-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1
ANOTHER VICTIM FALLS DEAD FROM FULL DISCLOSURE
On Tue, 30 Jan 2007 08:18:25 -0500 douglas.graham@ntlworld.comwrote:>> Hello. I
am Douglas GrahamÂs Father (Roy Graham). It is with>great regret that I have
to inform you that Douglas passed away on>the 22nd November 2006. after a very
short illness. I apologise>for the delay in letting you know, but I have only
recently been>able to access his email account.>My wife Jacqui and I would like
to thank you for assisting Douglas>in the past and please would you remove his
details from your data>base. We hope that this email does not cause you any
distress.>Should you need to contact me my email address is:>Braingoing@aol.com
please enter DIGA as the subject, so that I>know that it is not spam.>
Regards, Roy Graham>>> From:
full-disclosure-request@lists.grok.org.uk>> Date: 2007/01/30 Tue PM 12:00:01
GMT>> To: full-disclosure@lists.grok.org.uk>> Subject: Full-Disclosure Digest,
Vol 23, Issue 56>>>> Send Full-Disclosure mailing list submissions to>>
full-disclosure@lists.grok.org.uk>>>> To subscribe or unsubscribe via the World
Wide Web, visit>>
https://lists.grok.org.uk/mailman/listinfo/full-disclosure>> or, via email,
send a message with subject or body 'help' to>>
full-disclosure-request@lists.grok.org.uk>>>> You can reach the person managing
the list at>> full-disclosure-owner@lists.grok.org.uk>>>> When replying,
please edit your Subject line so it is more>specific>> than "Re: Contents of
Full-Disclosure digest...">>>>>> Note to digest recipients - when replying to
digest posts,>please trim your post appropriately. Thank you.>>>>>> Today's
Topics:>>>> 1. CVSTrac 2.0.0 Denial of Service (DoS) vulnerability>>
(Ralf S. Engelschall)>> 2. [OpenPKG-SA-2007.008] OpenPKG Security
Advisory (cvstrac)>> (OpenPKG GmbH)>> 3. Oracle - Indirect
Privilege Escalation and Defeating>Virtual>> Private Databases (David
Litchfield)>> 4. Phishing Evolution Report Released (S?nnet Beskerming)>>
5. Universal printer provider exploit for Windows (Andres>Tarasco)>> 6.
[DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary>code>>
execution issue (Uwe Hermann)>> 7. PC/Laptop microphones (Jim Popovitch)>>
8. Re: S21sec-034-en: Cisco VTP DoS vulnerability>> (Clay
Seaman-Kossmeyer)>> 9. Re: PC/Laptop microphones (Tyop?)>> 10. Re:
PC/Laptop microphones (Simon Smith)>> 11. Re: PC/Laptop microphones (Clement
Dupuis)>> 12. Re: PC/Laptop microphones (Jim Popovitch)>> 13. Re: PC/Laptop
microphones (Simon Smith)>> 14. Re: S21sec-034-en: Cisco VTP DoS
vulnerability>> (Clay Seaman-Kossmeyer)>> 15. COSEINC Alert: Microsoft
Agent Heap Overflow Vulnerability>> Technical Details (Patched)
(COSEINC)>>>>>>
----------------------------------------------------------------->----->>>>
Message: 1>> Date: Mon, 29 Jan 2007 13:27:38 +0100>> From: "Ralf S.
Engelschall" <rse@engelschall.com>>> Subject: [Full-disclosure] CVSTrac 2.0.0
Denial of Service (DoS)>> vulnerability>> To:
full-disclosure@lists.grok.org.uk>> Message-ID:
<20070129122738.GA45233@engelschall.com>>> Content-Type: text/plain;
charset=us-ascii>>>> SECURITY ADVISORY>> =================>>>> Application:
CVSTrac>> Version: 2.0.0>> Vulnerability: Denial of Service (DoS)>>
Identification: CVE-2007-0347>> Date: 2007-01-29 12:00 UTC>>>>
DESCRIPTION>> ----------->>>> A Denial of Service (DoS) vulnerability exists in
CVSTrac>> (http://www.cvstrac.org/) version 2.0.0, a web-based bug
and>patch-set>> tracking system for the version control systems CVS,
Subversion>and Git.>>>> The vulnerability is in the Wiki-style text output
formatter and>is>> triggered by special text constructs in commit messages,
tickets>and>> Wiki pages. Only users with check-in permissions and Wiki
or>ticket edit>> permissions can perform an attack. But as the anonymous
user>usually>> is granted Wiki edit and ticket creation permissions,
an>attacker>> remotely and anonymously can cause a partial DoS (depending
on>the pages>> requested) on a CVSTrac installation by opening a new ticket
or>editing>> a Wiki page with an arbitrary text containing for instance
the>string>> "/foo/bar'quux".>>>> The result of an attack is an error of the
underlying SQLite>RDBMS:>>>> | Database Error>> | db_exists: Database exists
query failed>> | SELECT filename FROM filechng
WHERE>filename='foo/bar'quux'>> | Reason: near "quux": syntax error>>>>
ANALYSIS>> -------->>>> The DoS vulnerability exists because the is_eow()
function in>"format.c">> does NOT just check the first(!) character of the
supplied>string>> for an End-Of-Word terminating character, but instead
iterates>over>> string and this way can skip a single embedded quotation
mark.>The>> is_repository_file() function then in turn assumes that
the>filename>> string can never contain a single quotation mark and traps
into>an SQL>> escaping problem.>>>> An SQL injection via this technique is
somewhat limited as>is_eow()>> bails on whitespace. So while one _can_ do an
SQL injection, one>is>> limited to SQL queries containing only characters which
get past>the>> function isspace(3). This effectively limits attacks to
SQL>commands>> like "VACUUM".>>>> WORKAROUND>> ---------->>>> Administrators
can quickly workaround by revoking permissions on>the>> users. Restoring those
permissions, obviously, would require>keeping>> vulnerable permissions on at
least one infrequently used account>like>> "setup" or using the CLI sqlite3(1)
to manually add them back>later.>>>> One can resurrect an attacked CVSTrac
2.0.0 by fixing the texts>in the>> underlying SQLite database with the
following small Perl script.>>>> ##>> ## cvstrack-resurrect.pl -- CVSTrac
Post-Attack Database>Resurrection>> ## Copyright (c) 2007 Ralf S. Engelschall
<rse@engelschall.com>>> ##>>>> use DBI; # requires OpenPKG perl-dbi>>
use DBD::SQLite; # requires OpenPKG perl-dbi,
perl->dbi::with_dbd_sqlite=yes>> use DBIx::Simple; # requires OpenPKG
perl-dbix>> use Date::Format; # requires OpenPKG perl-time>>>> my $db_file =
$ARGV[0];>>>> my $db = DBIx::Simple->connect(>>
"dbi:SQLite:dbname=$db_file", "", "",>> { RaiseError => 0, AutoCommit => 0
}>> );>>>> my $eow = q{\x00\s.,:;?!)"'};>>>> sub fixup {>> my ($data) =
@_;>> if ($$data =~ m:/[^$eow]*/[^$eow]*'[^$eow]+:s) {>> $$data =~
s:(/[^$eow]*/[^$eow]*)('[^$eow]+):$1 $2:sg;>> return 1;>> }>>
return 0;>> }>>>> foreach my $rec ($db->query("SELECT name, invtime, text
FROM>wiki")->hashes()) {>> if (&fixup(\$rec->{"text"})) {>>
printf("++ adjusting Wiki page \"%s\" as of %s\n",>>
$rec->{"name"}, time2str("%Y-%m-%d %H:%M:%S", -$rec->>{"invtime"}));>>
$db->query("UPDATE wiki SET text = ? WHERE name = ? AND>invtime = ?",>>
$rec->{"text"}, $rec->{"name"}, $rec->{"invtime"});>> }>> }>> foreach
my $rec ($db->query("SELECT tn, description, remarks>FROM ticket")->hashes())
{>> if (&fixup(\$rec->{"description"}) or &fixup(\$rec->>{"remarks"})) {>>
printf("++ adjusting ticket #%d\n",>> $rec->{"tn"});>>
$db->query("UPDATE ticket SET description = ?, remarks =>? WHERE tn = ?",>>
$rec->{"description"}, $rec->{"remarks"}, $rec->>{"tn"});>> }>>
}>> foreach my $rec ($db->query("SELECT tn, chngtime, oldval, newval>FROM
tktchng")->hashes()) {>> if (&fixup(\$rec->{"oldval"}) or
&fixup(\$rec->{"newval"}))>{>> printf("++ adjusting ticket [%d] change
as of %s\n",>> $rec->{"tn"}, time2str("%Y-%m-%d %H:%M:%S",
$rec->>{"chngtime"}));>> $db->query("UPDATE tktchng SET oldval = ?,
newval = ?>WHERE tn = ? AND chngtime = ?",>> $rec->{"oldval"},
$rec->{"newval"}, $rec->{"tn"},>$rec->{"chngtime"});>> }>> }>> foreach my
$rec ($db->query("SELECT cn, message FROM chng")->>hashes()) {>> if
(&fixup(\$rec->{"message"})) {>> printf("++ adjusting change [%d]\n",>>
$rec->{"cn"});>> $db->query("UPDATE chng SET message = ?
