
Evasion attacks exploiting file-parsing vulnerabilities in antivirus products

----------------------------
Vulnerability Descriptions
----------------------------

1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes 
   evades detection.

   Affected products -
   ClamAV 0.96.4, CAT-QuickHeal 11.00
  

LayerOne 2008 - CFP Released

As we have a single presentation track, please bear in mind that
speaking slots are limited to one hour. While presenters typically
divide the hour into separate presentation and Q&A sessions, you may
structure your time however you see fit. If you think your
presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.

Note: If the presentation is based upon code or a particular
technique, the presenter must be one of the developers of the code or

[USN-710-1] xine-lib vulnerabilities

Details follow:

It was discovered that xine-lib did not correctly handle certain malformed
Ogg and Windows Media files. If a user or automated system were tricked into
opening a specially crafted Ogg or Windows Media file, an attacker could cause
xine-lib to crash, creating a denial of service. This issue only applied to
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)

It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not
correctly handle memory allocation failures. If a user or automated system were

Vim: Improper Implementation of shellescape()/Arbitrary Code Execution

2. Background

The shellescape() function, added by patch 7.0.111, has since been
modified in 7.2a.013 to escape special characters, so as to be useful
when sanitizing arguments of the ``execute'' command:


``shellescape({string} [, {special}])
    Escape {string} for use as shell command argument.

[USN-859-1] OpenJDK vulnerabilities

create a malicious trusted certificate to impersonate another site. This
update handles this issue by completely disabling MD2 for certificate
validation in OpenJDK. (CVE-2009-2409)

It was discovered that ICC profiles could be identified with
".." pathnames.  If a user were tricked into running a specially
crafted applet, a remote attacker could gain information about a local
system. (CVE-2009-3728)

Peter Vreugdenhil discovered multiple flaws in the processing of graphics
in the AWT library.  If a user were tricked into running a specially

[USN-1085-1] tiff vulnerabilities

Details follow:

Sauli Pahlman discovered that the TIFF library incorrectly handled invalid
td_stripbytecount fields. If a user or automated system were tricked into
opening a specially crafted TIFF image, a remote attacker could crash the
application, leading to a denial of service. This issue only affected
Ubuntu 10.04 LTS and 10.10. (CVE-2010-2482)

Sauli Pahlman discovered that the TIFF library incorrectly handled TIFF
files with an invalid combination of SamplesPerPixel and Photometric

[USN-1085-2] tiff regression

Original advisory details:

 Sauli Pahlman discovered that the TIFF library incorrectly handled invalid
 td_stripbytecount fields. If a user or automated system were tricked into
 opening a specially crafted TIFF image, a remote attacker could crash the
 application, leading to a denial of service. This issue only affected
 Ubuntu 10.04 LTS and 10.10. (CVE-2010-2482)
 
 Sauli Pahlman discovered that the TIFF library incorrectly handled TIFF
 files with an invalid combination of SamplesPerPixel and Photometric

[USN-886-1] Pidgin vulnerabilities

could be exploited to view sensitive information. This issue only affected
Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)

It was discovered that Pidgin did not properly handle certain SLP invite
messages in the MSN protocol handler. A remote attacker could send a
specially crafted invite message and cause Pidgin to crash, leading to a
denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10
and Ubuntu 9.04. (CVE-2009-3083)

It was discovered that Pidgin did not properly handle certain errors in the
XMPP protocol handler. A remote attacker could send a specially crafted

[Suspected Spam][USN-947-2] Linux kernel regression

 a 32-bit application on a 64-bit kernel.  A local attacker could
 exploit this to cause a denial of service. (Only affected Ubuntu 6.06
 LTS.) (CVE-2009-4271)
 
 It was discovered that the r8169 network driver did not correctly check
 the size of Ethernet frames.  A remote attacker could send specially
 crafted traffic to crash the system, leading to a denial of service.
 (CVE-2009-4537)
 
 Wei Yongjun discovered that SCTP did not correctly validate certain
 chunks.  A remote attacker could send specially crafted traffic to

[USN-720-1] PHP vulnerabilities

Details follow:

It was discovered that PHP did not properly enforce php_admin_value and
php_admin_flag restrictions in the Apache configuration file. A local attacker
could create a specially crafted PHP script that would bypass intended security
restrictions. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS.
(CVE-2007-5900)

It was discovered that PHP did not correctly handle certain malformed font
files. If a PHP application were tricked into processing a specially crafted

[USN-1093-1] Linux Kernel vulnerabilities (Marvell Dove)

Details follow:

Joel Becker discovered that OCFS2 did not correctly validate on-disk
symlink structures. If an attacker were able to trick a user or automated
system into mounting a specially crafted filesystem, it could crash the
system or expose kernel memory, leading to a loss of privacy.

Ben Hutchings discovered that the ethtool interface did not correctly
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

Cisco IOS Software contains two vulnerabilities related to Cisco IOS
Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall
features. These vulnerabilities are:

  * Memory leak in Cisco IOS Software
  * Cisco IOS Software Denial of Service when processing specially
    crafted HTTP packets

Cisco has released free software updates that address these
vulnerabilities.


Cross-site scripting in Samizdat 0.6.1

Patch: http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch
References: CVE-2009-0359, DTSA-194-1

Description:

Samizdat 0.6.1 contains several code paths that fail to escape special HTML
characters in message title and user full name before these strings are included
in a Web page (in earlier versions, only user full name is exploitable). This
allows an attacker to perform a cross-site scripting attack by including a
specially crafted string in their full name or message title.


Collection of Vulnerabilities in Fully Patched Vim 7.1

Ex commands don't accept strings for arguments, only bare-words.  In other
words, there is just one level of quoting.  It is possible to quote individual
characters by prepending a backslash.  As we can learn in the Vim Reference
Manual (``cmdline.txt'') we can divide the characters in three classes --
characters that are treated specially :

        (1) *unless* preceded by a backslash
        (2) *when* preceded by a backslash
        (3) when preceded by a *quoted* backslash


Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

  * DNS Response Parsing Overflow

    Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
    running SCCP and SIP firmware contain a buffer overflow
    vulnerability in the handling of DNS responses. A
    specially-crafted DNS response may be able to trigger a buffer
    overflow and execute arbitrary code on a vulnerable phone. This
    vulnerability is corrected in SCCP firmware version 8.0(8) and
    SIP firmware version 8.8(0). This vulnerability is documented in
    CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.

CORE-2008-0228: Microsoft Word Malformed FIB Arbitrary Free Vulnerability

3. *Vulnerability Description*

A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. The vulnerability could allow remote code
execution if a user opens a specially crafted Word file that includes a
malformed record value. An attacker who successfully exploited this
vulnerability could execute arbitrary code with the privileges of the
user running the MS Word application.


[ GLSA 200810-01 ] WordNet: Execution of arbitrary code

  lib/morph.c, and the getindex() in lib/search.c, which lead to
  stack-based buffer overflows.

* Rob Holland (oCERT) reported two boundary errors within the
  do_init() function in lib/morph.c, which lead to stack-based buffer
  overflows via specially crafted "WNSEARCHDIR" or "WNHOME" environment
  variables.

* Rob Holland (oCERT) reported multiple boundary errors in the
  bin_search() and bin_search_key() functions in binsrch.c, which lead
  to stack-based buffer overflows via specially crafted data files.

[USN-1074-1] Linux kernel vulnerabilities

memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)

Suresh Jayaraman discovered that CIFS did not correctly validate certain
response packets. A remote attacker could send specially crafted traffic
that would crash the system, leading to a denial of service.
(CVE-2010-2248)

Ben Hutchings discovered that the ethtool interface did not correctly check
certain sizes. A local attacker could perform malicious ioctl calls that

[USN-1074-2] Linux kernel vulnerabilities

 memory regions. A local attacker could exploit this to gain control of
 certain applications, potentially leading to privilege escalation, as
 demonstrated in attacks against the X server. (CVE-2010-2240)
 
