Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 12



The only thing they are wrong about is the number of sites carrying the exploit: SANS says there are already over 200.

> 
> *************************
> Widely Deployed Software
> *************************
> 
> (1) CRITICAL: Internet Explorer createTextRange Method Remote Code Execution
> Affected:
> Internet Explorer 5.01, 6 and 7 Beta 2
> 
> Description: Internet Explorer contains a heap memory corruption
> vulnerability that can be triggered by a JavaScript call to the
> "createTextRange" method. This method is used to create a "textRange"
> object that represents text in an HTML element. Invoking the
> "createTextRange" method on a "checkbox" object can be exploited to
> corrupt heap memory, which leads to arbitrary code execution. A specially
> crafted webpage or an HTML email can exploit this flaw to compromise a
> user's system. Exploit code has been publicly posted and attacks have
> been recorded in the wild. SANS Internet Storm Center reports that
> around 100 sites are using the exploit to install Trojans and other
> malware on compromised systems. A researcher has posted a tool that can
> be used to stress test the implementation of other DHTML methods, and
> reported that Internet Explorer crashes in three other instances. Another
> researcher has reportedly found a flaw in IE that can be used to run
> arbitrary HTA code.
> 
> Status: Microsoft is aware of the issues and is working on releasing the
> fix along with the April patches. Microsoft is also planning to roll
> changes in IE's automatic handling of multimedia content into the next
> patch, which may cause issues with certain websites (EOLAS changes). A
> workaround is to turn off the "Active Scripting" option in IE (which
> will break the normal functioning of many webpages) or to use another
> browser like Firefox. Use updated AV and IDS/IPS signatures to prevent
> users from loading malicious webpages or emails.
> 
> Council Site Actions:
> Most are reviewing turning off "Active Scripting", but will likely wait
> for a vendor patch/fix. The great majority will obtain the update through
> the public Microsoft Update site, or through their local WSUS server,
> whenever Microsoft releases a patch. Antivirus may buy some degree of
> protection in the meantime.
> 
> References:
> Secunia Advisory
> http://archives.neohapsis.com/archives/secunia/2006-q1/1088.html  
> Microsoft Advisory
> http://www.microsoft.com/technet/security/advisory/917077.mspx  
> Microsoft Security Response Center Blog
> http://blogs.technet.com/msrc/ 
> SANS Incident Handler's Diary
> http://www.incidents.org/diary.php?storyid=1223 
> http://www.incidents.org/diary.php?storyid=1221 
> Tool for Testing DHTML Methods
> http://metasploit.com/users/hdm/tools/hamachi/hamachi.html 
> Undisclosed vulnerability in IE
> http://jeffrey.vanderstad.net/grasshopper/  
> Exploit Code
> http://www.milw0rm.com/exploits/1606  
> http://www.milw0rm.com/exploits/1607  
> IE Changes Planned for Next Update (EOLAS)
> http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,109866,00.html?source=NLT_SEC&nid=109866
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/17196 
> 
> ****************************************************************
> 
> (2) HIGH: Sendmail Signal Handling Memory Corruption
> Affected:
> Open Source: Sendmail version 8.13.5 and prior
> Commercial Products:
> Sendmail Sentrion Appliance version 1.1
> Sendmail Switch/Managed MTA/Multi-Switch version 3.1.7 and prior
> Sendmail Advanced Message Server and Message Store version 2.2 and prior
> Intelligent Quarantine version 3.0
> All other OSes and third party software using affected versions of Sendmail.
> 
> Description: Sendmail is the most common mail transfer agent (MTA) used
> on the Internet and, according to certain estimates, handles between 50
> and 75% of e-mail traffic. Sendmail contains a vulnerability in its
> "signal" handling code that deals with "timeouts" during SMTP
> connections. (Signals are used to communicate certain events to a
> process or a thread.) A remote attacker can trigger the vulnerability
> by sending a sequence of SMTP commands with certain timing conditions
> along with a specially crafted e-mail message. The flaw can be exploited
> to corrupt the process stack or heap memory and execute arbitrary code
> with the privileges of the sendmail process (root in older versions).
> A proof-of-concept exploit has been publicly posted.
> 
> Status: Sendmail has released version 8.13.6 to fix the problem. Patches
> for versions 8.15.5 and 8.12.11 are also available. Major Linux vendors
> like RedHat, Gentoo, OpenPKG and Fedora have released updated sendmail
> packages. Sun and IBM have also released patches for Solaris and AIX
> respectively. For other affected vendors, please refer to the CERT
> advisory.
> 
> Council Site Actions: One site has sendmail enabled only in loopback-only
> listening mode and plans to deploy the patch during its next regularly
> scheduled system maintenance cycle. Another site is affected only on its
> Sun platforms and is currently testing the patches and will deploy soon.
> The third site plans to deploy patches for heavily used systems after
> some initial testing over the next few weeks. Their lightly used systems
> will automatically obtain updates from their Linux distributors.
> 
> References:
> ISS Advisory
> http://xforce.iss.net/xforce/alerts/id/216   
> Sendmail Advisory
> http://www.sendmail.com/company/advisory/  
> CERT Advisory
> http://www.kb.cert.org/vuls/id/834865 
> Posting by Mark Dowd (discoverer)
> http://archives.neohapsis.com/archives/dailydave/2006-q1/0250.html 
> Posting by Dave Aitel
> http://archives.neohapsis.com/archives/dailydave/2006-q1/0255.html 
> PoC Code
> http://rapturesecurity.org/jack/exploiting_sendmail.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/17192 
> 
> ****************************************************************
> 
> (3) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
> Affected:
> RealPlayer, RealOne Player, Mac Real Player, Mac RealOne Player, Helix
> Player, Linux RealPlayer
> 
> Description: RealPlayer contains multiple vulnerabilities that can lead
> to remote compromise of users' systems running a vulnerable version of
> the media players.
> 
> (a) The players contain a buffer overflow in the handling of specially
> crafted SWF and MBC file formats. A malicious media file posted on a
> webpage, P2P network or shared folder can exploit the overflows to
> execute arbitrary code on a client system. The technical details
> required to craft an exploit have not been released yet.
> 
> (b) The players contain a heap-based overflow that can be triggered by
> specially crafted "chunked data" during an HTTP download. The chunked
> transfer mechanism allows an HTTP server to break the data into smaller
> pieces or "chunks", and each chunk of data is preceded by its length.
> The heap corruption can be triggered by a chunk with size -1 or a chunk
> with data size greater than the declared length. A malicious server
> hosting a media file can exploit this overflow to execute arbitrary code
> on a client system.
> 
> Status: RealPlayer has issued fixed versions for all the affected media
> players. Enable the "Autoupdate" feature available in the players to
> keep them updated.
> 
> Council Site Actions: The software is not officially supported at the
> reporting council sites, although it is used by many at the respective
> sites.  Two sites are relying on the "Autoupdate" feature to download
> the latest version.  The third site uses SMS to search for and remove
> the software from their workstations on a regular basis. This forces
> their user community to download and install the latest releases when
> they want to use the software.
> 
> References:
> RealNetworks Advisory
> http://service.real.com/realplayer/security/03162006_player/en/  
> iDefense Advisory
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0088.html  
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/17202 
> 
> 
> 06.12.1 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Unspecified Remote HTA Execution
> Description: Microsoft Internet Explorer is affected by an unspecified
> remote issue. HTA files are HTML applications that are given higher
> levels of trust and access to the local system that remote web pages
> are normally given. Due to this higher level of trust, successful
> exploits may possibly facilitate arbitrary remote code execution and
> the compromise of affected computers. This vulnerability affects
> Internet Explorer 6.0 running on Microsoft Windows 98, Windows XP, and
> Windows Server 2003.
> Ref: http://www.securityfocus.com/bid/17181
> ______________________________________________________________________
> 
> 06.12.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer CreateTextRange Remote Code Execution
> Description: Microsoft Internet Explorer is affected by a remote code
> execution issue due to a flaw in the application that results in an
> invalid table pointer dereference. Certain uses of the
> "createTextRange()" JavaScript method exposes this issue. Internet
> Explorer 6 and 7 beta 2 are affected.
> Ref: http://www.securityfocus.com/bid/17196
> ______________________________________________________________________
> ______________________________________________________________________
> 
> 06.12.8 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Microsoft ASP.NET COM Components W3WP Remote Denial of Service
> Description: w3wp.exe is a worker process associated with the
> Microsoft IIS access pool. ASP.NET is a set of tools based on the .NET
> framework for building web applications. The application is affected
> by a remote denial of service issue due to the "ASPCompat" directive
> when accessing COM and COM+ components.
> Ref: http://www.securityfocus.com/bid/17188
> ______________________________________________________________________
> 
> 
> 06.12.13 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel Netfilter Do_Replace Remote Buffer Overflow
> Description: The Linux kernel is susceptible to a remote buffer
> overflow vulnerability due to improper boundary checking of user
> supplied input before using it in a memory copy operation. Linux
> kernel versions prior to 2.6.16 in the 2.6 series are affected by this
> issue.
> Ref: http://www.securityfocus.com/bid/17178
> ______________________________________________________________________
> 
> 06.12.15 CVE: CVE-2006-1342, CVE-2006-1343
> Platform: Linux
> Title: Linux Kernel sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
> Description: The Linux kernel is affected by multiple local memory
> disclosure vulnerabilities. These issues are due to a failure of the
> kernel to properly clear previously used kernel memory prior to
> returning it to local users. These issues return 6 bytes of
> previously-used kernel memory in the "sockaddr_in.sin_zero" memory
> buffer when local users call the following functions: accept(),
> getpeername(), getsockname(), getsockopt() with the "SO_ORIGINAL_DST"
> flag. Linux kernel versions 2.6.16 -rc1 and earlier are vulnerable.
> Ref: http://www.securityfocus.com/bid/17203/exploit
> ______________________________________________________________________
> 
> 06.12.18 CVE: CVE-2006-0905
> Platform: BSD
> Title: FreeBSD IPsec Replay Vulnerability
> Description: FreeBSD's IPsec implementation is vulnerable to remote
> replay attacks due to a flaw in "fast_ipsec(4)" that allows all
> packets to pass the anti-replay sequence number validation check.
> FreeBSD versions 6.0 and earlier are vulnerable.
> Ref: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:11.ipsec.asc
> ______________________________________________________________________
> 
> 06.12.20 CVE: CVE-2006-1329
> Platform: Unix
> Title: Jabber Studio JabberD Remote Denial of Service
> Description: Jabber Studio JabberD is an instant messaging protocol
> application. It is vulnerable to a remote denial of service issue due
> to insufficient handling of malformed network messages. Jabber Server
> versions 2.0 s10 and earlier are vulnerable.
> Ref: http://article.gmane.org/gmane.network.jabber.admin/27372
> ______________________________________________________________________
> 
> 06.12.21 CVE: Not Available
> Platform: Unix
> Title: FreeRADIUS EAP-MSCHAPv2 Authentication Bypass
> Description: FreeRADIUS is a freely available, open source
> implementation of the RADIUS protocol. It is available for the Unix
> and Linux platforms. FreeRADIUS is prone to an authentication bypass
> vulnerability. This issue exists because adequate input validation was
> not being performed in the EAP-MSCHAPv2 client state machine. This
> could allow a user to manipulate the EAP-MSCHAPv2 client state machine
> to convince the server to bypass authentication checks. FreeRADIUS
> versions 1.0.0 to 1.1.0 are vulnerable.
> Ref: http://www.freeradius.org/security.html
> ______________________________________________________________________
> 
> 
> 06.12.32 CVE: CVE-2006-0058
> Platform: Cross Platform
> Title: Sendmail Asynchronous Signal Handling Remote Code Execution
> Description: Sendmail is a widely used MTA for Unix and Microsoft
> Windows systems. It is prone to a remote code execution vulnerability
> due to an unspecified race condition error. Sendmail versions prior to
> 8.13.6 are vulnerable to this issue.
> Ref: http://www.securityfocus.com/bid/17192
> ______________________________________________________________________
> 
> 06.12.33 CVE: CVE-2006-0323, CAN-2005-2922
> Platform: Cross Platform
> Title: RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
> Description: Various RealNetworks products are prone to multiple
> buffer overflow vulnerabilities. These issues arise because the
> applications fail to perform boundary checks prior to copying
> user-supplied data into sensitive process buffers. Please see the
> advisory below for details.
> Ref: http://www.securityfocus.com/bid/17202
> ______________________________________________________________________
> 
> 06.12.35 CVE: CVE-2006-0058
> Platform: Cross Platform
> Title: Sendmail SM_SysLog Remote Memory Leak Denial Of Service
> Description: Sendmail is a widely used MTA for UNIX and Microsoft
> Windows systems. Sendmail is prone to a remote denial of service
> vulnerability. This issue is due to a failure of the application to
> properly free allocated memory regions when it is finished with them.
> Remote attackers may leverage this issue to consume excessive memory,
> eventually crashing the application. Sendmail versions prior to 8.13.6
> are vulnerable to this issue.
> Ref: http://www.sendmail.com/company/advisory/index.shtml
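The Sendmail item (2) above, and entries 06.12.32/06.12.35, describe a SIGALRM timeout handler that runs while the main code is in the middle of something and corrupts process state. The following is an added example, not Sendmail's code: a simulation in which the SMTP commands, the allocation bookkeeping and the point at which the alarm fires (a synchronous `raise(SIGALRM)` standing in for the timer) are all constructed here. `run_session_unsafe` models a handler that performs the timeout action itself with `siglongjmp`; `run_session_safe` models the async-signal-safe pattern of setting a `sig_atomic_t` flag and acting on it from the main loop.

```c
/* Added example, not Sendmail's code: an SMTP per-command timeout
 * delivered as SIGALRM, handled two ways.  The session and its commands
 * are constructed here; no network I/O happens. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Track live heap buffers so an abandoned command shows up as a leak. */
static int live_buffers = 0;

static char *dup_line(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_buffers++; }
    return p;
}

static void free_line(char *p) {
    if (p) { free(p); live_buffers--; }
}

/* --- Unsafe: the handler itself performs the timeout action.  It cannot
 * see what the main loop was doing, so whatever was half done at that
 * instant stays half done (here: a buffer that is never freed).  With
 * real timing the same handler can fire inside malloc/free or while a
 * global is being updated, which is where memory corruption comes from. */
static sigjmp_buf timeout_env;

static void on_alarm_unsafe(int sig) {
    (void)sig;
    siglongjmp(timeout_env, 1);           /* not async-signal-safe in general */
}

/* --- Safe: the handler only records that the alarm fired. */
static volatile sig_atomic_t got_timeout = 0;

static void on_alarm_safe(int sig) {
    (void)sig;
    got_timeout = 1;                      /* the only thing a handler should do */
}

/* Constructed SMTP dialogue used by both runners. */
const char *const demo_cmds[] = {
    "EHLO mx.example", "MAIL FROM:<a@example>", "RCPT TO:<b@example>", "DATA"
};
const int demo_n = 4;

/* Process n commands, firing the alarm while command `timeout_at` is in
 * flight (-1 = never).  Returns commands completed; negative if the
 * session ended by timeout. */
int run_session_unsafe(const char *const *cmds, int n, int timeout_at) {
    volatile int done = 0;
    signal(SIGALRM, on_alarm_unsafe);
    if (sigsetjmp(timeout_env, 1) != 0)
        return -done;                     /* timeout path: `line` below is lost */
    for (int i = 0; i < n; i++) {
        char *line = dup_line(cmds[i]);   /* per-command state the handler cannot reach */
        if (i == timeout_at) raise(SIGALRM);   /* timer fires mid-command */
        free_line(line);
        done++;
    }
    return done;
}

int run_session_safe(const char *const *cmds, int n, int timeout_at) {
    int done = 0;
    signal(SIGALRM, on_alarm_safe);
    got_timeout = 0;
    for (int i = 0; i < n; i++) {
        char *line = dup_line(cmds[i]);
        if (i == timeout_at) raise(SIGALRM);   /* handler just sets the flag */
        free_line(line);                       /* state is cleaned up normally */
        done++;
        if (got_timeout) return -done;         /* act on the flag at a safe point */
    }
    return done;
}

int main(void) {
    int r1 = run_session_safe(demo_cmds, demo_n, -1);
    printf("safe, no timeout:   %d (live buffers %d)\n", r1, live_buffers);
    int r2 = run_session_safe(demo_cmds, demo_n, 1);
    printf("safe, timeout @1:   %d (live buffers %d)\n", r2, live_buffers);
    int r3 = run_session_unsafe(demo_cmds, demo_n, 1);
    printf("unsafe, timeout @1: %d (live buffers %d)\n", r3, live_buffers);
    return 0;
}
```

The leaked buffer is the deterministic, visible symptom; the advisory's memory corruption is the same mistake hitting non-reentrant code at an unlucky moment, which is why the fix is structural (flag and poll) rather than a bound check.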

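RealPlayer item (3)(b) above names the two inputs that corrupt the heap during chunked HTTP download: a chunk size of -1 and chunk data longer than the declared length. Added example, not RealNetworks' code: a decoder for HTTP chunked transfer coding that rejects both. `naive_chunk_size` shows how a sign-accepting parse turns "-1" into `SIZE_MAX`; `decode_chunked` is the checked version. The input strings and the 7-hex-digit size limit are choices made here, not from the advisory.

```c
/* Added example, not RealNetworks code: decoding HTTP chunked transfer
 * coding with the checks a media client needs.  All inputs are
 * constructed strings; no HTTP connection is made. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    CHUNK_ERR_SIZE   = -1,  /* size line is not a plain hex number (e.g. "-1") */
    CHUNK_ERR_LENGTH = -2,  /* chunk data does not match the declared size */
    CHUNK_ERR_SYNTAX = -3,  /* missing CRLF after the size line */
    CHUNK_ERR_TOOBIG = -4   /* decoded body would exceed the output buffer */
};

/* The careless way to read a size line.  strtol accepts a sign, so the
 * advisory's "-1" becomes (size_t)-1 == SIZE_MAX; a following
 * malloc(size + 1) allocates 0 bytes and the copy overruns the heap. */
size_t naive_chunk_size(const char *line) {
    return (size_t)strtol(line, NULL, 16);
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "<hex>[;ext]\r\n".  Only unsigned hex digits, at most 7 of them,
 * so the size stays far below anything size_t arithmetic could wrap.
 * Returns bytes consumed, or a negative CHUNK_ERR_* value. */
static long parse_size_line(const char *p, size_t n, size_t *size_out) {
    size_t i = 0, size = 0;
    int digits = 0;
    while (i < n && hexval(p[i]) >= 0) {
        if (++digits > 7) return CHUNK_ERR_SIZE;
        size = size * 16 + (size_t)hexval(p[i]);
        i++;
    }
    if (digits == 0) return CHUNK_ERR_SIZE;   /* empty, or "-1": '-' is not a hex digit */
    while (i < n && p[i] != '\r') i++;        /* skip chunk extensions */
    if (i + 1 >= n || p[i] != '\r' || p[i + 1] != '\n') return CHUNK_ERR_SYNTAX;
    *size_out = size;
    return (long)(i + 2);
}

/* Decode a chunked body from in[0..in_len) into out[0..out_cap).
 * Returns the decoded length, or a negative CHUNK_ERR_* value. */
long decode_chunked(const char *in, size_t in_len, unsigned char *out, size_t out_cap) {
    size_t pos = 0, total = 0;
    for (;;) {
        size_t size;
        long used = parse_size_line(in + pos, in_len - pos, &size);
        if (used < 0) return used;
        pos += (size_t)used;
        if (size == 0) return (long)total;            /* last-chunk; trailers ignored */
        if (size > out_cap - total) return CHUNK_ERR_TOOBIG;
        if (size + 2 > in_len - pos) return CHUNK_ERR_LENGTH;   /* truncated chunk */
        /* The declared size is the only length we trust: the CRLF must sit
         * exactly `size` bytes in, otherwise the chunk carries more data
         * than declared (the advisory's second trigger). */
        if (in[pos + size] != '\r' || in[pos + size + 1] != '\n') return CHUNK_ERR_LENGTH;
        memcpy(out + total, in + pos, size);
        total += size;
        pos += size + 2;
    }
}

/* Constructed inputs: one well-formed body and the two malicious shapes. */
const char *const demo_good    = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
const char *const demo_negsize = "-1\r\nAAAA\r\n0\r\n\r\n";
const char *const demo_overrun = "4\r\nWikipedia\r\n0\r\n\r\n";
unsigned char demo_out[64];

int main(void) {
    printf("good:    %ld\n", decode_chunked(demo_good, strlen(demo_good), demo_out, sizeof demo_out));
    printf("size -1: %ld (naive parse gives %zu)\n",
           decode_chunked(demo_negsize, strlen(demo_negsize), demo_out, sizeof demo_out),
           naive_chunk_size(demo_negsize));
    printf("overrun: %ld\n", decode_chunked(demo_overrun, strlen(demo_overrun), demo_out, sizeof demo_out));
    return 0;
}
```

The two checks that matter are the digit-only size parse (so a sign can never reach the arithmetic) and the CRLF position test after the copy length, which is what turns "more data than declared" into a framing error instead of an overrun.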

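Entry 06.12.15 above is the kernel returning a `sockaddr_in` whose `sin_zero` padding still holds previously used memory. Added example, not Linux kernel code: the same mistake reproduced in user space, with a buggy fill that sets only the named fields beside a fixed one that clears the whole object first. The "stale" 0xAA contents and the stand-in for `getpeername()` are constructed here; the advisory's 6-byte figure is specific to the kernel code paths it names, while this demo simply counts every padding byte left untouched.

```c
/* Added example, not Linux kernel code: the sin_zero leak reproduced in
 * user space.  The bug class is filling a struct field by field and
 * copying the whole struct out; the padding keeps whatever the memory
 * held before. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buggy: sets only the named fields; sin_zero is left as found. */
void fill_peer_buggy(struct sockaddr_in *sa, uint32_t ip, uint16_t port) {
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    sa->sin_addr.s_addr = htonl(ip);
}

/* Fixed: zero the whole object before filling it, so every byte that
 * reaches the caller is either a field value or a zero. */
void fill_peer_fixed(struct sockaddr_in *sa, uint32_t ip, uint16_t port) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    sa->sin_addr.s_addr = htonl(ip);
}

/* Stand-in for getpeername(): the output object is reused memory that
 * previously held 0xAA bytes (constructed "stale" data).  Returns how
 * many bytes of sin_zero still carry the old contents. */
int sin_zero_leaked_bytes(int use_fixed) {
    struct sockaddr_in sa;
    memset(&sa, 0xAA, sizeof sa);                 /* what the buffer held before */
    if (use_fixed) fill_peer_fixed(&sa, 0x7f000001u, 25);
    else           fill_peer_buggy(&sa, 0x7f000001u, 25);
    int leaked = 0;
    for (size_t i = 0; i < sizeof sa.sin_zero; i++)
        if (sa.sin_zero[i] != 0) leaked++;
    return leaked;
}

int main(void) {
    printf("buggy fill leaks %d bytes of sin_zero\n", sin_zero_leaked_bytes(0));
    printf("fixed fill leaks %d bytes of sin_zero\n", sin_zero_leaked_bytes(1));
    return 0;
}
```

The general rule this illustrates: any object copied across a trust boundary (kernel to user, server to client, process to log) is cleared in full before the fields are set, because compilers and ABIs put padding where the author never wrote a byte.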

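Entry 06.12.18 above says fast_ipsec let every packet pass the anti-replay sequence-number check. Added example, not FreeBSD's code: the sliding-window check from RFC 2401 Appendix C, split into a check that runs before the ICV is verified and an update that runs only after it, so forged packets cannot move the window. The 64-bit window size and the packet trace are choices made here.

```c
/* Added example, not FreeBSD's fast_ipsec code: RFC 2401 Appendix C
 * style anti-replay window for an inbound IPsec SA. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u   /* bits; RFC 2401 requires at least 32 */

struct replay_state {
    uint32_t last_seq;  /* highest sequence number accepted so far (right edge) */
    uint64_t bitmap;    /* bit 0 = last_seq, bit k = last_seq - k */
};

/* Pure check, no state change: run this before the expensive ICV
 * verification so replays are dropped cheaply. */
bool replay_check(const struct replay_state *st, uint32_t seq) {
    if (seq == 0) return false;                  /* seq 0 is never valid */
    if (seq > st->last_seq) return true;         /* new right edge */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return false;     /* left of the window: too old */
    return (st->bitmap & (1ULL << diff)) == 0;   /* inside window: seen already? */
}

/* Update the window.  Call only after replay_check() returned true AND
 * the packet's ICV verified; updating first would let an attacker push
 * the window forward with forged packets and drop legitimate traffic. */
void replay_update(struct replay_state *st, uint32_t seq) {
    if (seq > st->last_seq) {
        uint32_t shift = seq - st->last_seq;
        st->bitmap = shift < REPLAY_WINDOW ? (st->bitmap << shift) | 1ULL : 1ULL;
        st->last_seq = seq;
    } else {
        st->bitmap |= 1ULL << (st->last_seq - seq);   /* < REPLAY_WINDOW by the check */
    }
}

/* Feed a constructed packet trace; returns how many packets were accepted. */
int replay_accept_count(const uint32_t *seqs, size_t n) {
    struct replay_state st = {0, 0};
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (replay_check(&st, seqs[i])) {   /* ... ICV verification would go here ... */
            replay_update(&st, seqs[i]);
            accepted++;
        }
    }
    return accepted;
}

/* Constructed trace: in order (1,2,3), a replay (2), a jump (100), a packet
 * now too old (3), a late but in-window packet (50), its replay (50), and
 * an invalid zero.  Five of the nine should be accepted. */
const uint32_t demo_trace[] = {1, 2, 3, 2, 100, 3, 50, 50, 0};
const size_t demo_trace_n = sizeof demo_trace / sizeof demo_trace[0];

int main(void) {
    printf("accepted %d of %zu packets\n",
           replay_accept_count(demo_trace, demo_trace_n), demo_trace_n);
    return 0;
}
```

A check that "allows all packets to pass", as the advisory puts it, is easy to write by accident: any version of `replay_check` whose window test or bitmap test is inverted, or that updates before verifying, degrades to exactly that. Testing it with a trace like the one above, rather than only with in-order traffic, is what catches it.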
 




Copyright © Lexa Software, 1996-2009.