WHERE cn = ?",>> $rec->{"message"}, $rec->{"cn"});>> }>> }>>>>
$db->commit();>> $db->disconnect();>>>> RESOLUTION>> ---------->>>> Upgrade to
the now available CVSTrac 2.0.1:>>
http://www.cvstrac.org/cvstrac-2.0.1.tar.gz>>>> Or apply the following upstream
vendor patch against CVSTrac>2.0.0:>>
http://www.cvstrac.org/cvstrac/chngview?cn=852>>>> Index: cvstrac/format.c>>
--- format.c 2006/07/05 01:06:50 1.87>> +++ format.c 2006/08/16
23:02:14 1.88>> @@ -77,6 +77,8 @@>> ** Return TRUE if *z points to the
terminator for a word.>Words>> ** are terminated by whitespace or end of input
or any of the>> ** characters in zEnd.>> +** Note that is_eow() ignores zEnd
characters _inside_ a word.>They>> +** only count if they're followed by other
EOW characters.>> */>> int is_eow(const char *z, const char *zEnd){>> if(
zEnd==0 ) zEnd = ".,:;?!)\"'";>> @@ -123,6 +125,7 @@>> ** somewhere inside.
Spaces in filenames aren't supported.>> */>> int is_repository_file(const
char *z){>> + char *s;>> int i;>> int gotslash=0;>> if( z[0]!='/' )
return 0;>> @@ -132,13 +135,12 @@>> if(!gotslash) return 0;>>>> /* see if
it's in the repository. Note that we strip the>leading '/' from the>> - *
query. Note that the is_eow() check means there's no '>character.>> + *
query.>> */>> - if( !db_exists("SELECT filename FROM filechng
WHERE>filename='%.*s'",>> - i-1, &z[1]) ){>> - return 0;>> -
}>> - return i;>> + s = mprintf("%.*s", i-1, &z[1]);>> + gotslash =
db_exists("SELECT filename FROM filechng WHERE>filename='%q'", s );>> +
free(s);>> + return gotslash ? i : 0;>> }>>>> /*>>>> HISTORY>> ------->>>>
2007-01-17 10:00 UTC: problem detected>> 2007-01-17 11:30 UTC: vulnerability
detected in>format.c:is_eow()>> 2007-01-17 12:15 UTC: vulnerability analized
and first>workaround patch created>> 2007-01-17 12:45 UTC: database
resurrection script written>> 2007-01-17 13:00 UTC: upstream vendor notified>>
2007-01-17 22:24 UTC: vendor confirmed vulnerability and>provided official
fix>> 2007-01-18 09:22 UTC: vendor informed and CVE number requested>from
MITRE>> 2007-01-18 20:08 UTC: received CVE number CVE-2007-0347 from>MITRE>>
2007-01-22 08:30 UTC: settled with vendor on an embargo date of>2007-01-29
12:00 UTC>> 2007-01-22 09:00 UTC: pre-informed "vendor-sec">> 2007-01-29 12:00
UTC: send out RSE security advisory>>>>
Ralf S. Engelschall>>
rse@engelschall.com>>
www.engelschall.com>>>>>>>> ------------------------------>>>> Message: 2>>
Date: Mon, 29 Jan 2007 14:03:14 +0100>> From: OpenPKG GmbH
<openpkg-noreply@openpkg.com>>> Subject: [Full-disclosure]
[OpenPKG-SA-2007.008] OpenPKG>Security>> Advisory (cvstrac)>> To:
full-disclosure@lists.grok.org.uk>> Message-ID:
<OpenPKG-SA-2007.008@openpkg.com>>> Content-Type: text/plain;
charset=us-ascii>>>> -----BEGIN PGP SIGNED MESSAGE----->> Hash:
SHA1>>>>>___________________________________________________________________>_________>>>>
Publisher Name: OpenPKG GmbH>> Publisher Home:
http://openpkg.com/>>>> Advisory Id (public): OpenPKG-SA-2007.008>> Advisory
Type: OpenPKG Security Advisory (SA)>> Advisory Directory:
http://openpkg.com/go/OpenPKG-SA>> Advisory Document:
http://openpkg.com/go/OpenPKG-SA->2007.008>> Advisory Published:
2007-01-29 14:02 UTC>>>> Issue Id (internal): OpenPKG-SI-20070117.01>>
Issue First Created: 2007-01-17>> Issue Last Modified: 2007-01-29>>
Issue Revision:
08>>>___________________________________________________________________>_________>>>>
Subject Name: cvstrac>> Subject Summary: VCS web frontend>>
Subject Home: http://www.cvstrac.org/>> Subject Versions: * =
2.0.0>>>> Vulnerability Id: CVE-2007-0347>> Vulnerability Scope:
global (not OpenPKG specific)>>>> Attack Feasibility: run-time>> Attack
Vector: remote network>> Attack Impact: denial of
service>>>> Description:>> Ralf S. Engelschall from OpenPKG GmbH discovered
a Denial of>Service>> (DoS) vulnerability in the CVS/Subversion/Git
Version>Control System>> (VCS) frontend CVSTrac [0], version 2.0.0.>>>>
The vulnerability is in the Wiki-style text output formatter>and is>>
triggered by special text constructs in commit messages,>tickets and>> Wiki
pages. Only users with check-in permissions and Wiki or>ticket>> edit
permissions can perform an attack. But as the anonymous>user>> usually is
granted Wiki edit and ticket creation>permissions, an>> attacker remotely
and anonymously can cause a partial DoS>(depending>> on the pages
requested) on a CVSTrac installation by opening>a new>> ticket or editing a
Wiki page with an arbitrary text>containing for>> instance the string
"/foo/bar'quux".>>>> The DoS vulnerability exists because the is_eow()
function>in>> "format.c" does NOT just check the FIRST character of
the>supplied>> string for an End-Of-Word terminating character, but
instead>> iterates over string and this way can skip a single embedded>>
quotation mark. The is_repository_file() function then in>turn>> assumes
that the filename string can never contain a single>> quotation mark and
traps into an SQL escaping problem.>>>> An SQL injection via this technique
is somewhat limited as>is_eow()>> bails on whitespace. So while one _can_
do an SQL injection,>one is>> limited to SQL queries containing only
characters which get>past the>> function isspace(3). This effectively
limits attacks to SQL>commands>> like "VACUUM".>>>> Administrators can
quickly workaround by revoking>permissions on the>> users. Restoring those
permissions, obviously, would require>keeping>> vulnerable permissions on
at least one infrequently used>account>> like "setup" or using the CLI
sqlite3(1) to manually add>them back>> later.>>>> References:>> [0]
http://www.cvstrac.org/>>>___________________________________________________________________>_________>>>>
Primary Package Name: cvstrac>> Primary Package Home:
http://openpkg.org/go/package/cvstrac>>>> Corrected Distribution: Corrected
Branch: Corrected Package:>> OpenPKG Enterprise E1.0-SOLID
cvstrac-2.0.0-E1.0.2>>>___________________________________________________________________>_________>>>>
For security reasons, this document was digitally signed with>the>> OpenPGP
public key of the OpenPKG GmbH (public key id 61B7AE34)>> which you can
download from http://openpkg.com/openpkg.com.pgp>> or retrieve from the OpenPGP
keyserver at>hkp://pgp.openpkg.org/.>> Follow the instructions
at>http://openpkg.com/security/signatures/>> for more details on how to verify
the integrity of
this>document.>>>___________________________________________________________________>_________>>>>
-----BEGIN PGP SIGNATURE----->> Comment: OpenPKG GmbH
<http://openpkg.com/>>>>>
iD8DBQFFvfCEZwQuyWG3rjQRApMLAJ0Q/mkpIIar3VjFoMVay7b70i5DIwCfX8lJ>>
6ITu0bSW6c3RR9sQ6q6cIpQ=>> =kxz6>> -----END PGP SIGNATURE----->>>>>>>>
------------------------------>>>> Message: 3>> Date: Mon, 29 Jan 2007 17:00:00
-0000>> From: "David Litchfield" <davidl@ngssoftware.com>>> Subject:
