flaws
VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)
Derek Soeder
ds.adv.pub@gmail.com
Discovered: January 18, 2008 (Flaw #1), and February 27, 2008 (Flaw #2)
Reported: June 26, 2008
Published: November 7, 2008
VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)
Derek Soeder
ds.adv.pub@gmail.com
Discovered: January 18, 2008
Reported: June 26, 2008
Published: October 3, 2008
ESXi 3.5 and ESXi 4.0 have an NTP client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console, as described in section d. of
this advisory.
A buffer overflow flaw was discovered in the ntpd daemon's NTPv4
authentication code. If ntpd was configured to use public key
cryptography for NTP packet authentication, a remote attacker could
use this flaw to send a specially-crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the
privileges of the "ntp" user.
This is a writeup about a flaw that I found recently, and that
existed in multiple implementations of SMTP (Simple Mail Transfer
Protocol) over TLS (Transport Layer Security) including my Postfix
open source mailserver. I give an overview of the problem and its
impact, how to find out if a server is affected, fixes, and draw
lessons about where we can expect similar problems. A time line
is at the end.
For further reading:
http://www.kb.cert.org/vuls/id/555316
Newt is a programming library for color text mode, widget based
user interfaces. Newt can be used to add stacked windows, entry
widgets, checkboxes, radio buttons, labels, plain text fields,
scrollbars, etc., to text mode user interfaces.
A heap-based buffer overflow flaw was found in the way newt
processes content that is to be displayed in a text dialog box.
A local attacker could issue a specially-crafted text dialog box
display request (direct or via a custom application), leading to a
denial of service (application crash) or, potentially, arbitrary
code execution with the privileges of the user running the
Problem Description:
Multiple security vulnerabilities have been identified and fixed in
the Little CMS library embedded in OpenJDK:
A memory leak flaw allows remote attackers to cause a denial of service
(memory consumption and application crash) via a crafted image file
(CVE-2009-0581).
Multiple integer overflows allow remote attackers to execute arbitrary
code via a crafted image file that triggers a heap-based buffer
After a standard system upgrade you need to restart firefox to effect
the necessary changes.
Details follow:
Various flaws were discovered in the browser and JavaScript engine.
By tricking a user into opening a malicious web page, an attacker
could execute arbitrary code with the user's privileges.
(CVE-2008-0412, CVE-2008-0413)
Flaws were discovered in the file upload form control. A malicious
Insufficient argument validation of hooked SSDT functions in multiple
antivirus and firewall products (BitDefender Antivirus [1], Comodo
Firewall [2], Sophos Antivirus [3] and Rising Antivirus [4]) has been
found that could lead to a denial of service (DoS) and possibly to code
execution. An attacker utilizing these flaws could locally reboot the
whole system, shutting down the firewall or anti-virus protection. In
some cases it may be possible to extend the impact of these bugs, and
they could lead to the execution of arbitrary code in privileged kernel
mode.
The VMware Tools Package provides support required for shared folders
(HGFS) and other features.
An input validation error is present in the Windows-based VMware
HGFS.sys driver. Exploitation of this flaw might result in
arbitrary code execution on the guest system by an unprivileged
guest user. It doesn't matter on what host the Windows guest OS
is running, as this is a guest driver vulnerability and not a
vulnerability on the host.
Linkedin, Facebook, Hi5, etc.
II. DESCRIPTION
This CMS is affected by multiple remote security flaws,
such as SQL injection and arbitrary file upload.
These security flaws DO NOT require authentication. Other
files may be vulnerable.
Problem Description:
Several vulnerabilities were found in the vim editor:
A number of input sanitization flaws were found in various vim
system functions. If a user were to open a specially crafted file,
it would be possible to execute arbitrary code as the user running vim
(CVE-2008-2712).
Ulf Härnhammar of Secunia Research found a format string flaw in
third-party application is, so far, the only known attack vector
for exploiting this issue.
This advisory covers the attack vector found in a widely extended
licensed application, GearSoftware Recording SDK, which was exposing the
kernel flaw to user-mode attackers through one of its filter drivers:
GEARAspiWDM.sys
Since this driver is a licensed solution, it is bundled with several
well-known products. To clarify as much as possible this vulnerability,
3. Problem description:
I Updated aacraid driver
This patch fixes a flaw in how the aacraid SCSI driver checked
IOCTL command permissions. This flaw might allow a local user
on the service console to cause a denial of service or gain
privileges. Thanks to Adaptec for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
Aaron Plattner discovered a buffer overflow in the Composite extension
of the X.org X server, which if exploited could lead to local privilege
escalation (CVE-2007-4730).
An input validation flaw was found in the X.org server's XFree86-Misc
extension that could allow a malicious authorized client to cause
a denial of service (crash), or potentially execute arbitrary code
with root privileges on the X.org server (CVE-2007-5760).
A flaw was found in the X.org server's XC-SECURITY extension that
crafted requests causing a heap overflow, which may have led to the
ability to execute arbitrary code on the server. (CVE-2007-2446)
Unescaped user input parameters were being passed as arguments to
/bin/sh. A remote, authenticated, user could have triggered this
flaw and executed arbitrary code on the server. Additionally, this
flaw could be triggered by a remote unauthenticated user if Samba
was configured to use the non-default username map script option.
(CVE-2007-2447)
Thanks to the Samba developers, TippingPoint, and iDefense for
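The Samba bug above is the classic shape of command injection: a string under the remote user's control is spliced into a command line that is handed to /bin/sh. The following added example (written for this page, not Samba's code) contrasts that vulnerable construction with the hardened alternative of passing the value as a single argv element via fork/execv, so no shell ever parses it. The map script path, the hostile username and the use of /bin/echo as a stand-in script are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical path of a "username map script"; an assumption for this
 * example, not Samba's real configuration. */
#define MAP_SCRIPT "/usr/local/bin/usermap.sh"

/* Vulnerable pattern: the client-supplied name is spliced into a
 * command line destined for /bin/sh.  Every shell metacharacter in
 * `user` (";", "|", "`", "$(...)", ...) is interpreted by the shell.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_command_vulnerable(char *out, size_t outlen, const char *user)
{
    int n = snprintf(out, outlen, "%s %s", MAP_SCRIPT, user);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Detection helper: does the name contain any byte the shell treats
 * specially?  Useful as a defence-in-depth input check, but not a
 * substitute for avoiding the shell altogether.  Returns 1 or 0. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, "`$&|;<>(){}[]*?~!\"'\\ \t\r\n") != NULL;
}

/* Hardened pattern: never construct a shell command line.  fork/execv
 * passes the name as one argv element, so the script receives it
 * verbatim and no shell parses it.  Returns the child's exit status,
 * or -1 if the child could not be started or did not exit normally. */
int run_map_script_safe(const char *script, const char *user)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)script, (char *)user, NULL };
        execv(script, argv);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hostile = "alice; id > /tmp/pwned";   /* constructed payload */
    char cmd[256];

    if (build_command_vulnerable(cmd, sizeof cmd, hostile) == 0)
        printf("shell would run: %s\n", cmd);
    printf("metacharacters present: %s\n",
           has_shell_metachar(hostile) ? "yes" : "no");

    /* /bin/echo stands in for the map script: the payload is just echoed. */
    int rc = run_map_script_safe("/bin/echo", hostile);
    printf("execv exit status: %d\n", rc);
    return 0;
}
```

Note that the metacharacter check is the weaker of the two defences: it protects only the specific shell dialect its list was written for, whereas execv removes the shell from the path entirely, which is why the Samba fix was to stop passing unescaped input to /bin/sh rather than to filter it.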
header injection and HTTP request smuggling.
Attack Scenarios
----------------
In the simplest scenarios, an attacker could use this flaw to inject
malicious versions of headers which are considered trusted. In certain
situations, headers are added to requests by the web server proxy module
which may be used to make decisions about authentication or access
control.
1. VULNERABILITY DESCRIPTION
Potential SQL injection flaws were detected in Joomla! CMS version
1.5.20. These flaws were reported along with our cross-site scripting
flaw, which was fixed in 1.5.21. The developers believed that our
reported SQL injection flaws are not fully exploitable because of
Joomla!'s built-in string filters, and they were not fixed in 1.5.21,
which is currently the latest version.
Debian-specific: no
CVE Id(s) : CVE-2009-1890 CVE-2009-1891
The previous update caused a regression for apache2 in Debian 4.0
"etch". Using mod_deflate together with mod_php could cause segfaults
when a client aborts a connection. This update corrects this flaw.
For reference the original advisory text is below.
A denial of service flaw was found in the Apache mod_proxy module when
it was used as a reverse proxy. A remote attacker could use this flaw
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
files with the privileges of the user invoking the program. (CVE-2009-3274)
Paul Stone discovered a flaw in the Firefox form history. If a user were
tricked into viewing a malicious website, a remote attacker could access this
data to steal confidential information. (CVE-2009-3370)
Orlando Berrera discovered that Firefox did not properly free memory when using
web-workers. If a user were tricked into viewing a malicious website, a remote
-----------------------
Hi all,
Just for the record, since the vulnerability is not only a DoS as stated
initially. Below are the technical details I found while verifying the flaw.
* This vulnerability is not only a BSOD flaw. It allows remote code
execution. The execution of code is far from being reliable though (at
the moment).
Problem Description:
Security vulnerabilities have been discovered and corrected in Mozilla
Firefox 3.0.x:
Several flaws in the Firefox browser and JavaScript engine could allow a
malicious site to cause a denial of service or possibly remote code
execution (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837,
CVE-2009-1838, CVE-2009-1841, CVE-2009-2043, CVE-2009-2044).
Several flaws were discovered in Firefox which could lead to
properly enforce OpenType checks, which allows context-dependent
attackers to bypass intended access restrictions by leveraging
finalizer resurrection to obtain a reference to a privileged object
(CVE-2009-2476).
A flaw in the Xerces2 as used in OpenJDK allows remote attackers to
cause denial of service via a malformed XML input (CVE-2009-2625).
The audio system does not prevent access to java.lang.System properties
by untrusted applets or Java Web Start applications, which
allows context-dependent attackers to obtain sensitive information
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
b. Update bind package for the Service Console fixes a security issue.
A flaw was discovered in the way Berkeley Internet Name Domain
(BIND) checked the return value of the OpenSSL DSA_do_verify
function. On systems using DNSSEC, a malicious zone could present
a malformed DSA certificate and bypass proper certificate
validation, allowing spoofing attacks.
(CVE-2009-0147).
An integer overflow in the JBIG2 decoder has unspecified
impact. (CVE-2009-0165).
A free of uninitialized memory flaw in the JBIG2 decoder allows
remote attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0166).
Multiple input validation flaws in the JBIG2 decoder allow
remote attackers to execute arbitrary code via a crafted PDF file
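Both the Little CMS integer overflows above (crafted image file triggering a heap-based buffer overflow) and the JBIG2 integer overflow belong to one bug class: a buffer size computed from attacker-controlled dimensions wraps, a too-small buffer is allocated, and the decoder then writes the real data into it. The following added example (constructed for this page; it is neither lcms nor xpdf code) shows the wrapping computation next to a checked version that tests each multiplication before performing it, caps the total, and verifies the file actually carries that many bytes. The header layout, the 256 MiB cap and the sample dimensions are assumptions for the demonstration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed image header; an assumption for this example. */
struct img_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;      /* bytes per pixel */
};

/* Upper bound on one decoded image; an assumption for this example. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Vulnerable pattern: the pixel buffer size is computed in 32-bit
 * arithmetic, so a large width*height wraps modulo 2^32.  A decoder
 * that mallocs this value and then copies the real pixel data into it
 * overflows the heap. */
uint32_t pixel_bytes_unchecked(const struct img_hdr *h)
{
    return h->width * h->height * h->bpp;
}

/* Hardened: reject zero or absurd operands, test each multiplication
 * against SIZE_MAX before performing it, and cap the result.  Returns 0
 * and stores the size in *out, or -1 if the header is rejected. */
int pixel_bytes_checked(const struct img_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 16)
        return -1;
    size_t w = h->width, ht = h->height, b = h->bpp;
    if (w > SIZE_MAX / ht)
        return -1;
    size_t area = w * ht;
    if (area > SIZE_MAX / b)
        return -1;
    size_t total = area * b;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out = total;
    return 0;
}

/* Decode a raw pixel body using the checked size and a length check
 * against the bytes actually present.  Returns a malloc'd pixel buffer
 * (caller frees) or NULL when the input is rejected. */
uint8_t *decode_image(const struct img_hdr *h, const uint8_t *body, size_t body_len)
{
    size_t need;
    if (pixel_bytes_checked(h, &need) != 0)
        return NULL;
    if (body_len < need)           /* truncated file or lying header */
        return NULL;
    uint8_t *px = malloc(need);
    if (px == NULL)
        return NULL;
    memcpy(px, body, need);
    return px;
}

int main(void)
{
    /* 65536 * 65537 * 1 = 2^32 + 65536, which wraps to 65536 in uint32_t. */
    struct img_hdr hostile = { 65536u, 65537u, 1u };
    size_t n = 0;
    printf("unchecked size: %" PRIu32 " bytes\n", pixel_bytes_unchecked(&hostile));
    printf("checked result: %d (-1 = rejected)\n", pixel_bytes_checked(&hostile, &n));

    struct img_hdr benign = { 4u, 4u, 3u };
    const uint8_t body[48] = { 0 };        /* constructed pixel data */
    uint8_t *px = decode_image(&benign, body, sizeof body);
    printf("benign decode: %s\n", px ? "ok" : "rejected");
    free(px);
    return 0;
}
```

The cap is what makes the rejection deterministic across 32- and 64-bit builds: on a 64-bit host the 4 GiB product does not overflow size_t, so without MAX_IMAGE_BYTES the header would pass the arithmetic check and be caught only by the body-length check (or, worse, by a successful 4 GiB allocation).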
already public. Apologies to those vendors who have not reacted to Sun's
announcements of December 2nd in a timely manner;
Mitre ID: CVE-2008-2938
Initial title: Java Runtime UTF-8 Decoding Flaw
Actual title: Java Runtime UTF-8 Decoder Smuggling Vector
Discovered by: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Sr. Software Engineer, SpringSource, Inc.
Fixed in: No fix currently available.
Risk: High
Vulnerability Description: Windows NTP Time Server Syslog Monitor 1.0.000 is vulnerable to a remote denial-of-service vulnerability because it fails to handle user-supplied input. Sending a specially crafted UDP Syslog request will cause the application to become unstable and stop responding.
Impact: A remote or local attacker can exploit this flaw by sending a specially crafted packet to the Syslog server. Successful exploitation of this flaw will cause the Syslog server process to crash preventing valid users or devices from using the service. The Syslog server will need to be restarted to resume normal Syslog server operations.
Keywords: security, vulnerability, syslog, princeofnigeria, windows, server, udp, dos, denial of service
[--Background--]