Spyware, viruses, & security forum: VULNERABILITIES / FIXES - January 10, 2013

CiscoWorks Prime LAN Management Solution (LMS) Command Injection Vulnerability

Release Date : 2013-01-10

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: CiscoWorks Prime LAN Management Solution (LMS) 4.x

Description:
A vulnerability has been reported in CiscoWorks Prime LAN Management Solution (LMS), which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error when validating certain authentication and authorization commands and can be exploited to inject and execute arbitrary commands as the "root" user by sending a specially crafted command to certain TCP ports.

The vulnerability is reported in Linux-based Cisco Prime LMS Virtual Appliances versions prior to 4.2.3.

Solution:
Update to version 4.2.3 or apply patches.

Provided and/or discovered by
Reported by the vendor.

Original Advisory:
Cisco (cisco-sa-20130109-lms):
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms

http://secunia.com/advisories/51814/

Release Date : 2013-01-10

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for acroread. This fixes multiple vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0150-1:
https://rhn.redhat.com/errata/RHSA-2013-0150.html

http://secunia.com/advisories/51811/

Release Date : 2013-01-10

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Oracle Solaris 11.x

Description:
Oracle has acknowledged a vulnerability in tcsd included in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply 11/11 SRU 13.4.

Original Advisory:
https://blogs.oracle.com/sunsecurity/entry/cve_2012_0698_denial_of

http://secunia.com/advisories/51805/

Zoom Player JPEG Image Processing Code Execution Vulnerability

Release Date : 2013-01-10

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: Zoom Player 8.x

Description:
Debasish Mandal has reported a vulnerability in Zoom Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error when processing JPEG images and can be exploited to execute arbitrary code via a specially crafted JPEG image.

The vulnerability is reported in version 8.5.0. Prior versions may also be affected.

Solution:
Update to version 8.5.1.

Provided and/or discovered by:
Debasish Mandal

Original Advisory:
Zoom Player:
http://forum.inmatrix.com/index.php?showtopic=13904

Debasish Mandal:
http://www.debasish.in/2013/01/jpeg-of-deathzoom-player-jpeg-file.html

http://secunia.com/advisories/51796/

WordPress GRAND FlAGallery Plugin Directory Enumeration Weakness

Release Date: 2013-01-10

Criticality level : Not critical
Impact: Exposure of system information
Where : From remote
Solution Status : Unpatched

Software: Wordpress GRAND FlAGallery Plugin (2.x)

Description:
Janek Vind has discovered a weakness in the GRAND FlAGallery plugin for WordPress, which can be exploited by malicious people to disclose sensitive information.

The weakness is caused due to the wp-content/plugins/flash-album-gallery/facebook.php script returning different responses depending on whether or not a directory exists. This can be exploited to check the existence of directories.

The weakness is confirmed in version 2.17. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Janek Vind "waraxe"

Original Advisory:
Janek Vind "waraxe":
http://www.waraxe.us/advisory-94.html

http://secunia.com/advisories/51601/

Drupal Search API Module Cross-Site Scripting and Script Insertion Vulnerabilities

Release Date : 2013-01-10

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Drupal Search API Module 7.x

Description:
Two vulnerabilities have been reported in the Search API module for Drupal, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

1) Certain unspecified input related to error messages in e.g. the database backend view is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain unspecified input related to field names within the admin view is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation of this vulnerability requires the malicious user to have privileges to change the field names of an indexed entity type.

The vulnerabilities are reported in versions prior to 7.x-1.4.

Solution:
Update to version 7.x-1.4.

Provided and/or discovered by:
The vendor credits:
1) Josh Stroschein;
2) Francisco Jose Cruz Romanos.

Original Advisory:
SA-CONTRIB-2013-001:
http://drupal.org/node/1884332

http://secunia.com/advisories/51806/

Release Date : 2013-01-09

Criticality level : Highly critical
Impact : Security Bypass
Privilege escalation
System access
Where : From remote
Solution Status : Vendor Patch

Software: Adobe Acrobat 9.x
Adobe Acrobat X 10.x
Adobe Acrobat XI 11.x
Adobe Reader 9.x
Adobe Reader X 10.x
Adobe Reader XI 11.x

Description:
Multiple vulnerabilities have been reported in Adobe Reader and Adobe Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to bypass certain security restrictions and compromise a user's system.

1) An unspecified error can be exploited to corrupt memory.

2) Some unspecified errors can be exploited to corrupt memory.

3) Another unspecified error can be exploited to corrupt memory.

4) A use-after-free error can be exploited to dereference already freed memory.

5) An unspecified error can be exploited to cause a heap-based buffer overflow.

6) Another unspecified error can be exploited to cause a heap-based buffer overflow.