[Full-disclosure] Oracle - Indirect Privilege>Escalation and>> Defeating
Virtual Private Databases>> To: <bugtraq@securityfocus.com>>> Cc:
full-disclosure@lists.grok.org.uk, dbsec@freelists.org>> Message-ID:
<001901c743c6$ecf65260$4601a8c0@ngssoftware.com>>> Content-Type: text/plain;
format=flowed; charset="iso-8859-1";>> reply-type=original>>>> Hey all,>>
For anyone that's interested I've just put out two papers>(chapters really);>>
one on Indirect Privilege Escalation in Oracle and the other on>Defeating>>
Virtual Private Databases in Oracle. You can grab them here.>>
http://www.databasesecurity.com/dbsec/ohh-indirect-privilege->escalation.pdf>>
http://www.databasesecurity.com/dbsec/ohh-defeating-vpd.pdf>> Cheers,>>
David>>>> -->> E-MAIL DISCLAIMER>>>> The information contained in this email
and any subsequent>> correspondence is private, is solely for the
intended>recipient(s) and>> may contain confidential or privileged information.
For those>other than>> the intended recipient(s), any disclosure,
copying,>distribution, or any>> other action taken, or omitted to be taken, in
reliance on such>> information is prohibited and may be unlawful. If you are
not>the>> intended recipient and have received this message in error,>please>>
inform the sender and delete this mail and any attachments.>>>> The views
expressed in this email do not necessarily reflect NGS>policy.>> NGS accepts no
liability or responsibility for any onward>transmission>> or use of emails and
attachments having left the NGS domain.>>>> NGS and NGSSoftware are trading
names of Next Generation>Security>> Software Ltd. Registered office address: 52
Throwley Way,>Sutton, SM1>> 4BF with Company Number 04225835 and VAT Number
783096402>>>>>>>> ------------------------------>>>> Message: 4>> Date: Tue, 30
Jan 2007 08:25:27 +1030>> From: S?nnet Beskerming <info@beskerming.com>>>
Subject: [Full-disclosure] Phishing Evolution Report Released>> To:
full-disclosure@lists.grok.org.uk>> Message-ID:
<2DD1B718-CA53-4A3D-87C7->4B6A2BF5487B@beskerming.com>>> Content-Type:
text/plain; charset=ISO-8859-1; delsp=yes;>format=flowed>>>> Hello List(s),>>>>
For those interested in the original FD email about a new>phishing>> technique
being employed on a professional networking site (late>last>> week), the
investigation and subsequent report have been>published.>> Readers of 'The
Register' will note a write up already in place>with>> some feedback from the
site involved. Although the claim of 10>or so>> reports per month of similar
scams being made are probable, I>doubt>> that many (if any) have taken as much
detailed involvement from>the>> scammer before the phish is set.>>>>
http://www.theregister.co.uk/2007/01/29/ecademy_419_scam/>>>> You can find the
report at the following address:>>>>
http://www.beskerming.com/marketing/reports/index.html>>>> Or, for the direct
link:>>>> http://www.beskerming.com/marketing/reports/>>
Beskerming_Phishing_Report_Jan_07.pdf>>>> A higher detailed version is
available upon request, which>includes>> sufficient detail in the account
screenshots for the profile>text to>> be legible.>>>> An Executive Summary for
those who don't want to read the>report:>>>> - Yes, it was a scam. The
scammer started out with a stolen>> identity, maintaining it all the way
through the scam (even when>>> confronted)>> - Ultimately it was a 419-style
phish / scam that was traced>back>> to Nigeria>> - The first recorded use of
the particular stolen identity was>>> November 06, with a very similar scam
(though a more traditional>mass>> spam email).>> - The scammer invested at
least 2-3 days of communication and>trust->> building before beginning to seed
the phish / scam>> - The initial round of the phish bait was mild enough
to>almost be>> missed.>> - The Networking site was VERY prompt in addressing
the>situation>> once notified (less than 5 minutes to remove the account when
it>>> reappeared and they were notified again). Props to Ecademy in>this>>
case.>> - Sometimes you just need to be paranoid.>>>> Any questions or
queries, just ask them.>>>> Carl>>>> S?nnet Beskerming Pty. Ltd.>> Adelaide,
Australia>> http://www.beskerming.com>>>>>> ------------------------------>>>>
Message: 5>> Date: Mon, 29 Jan 2007 11:42:35 +0100>> From: "Andres Tarasco"
<atarasco@gmail.com>>> Subject: [Full-disclosure] Universal printer provider
exploit>for>> Windows>> To: full-disclosure@lists.grok.org.uk>>
Message-ID:>>
<80321d330701290242h56879d87jc346fc5fd3a9386c@mail.gmail.com>>> Content-Type:
text/plain; charset="iso-8859-1">>>> We have developed a new exploit that
should allow code execution>as SYSTEM>> with the following software:>>>> -
DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED &>NOTFIXED>>
-0day!!!>> - Citrix Metaframe - cpprov.dll - FIXED>> - Novell (nwspool.dll -
CVE-2006-5854 - untested. pls give>feedback)>> More information at :>>
http://www.514.es/2007/01/universal_exploit_for_vulnerab.html>(spanish)>>
exploit
code:>>>http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip>>>>>
/*>> Title: Universal exploit for vulnerable printer providers>(spooler
service).>> Vulnerability: Insecure EnumPrintersW() calls>> Author: Andres
Tarasco Acu?a - atarasco@514.es>> Website: http://www.514.es>>>>>> This code
should allow to gain SYSTEM privileges with the>following>> software:>> blink
!blink! blink!>>>> - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED
&>NOTFIXED>> -0day!!!>> - Citrix Metaframe - cpprov.dll - FIXED>> - Novell
(nwspool.dll - CVE-2006-5854 - untested)>> - More undisclosed stuff =)>>>>
If this code crashes your spooler service (spoolsv.exe) check>your>>
"vulnerable" printer providers
at:>>>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers>>>>>
Workaround: Trust only default printer providers "Internet>Print Provider">>>>
and "LanMan Print Services" and delete the other ones.>>>> And remember, if
it doesnt work for you, tweak it yourself. Do>not ask>>>>>>
D:\Programaci?n\EnumPrinters\Exploits>testlpc.exe>> [+] Citrix Presentation
Server - EnumPrinterW() Universal>exploit>> [+] Exploit coded by Andres
Tarasco - atarasco@514.es>>>>>> [+] Connecting to spooler LCP port \RPC
Control\spoolss>> [+] Trying to locate valid address (1 tries)>> [+] Mapped
memory. Client address: 0x003d0000>> [+] Mapped memory. Server address:
0x00a70000>> [+] Targeting return address to : 0x00A700A7>> [+] Writting to
shared memory...>> [+] Written 0x1000 bytes>> [+] Exploiting
vulnerability....>> [+] Exploit complete. Now Connect to 127.0.0.1:51477>>>>>>
D:\Programaci?n\EnumPrinters>nc localhost 51477>> Microsoft Windows XP
[Versi?n 5.1.2600]>> (C) Copyright 1985-2001 Microsoft Corp.>>>>
C:\WINDOWS\system32>whoami>> NT AUTHORITY\SYSTEM>>>> regards,>>>> Andres
Tarasco>> -------------- next part -------------->> An HTML attachment was
scrubbed...>> URL:
http://lists.grok.org.uk/pipermail/full->disclosure/attachments/20070129/4cb1999a/attachment-0001.html>>>>
------------------------------>>>> Message: 6>> Date: Tue, 30 Jan 2007
02:14:53 +0100>> From: Uwe Hermann <uwe@hermann-uwe.de>>> Subject:
[Full-disclosure] [DRUPAL-SA-2007-005] Drupal 4.7.6 />5.1>> fixes
arbitrary code execution issue>> To: bugtraq@securityfocus.com,
full->disclosure@lists.grok.org.uk,>> phpsec@phparch.com>> Message-ID:
<20070130011452.GA31240@greenwood>>> Content-Type: text/plain;
charset="us-ascii">>>>
----------------------------------------------------------------->----------->>
Drupal security advisory DRUPAL->SA-2007-005>>
----------------------------------------------------------------->----------->>
Project: Drupal core>> Version: 4.7.x, 5.x>> Date:
2007-Jan-29>> Security risk: Highy critical>> Exploitable from: Remote>>
Vulnerability: Arbitrary code execution>>
----------------------------------------------------------------->----------->>>>
Description>> ----------->> Previews on comments were not passed through
normal form>validation routines,>> enabling users with the 'post comments'
permission and access to>more than>> one input filter to execute arbitrary
code. By default,>anonymous and>> authenticated users have access to only one
input format.>>>> Immediate workarounds include: disabling the comment
module,>revoking the>> 'post comments' permission for all users or limiting
access to>one input>> format.>>>> Versions affected>> ----------------->> -
Drupal 4.7.x versions before Drupal 4.7.6>> - Drupal 5.x versions before Drupal
5.1>>>> Solution>> -------->> - If you are running Drupal 4.7.x then upgrade to
Drupal 4.7.6.>>
http://ftp.osuosl.org/pub/drupal/files/projects/drupal->4.7.6.tar.gz>> - If you
are running Drupal 5.x then upgrade to Drupal 5.1.>>
http://ftp.osuosl.org/pub/drupal/files/projects/drupal->5.1.tar.gz>>>> - To
patch Drupal 4.7.5 use>>
http://drupal.org/files/sa-2007-005/SA-2007-005-4.7.5.patch.>> - To patch
Drupal 5.0 use>>
http://drupal.org/files/sa-2007-005/SA-2007-005-5.0.patch.>>>> Please note that
the patches only contain changes related to>this advisory,>> and do not fix
bugs that were solved in 4.7.6 or 5.1.>>>> Reported by>> ----------->> The
Drupal security team.>>>> Contact>> ------->> The security contact for Drupal
can be reached at security at>drupal.org>> or using the form at
http://drupal.org/contact.>>>>>> // Uwe Hermann, on behalf of the Drupal
Security Team.>> -->> http://www.hermann-uwe.de |
http://www.holsham-traders.de>> http://www.crazy-hacks.org |
http://www.unmaintained-free->software.org>> -------------- next part
-------------->> A non-text attachment was scrubbed...>> Name: not available>>
Type: application/pgp-signature>> Size: 189 bytes>> Desc: Digital signature>>
Url :
http://lists.grok.org.uk/pipermail/full->disclosure/attachments/20070130/eb3c84da/attachment-0001.bin>>>>
------------------------------>>>> Message: 7>> Date: Mon, 29 Jan 2007
21:26:37 -0500>> From: Jim Popovitch <jimpop@yahoo.com>>> Subject:
[Full-disclosure] PC/Laptop microphones>> To:
full-disclosure@lists.grok.org.uk>> Message-ID:
<1170123997.26901.7.camel@localhost>>> Content-Type: text/plain;
charset="us-ascii">>>> I started this discussion elsewhere, but I feel that
there is>more>> experience and concern here. When I look at BIOS settings
I>see config>> options to disable sound cards, USB, CDROM, INTs, etc., but
what>about>> the PC or laptop microphone? Does disabling the sound card>remove
the>> availability of a built-in microphone? What if I want to play>mp3s but>>
never have the need to use a microphone? Given recent info about>the US>> FBIs
capabilities to remotely enable mobile phone microphones>> (presumably via
corporate cellular service providers), what>prevents my>> OS provider (or
distribution) and ISP from working on a way to>listen in>> on my office or home
conversations via the microphone or the>built-in>> speakers? Thoughts?>>>>
-Jim P.>> -------------- next part -------------->> A non-text attachment was
scrubbed...>> Name: not available>> Type: application/pgp-signature>> Size: 189
bytes>> Desc: This is a digitally signed message part>> Url :
http://lists.grok.org.uk/pipermail/full->disclosure/attachments/20070129/f4dd0b81/attachment-0001.bin>>>>
------------------------------>>>> Message: 8>> Date: Mon, 29 Jan 2007
21:31:00 -0500>> From: Clay Seaman-Kossmeyer <ckossmey@cisco.com>>> Subject:
Re: [Full-disclosure] S21sec-034-en: Cisco VTP DoS>> vulnerability>> To:
S21sec Labs <labs@s21sec.com>>> Cc: ckossmey@cisco.com,
full-disclosure@lists.grok.org.uk,>> bugtraq@securityfocus.com>>
Message-ID: <20070130023100.GH648@cisco.com>>> Content-Type: text/plain;
charset=us-ascii>>>> -----BEGIN PGP SIGNED MESSAGE----->> Hash: SHA1>>>>>>
Hello ->>>> Cisco has posted a Security Response in reference to this issue>at
the>> following URL:>>>>
http://www.cisco.com/warp/public/707/cisco-sr-20070129-vtp.shtml>>>> Cisco
Response>> ==============>>>> An issue has been reported to the Cisco PSIRT
involving>malformed VLAN>> Trunking Protocol (VTP) packets. This attack may
cause the>target>> device to reload, causing a Denial of Service (DoS).>>>>
Such an attack must be executed on a local ethernet segment, and>the>> VTP
domain name must be known to the attacker. Additionally,>these>> attacks must
be executed against a switch port that is>configured for>> trunking. Non-trunk
access ports are not affected.>>>> This issue is tracked as Cisco Bug ID
CSCsa67294.>>>> Details>> =======>>>> The VLAN Trunking Protocol (VTP) is a
Layer 2 protocol that>manages>> the addition, deletion, and renaming of VLANS
on a network-wide>basis>> in order to maintain VLAN configuration
consistency.>>>> VTP packets are exchanged by VLAN-aware switches. For
more>information>> on VTP, consult the following
link:>>>>>http://www.cisco.com/en/US/products/hw/switches/ps663/products_conf>iguration_guide_chapter09186a00800e47e3.html.>>>>
Upon receiving a malformed VTP packet, certain devices may>reload. The>>
attack could be executed repeatedly causing a extended Denial of>> Service.>>>>
In order to successfully exploit this vulnerability, the>attacker must>> know
the VTP domain name, as well as send the malformed VTP>packet to>> a port on
the switch configured for trunking.>>>> This does not affect switch ports that
are configured for voice>> vlans. A complete Inter-Switch Link (ISL) or 802.1q
trunk port>is>> required for the device to be vulnerable.>>>> These platforms
are affected:>>>> * Cisco 2900XL Series Switches>> * Cisco 2950 Series
Switches>> * Cisco 2955 Series Switches>> * Cisco 3500XL Series
Switches>> * Cisco 3550 Series Switches>> * Cisco 3570 Series
Switches>>>> No other Cisco products are known to be vulnerable to
this>issue.>>>> This issue was made public on 26-Jan-2007 on the
Full-Disclosure>and>> Bugtraq mailing lists. The Cisco bug ID CSCsa67294 was