 Suresh Jayaraman discovered that CIFS did not correctly validate certain
 response packets. A remote attacker could send specially crafted traffic
 that would crash the system, leading to a denial of service.
 (CVE-2010-2248)
 
 Ben Hutchings discovered that the ethtool interface did not correctly check
 certain sizes. A local attacker could perform malicious ioctl calls that

[USN-1083-1] Linux kernel vulnerabilities

Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)

Suresh Jayaraman discovered that CIFS did not correctly validate certain
response packets. A remote attacker could send specially crafted traffic
that would crash the system, leading to a denial of service.
(CVE-2010-2248)

Ben Hutchings discovered that the ethtool interface did not correctly check
certain sizes. A local attacker could perform malicious ioctl calls that

[SECURITY] [DSA 2240-1] linux-2.6 security update

CVE-2011-1163

    Timo Warns reported an issue in the kernel support for Alpha OSF format disk
    partitions. Users with physical access can gain access to sensitive kernel
    memory by adding a storage device with a specially crafted OSF partition.

CVE-2011-1170

    Vasiliy Kulikov reported an issue in the Netfilter arp table
    implementation. Local users with the CAP_NET_ADMIN capability can gain

CORE-2012-0123 - SAP Netweaver Dispatcher Multiple Vulnerabilities

SAP Netweaver [1] is a technology platform for building and integrating
SAP business applications. Multiple vulnerabilities have been found in
SAP Netweaver that could allow an unauthenticated, remote attacker to
execute arbitrary code and lead to denial of service conditions. The
vulnerabilities are triggered by sending specially crafted SAP Diag packets
to remote TCP port 32NN (where NN is the SAP system number) of a host
running the "Dispatcher" service, part of SAP Netweaver Application
Server ABAP. Different messages trigger the different vulnerabilities.


[ MDVSA-2008:236-1 ] vim

 Problem Description:

 Several vulnerabilities were found in the vim editor:
 
 A number of input sanitization flaws were found in various vim
 system functions.  If a user were to open a specially crafted file,
 it would be possible to execute arbitrary code as the user running vim
 (CVE-2008-2712).
 
 Ulf Härnhammar of Secunia Research found a format string flaw in
 vim's help tags processor.  If a user were tricked into executing the

[ MDVSA-2008:236 ] vim

 Problem Description:

 Several vulnerabilities were found in the vim editor:
 
 A number of input sanitization flaws were found in various vim
 system functions.  If a user were to open a specially crafted file,
 it would be possible to execute arbitrary code as the user running vim
 (CVE-2008-2712).
 
 Ulf Härnhammar of Secunia Research found a format string flaw in
 vim's help tags processor.  If a user were tricked into executing the

(CORE-2010-0701) Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability

3. *Vulnerability Description*

Adobe Acrobat Reader is prone to a use-after-free vulnerability due to
an invalid usage of a released memory chunk. This vulnerability could be
used by a remote attacker to execute arbitrary code, by enticing the
user of Adobe Acrobat Reader to open a specially crafted file and click
on PAGES thumbnails.


4. *Vulnerable packages*


[Onapsis Security Advisory 2011-005] SAP Enterprise Portal Path Disclosure

Onapsis Security Advisory 2011-005: SAP Enterprise Portal Path Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================


[Onapsis Security Advisory 2011-008] Oracle JD Edwards JDENET CallObjectKernel Remote Command Execution

Onapsis Security Advisory 2011-008: Oracle JD Edwards JDENET CallObjectKernel Remote Command Execution

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================


[Onapsis Security Advisory 2011-013] Oracle JD Edwards JDENET USRBROADCAST Denial of Service

Onapsis Security Advisory 2011-013: Oracle JD Edwards JDENET USRBROADCAST Denial of Service

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================


[Onapsis Security Advisory 2012-01] Oracle JD Edwards JDENET Arbitrary File Write

Onapsis Security Advisory: Oracle JD Edwards JDENET Arbitrary File Write

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================


[Onapsis Security Advisory 2012-02] Oracle JD Edwards Security Kernel Remote Password Disclosure

Onapsis Security Advisory: Oracle JD Edwards Security Kernel Remote Password Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