7) An unspecified error can be exploited to cause a stack-based buffer overflow.

8) Another unspecified error can be exploited to cause a stack-based buffer overflow.

9) Some unspecified errors can be exploited to cause buffer overflows.

10) Some integer overflow errors can be exploited to corrupt memory.

11) An unspecified error can be exploited to gain escalated privileges.

12) Some unspecified logic errors can be exploited to execute arbitrary code.

13) An unspecified error can be exploited to bypass certain security restrictions.

14) Another unspecified error can be exploited to bypass certain security restrictions.

Successful exploitation of vulnerabilities #1 through #10 and #12 may allow execution of arbitrary code.

The vulnerabilities are reported in the following products:
* Adobe Reader XI and Acrobat XI version 11.0.0 for Windows and Macintosh.
* Adobe Reader X and Acrobat X versions 10.1.4 and prior for Windows and Macintosh.
* Adobe Reader and Acrobat versions 9.5.2 and prior for Windows and Macintosh.
* Adobe Reader for Linux versions 9.5.1 and prior.

Solution:
Update to a fixed version.

Provided and/or discovered by:
1) The vendor credits Nicolas Gregoire via iDefense Labs
2, 4, 7, 9, 10, 12) The vendor credits Mateusz Jurczyk and Gynvael Coldwind, Google Security Team
3) The vendor independently credits David D. Rude II, iDefense Labs and Alexander Gavrun via iDefense Labs
5) The vendor credits Tom Gallagher, Microsoft and Microsoft Vulnerability Research
6) The vendor credits Alexander Gavrun via iDefense Labs
8) Reported by the vendor
11) The vendor independently credits Myke Hamada, Joost Bakker, Anand Bhat, and Timothy McKenzie
13) The vendor credits Joel Geraci, Practical:PDF
14) The vendor independently credits Billy Rios, Federico Lanusse, and Mauro Gentile

Original Advisory:
Adobe (APSB13-02):
http://www.adobe.com/support/security/bulletins/apsb13-02.html

http://secunia.com/advisories/51791/

Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities

Release Date : 2013-01-09

Criticality level : Highly critical
Impact : Security Bypass
Spoofing
Exposure of sensitive information
System access
Where : From remote
Solution Status : Vendor Patch

Software: Mozilla Firefox 17.x
Mozilla SeaMonkey 2.x
Mozilla Thunderbird 17.x

Description:
Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird, and SeaMonkey, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, disclose sensitive information, and compromise a user's system.

1) Several unspecified errors in the browser engine can be exploited to corrupt memory.

2) Several unspecified errors in the browser engine can be exploited to corrupt memory.

3) Several unspecified errors in the browser engine can be exploited to corrupt memory.

4) An error within the "CharDistributionAnalysis::HandleOneChar()" function can be exploited to cause a buffer overflow.

5) A use-after-free error exists within the "imgRequest::OnStopFrame()" function.

6) A use-after-free error exists within ~nsHTMLEditRules.

7) A use-after-free error exists within the "mozilla::TrackUnionStream::EndTrack()" function.

8) A use-after-free error exists within Mesa when resizing a WebGL canvas.

9) An error within the "gfxTextRun::ShrinkToLigatureBoundaries()" function can be exploited to cause a heap-based buffer overflow.

10) An error within the "nsWindow::OnExposeEvent()" function can be exploited to cause a heap-based buffer overflow.

11) An error when parsing height and width values of a canvas element can be exploited to cause a stack-based buffer overflow.

12) An error exists which can be exploited to spoof the URL displayed in the addressbar while the page is loading.

13) A use-after-free error exists when displaying a table with many columns and column groups.

14) An error exists within the "nsSOCKSSocketInfo::ConnectToProxy()" function when handling SSL connection threads.

15) An error exists due to the AutoWrapperChanger class not keeping certain objects alive during garbage collection.

16) An error related to quickstubs can be exploited to cause a compartment mismatch and may cause the garbage collection to occur incorrectly.

17) An error related to events in the plugin handler can be exploited to bypass the same-origin policy.

18) An error within the "XBL.__proto__.toString()" function can be exploited to disclose the address space layout.

19) An integer overflow error when calculating the length of a JavaScript string concatenation can be exploited to cause a heap-based buffer overflow.

20) An error related to XBL files containing multiple XML bindings with SVG content can be exploited to corrupt memory.

21) An error within the "Object.prototype.__proto__()" function can be exploited to bypass Chrome Object Wrappers (COW) and gain access to chrome privileged functions.

22) An error related to plugin objects can be exploited to open a chrome privileged web page.

23) A use-after-free error exists within the XMLSerializer.serializeToStream()".

24) A use-after-free error exists within the ListenerManager when garbage collection is forced on certain data allocated in listener objects.