made>available>> to registered customers in May of 2005.>>>> We would like to
thank David Barroso Berrueta and Alfredo Andres>> Omella for reporting this
vulnerability to us. You can find>their>> release here:
http://www.s21sec.com/es/avisos/s21sec-034-en.txt.>>>> We greatly appreciate
the opportunity to work with researchers>on>> security vulnerabilities and
welcome the opportunity to review>and>> assist in security vulnerability
reports against Cisco products.>>>> Workarounds>> ===========>>>> In order to
mitigate your exposure, ensure that only known,>trusted>> devices are connected
to ports configured for ISL or 802.1q>trunking.>>>> More information on
securing L2 networks can be found in the>Cisco>> SAFE Layer 2 Security document
at this
location:>>>>>http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networkin>g_solutions_white_paper09186a008014870f.shtml>>>>
Additional Information>> ======================>>>> THIS DOCUMENT IS PROVIDED
ON AN "AS IS" BASIS AND DOES NOT IMPLY>ANY>> KIND OF GUARANTEE OR WARRANTY,
INCLUDING THE WARRANTIES OF>> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE>> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM
THE>DOCUMENT IS>> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR
UPDATE>THIS>> DOCUMENT AT ANY TIME.>>>> Revision History>> ================>>>>
+--------------+------------------+------------------------+>> | Revision 1.0 |
2007-January-29 | Initial public release |>>
+--------------+------------------+------------------------+>>>> Cisco Security
Procedures>> =========================>>>> Complete information on reporting
security vulnerabilities in>Cisco>> products, obtaining assistance with
security incidents, and>> registering to receive security information from
Cisco, is>available>> on Cisco's worldwide website
at>>>http://www.cisco.com/en/US/products/products_security_vulnerability>_policy.html.>>
This includes instructions for press inquiries regarding Cisco>> security
notices. All Cisco security advisories are available at>>
http://www.cisco.com/go/psirt.>>>>>>>> On Fri, Jan 26, 2007 at 02:46:43PM
-0500, S21sec Labs wrote:>>
###############################################################>> > ID:
S21SEC-034-en>> > Title: Cisco VTP Denial Of Service>> > Date: 26/01/2007>> >
Status: Vendor contacted, bug fixed>> > Severity: Medium - DoS - remote from
the local subnet>> > Scope: Cisco Catalyst Switch denial of service>> >
Platforms: IOS>> > Author: Alfredo Andres Omella, David Barroso Berrueta>> >
Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt>> > Release:
Public>> >>###############################################################>>
S 2 1 S E C>> >>> >
http://www.s21sec.com>> >>> > Cisco VTP Denial Of
Service>> >>> >>> > About VTP>> > --------->> >>> > VTP (VLAN Trunking
Protocol) is a Cisco proprietary protocol>used for>> > VLAN centralized
management.>> > For instance, when you configure a VLAN in a switch, the
VLAN>>> > information (the VLAN name and its identifier)>> > will be configured
automatically in all the switches that>belong to>> > the same VTP domain.>> >>>
Description of vulnerability>> > ---------------------------->> >>> > VTP
uses Subset-Advert messages to advertise the existing>VLANs>> > within a VTP
domain,>> > sending a malformed crafted packet it is possible to force
a>switch>> > "crash & reload". In order to trigger the vulnerability,>> > you
need to previously set up the trunking (manually or using>>> > Yersinia DTP
attack).>> >>> >>> > Affected Versions and platforms>> >
------------------------------->> >>> > This vulnerability has been tested
against Cisco Catalyst>2950T>> > switches with IOS 12.1(22)EA3.>> > Other
versions are probably vulnerable.>> >>> >>> > Solution>> > -------->> >>> >
According to Cisco PSIRT, it is already fixed. We don't know>all the>> >
details because>> > Cisco tagged (back in 2005) the issue as an "internal
bug",>not as a>> > security vulnerability.>> > Upgrade your IOS to the latest
release.>> >>> >>> > Additional information>> > ---------------------->> >>> >
This vulnerability has been found and researched by:>> >>> > David Barroso
Berrueta dbarroso@s21sec.com>> > Alfredo Andres Omella
aandres@s21sec.com>> >>> > It was found on January 2005 and shown in a real
demo at>BlackHat>> > Europe Briefings 2005 (March 2005) (Yersinia, a framework
for>layer 2>> > attacks).>> > Some months later, FX from Phenoelit found other
VTP>vulnerabilities:>> >
http://www.securityfocus.com/archive/1/445896/30/0/threaded>> > Cisco released
then an answer to FX>(http://www.cisco.com/warp/public/>> >
707/cisco-sr-20060913-vtp.shtml) but as there is no any>comment about>> >
this>> > specific vulnerability we suppose that it is not related with>this
one.>> >>> > This vulnerability has been implemented in the current>Yersinia>>
version, under the VTP attacks (see the src/vtp.c file) .>> > Yersinia
homepage: http://www.yersinia.net>> >>> > You can find this advisory at:>> >
http://www.s21sec.com/en/avisos/s21sec-034-en.txt>> >>> > Other S21SEC
advisories availabe at>http://www.s21sec.com/en/avisos/>> >>> >
_______________________________________________>> > Full-Disclosure - We
believe in it.>> > Charter:
http://lists.grok.org.uk/full-disclosure-charter.html>> > Hosted and sponsored
by Secunia - http://secunia.com/>> -----BEGIN PGP SIGNATURE----->> Version:
GnuPG v1.4.5 (Darwin)>>>>
iD8DBQFFvq3REHa/Ybuq8nARAlZ9AJ4zzh8a7qwluYP94oAf/WFMfmzrZwCgpiDl>>
JxK2NENYveWy7rIf/SL/dBo=>> =IaMi>> -----END PGP SIGNATURE----->>>>>>>>
------------------------------>>>> Message: 9>> Date: Tue, 30 Jan 2007 03:52:51
+0100>> From: "Tyop?" <tyoptyop@gmail.com>>> Subject: Re: [Full-disclosure]
PC/Laptop microphones>> To: "Jim Popovitch" <jimpop@yahoo.com>,>>
full-disclosure@lists.grok.org.uk>> Message-ID:>>
<985b1a3d0701291852o369898e6nf2fa1c34b4af86fb@mail.gmail.com>>> Content-Type:
text/plain; charset=ISO-8859-1; format=flowed>>>> On 1/30/07, Jim Popovitch
<jimpop@yahoo.com> wrote:>> > Given recent info about the US>> > FBIs
capabilities to remotely enable mobile phone microphones>> > (presumably via
corporate cellular service providers),>>>> Do you have some links on that?>>
Paranoia inside :p>>>> -->> Tyop?>> Etudiant.>>
http://altmylife.blogspot.com>>>>>>>> ------------------------------>>>>
Message: 10>> Date: Mon, 29 Jan 2007 22:02:14 -0500>> From: Simon Smith
<simon@snosoft.com>>> Subject: Re: [Full-disclosure] PC/Laptop microphones>>
To: Jim Popovitch <jimpop@yahoo.com>, Untitled>>
<full-disclosure@lists.grok.org.uk>>> Message-ID:
<C1E41F66.17BF5%simon@snosoft.com>>> Content-Type: text/plain;
charset="US-ASCII">>>> Jim,>> In all reality you don't have to be an agent
to do this.>You could just>> write an exploit that when successfully executed
would>compromise the target>> and then fetch an application from a remote site.
