> *************************
> Widely Deployed Software
> *************************
>
> (1) HIGH: AOL Nullsoft Winamp Multiple Buffer Overflows
> Affected:
> Winamp versions 5.23, 5.3 and possibly prior
>
> Description: Winamp, a popular media player, contains multiple
> heap-based buffer overflows. Winamp supports AOL's Ultravox media
> streaming protocol. One of the heap-based overflows can be triggered by
> supplying a specially crafted "ultravox-max-msg" header. The second
> overflow can be triggered by specially crafted Lyrics3 tags, which are
> used to embed lyrics in an MP3 file. A malformed playlist file (.m3u or
> .pls extension) or a crafted "shout:" URI or a crafted "uvox:" URI can
> trigger these overflows to execute arbitrary code on a Winamp user's
> system. Note that Internet Explorer opens playlist files, "shout:" URIs
> and "uvox:" URIs automatically. Hence, browsing a malicious site or
> clicking a malicious link is sufficient to exploit these overflows.
>
> Status: Winamp has released version 5.31 to address these
> vulnerabilities.
>
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> iDefense Advisories
> http://archives.neohapsis.com/archives/bugtraq/2006-10/0424.html
> http://archives.neohapsis.com/archives/bugtraq/2006-10/0418.html
> Ultravox Protocol Specification
> http://ultravox.aol.com/Ultravox3.pdf
> Lyrics3 Tag
> http://www.id3.org/lyrics3.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/20744
>
> ******************************************************************
>
> ************
> Exploit Code
> ************
>
> (4) CRITICAL: Novell eDirectory iMonitor Buffer Overflow
>
> References:
> Exploit Code
> http://www.milw0rm.com/exploits/2671
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=42#widely1
>
>
> 06.43.1 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer ADODB.Connection Execute Denial of Service
> Description: Microsoft Internet Explorer is vulnerable to a denial of
> service issue when the browser processes the "Execute" method of the
> "ADODB.Connection.2.7" object. Microsoft Internet Explorer versions
> 6.0 SP1 and earlier are vulnerable.
> Ref: http://www.securityfocus.com/bid/20704
> ______________________________________________________________________
>
> 06.43.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer 7 Popup Window Address Bar Spoofing Weakness
> Description: Microsoft Internet Explorer 7 is vulnerable to a popup
> window address bar spoofing issue because it is possible to display a
> popup window with only a portion of the address bar initially
> displayed to the user. Microsoft Internet Explorer version 7 on
> Windows XP with Service Pack 2 is vulnerable.
> Ref: http://secunia.com/advisories/22542/
> ______________________________________________________________________
>
> 06.43.3 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft .NET Framework Request Filtering Bypass
> Description: Microsoft .NET Framework is vulnerable to an issue that
> may permit the bypassing of content filtering. Microsoft .NET
> Framework version 2.0 is vulnerable.
> Ref: http://www.securityfocus.com/bid/20753
>
> 06.43.9 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Nullsoft Winamp Ultravox Multiple Remote Heap Overflow
> Vulnerabilities
> Description: AOL Nullsoft Winamp is a media player from AOL. It is
> vulnerable to multiple Ultravox related remote heap buffer overflow
> vulnerabilities due to improper boundary checks. Nullsoft Winamp
> versions 5.3 and earlier are vulnerable.
> Ref:
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=431
> ______________________________________________________________________
>
> 06.43.17 CVE: Not Available
> Platform: BSD
> Title: FreeBSD Crypto Local Denial of Service
> Description: FreeBSD is prone to a local denial of service
> vulnerability when the CIOCKEY "ioctl()" command is called on
> "/dev/crypto" with an excessively large "crp-nbits" value. An attacker
> may leverage this issue to crash the affected computer. FreeBSD
> version 6.1 is reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/20713
> ______________________________________________________________________
>
> 06.43.18 CVE: Not Available
> Platform: Novell
> Title: Novell eDirectory iMonitor HTTPSTK Buffer Overflow
> Description: iMonitor is a web-based management interface used for
> eDirectory which is directory server software. It is affected by a
> buffer overflow issue because the HTTP stack fails to perform
> sufficient bounds checks on the request header. eDirectory versions
> 8.7.3.8 and earlier are affected.
