Spyware, viruses, & security forum: VULNERABILITIES - February 14, 2007

Snort contains a vulnerability in the rule matching algorithm that
could result in a Denial of Service.

Background
==========

Snort is a widely deployed intrusion detection program.

Description
===========

Randy Smith, Christian Estan and Somesh Jha discovered that the rule
matching algorithm of Snort can be exploited in a way known as a
"backtracking attack" to perform numerous time-consuming operations.

Impact
======

A remote attacker could send specially crafted network packets, which
would result in the cessation of the detections and the consumption of
the CPU resources.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Snort users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.2"

References
==========

[ 1 ] CVE-2006-6931
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6931

Availability
http://security.gentoo.org/glsa/glsa-200702-03.xml

TITLE:
MailEnable NTLM Authentication Denial of Service

SECUNIA ADVISORY ID:
SA24139

VERIFY ADVISORY:
http://secunia.com/advisories/24139/

CRITICAL:
Moderately critical

IMPACT:
DoS

WHERE:
From remote

SOFTWARE:
MailEnable Enterprise Edition 2.x
http://secunia.com/product/10427/
MailEnable Professional 2.x
http://secunia.com/product/10625/

DESCRIPTION:
mu-b has discovered a vulnerability in MailEnable, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within
"NTLM_UnPack_Type3()" (MENTLM.DLL) when processing NTLM
authentication data. This can be exploited e.g. to crash the IMAP or
POP service via a specially crafted series of commands and data.

The vulnerability is confirmed in MailEnable Professional version
2.35. Other versions may also be affected.

SOLUTION:
Update to version 2.351 or later.

PROVIDED AND/OR DISCOVERED BY:
mu-b

ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052427.html

Cisco IOS Intrusion Prevention System Denial of Service and Security Bypass Issues

Advisory ID : FrSIRT/ADV-2007-0597
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-02-14

Technical Description Receive your personalized alerts in a Text format Receive your personalized alerts in a PDF format Receive your personalized alerts in an XML format

Two vulnerabilities have been identified in Cisco IOS, which could be exploited by attackers to bypass security restrictions or cause a denial of service.

The first issue is due to an error within various IPS signatures when processing certain network traffic via regular expressions, which could be exploited by attackers to bypass signature inspection by sending malicious network traffic as IP fragments.

The second vulnerability is due to an error within the "ATOMIC.TCP" signature engine when processing certain network traffic via regular expressions, which could be exploited by attackers to crash a vulnerable device, creating a denial of service condition.

Solution

Apply patches :
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml#software

References

http://www.frsirt.com/english/advisories/2007/0597
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml

Credits

Vulnerabilities reported by the vendor

Adobe JRun Administrator Console Client-Side Cross Site Scripting Vulnerability

Advisory ID : FrSIRT/ADV-2007-0594
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-02-14

Technical Description Receive your personalized alerts in a Text format Receive your personalized alerts in a PDF format Receive your personalized alerts in an XML format

A vulnerability has been identified in Adobe JRun, which could be exploited by attackers to execute arbitrary scripting code. This issue is due to an input validation error within the administrator console, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Note : This issue also affects ColdFusion MX 7.0 Enterprise Edition when installed as the "Multi-Server" option, and ColdFusion MX 6.1 Enterprise when installed with the "J2EE" option and deployed on JRun 4.0.

Affected Products

Adobe JRun 4.0
Adobe ColdFusion MX 7.0 Enterprise Edition
Adobe ColdFusion MX 6.1 Enterprise

Solution

Apply patch :
http://download.macromedia.com/pub/security/bulletins/apsb07-05/jrun-hotfix-66413.jar

References

http://www.frsirt.com/english/advisories/2007/0594
http://www.adobe.com/support/security/bulletins/apsb07-05.html

Credits

Vulnerability reported by Daiki Fukumori(Secure Sky Technology, Inc).

Adobe ColdFusion MX URL Handling Client-Side Cross Site Scripting Vulnerability

Advisory ID : FrSIRT/ADV-2007-0592
CVE ID : CVE-2006-5859
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-02-14

Technical Description Receive your personalized alerts in a Text format Receive your personalized alerts in a PDF format Receive your personalized alerts in an XML format

A vulnerability has been identified in Adobe ColdFusion MX, which could be exploited by attackers to execute arbitrary scripting code. This issue is due to an input validation error when processing a malformed URL while the Global Script Protection feature is not enabled, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products

Adobe ColdFusion MX 7

Solution

Upgrade to ColdFusion MX 7.0.2 and apply patch :
http://download.macromedia.com/pub/security/bulletins/apsb07-03/apsb07-03.zip

References

http://www.frsirt.com/english/advisories/2007/0592
http://www.adobe.com/support/security/bulletins/apsb07-03.html

Credits

Vulnerability reported by Daiki Fukumori (Secure Sky Technology, Inc).

