Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] TPTI-07-10: Centennial Software XferWan.exe Stack Over

from [TSRT] Network Security [Permanent Link]
Subject: [Full-disclosure] TPTI-07-10: Centennial Software XferWan.exe Stack Overflow Vulnerability
Date: Mon, 4 Jun 2007 17:50:05 -0700 
TPTI-07-10: Centennial Software XferWan.exe Stack Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-10
June  4, 2007

-- CVE ID:
CVE-2007-2514

-- Affected Vendor:
Centennial Software

-- Affected Products:
Symantec Discovery 6.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since April  3, 2007 by Digital Vaccine protection
filter ID 5231. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of software utilizing Centennial Software
XferWan. Authentication is not required to exploit this vulnerability.

The specific flaw exists during the parsing of overly long requests to
the XferWAN process. When logging requests, user-supplied data is
copied to the stack resulting in an exploitable buffer overflow
condition. The following disassembly excerpt from the logging function
demonstrates the issue:

    004047A0 mov cl, Filename[eax]
    004047A6 mov [esp+eax+890h+ExistingFileName], cl
    004047AD inc eax
    004047AE test cl, cl
    004047B0 jnz short loc_4047A0

A lack of sanity checking on the size of 'Filename' results in an
exploitable stack-based  buffer overflow vulnerability that can result
in a system compromise running under the context of the SYSTEM user.

-- Vendor Response:
Centennial has rectified an issue in the XFERWAN omponent of Centennial
Discovery which could be remotely exploited by malicious people to
compromise a system.

This issue only affects systems running non-secure communications,
which comprise a very small percentage of installations worldwide. 
Customers can find instructions on how to identify if they are
susceptible to the vulnerability and correct, if necessary on the
Centennial Customer Support website.

-- Disclosure Timeline:
2007.03.07 - Vulnerability reported to vendor
2007.04.03 - Digital Vaccine released to TippingPoint customers
2007.06.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint DVLabs


CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com. 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] TPTI-07-10: Centennial Software XferWan.exe Stack Overflow Vulnerability, TSRT <=
Previous by Date:  [Full-disclosure] iDefense Security Advisory 06.01.07: Symantec VERITAS Storage Foundation Administration Service DoS Vulnerability, iDefense Labs
Next by Date:  [Full-disclosure] TPTI-07-08: Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass Vulnerability, TSRT
Previous by Thread:  [Full-disclosure] iDefense Security Advisory 06.01.07: Symantec VERITAS Storage Foundation Administration Service DoS Vulnerability, iDefense Labs
Next by Thread:  [Full-disclosure] TPTI-07-08: Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass Vulnerability, TSRT
Indexes:  [Date] [Thread] [Top] [All Lists]