images

CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK

emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].

Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF and BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries, others
were introduced by native Android code that uses them or that implements
new functionality.


[RT-SA-2009-005] Papoo CMS: Authenticated Arbitrary Code Execution

Advisory: Papoo CMS: Authenticated Arbitrary Code Execution

The Papoo CMS allows authenticated users to upload GIF, JPG and PNG images
if they have the "upload images" privilege, which is true for all default
groups that can access the administrative interface. The CMS checks the
uploaded images only for their header, but not for the file extension. It
is therefore possible to upload images with the file extension ".php" and
a valid image header. By embedding PHP code into the image (e.g. by using
the GIF comments field), arbitrary code can be executed when requesting
the image.

Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts

Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau

Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked to treat images
as html, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.


[SECURITY] [DSA 1903-1] New graphicsmagick packages fix several vulnerabilities

                 CVE-2007-4988 CVE-2008-1096 CVE-2008-3134 CVE-2008-6070
                 CVE-2008-6071 CVE-2008-6072 CVE-2008-6621 CVE-2009-1882
Debian Bugs    : 414370 417862 444266 491439 530946

Several vulnerabilities have been discovered in graphicsmagick, a
collection of image processing tools, which can lead to the execution
of arbitrary code, exposure of sensitive information or a denial of
service (DoS).
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-1667

Cisco Security Advisory: Cisco IOS Software Secure Copy Privilege Escalation Vulnerability

users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
the CLI view attached to the user does not allow it. This
configuration file may include passwords or other sensitive
information.

The Cisco IOS SCP server is an optional service that is disabled by

VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues

    ESX            2.5.5     ESX      not affected

 b. Updated libpng package for the ESX 2.5.5 Service Console

    The libpng packages contain a library of functions for creating and
    manipulating PNG (Portable Network Graphics) image format files.

    A flaw was discovered in libpng that could result in libpng trying
    to free() random memory if certain, unlikely error conditions
    occurred. If a carefully-crafted PNG file was loaded by an
    application linked against libpng, it could cause the application

WinImage 8.10 vulnerabilities

Team Vexillium
Security Advisory
http://vexillium.org/

Name         : WinImage 8.10 Multiple Vulnerabilities
Class        : Denial of Service and Directory Traversal
Threat level : LOW (DoS), MED (Dir. traversal vuln)
Discovered   : 2007-08-31
Published    : 2007-09-15
Credit       : j00ru//vx

VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

   For Windows

   VMware Server 2
   Version 2.0.1 | 156745 - 03/31/09   
   507 MB EXE image VMware Server 2 for Windows Operating Systems. A
   master installer file containing all Windows components of VMware
   Server.
   md5sum: d0eefaa79e42d13a693c4d732a460ba4

   VIX API 1.6 for Windows.

Re: Formshield Captcha - Older Version vulnerable to replay attacks

server as part of every request and gain access to protected
resources.

The Formshield CAPTCHA uses a dynamic key stored in the __VIEWSTATE of
the request and sends encrypted text to the server for obtaining and
displaying new image text in the CAPTCHA on the page every time. There
are 2 problems with this approach:

The encrypted text for a specific image always remains the same

The key used to encrypt the request sent to the server does not expire

[USN-1085-1] tiff vulnerabilities

Details follow:

Sauli Pahlman discovered that the TIFF library incorrectly handled invalid
td_stripbytecount fields. If a user or automated system were tricked into
opening a specially crafted TIFF image, a remote attacker could crash the
application, leading to a denial of service. This issue only affected
Ubuntu 10.04 LTS and 10.10. (CVE-2010-2482)

Sauli Pahlman discovered that the TIFF library incorrectly handled TIFF
files with an invalid combination of SamplesPerPixel and Photometric

EEYE: Multiple Vulnerabilities In .FLAC File Format and Various Media Applications

to process Picture Data within FLAC files.

Vulnerability #6: Picture Dimension Size Heap Overflow
By modifying the width and height values in the PICTURE Metadata block,
a heap-based overflow could be achieved. When a vulnerable application
that supports FLAC images attempts to render the excessively large
image, the application allocates memory based on the dimension fields,
which could be used to overwrite memory values and pointers with
arbitrary values that could lead to code execution.

Vulnerability #7: Picture Description Size Heap Overflow

Formshield Captcha - Older Version vulnerable to replay attacks

server as part of every request and gain access to protected
resources.