25) A use-after-free error exists within the Vibrate library related to the domDoc pointer.

26) A use-after-free error exists in the JavaScript Proxy class within the "obj_toSource()" function.

Successful exploitation of vulnerabilities #1 through #11, #13 through #16, and #19 through #26 may allow execution of arbitrary code.

Solution:
Update to fixed version

Provided and/or discovered by:
The vendor credits:

1) Christoph Diehl, Christian Holler, Mats Palmgren, and Chiaki Ishikawa
2) Bill Gianopoulos, Benoit Jacob, Christoph Diehl, Christian Holler, Gary Kwong, Robert O'Callahan, and Scoobidiver
3) Jesse Ruderman, Christian Holler, Julian Seward, and Scoobidiver
4-10) Abhishek Arya (Inferno), Google Chrome Security Team
11) miaubiz
12) Masato Kinugawa
13) Atte Kettunen, OUSPG
14) Jerry Baker
15) Olli Pettay
16) Boris Zbarsky
17, 18) Jesse Ruderman
19) pa_kt via ZDI
20) Sviatoslav Chagaev
21, 22) Mariusz Mlynski
23-26) regenrecht via ZDI

Original Advisory:
https://www.mozilla.org/security/announce/2013/mfsa2013-01.html
https://www.mozilla.org/security/announce/2013/mfsa2013-02.html
https://www.mozilla.org/security/announce/2013/mfsa2013-03.html
https://www.mozilla.org/security/announce/2013/mfsa2013-04.html
https://www.mozilla.org/security/announce/2013/mfsa2013-05.html
https://www.mozilla.org/security/announce/2013/mfsa2013-07.html
https://www.mozilla.org/security/announce/2013/mfsa2013-08.html
https://www.mozilla.org/security/announce/2013/mfsa2013-09.html
https://www.mozilla.org/security/announce/2013/mfsa2013-10.html
https://www.mozilla.org/security/announce/2013/mfsa2013-11.html
https://www.mozilla.org/security/announce/2013/mfsa2013-12.html
https://www.mozilla.org/security/announce/2013/mfsa2013-13.html
https://www.mozilla.org/security/announce/2013/mfsa2013-14.html
https://www.mozilla.org/security/announce/2013/mfsa2013-15.html
https://www.mozilla.org/security/announce/2013/mfsa2013-16.html
https://www.mozilla.org/security/announce/2013/mfsa2013-17.html
https://www.mozilla.org/security/announce/2013/mfsa2013-18.html
https://www.mozilla.org/security/announce/2013/mfsa2013-19.html

http://secunia.com/advisories/51752/

Release Date : 2013-01-09

Criticality level : Highly critical
Impact : Security Bypass
Spoofing
Exposure of sensitive information
System access
Where : From remote
Solution Status : Vendor Patch

Operating System : Ubuntu Linux 10.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04

Description:
Ubuntu has issued an update for thunderbird. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, disclose sensitive information, and compromise a user's system.

Solution:
Apply updated packages.

Original Advisory:
USN-1681-2:
http://www.ubuntu.com/usn/usn-1681-2/

http://secunia.com/advisories/51754/

Release Date : 2013-01-09

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status Vendor Patch

Software: Ruby on Rails 2.3.x
Ruby on Rails 3.0.x
Ruby on Rails 3.1.x
Ruby on Rails 3.2.x

Description:
A vulnerability has been reported in Ruby on Rails, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error when parsing XML parameters, which allows symbol and yaml types to be a part of the request and can be exploited to execute arbitrary commands.

NOTE: Additionally, a weakness exists when handling JSON parameters, which can lead to the query to check for NULL or eliminate a WHERE clause.

The vulnerability is reported in versions prior to 3.2.11, 3.1.10, 3.0.19, and 2.3.15.

Solution:
Update to version 3.2.11, 3.1.10, 3.0.19, or 2.3.15 or apply patch.

Provided and/or discovered by:
The vendor credits Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen, and Charlie Somerville.

Original Advisory:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI

http://secunia.com/advisories/51753/

Call of Duty Elite for iOS Certificate Verification Security Issue

Release Date : 2013-01-09

Criticality level : Less critical
Impact : Spoofing
Where : From remote
Solution Status : Unpatched

Software: Call of Duty Elite for iOS 2.x

Description:
Charlie Eriksen has discovered a security issue in Call of Duty Elite for iOS, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not properly verifying the server SSL certificate. This can be exploited to e.g. spoof the server via a MitM (Man-in-the-Middle) attack and e.g. disclose potentially sensitive information.

The security issue is confirmed in version 2.0.1. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Charlie Eriksen via Secunia.

http://secunia.com/advisories/51366/