I'm sure that>things like>> this have been done in the past. Hell imagine what
you could do>with a web>> cam! ;]>>>> New telephones are no different I'm
sure.>>>> On 1/29/07 9:26 PM, "Jim Popovitch" <jimpop@yahoo.com> wrote:>>>> > I
started this discussion elsewhere, but I feel that there is>more>> > experience
and concern here. When I look at BIOS settings I>see config>> > options to
disable sound cards, USB, CDROM, INTs, etc., but>what about>> > the PC or
laptop microphone? Does disabling the sound card>remove the>> > availability
of a built-in microphone? What if I want to play>mp3s but>> > never have the
need to use a microphone? Given recent info>about the US>> > FBIs capabilities
to remotely enable mobile phone microphones>> > (presumably via corporate
cellular service providers), what>prevents my>> > OS provider (or distribution)
and ISP from working on a way to>listen in>> > on my office or home
conversations via the microphone or the>built-in>> > speakers? Thoughts?>> >>>
-Jim P.>> > _______________________________________________>> >
Full-Disclosure - We believe in it.>> > Charter:
http://lists.grok.org.uk/full-disclosure-charter.html>> > Hosted and sponsored
by Secunia - http://secunia.com/>>>>>>>>>> ------------------------------>>>>
Message: 11>> Date: Mon, 29 Jan 2007 22:34:18 -0500>> From: "Clement Dupuis"
<cdupuis@cccure.org>>> Subject: Re: [Full-disclosure] PC/Laptop microphones>>
To: "'Simon Smith'" <simon@snosoft.com>, "'Jim Popovitch'">>
<jimpop@yahoo.com>, "'Untitled'" <full->disclosure@lists.grok.org.uk>>>
Message-ID: <00d301c7441f$894d2dc0$c1b211ac@papslaptop>>> Content-Type:
text/plain; charset="us-ascii">>>> This was discussed in the past. It is one
of the features>within Core>> Impact from Core Security. Here is an old post
on the subject:>>>> > CORE IMPACT has a Python module (uses win32api)to do
just>that, it is>> called>> > "Record audio file" (there is also a "play audio
file" and a>"grab 1 frame>> > from Webcam")>> >>> > Basically, it uses the
Windows MCI interface:>> >>>
http://msdn.microsoft.com/library/default.asp?url=/library/en->us/multimed/ht>>
m/_win32_about_mci.asp>> >>>
http://msdn.microsoft.com/library/default.asp?url=/library/en->us/multimed/ht>>
m/_win32_mci_reference.asp>> >>> > There is also a generic "Execute MCI string"
that we commonly>use to amuse>> > ourselves by opening/closing the CD door
remotely once we've>gain access>> to>> > a target system running windows.>> >>>
It should not be difficult to write your own quickly with>Python and the>> >
above reference from the MSDN>> >>>>> -----Original Message----->> From: Simon
Smith [mailto:simon@snosoft.com]>> Sent: Monday, January 29, 2007 10:02 PM>>
To: Jim Popovitch; Untitled>> Subject: Re: [Full-disclosure] PC/Laptop
microphones>>>> Jim,>> In all reality you don't have to be an agent to do
this.>You could just>> write an exploit that when successfully executed
would>compromise the target>> and then fetch an application from a remote site.
I'm sure that>things like>> this have been done in the past. Hell imagine what
you could do>with a web>> cam! ;]>>>> New telephones are no different I'm
sure.>>>> On 1/29/07 9:26 PM, "Jim Popovitch" <jimpop@yahoo.com> wrote:>>>> > I
started this discussion elsewhere, but I feel that there is>more>> > experience
and concern here. When I look at BIOS settings I>see config>> > options to
disable sound cards, USB, CDROM, INTs, etc., but>what about>> > the PC or
laptop microphone? Does disabling the sound card>remove the>> > availability
of a built-in microphone? What if I want to play>mp3s but>> > never have the
need to use a microphone? Given recent info>about the US>> > FBIs capabilities
to remotely enable mobile phone microphones>> > (presumably via corporate
cellular service providers), what>prevents my>> > OS provider (or distribution)
and ISP from working on a way to>listen in>> > on my office or home
conversations via the microphone or the>built-in>> > speakers? Thoughts?>> >>>
-Jim P.>> > _______________________________________________>> >
Full-Disclosure - We believe in it.>> > Charter:
http://lists.grok.org.uk/full-disclosure-charter.html>> > Hosted and sponsored
by Secunia - http://secunia.com/>>>>>>
_______________________________________________>> Full-Disclosure - We believe
in it.>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html>>
Hosted and sponsored by Secunia - http://secunia.com/>>>>>>>>
------------------------------>>>> Message: 12>> Date: Mon, 29 Jan 2007
23:13:01 -0500>> From: Jim Popovitch <jimpop@yahoo.com>>> Subject: Re:
[Full-disclosure] PC/Laptop microphones>> To: full-disclosure
<full-disclosure@lists.grok.org.uk>>> Message-ID:
<1170130381.3177.1.camel@localhost>>> Content-Type: text/plain;
charset="us-ascii">>>> On Tue, 2007-01-30 at 03:52 +0100, Tyop? wrote:>> > On
1/30/07, Jim Popovitch <jimpop@yahoo.com> wrote:>> > > Given recent info about
the US>> > > FBIs capabilities to remotely enable mobile phone>microphones>> >
(presumably via corporate cellular service providers),>> >>> > Do you have
some links on that?>> > Paranoia inside :p>>>> ;-) Paranoia is a good
characteristic to have.>>>> Here's a few references:>>
http://www.google.com/search?hl=en&q=FBI+Mob+microphone>>>>>>>> -Jim P.>>
-------------- next part -------------->> A non-text attachment was
scrubbed...>> Name: not available>> Type: application/pgp-signature>> Size: 189
bytes>> Desc: This is a digitally signed message part>> Url :
http://lists.grok.org.uk/pipermail/full->disclosure/attachments/20070129/3ecbecb4/attachment-0001.bin>>>>
------------------------------>>>> Message: 13>> Date: Mon, 29 Jan 2007
23:29:26 -0500>> From: Simon Smith <simon@snosoft.com>>> Subject: Re:
[Full-disclosure] PC/Laptop microphones>> To: Jim Popovitch <jimpop@yahoo.com>,
Untitled>> <full-disclosure@lists.grok.org.uk>>> Message-ID:
<C1E433D6.17BFA%simon@snosoft.com>>> Content-Type: text/plain;
charset="US-ASCII">>>> Who's paranoid, I'm not paranoid, stop talking about
me!>>>>>> On 1/29/07 11:13 PM, "Jim Popovitch" <jimpop@yahoo.com> wrote:>>>> >
On Tue, 2007-01-30 at 03:52 +0100, Tyop? wrote:>> >> On 1/30/07, Jim Popovitch
<jimpop@yahoo.com> wrote:>> >>> Given recent info about the US>> >>> FBIs
capabilities to remotely enable mobile phone>microphones>> >>> (presumably via
corporate cellular service providers),>> >>>> >> Do you have some links on
that?>> >> Paranoia inside :p>> >>> > ;-) Paranoia is a good characteristic to
have.>> >>> > Here's a few references:>> >
http://www.google.com/search?hl=en&q=FBI+Mob+microphone>> >>> >>> >>> > -Jim
P.>> > _______________________________________________>> > Full-Disclosure - We
believe in it.>> > Charter:
http://lists.grok.org.uk/full-disclosure-charter.html>> > Hosted and sponsored
by Secunia - http://secunia.com/>>>>>>>>>> ------------------------------>>>>
Message: 14>> Date: Tue, 30 Jan 2007 01:03:48 -0500>> From: Clay
Seaman-Kossmeyer <ckossmey@cisco.com>>> Subject: Re: [Full-disclosure]
S21sec-034-en: Cisco VTP DoS>> vulnerability>> To: S21sec Labs
<labs@s21sec.com>>> Cc:
full-disclosure@lists.grok.org.uk,>bugtraq@securityfocus.com,>>
psirt@cisco.com>> Message-ID: <20070130060348.GC823@cisco.com>>> Content-Type:
text/plain; charset=us-ascii>>>> -----BEGIN PGP SIGNED MESSAGE----->> Hash:
SHA1>>>>>> Hello ->>>> Cisco's response follows for this issue:>>>> Cisco
Response>> ==============>>>> An issue has been reported to the Cisco PSIRT
involving>malformed VLAN>> Trunking Protocol (VTP) packets. This attack may
cause the>target>> device to reload, causing a Denial of Service (DoS).>>>>
Such an attack must be executed on a local ethernet segment, and>the>> VTP
domain name must be known to the attacker. Additionally,>these>> attacks must
be executed against a switch port that is>configured for>> trunking. Non-trunk
access ports are not affected.>>>> This issue is tracked as Cisco Bug ID
CSCsa67294.>>>> Details>> =======>>>> The VLAN Trunking Protocol (VTP) is a