The Formshield CAPTCHA uses a dynamic key stored in the __VIEWSTATE of
the request and sends encrypted text to the server for obtaining and
displaying new image text in the CAPTCHA on the page every time. There
are 2 problems with this approach:

The encrypted text for a specific image always remains the same

The key used to encrypt the request sent to the server does not expire

[USN-1085-2] tiff regression

Original advisory details:

 Sauli Pahlman discovered that the TIFF library incorrectly handled invalid
 td_stripbytecount fields. If a user or automated system were tricked into
 opening a specially crafted TIFF image, a remote attacker could crash the
 application, leading to a denial of service. This issue only affected
 Ubuntu 10.04 LTS and 10.10. (CVE-2010-2482)
 
 Sauli Pahlman discovered that the TIFF library incorrectly handled TIFF
 files with an invalid combination of SamplesPerPixel and Photometric

IOS Rootkit: the sky isn't falling (yet)

Given that the slides aren't online yet [1], that Core hasn't published Topo's
technical paper on their website [2] yet either, and that I'm done replying to
direct inquiries about it [3], here's a summary of the IOS rootkit saga and its
impact on the Service Provider community (from my point of view :)

Topo spent a lot of time (and if you ever loaded an IOS image in IDA you know
what I'm talking about) analyzing strings and functions in IOS. In his proof
of concept he located the code doing the password check and added a trampoline
to his backdoor code (by saving parameters, gluing the two pieces of code together,
doing the "new" password check and returning properly to the main code path).
Nice lesson on 101 hooking on IOS.

VMSA-2009-0006 VMware Hosted products and patches for ESX and ESXi resolve a critical security vulnerability

 
   For Windows
 
   VMware Server 2
   Version 2.0.1 | 156745 - 03/31/09
   507 MB EXE image VMware Server 2 for Windows Operating Systems. A
   master installer file containing all Windows components of VMware
   Server.
   md5sum: d0eefaa79e42d13a693c4d732a460ba4
 
   VIX API 1.6 for Windows.

[NETRAGARD SECURITY ADVISORY][Apple Core Image Fun House <= 2.0 OS X -- Arbitrary Code Execution][NETRAGARD-20080711]

[Advisory Summary]
- ----------------------------------------------------------------------
Advisory Author                 : Adriel T. Desautels
Researcher                      : Kevin Finisterre
Advisory ID                     : NETRAGARD-20070628
Product Name                    : Core Image Fun House
Product Version                 : <= 2.0 OS X
Vendor Name                     : http://www.apple.com
Type of Vulnerability           : Buffer Overflow
Effort (1-10 where 1 == easy)   : 5
Impact                          : Arbitrary Code Execution

[waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1

Registered users with blog keeping privileges can access personal gallery
functionality, example URL:

http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal

They can also upload image files to the server. File uploading can be
dangerous without proper security checks. So let's have a closer look
at the source code of "modules/blog/index.php" line ~2452: 

---------------------[source code]---------------------
function upload_imm () {

[SECURITY] [DSA 1858-1] New imagemagick packages fix several vulnerabilities

Debian Security Advisory DSA-1858-1                  security@debian.org
http://www.debian.org/security/                            Luciano Bello
August 10, 2009                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : multiple
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2007-1667 CVE-2007-1797 CVE-2007-4985 CVE-2007-4986 
                 CVE-2007-4987 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097

iDefense Security Advisory 10.28.09: Mozilla Firefox GIF Color Map Parsing Buffer Overflow Vulnerability

Oct 28, 2009

I. BACKGROUND

Firefox is the Mozilla Foundation's open source internet web browser.
Among the browser's capabilities is the display of GIF images. GIF is a
widely used image format with features such as lossless compression,
animation and color palettes. For more information, visit the URLs
shown below.

http://www.mozilla.com/firefox/

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

 d. Third party library update for libpng to version 1.2.37

    The libpng libraries through 1.2.35 contain an uninitialized-
    memory-read bug that may have security implications.
    Specifically, 1-bit (2-color) interlaced images whose widths are
    not divisible by 8 may result in several uninitialized bits at the
    end of certain rows in certain interlace passes being returned to
    the user. An application that failed to mask these out-of-bounds
    pixels might display or process them, albeit presumably with benign
    results in most cases.

[ MDVSA-2009:162 ] java-1.6.0-openjdk

 Multiple security vulnerabilities have been identified and fixed in the
 Little cms library embedded in OpenJDK:
 
 A memory leak flaw allows remote attackers to cause a denial of service
 (memory consumption and application crash) via a crafted image file
 (CVE-2009-0581).
 
 Multiple integer overflows allow remote attackers to execute arbitrary
 code via a crafted image file that triggers a heap-based buffer
 overflow (CVE-2009-0723).