> Ref:
> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-2974603&sliceId=&dialogID=16690465&stateId=0%200%2016688551
> ______________________________________________________________________
>
> 06.43.19 CVE: Not Available
> Platform: Novell
> Title: Novell eDirectory EvtFilteredMonitorEventsRequest Multiple
> Vulnerabilities
> Description: Novell eDirectory is a directory server software package.
> The "evtFilteredMonitorEventsRequest" function is vulnerable to two
> security issues. It is affected by a buffer overflow issue and an
> invalid free issue because it fails to perform sufficient bounds
> checking on client supplied data. eDirectory versions 8.8 and 8.8.1
> are affected.
> Ref: http://www.securityfocus.com/bid/20663
> ______________________________________________________________________
>
> 06.43.20 CVE: Not Available
> Platform: Cross Platform
> Title: Symantec Mail Security for Domino Server Premium AntiSpam Email
> Relay
> Description: Symantec Mail Security for Domino Server provides
> protection against security risks, unwanted content and spam on Domino
> servers. Symantec Mail Security for Domino Server 5.1.0 is affected.
> Please refer to the link below for further details.
> Ref: http://www.symantec.com/avcenter/security/Content/2006.10.19.html
> ______________________________________________________________________
>
> 06.43.21 CVE: CVE-2006-4177
> Platform: Cross Platform
> Title: Novell eDirectory NCP Packet Processing Remote Heap Overflow
> Description: eDirectory is a directory server software package
> available for multiple platforms. Novell eDirectory server is prone to
> a heap overflow vulnerability because the server fails to perform
> sufficient bounds checks on NCP data provided by the client before
> copying it into an insufficiently sized buffer. eDirectory versions
> 8.8.1 and 8.8 were reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/20664
> ______________________________________________________________________
>
> 06.43.24 CVE: Not Available
> Platform: Cross Platform
> Title: Sun Java System/iPlanet Messaging Server Webmail JavaScript
> Injection
> Description: Sun Java Messaging Server and iPlanet Messaging Server
> are prone to a vulnerability that may permit the execution of
> arbitrary attacker supplied JavaScript. This issue exists in the
> Webmail facility and may be exploited by injecting hostile script code
> through emails. This issue is due to a failure in the application to
> properly sanitize user-supplied input.
> Ref: http://www.securityfocus.com/bid/20708
> ______________________________________________________________________
>
> 06.43.26 CVE: Not Available
> Platform: Cross Platform
> Title: PostgreSQL Multiple Local Denial of Service Vulnerabilities
> Description: PostgreSQL is a relational database suite. It is exposed
> to multiple local denial of service issues. PostgreSQL versions 8.1.4
> and earlier are affected.
> Ref: http://www.postgresql.org/about/news.664
> ______________________________________________________________________
>
> 06.43.31 CVE: Not Available
> Platform: Cross Platform
> Title: wvWare Multiple Integer Overflow Vulnerabilities
> Description: wvWare is a library to parse Word 2000, 97, 95 and 6 file
> formats. It is prone to multiple integer overflow vulnerabilities due
> to insufficient bounds checking in the "wvGetLFO_records()" and the
> "wvGetLFO_PLF()" functions. This issue may be exploited via a
> maliciously crafted Word document. Versions 1.2.2 and prior are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/20761
> ______________________________________________________________________
>
> 06.43.32 CVE: CVE-2006-5468, CVE-2006-4805, CVE-2006-5740,
> CVE-2006-5469, CVE-2006-4574
> Platform: Cross Platform
> Title: Wireshark Multiple Protocol Dissectors Denial of Service
> Vulnerabilities
> Description: Wireshark is prone to multiple denial of service
> vulnerabilities. These issues affect the HTTP, LDAP, XOT, WBXML, and
> MIME Multipart dissectors. The issue affecting the MIME Multipart
> arises due to an off-by-one error, which can potentially lead to
> arbitrary code execution. Wireshark versions prior to 0.99.4 are
> affected.
> Ref: http://www.wireshark.org/security/wnpa-sec-2006-03.html
> ______________________________________________________________________