Layer 2 protocol that>manages>> the addition, deletion, and renaming of VLANS
on a network-wide>basis>> in order to maintain VLAN configuration
consistency.>>>> VTP packets are exchanged by VLAN-aware switches. For
more>information>> on VTP, consult the following
link:>>>>>http://www.cisco.com/en/US/products/hw/switches/ps663/products_conf>iguration_guide_chapter09186a00800e47e3.html.>>>>
Upon receiving a malformed VTP packet, certain devices may>reload. The>>
attack could be executed repeatedly causing a extended Denial of>> Service.>>>>
In order to successfully exploit this vulnerability, the>attacker must>> know
the VTP domain name, as well as send the malformed VTP>packet to>> a port on
the switch configured for trunking.>>>> This does not affect switch ports that
are configured for voice>> vlans. A complete Inter-Switch Link (ISL) or 802.1q
trunk port>is>> required for the device to be vulnerable.>>>> These platforms
are affected:>>>> * Cisco 2900XL Series Switches>> * Cisco 2950 Series
Switches>> * Cisco 2955 Series Switches>> * Cisco 3500XL Series
Switches>> * Cisco 3550 Series Switches>> * Cisco 3570 Series
Switches>>>> No other Cisco products are known to be vulnerable to
this>issue.>>>> This issue was made public on 26-Jan-2007 on the
Full-Disclosure>and>> Bugtraq mailing lists. The Cisco bug ID CSCsa67294 was
made>available>> to registered customers in May of 2005.>>>> We would like to
thank David Barroso Berrueta and Alfredo Andres>> Omella for reporting this
vulnerability to us. You can find>their>> release here:
http://www.s21sec.com/es/avisos/s21sec-034-en.txt.>>>> We greatly appreciate
the opportunity to work with researchers>on>> security vulnerabilities and
welcome the opportunity to review>and>> assist in security vulnerability
reports against Cisco products.>>>> Workarounds>> ===========>>>> In order to
mitigate your exposure, ensure that only known,>trusted>> devices are connected
to ports configured for ISL or 802.1q>trunking.>>>> More information on
securing L2 networks can be found in the>Cisco>> SAFE Layer 2 Security document
at this
location:>>>http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networkin>g_solutions_white_paper09186a008014870f.shtml>>>>
Additional Information>> ======================>>>> THIS DOCUMENT IS PROVIDED
ON AN "AS IS" BASIS AND DOES NOT IMPLY>ANY>> KIND OF GUARANTEE OR WARRANTY,
INCLUDING THE WARRANTIES OF>> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE>> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM
THE>DOCUMENT IS>> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR
UPDATE>THIS>> DOCUMENT AT ANY TIME.>>>> Revision History>> ================>>>>
+--------------+-----------------+------------------------+>> | Revision 1.0 |
2007-January-29 | Initial public release |>>
+--------------+-----------------+------------------------+>>>> Cisco Security
Procedures>> =========================>>>> Complete information on reporting
security vulnerabilities in>Cisco>> products, obtaining assistance with
security incidents, and>> registering to receive security information from
Cisco, is>available>> on Cisco's worldwide website
at>>>http://www.cisco.com/en/US/products/products_security_vulnerability>_policy.html.>>
This includes instructions for press inquiries regarding Cisco>> security
notices. All Cisco security advisories are available at>>
http://www.cisco.com/go/psirt.>>>>>> On Fri, Jan 26, 2007 at 02:46:43PM -0500,
S21sec Labs wrote:>>
###############################################################>> > ID:
S21SEC-034-en>> > Title: Cisco VTP Denial Of Service>> > Date: 26/01/2007>> >
Status: Vendor contacted, bug fixed>> > Severity: Medium - DoS - remote from
the local subnet>> > Scope: Cisco Catalyst Switch denial of service>> >
Platforms: IOS>> > Author: Alfredo Andres Omella, David Barroso Berrueta>> >
Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt>> > Release:
Public>> >>###############################################################>>
S 2 1 S E C>> >>> >
http://www.s21sec.com>> >>> > Cisco VTP Denial Of
Service>> >>> >>> > About VTP>> > --------->> >>> > VTP (VLAN Trunking
Protocol) is a Cisco proprietary protocol>used for>> > VLAN centralized
management.>> > For instance, when you configure a VLAN in a switch, the
VLAN>>> > information (the VLAN name and its identifier)>> > will be configured
automatically in all the switches that>belong to>> > the same VTP domain.>> >>>
Description of vulnerability>> > ---------------------------->> >>> > VTP
uses Subset-Advert messages to advertise the existing>VLANs>> > within a VTP
domain,>> > sending a malformed crafted packet it is possible to force
a>switch>> > "crash & reload". In order to trigger the vulnerability,>> > you
need to previously set up the trunking (manually or using>>> > Yersinia DTP
attack).>> >>> >>> > Affected Versions and platforms>> >
------------------------------->> >>> > This vulnerability has been tested
against Cisco Catalyst>2950T>> > switches with IOS 12.1(22)EA3.>> > Other
versions are probably vulnerable.>> >>> >>> > Solution>> > -------->> >>> >
According to Cisco PSIRT, it is already fixed. We don't know>all the>> >
details because>> > Cisco tagged (back in 2005) the issue as an "internal
bug",>not as a>> > security vulnerability.>> > Upgrade your IOS to the latest
release.>> >>> >>> > Additional information>> > ---------------------->> >>> >
This vulnerability has been found and researched by:>> >>> > David Barroso
Berrueta dbarroso@s21sec.com>> > Alfredo Andres Omella
aandres@s21sec.com>> >>> > It was found on January 2005 and shown in a real
demo at>BlackHat>> > Europe Briefings 2005 (March 2005) (Yersinia, a framework
for>layer 2>> > attacks).>> > Some months later, FX from Phenoelit found other
VTP>vulnerabilities:>> >
http://www.securityfocus.com/archive/1/445896/30/0/threaded>> > Cisco released
then an answer to FX>(http://www.cisco.com/warp/public/>> >
707/cisco-sr-20060913-vtp.shtml) but as there is no any>comment about>> >
this>> > specific vulnerability we suppose that it is not related with>this
one.>> >>> > This vulnerability has been implemented in the current>Yersinia>>
version, under the VTP attacks (see the src/vtp.c file) .>> > Yersinia
homepage: http://www.yersinia.net>> >>> > You can find this advisory at:>> >
http://www.s21sec.com/en/avisos/s21sec-034-en.txt>> >>> > Other S21SEC
advisories availabe at>http://www.s21sec.com/en/avisos/>> >>> >
_______________________________________________>> > Full-Disclosure - We
believe in it.>> > Charter:
http://lists.grok.org.uk/full-disclosure-charter.html>> > Hosted and sponsored
by Secunia - http://secunia.com/>> -----BEGIN PGP SIGNATURE----->> Version:
GnuPG v1.4.5 (Darwin)>>>>
iD8DBQFFvt+IEHa/Ybuq8nARAmapAKCDVkXuNcSL/E5wSf2FBh298vmcOgCfTbKm>>
oaFNJ9jqXSbTzrp5foSQLa8=>> =q2ut>> -----END PGP SIGNATURE----->>>>>>>>
------------------------------>>>> Message: 15>> Date: Tue, 30 Jan 2007
15:56:59 +0800>> From: "COSEINC" <alu@coseinc.com>>> Subject: [Full-disclosure]
COSEINC Alert: Microsoft Agent Heap>> Overflow Vulnerability Technical
Details (Patched)>> To: <full-disclosure@lists.grok.org.uk>>> Message-ID:
<044f01c74444$388c9270$d201000a@HP77591890519>>> Content-Type: text/plain;
format=flowed; charset="iso-8859-1";>> reply-type=original>>>> Microsoft
Agent Heap Overflow Vulnerability>>>> COSEINC Alert>>
http://www.coseinc.com/alert.html>>>> Vendor:>> Microsoft>>>> Systems
Affected:>> Windows 2000 All Service Packs>> Windows XP All Service Packs>>>>
Overview:>> Microsoft Agent is a software technology that enables an>enriched
form of>> user interaction that makes learning to use a computer easier.>With
the>> software service, developers can enhance the user interface of>their>>
applications and Web pages with interactive personalities in the>form of>>
animated characters.>>>> This feature is preinstalled on Win2k/XP and allows
loading of>remote>> character data via HTTP through Internet Explorer.