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

configured for SIP and Cisco Unified Border Element feature are not
affected by this vulnerability.

Note: Cisco Unified Border Element feature (previously known as the
Cisco Multiservice IP-to-IP Gateway) is a special Cisco IOS Software
image that runs on Cisco multiservice gateway platforms. It provides
a network-to-network interface point for billing, security, call
admission control, quality of service, and signaling interworking.

Cisco Unified Border Element feature requires the "voice service voip" 
command and the "allow-connections" subcommand. An example of an

rPSA-2007-0176-1 gd php php-mysql php-pgsql php5 php5-cgi php5-mysql php5-pear php5-pgsql php5-soap php5-xsl

    Previous versions of the gd, php, and php5 packages are vulnerable
    to multiple attacks in which an attacker may cause unbounded CPU
    consumption or application crashes (Denial of Service), possibly
    leading to the execution of malicious code (Unauthorized Access).
    These attacks are generally limited to uses of the gd library to load
    existing images rather than generate new images.  Many applications
    that use gd (including all uses of gd within rPath Linux) use gd
    only for generating new images, not for loading existing images.
    
    While rPath Linux itself is not vulnerable to these attacks,
    some uses of gd, particularly when loading attacker-supplied

[security bulletin] HPSBOV02452 SSRT090161 rev.1 - HP TCP/IP Services for OpenVMS BIND Server Remote Denial of Service (DoS)

Login: vmsbind
Password: vmsbind

FTP Access URL: ftp://vmsbind:vmsbind@hprc.external.hp.com/

There are patches for all TCP/IP versions (i.e. v54-ECO7, v55-ECO3, and v56-ECO4) for both ALPHA and ITANIUM platforms. Download the file needed from the ftp server for the particular server architecture and TCP/IP services version. The ECO level in each patch file name refers to the TCP/IP services ECO which must be installed prior to using this patch.

Itanium Images

TCPIP$BIND_SERVER.EXE_SECURITY_V55_ECO3_ITN

TCPIP$BIND_SERVER.EXE_SECURITY_V56_ECO4_ITN


Using Blended Browser Threats involving Chrome to steal files on your computer

For complete post with images, please visit
http://securethoughts.com/2009/11/using-blended-browser-threats-involving-ch
rome-to-steal-files-on-your-computer/

SECURETHOUGHTS.COM ADVISORY
=============================================
- CVE-ID                : CVE-2009-XXXX (Chrome) {Pending}
- Release Date  : November 05, 2009
- Severity              : Medium
- Discovered by : Inferno

ImageShack Toolbar FileUploader Class insecurities

<!--
ImageShack Toolbar 4.5.7 FileUploader Class (ImageShackToolbar.dll) insecure
method poc

This tool may allow a malicious web page to post arbitrary images on the web
from a user hard drive. Images will be visible on ImageShack site, a way for an
attacker to retrieve them maybe tag search or by understanding the renaming
operation, ex. "_" chars are removed and the "tq2" string is appended.
My test image is still visible here:
http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg

[ MDVSA-2010:070 ] firefox

 Problem Description:

 Security issues were identified and fixed in firefox:
 
 Security researcher regenrecht reported (via TippingPoint's Zero Day
 Initiative) a potential reuse of a deleted image frame in Firefox 3.6's
 handling of multipart/x-mixed-replace images. Although no exploit was
 shown, re-use of freed memory has led to exploitable vulnerabilities
 in the past (CVE-2010-0164).
 
 Mozilla developers identified and fixed several stability bugs in the

[ MDVSA-2009:137 ] java-1.6.0-openjdk

 Multiple security vulnerabilities have been identified and fixed in the
 Little cms library embedded in OpenJDK:
 
 A memory leak flaw allows remote attackers to cause a denial of service
 (memory consumption and application crash) via a crafted image file
 (CVE-2009-0581).
 
 Multiple integer overflows allow remote attackers to execute arbitrary
 code via a crafted image file that triggers a heap-based buffer
 overflow (CVE-2009-0723).

[ MDVSA-2010:070-1 ] firefox

 Problem Description:

 Security issues were identified and fixed in firefox:
 
 Security researcher regenrecht reported (via TippingPoint's Zero Day
 Initiative) a potential reuse of a deleted image frame in Firefox 3.6's
 handling of multipart/x-mixed-replace images. Although no exploit was
 shown, re-use of freed memory has led to exploitable vulnerabilities
 in the past (CVE-2010-0164).
 
 Mozilla developers identified and fixed several stability bugs in the

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.