above the document.
This might be true, but in my opinion, still builds on either the
assumption
- that MetaData (like category) is not part of the
Does this same issue appear in OpenOffice ODF format? Though it does not look like a huge issue, of itself, it is similar to the way Microsoft ignores metadata in all files, which is a way to add executable code to applications with the names of known MS utilities, like notepad.exe. If the metadata file can be modified in the MS word properties dialog, it is also possible to modify the file in a text editor, and probably get a MS document to run arbitrary code when you open it. This is the impact that the original post does not make clear.
Dear Mr. Poehls,
yes, I can see your point and I agree that there's a risk for an inexperienced user to be spoofed by being shown an Author, Time Stamps and State that could have been tampered with after the original owner signed the document.
But in my opinion, this again emphasizes the need for users to have sufficient knowledge about the way applications may change the appearance of signed documents in a way not intended by the author at the time of signing, and that's a question far beyond the considerations concerning the behavior of individual applications like MS Office.
In fact the visual clue you gave for a signed document in Word 2007 shows that in the context for those document properties there are also attributes like keywords, category and comments which are less misleading to the assumption that those properties could be part of the signed document. So for example users of SharePoint Office Server are acquainted with the behavior of showing data that is managed and shown on the server side in that area above the document. You should also mention that the label on the menu for showing this area reads "Prepare Document for Publishing", which in my opinion also gives a clue that this data is not part of the signed document.
Although I would appreciate it if Word 2007 gave more visual clues for the fact that this data isn't part of the signed document, I still believe that this is not a major security issue.
Regards,
H.-D. Naujoks
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
HP Data Protector EXEC_CMD Buffer Overflow Vulnerability
1. *Advisory Information*
Title: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Multiple vulnerabilities in HP Data Protector
1. *Advisory Information*
Title: Multiple vulnerabilities in HP Data Protector
IPP request packet.
/-----------
1016 ipp_state_t /* O - Current state */
1017 ippReadIO(void *src, /* I - Data source */
1018 ipp_iocb_t cb, /* I - Read callback function */
1019 int blocking, /* I - Use blocking IO? */
1020 ipp_t *parent, /* I - Parent request, if any */
1021 ipp_t *ipp) /* I - IPP data */
1022 {
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-010: EMC Data Protection Advisor Collector arbitrary code execution with elevated privileges vulnerability
EMC Identifier: ESA-2011-010
CVE Identifier: CVE-2011-1420
Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
According to the .MBM format [3], the structure of an MBM is the
following (beginning with a Header Section):
/-----
Offset Size Data Description
0000 ID 37 00 00 10 UID1: Header Section layout
0004 ID 42 00 00 10 UID2: File kind
III. INTRODUCTION
-------------------------
For a good understanding of the vulnerabilities it is necessary to be
familiar with the way IPB handles input data. Below is a quick trace of
the input validation process. The code snippets come from IPB version 3.0.4.
line | file: admin/sources/base/ipsRegistry.php
352 | static public function init()
353 | {
Date Reported:
October 5, 2008
Severity:
Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross Domains)
Vendor:
Microsoft
The administrative interface, DkService.exe, runs as a system
service that is by default configured to automatically start. It
listens on TCP port 31038 and has three RPC functions available.
Calling the opcode 0x01 RPC function (MIDL below) allows a remote,
anonymous memory comparison at an attacker provided address.
Simply pass the size of the data, the data, and the address to make
use of this.
MIDL
/* opcode: 0x01, address: 0x004922F0 (address from 2007 ProPremier) */
or (2) that appears to cause an out-of-bounds memory operation or (3)
which most likely has one hell of a race condition?
> All of the testing involved
> intentionally corrupted target data that highlighted a few relatively
> minor bugs.
Yes, and pretty much every exploit on the planet involves intentionally
corrupted data.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03229235
Version: 1
HPSBMU02746 SSRT100781 rev.1 - HP Data Protector Express, Remote Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-03-12
Last Updated: 2012-03-12
Google SketchUp is a 3D modeling program designed for architects, civil
engineers, filmmakers, game developers, and related professions. Google
SketchUp bundles an old version of 'lib3ds', a library used to process
3DS files. This library is being compiled in a way that leads to
improper validation of data when importing 3DS files; this condition can
be exploited by remote attackers to trigger a memory corruption
vulnerability by enticing an unsuspecting user to open a specially
crafted 3DS file, possibly leading to arbitrary code execution.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network
(MVPN) Data Leak
Advisory ID: cisco-sa-20080326-mvpn
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
*Technical Description / Proof of Concept Code*
First some information from Quicktime File Format Specification (may 1996):
"A QuickTime file stores the description of the media separately from
the media data. The description, or meta-data, is called the movie and
contains information such as the number of tracks, video compression
format, and timing information. The movie also contains an index of
where all the media data is stored. The media data is all of the actual
sample data, such as video frames and audio samples. The media data may
be stored in the same file as the QuickTime movie, in a separate file,