Sun Solaris X Font Server X Render and DBE Extensions Privilege Escalation Issues

Advisory ID : FrSIRT/ADV-2007-0589
CVE ID : CVE-2003-0730 - CVE-2006-6101 - CVE-2006-6102 - CVE-2006-6103
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-02-14

Technical Description Receive your personalized alerts in a Text format Receive your personalized alerts in a PDF format Receive your personalized alerts in an XML format

Multiple vulnerabilities have been identified in X Font Server for Sun Solaris, which could be exploited by local attackers to obtain elevated privileges. For additional information, see : FrSIRT/ADV-2007-0108

Affected Products

Sun Solaris 10
Sun Solaris 9
Sun Solaris 8

Solution

Solaris 8 (SPARC) - Apply patch 119067-06 or later and 109862-04 or later
Solaris 8 (x86) - Apply patch 119068-06 or later and 109863-04 or later

References

http://www.frsirt.com/english/advisories/2007/0589
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102803-1

TITLE:
Gentoo update for snort

SECUNIA ADVISORY ID:
SA24164

VERIFY ADVISORY:
http://secunia.com/advisories/24164/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
From remote

OPERATING SYSTEM:
Gentoo Linux 1.x
http://secunia.com/product/339/

DESCRIPTION:
Gentoo has issued an update for snort. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

For more information:
SA23716

SOLUTION:
Update to "net-analyzer/snort-2.6.1.2".

ORIGINAL ADVISORY:
http://www.gentoo.org/security/en/glsa/glsa-200702-03.xml

OTHER REFERENCES:
SA23716:
http://secunia.com/advisories/23716/

TITLE:
Gentoo update for proftpd

SECUNIA ADVISORY ID:
SA24163

VERIFY ADVISORY:
http://secunia.com/advisories/24163/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

OPERATING SYSTEM:
Gentoo Linux 1.x
http://secunia.com/product/339/

DESCRIPTION:
Gentoo has issued an update for proftpd. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.

For more information:
SA23371

SOLUTION:
Update to "net-ftp/proftpd-1.3.1_rc1" or later.

ORIGINAL ADVISORY:
http://www.gentoo.org/security/en/glsa/glsa-200702-02.xml

OTHER REFERENCES:
SA23371:
http://secunia.com/advisories/23371/

TITLE:
@Mail "keywords" Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA24155

VERIFY ADVISORY:
http://secunia.com/advisories/24155/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
@Mail 4.x
http://secunia.com/product/5459/

DESCRIPTION:
Lostmon has reported a vulnerability in @Mail, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed to the "keywords" parameter in search.pl is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

The vulnerability is reported in version 4.61, 4.6, 4.51, 4.03
WebMail for Windows, and 4.11 for Linux. Other versions may also be
affected.

SOLUTION:
Filter malicious characters and character sequences in a web proxy.

PROVIDED AND/OR DISCOVERED BY:
Lostmon

ORIGINAL ADVISORY:
http://lostmon.blogspot.com/2007/02/mail-searchpl-keywords-variable-cross.html

Bugtraq ID: 22479
Class: Input Validation Error
CVE: CVE-2006-5270

This issue is currently being exploited via Portable Document Files (PDF), but other Microsoft applications are also reported vulnerable.

An attacker could exploit this issue by enticing a victim into receiving or opening a malicious Office file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

Updated: Feb 14 2007 04:37PM
Credit: Neel Mehta and Alex Wheeler of ISS X-Force discovered this issue.
Vulnerable: Microsoft Windows Live OneCare 0
Microsoft Windows Defender x64 Edition 0
Microsoft Windows Defender 0
Microsoft Forefront Security for SharePoint Server 1.0
Microsoft Forefront Security for Exchange Server 1.0
Microsoft ForeFront 0
Microsoft Antigen 9.0

http://www.securityfocus.com/bid/22479/info

TITLE:
web-app.org WebAPP Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA24080

VERIFY ADVISORY:
http://secunia.com/advisories/24080/

CRITICAL:
Moderately critical

IMPACT:
Unknown, Cross Site Scripting

WHERE:
From remote

SOFTWARE:
web-app.org WebAPP 0.x
http://secunia.com/product/3829/

DESCRIPTION:
Some vulnerabilities have been reported in web-app.org WebAPP. Some
have unknown impact, while others can be exploited by malicious
people to conduct cross-site scripting and script insertion attacks.

1) Input passed to multiple parameters (e.g. "showlog" when viewing
statistics logs) is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.

2) Input passed to multiple parameters is not properly sanitised
before being used. This can be exploited to insert arbitrary HTML and
script code, which is executed in a user's browser session in context
of an affected site when the malicious data is viewed.

NOTE: More security related issues have been reported. However, no
further information about impact or vector is available.

SOLUTION:
Update to version 0.9.9.5.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250

Microsoft Windows OLE Dialog Remote Code Execution Vulnerability

Bugtraq ID: 22483
Class: Unknown
CVE: CVE-2007-0026

An attacker could exploit this issue by enticing a victim to load a malicious RTF file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

Updated: Feb 14 2007 08:37PM
Credit: Kostya Kortchinsky of Immunity, Inc. is credited with the discovery of this vulnerability.

http://www.securityfocus.com/bid/22483/info

Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption Vulnerability


Bugtraq ID: 22486
Class: Design Error
CVE: CVE-2006-4697

Internet Explorer 7 on Microsoft Vista is not affected by this issue; Internet Explorer 7 on other Windows versions is affected only if COM objects have been enabled by the ActiveX opt-in feature.

This BID is similar to the one described in BID 15827 (Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability), but it affects a different set of COM objects.

Updated: Feb 14 2007 08:17PM
Credit: The vendor disclosed this issue.

http://www.securityfocus.com/bid/22486/info