Microsoft>actually>> utilizes a custom compression algorithm to compress
the>character data file>> (.acf) which we presume is to speed up the
distribution over>network.>>>> A security researcher of COSEINC Vulnerability
Research Lab has>discovered>> that Microsoft Agent has a heap overflow
vulnerability. This>vulnerability>> is triggered when Microsoft Agent parses
the malformed character>file in its>> uncompressed state in memory, by having
an overly large value in>a length>> field. This will lead to an integer
overflow during the>allocation of>> buffer. Subsequently, when data is copied
to the buffer, the>heap overflow>> will occur. The result is possible remote
code execution.>>>> Technical Details:>> The vulnerability exists in the
ReadWideString function in>agentdpv.dll:>>>> 711a2cc4 mov
eax,[ebp+0xc]>> 711a2cc7 cmp eax,ebx>> 711a2cc9 jz
agentdpv!ReadWideStringW+0x6b (711a2d0e)>> 711a2ccb lea
eax,[eax+eax+0x2]>> 711a2ccf push eax>> 711a2cd0 call
agentdpv!operator new (711aaa6c)>>>> The .acf format when uncompressed in
memory, stores strings with>their>> lengths prepended to them. To trigger the
vulnerability, a large>value>> 7FFFFFFF can be set in the length field of a
string before>compression takes>> place to create a malformed .acf file (This
can be done using>the Microsoft->> supplied Agent Character Editor and editing
the memory contents>when>> creating the .acf file). When Microsoft Agent parses
the .acf>file, this>> length is read after uncompressing the file in
memory:>>>> 711a2cc4 mov eax,[ebp+0xc] ; length of string>>>> An
integer overflow occurs presumably during the calculation of>the size of>> the
memory to allocate for a widestring using the supplied>length, resulting>> in
an allocation of 0 bytes:>>>> 711a2ccb lea eax,[eax+eax+0x2]>> 711a2ccf
push eax>> 711a2cd0 call agentdpv!operator new (711aaa6c)>>>>
Sometime after, the string will be read from memory allocated>earlier and>>
copied to the buffer leading to the overflow and corrupting the>heap.>>>>
711a2ce8 push ebx>> 711a2ce9 add edx,edx>> 711a2ceb push
edx>> 711a2cec push eax>> 711a2ced push edi>> 711a2cee call
dword ptr [ecx+0xc]{ole32!CMemStm::Read>(771e7a1f)}>>>> Notes:>> The string
has been earlier written (together with other data)>to a>> temporary buffer as
a result of the uncompressing procedure. The>2nd DWORD>> in the .acf file
specifies the total size of the file in its>uncompressed>> state and is used
internally to allocate the required memory for>the>> temporary buffer.>>>> The
number of bytes to copy from this temporary buffer is>apparently>> determined
by subtracting from the total size, the size of>previous data>> chunks and does
not utilize the supplied string length.>>>> Hence, the amount of overflow can
be controlled by simply using>a string of>> the desired length. This is why the
large length of 7FFFFFFF>does not result>> in continuous copying leading to
access violation (usually in>the case of an>> integer overflow). Consequently,
an arbitrary 4-byte overwrite>will occur>> resulting in possible code
execution.>>>> Vendor Status:>> Microsoft has released a patch for this
vulnerability. The patch>is>> available at:>>
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx>>>> Credit:>>
This vulnerability was discovered by Willow, a Windows security>researcher>> of
the COSEINC Vulnerability Research Lab (VRL).>>>> Disclaimer:>> The information
within this paper may change without notice. Use>of this>> information
constitutes acceptance for use in an AS IS>condition. There are>> no
warranties, implied or express, with regard to this>information. In no>> event
shall the author or the company be liable for any direct>or indirect>> damages
whatsoever arising out of or in connection with the use>or spread of>> this
information. Any use of this information is at the user's>own risk.>>>>>>>>>>>>
------------------------------>>>>
_______________________________________________>> Full-Disclosure - We believe
in it.>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html>>
Hosted and sponsored by Secunia - http://secunia.com/>>>> End of
Full-Disclosure Digest, Vol 23, Issue 56>>
***********************************************>>>>----------------------------------------->Email
sent from www.ntlworld.com>Virus-checked using McAfee(R) Software>Visit
www.ntlworld.com/security for more
information>>_______________________________________________>Full-Disclosure -
We believe in it.>Charter:
http://lists.grok.org.uk/full-disclosure-charter.html>Hosted and sponsored by
Secunia - http://secunia.com/-----BEGIN PGP SIGNATURE-----Note: This signature
can be verified at https://www.hushtools.com/verifyVersion: Hush 2.5
wpwEAQECAAYFAkW/gUYACgkQgSMOKd40iZg6UAP/WLx0GdnlvJQVbVzxFZ5k2pW6DzsaAGIDNEzqkrVXEff2rO7QyPRTNchJ6iTAYoF52L42/PiYbJ4iwF9alMnyU2XEIhH1hnRjaaQislNzxVnCYdWzor8FRNU3wHK4Ojo1K5vi7Rl+90Ai3VXchEhfC5AKU5Zjx24jLIbNogW0M6o==Xx0l-----END
PGP SIGNATURE-----
Concerned about your privacy? Instantly send FREE secure email, no account
requiredhttp://www.hushmail.com/send?l=480
Get the best prices on SSL certificates from
Hushmailhttps://www.hushssl.com?l=485
_______________________________________________Full-Disclosure - We believe in
it.Charter: http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and
sponsored by Secunia - http://secunia.com/
