
@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 1
January 2, 2009

A very quiet week, but if you are using RealNetworks Helix Server, update it today. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                 Number of Updates and Vulnerabilities
---------------------------------------  -------------------------------------
Third Party Windows Apps                  2
Linux                                     2
Cross Platform                           11 (#1, #2, #3)
Web Application - Cross Site Scripting    3
Web Application - SQL Injection          10
Web Application                           8

******************** Sponsored By ArcSight, Inc. ************************

Webcast Update: ArcSight Logger 7100 v.3.0 Review, featuring SANS Analyst Jerry Shenk and ArcSight's Ansh Patnaik This Webcast will cover drivers and basic requirements when adding to, developing or acquiring log management systems, followed by an overview of the ArcSight Log Management system. http://www.sans.org/info/36754

*************************************************************************

TRAINING UPDATE -- SANS 2009 in Orlando in early March, the largest security training conference and expo in the world, with lots of evening sessions: http://www.sans.org/index.php -- SANS Security West Las Vegas (1/24-2/01) http://sans.org/securitywest09/ -- Looking for training in your own community? http://sans.org/community/ For a list of all upcoming events, on-line and live: www.sans.org

*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint
  Widely Deployed Software
    (1) CRITICAL: RealNetworks Helix Server Multiple Vulnerabilities
    (2) HIGH: xterm Escape Sequence Vulnerability
    (3) MODERATE: Forged Trusted Certification Authority Certificate
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
  Third Party Windows Apps
  Linux
  Cross Platform
  Web Application - Cross Site Scripting
  Web Application - SQL Injection
  Web Application

******************* SCADA Security Summit *****************************

Rediscover New Orleans and hear about Process Control Security issues. - Process Control & SCADA Summit January 16-17. http://www.sans.org/info/36759

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: RealNetworks Helix Server Multiple Vulnerabilities
  • Affected:
    • RealNetworks Helix Server versions 11.x
  • Description: Helix Server is a popular streaming media server from RealNetworks. It contains multiple vulnerabilities in its processing of a variety of Real Time Streaming Protocol (RTSP) and other requests. A specially crafted request could trigger one of these vulnerabilities, allowing an attacker to execute arbitrary code with the privileges of the vulnerable process. Technical details for these vulnerabilities are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) HIGH: xterm Escape Sequence Vulnerability
  • Affected:
    • X.org xterm versions prior to patch #237
  • Description: xterm is the terminal emulator of the X Window System, the standard network-enabled windowing system for Unix and Unix-like platforms. It contains a flaw in its handling of certain escape sequences (sequences of characters that, when read by the terminal, cause it to take an action rather than being displayed). A specially crafted "DECRQSS Device Control Request Status" escape sequence could trigger this vulnerability, allowing an attacker to execute arbitrary commands with the privileges of the current user: the terminal's reply to such a request is delivered as keyboard input to the program running in the window, so text that merely scrolls past can become a command line for the shell. An attacker could exploit this vulnerability by tricking a user into displaying a malicious text file in an xterm window, or by sending such characters during a network terminal session (for example, an SSH or telnet session) or in any other output the user views in the terminal, such as log lines or file names. Note that this affects the reference implementation of xterm from X.org, and presumably also affects versions of xterm that share that codebase (such as XFree86).

  • Status: Vendor confirmed, updates available.

  • References:
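The xterm flaw in (2) is one instance of a general problem: everything an application writes to a terminal, including attacker-supplied file names, log lines or chat messages, is interpreted by the terminal, and a DCS, OSC or CSI sequence inside it can change terminal state or make the terminal answer with text that lands in the foreground program's input. The Python filter below is an added example, not code from the xterm project; it recognises the sequence families a VT/xterm-style terminal understands (DCS/SOS/PM/APC, OSC, CSI, other ESC forms, 8-bit C1 controls and stray C0 controls) and strips them before untrusted text is printed. The sample input is constructed here; the DECRQSS request in it only asks the terminal for its SGR state and carries no payload.

```python
import re

# One alternation covers the control-sequence families a VT/xterm-style terminal
# understands. Order matters: the string-type sequences (DCS/SOS/PM/APC and OSC)
# come first so a terminated DCS is consumed as a whole instead of only its
# opener; an unterminated one falls through to the generic "esc" branch, which
# removes the opener and leaves the remainder as inert printable text.
_CONTROL_RE = re.compile(
    # DCS (ESC P or 0x90), SOS (ESC X / 0x98), PM (ESC ^ / 0x9E), APC (ESC _ / 0x9F),
    # each terminated by ST (ESC \ or 0x9C). DECRQSS is "DCS $ q <request> ST".
    r"(?P<dcs>(?:\x1b[PX^_]|[\x90\x98\x9e\x9f]).*?(?:\x1b\\|\x9c))"
    # OSC (ESC ] or 0x9D) ... terminated by BEL or ST; used for window titles etc.
    r"|(?P<osc>(?:\x1b\]|\x9d).*?(?:\x07|\x1b\\|\x9c))"
    # CSI (ESC [ or 0x9B): parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, final 0x40-0x7E
    r"|(?P<csi>(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~])"
    # Any other ESC sequence: optional intermediates 0x20-0x2F then a final byte 0x30-0x7E
    r"|(?P<esc>\x1b[ -/]*[0-~])"
    # Remaining 8-bit C1 controls (U+0080..U+009F)
    r"|(?P<c1>[\x80-\x9f])"
    # Remaining C0 controls and DEL, except TAB, LF and CR which are kept
    r"|(?P<c0>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f])",
    re.DOTALL,
)

# SGR (colour/attribute) sequences are the one CSI form that is reasonably safe
# to pass through when the caller wants coloured output preserved.
_SGR_RE = re.compile(r"\x1b\[[0-9;]*m")


def find_control_sequences(text):
    """Return [(family, raw_sequence), ...] for every control sequence in text."""
    return [(m.lastgroup, m.group(0)) for m in _CONTROL_RE.finditer(text)]


def sanitize_for_terminal(text, keep_sgr=False):
    """Strip terminal control sequences from untrusted text before it is printed.

    With keep_sgr=True, plain SGR sequences (ESC [ ... m) are retained.
    """
    def _replace(match):
        if keep_sgr and match.lastgroup == "csi" and _SGR_RE.fullmatch(match.group(0)):
            return match.group(0)
        return ""
    return _CONTROL_RE.sub(_replace, text)


# Constructed sample: a web-server log line followed by a DECRQSS request
# (DCS $ q m ST, asking the terminal to report its SGR state), an OSC that
# would retitle the window, and some SGR bold markup.
SAMPLE = (
    "GET /index.html 200\n"
    "\x1bP$qm\x1b\\"
    "\x1b]0;owned\x07"
    "normal \x1b[1mbold\x1b[0m text\n"
)

if __name__ == "__main__":
    for family, raw in find_control_sequences(SAMPLE):
        print(f"{family:4s} {raw!r}")
    print(repr(sanitize_for_terminal(SAMPLE)))
    print(repr(sanitize_for_terminal(SAMPLE, keep_sgr=True)))
```

Apply the filter at the boundary where untrusted data meets the terminal (a log tailer, a chat client, a directory listing), not deep inside the application; keep_sgr=True is the only concession worth making, and only for data you trust to be colour markup and nothing else.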
  • (3) MODERATE: Forged Trusted Certification Authority Certificate
  • Affected:
    • Most web browsers
  • Description: Most web browsers support HTTPS (HTTP over SSL/TLS). Besides encrypting traffic, the protocol lets a browser verify that a web site is who it claims to be, using public key cryptography: the site presents an X.509 certificate, and the browser checks the chain of digital signatures on it back to one of the Certification Authority (CA) certificates it ships as trusted. Each signature is computed over a cryptographic hash of the certificate contents, using a hash function such as MD5 or SHA-1, so the signature is only as strong as that hash. Collision weaknesses in MD5 have been known for several years, but until now no practical attack on a real certificate chain had been demonstrated. A group of researchers has now used an MD5 collision to obtain a forged CA certificate that is accepted by most major web browsers. Whoever holds such a certificate can issue certificates for any domain, so a browser could be tricked into accepting a malicious site as, for example, a banking site. Note that, while much research on this flaw is publicly available, the exact method of exploitation has not been published.

  • Status: The problem persists as long as certification authorities keep signing certificates with MD5. Anyone issuing certificates, including users who create their own, should sign with a stronger hash (SHA-1 or, preferably, SHA-256). Administrators can check the signature algorithm of each certificate in the chains they rely on and replace any that are MD5-signed.

  • References:
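A practical check for the problem in (3): read the signatureAlgorithm field of each certificate in a chain and refuse chains whose CA or intermediate certificates were signed with MD5 (or MD2). The Python below is an added example, not code from any browser or certification authority. It walks just enough DER to reach the outer AlgorithmIdentifier of an X.509 Certificate, decodes the OID and looks it up against the PKCS#1 and OIW signature OIDs, treating anything it does not recognise as weak. The certificate in the sample is constructed (a placeholder tbsCertificate and a dummy signature value) so the block runs offline; the walker itself works on any real DER certificate, and load_pem() accepts the PEM form.

```python
import base64
import re

# Signature-algorithm OIDs (PKCS#1 and the older OIW set) and the hash each uses.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "MD2"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.3.14.3.2.3": ("md5WithRSA (OIW)", "MD5"),
    "1.3.14.3.2.29": ("sha1WithRSASignature (OIW)", "SHA-1"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
WEAK_HASHES = {"MD2", "MD5", "unknown"}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the contents bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_oid(der):
    """Return the dotted OID from the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate (skipped)
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)      # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def check_signature_algorithm(der):
    """Return (oid, name, weak) for a DER certificate; unknown OIDs count as weak."""
    oid = certificate_signature_oid(der)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest in WEAK_HASHES


def load_pem(pem_text):
    """Convert a single PEM certificate to DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem_text, re.DOTALL).group(1)
    return base64.b64decode("".join(body.split()))


# --- constructed sample input (not a real certificate) ----------------------
def _der(tag, body):
    """Minimal DER encoder, used only to build the sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def encode_oid(dotted):
    """Encode a dotted OID to its DER contents bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid):
    """Structurally a Certificate, but with a placeholder TBS and a dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                              # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" + bytes(128))                             # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


def sample_pem(sig_oid):
    """The constructed certificate in PEM form, to exercise load_pem()."""
    b64 = base64.b64encode(sample_certificate(sig_oid)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_signature_algorithm(sample_certificate(oid)))
```

Against real material, pass the bytes of a DER file (`check_signature_algorithm(open("ca.der", "rb").read())`) or `load_pem(open("ca.pem").read())`; `openssl x509 -in ca.pem -noout -text | grep "Signature Algorithm"` gives the same answer for one file. Treating unrecognised OIDs as weak is deliberate: a chain with an algorithm you cannot name is not one you have assessed.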
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 08.1.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BulletProof FTP Client Bookmark File Heap Buffer Overflow
  • Description: BulletProof FTP Client is an FTP client application available for Microsoft Windows. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling malicious bookmark files. BulletProof FTP Client version 2.63 is affected.
  • Ref: http://www.securityfocus.com/bid/33007

  • 08.1.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SAWStudio ".prf" File Buffer Overflow
  • Description: SAWStudio is an audio mixer available for Microsoft Windows. SAWStudio is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling preference files (".prf") containing an excessively large string. SAWStudio version 3.9i is affected.
  • Ref: http://www.securityfocus.com/bid/33011

  • 08.1.3 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "qdisc_run()" Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue caused by an error in the "qdisc_run()" function in the "net/sched/sch_generic.c" source file. Specifically, this loop is unbounded, and may run indefinitely within a "softirq" when under heavy network load. Linux kernel versions prior to 2.6.25 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=477744

  • 08.1.4 - CVE: CVE-2008-5702
  • Platform: Linux
  • Title: Linux Kernel "ib700wdt.c" Buffer Underflow
  • Description: The Linux kernel is exposed to a buffer underflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs in the "ibwdt_ioctl()" function of the "drivers/watchdog/ib700wdt.c" source file. Linux kernel versions prior to 2.6.28-rc1 are affected.
  • Ref: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commit;h=7c2500f17d65092d93345f3996cf82ebca17e9ff

  • 08.1.5 - CVE: CVE-2008-5498
  • Platform: Cross Platform
  • Title: PHP "imageRotate()" Uninitialized Memory Information Disclosure
  • Description: PHP is a programming language commonly used for web applications. PHP is exposed to an information disclosure issue that occurs in its implementation of the "imageRotate()" function. PHP versions 5.2.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/33002

  • 08.1.6 - CVE: CVE-2008-5714
  • Platform: Cross Platform
  • Title: Qemu VNC "monitor.c" Insecure Password
  • Description: Qemu is a processor emulator that is available for various platforms. Qemu is exposed to an insecure password issue that resides in the VNC server. Specifically, an off-by-one error in the "do_change_vnc()" function in the "monitor.c" source code file may result in only seven characters of a password being used, as opposed to the expected eight. Qemu version 0.9.1 is affected.
  • Ref: http://lists.gnu.org/archive/html/qemu-devel/2008-11/msg01224.html

  • 08.1.7 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Psi Malformed Packet Remote Denial of Service
  • Description: Psi is an instant messaging client for the XMPP (Jabber) protocol, and is available for a number of platforms. Psi is exposed to a denial of service issue due to a failure to handle malformed packets. Psi version 0.12 is affected.
  • Ref: http://www.securityfocus.com/bid/32987

  • 08.1.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox "location.hash" Remote Denial of Service
  • Description: Mozilla Firefox is a browser available for multiple platforms. The browser is exposed to a remote denial of service issue because the application fails to perform adequate boundary checks on user-supplied data. Specifically, the application crashes when passing large amounts of data to the "location.hash" property. Firefox version 3.0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/32988

  • 08.1.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PGP Desktop "PGPweded.sys" Local Denial of Service
  • Description: PGP Desktop is an encryption application. PGP Desktop is exposed to a local denial of service issue in the "PGPweded.sys" driver. This issue occurs because the driver fails to handle malicious calls to the IOCTL 0x80022038. PGP Desktop version 9.0.6 build 6060 is affected.
  • Ref: http://evilcodecave.wordpress.com/2008/12/23/pgp-desktop-906-denial-of-service-vulnerability/

  • 08.1.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Getleft HTML Tags Multiple Buffer Overflow Vulnerabilities
  • Description: Getleft is an application that allows users to download HTML websites. The application is available for multiple operating systems. Getleft is exposed to multiple buffer overflow issues because it fails to perform adequate checks on user-supplied input. Getleft version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/32994

  • 08.1.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IntelliTamper "MAP" File Buffer Overflow
  • Description: IntelliTamper is a spider application for scanning websites. IntelliTamper is exposed to a buffer overflow issue because it fails to properly validate the size of attacker-supplied data before copying it into a finite-sized buffer. IntelliTamper versions 2.07 and 2.08 are affected.
  • Ref: http://www.securityfocus.com/bid/33022

  • 08.1.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Acoustica Mixcraft ".mx4" Project File Buffer Overflow
  • Description: Acoustica Mixcraft is multitrack audio and MIDI recording software. Acoustica Mixcraft is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Acoustica Mixcraft version 4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/33012

  • 08.1.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun SNMP Management Agent Insecure Temporary File Creation
  • Description: SNMP Management Agent is an implementation of the SNMP protocol. The application creates temporary files in an insecure manner. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in privilege escalation or cause a denial of service condition. Sun SNMP Management Agent "SUNWmasf" versions 1.4u2 up to and including 1.5.4 are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-248646-1
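The symlink attack described in 08.1.13 works because a program opens a predictable name with plain create-or-truncate semantics, so a link planted at that name by a local attacker redirects the write into whatever file the link points at. The Python below is an added illustration, not code from Sun's agent: it stages that attack inside a scratch directory (the "sensitive" file and the symlink are both constructed here) and contrasts the vulnerable open with O_CREAT|O_EXCL|O_NOFOLLOW and with mkstemp, which is what a temporary file should use in the first place.

```python
import errno
import os
import tempfile


def insecure_create(path, data):
    """The pattern the advisory describes: open a predictable path with O_CREAT
    but without O_EXCL. If an attacker has pre-created the name as a symlink,
    the open follows the link and the write lands in the link target."""
    with open(path, "w") as f:          # follows symlinks, truncates the target
        f.write(data)


def secure_create(path, data):
    """Create-or-fail: O_EXCL refuses an existing name (a symlink counts) and
    O_NOFOLLOW refuses to traverse a symlink at the final path component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def secure_tempfile(data, dir=None):
    """Preferred form: mkstemp picks an unpredictable name and opens it O_EXCL."""
    fd, path = tempfile.mkstemp(dir=dir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demonstrate(workdir):
    """Stage the attack in workdir and report what each pattern does.

    Returns (victim contents after the insecure write,
             whether the secure open was refused,
             victim contents after the secure attempt).
    """
    victim = os.path.join(workdir, "victim.conf")      # stands in for a sensitive file
    predictable = os.path.join(workdir, "agent.tmp")   # the predictable temp name

    def stage():
        # (Re)create the sensitive file and plant the symlink at the predictable name,
        # as the attacker would before the agent runs.
        with open(victim, "w") as f:
            f.write("original contents\n")
        if os.path.lexists(predictable):
            os.unlink(predictable)
        os.symlink(victim, predictable)

    stage()
    insecure_create(predictable, "clobbered\n")
    with open(victim) as f:
        after_insecure = f.read()

    stage()
    try:
        secure_create(predictable, "should not be written\n")
        refused = False
    except OSError as e:
        refused = e.errno in (errno.EEXIST, errno.ELOOP)
    with open(victim) as f:
        after_secure = f.read()
    return after_insecure, refused, after_secure


def run_demo():
    """Run demonstrate() in a throwaway directory and return its result tuple."""
    with tempfile.TemporaryDirectory() as workdir:
        return demonstrate(workdir)


if __name__ == "__main__":
    print(run_demo())
    with tempfile.TemporaryDirectory() as d:
        print(secure_tempfile("scratch\n", dir=d))
```

The same rule applies to any file a privileged daemon writes under a world-writable directory: never reuse a fixed name, and never open it with a call that silently follows an existing link.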

  • 08.1.14 - CVE: CVE-2008-5721
  • Platform: Cross Platform
  • Title: SapporoWorks BlackJumboDog Web Server Unspecified Authentication Bypass
  • Description: BlackJumboDog provides server functions (HTTP, FTP, etc) for an intranet. BlackJumboDog Web server is exposed to an unspecified authentication bypass vulnerability. BlackJumboDog versions 4.2.2 and earlier are affected.
  • Ref: http://jvn.jp/en/jp/JVN98063934/index.html

  • 08.1.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Personal Sticky Threads vBulletin Addon Unauthorized Access
  • Description: Personal Sticky Threads is an addon for vBulletin bulletin board software. The application is exposed to an unauthorized access issue because it fails to adequately limit access to certain threads. Personal Sticky Threads version 1.0.3c is affected.
  • Ref: http://www.securityfocus.com/archive/1/499562

  • 08.1.16 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TYPO3 SB Universal Plugin Unspecified Cross-Site Scripting Vulnerability
  • Description: SB Universal Plugin is an extension for TYPO3. The application is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. SB Universal Plugin version 2.0.1 is affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-4/

  • 08.1.17 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: W2B phpGreetCards "category" Parameter Cross-Site Scripting
  • Description: W2B phpGreetCards is a web application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "category" parameter of the "index.php" script. phpGreetCards version 3.7 is affected.
  • Ref: http://www.securityfocus.com/bid/33001

  • 08.1.18 - CVE: CVE-2008-5720
  • Platform: Web Application - Cross Site Scripting
  • Title: Mayaa Default Error Page Cross-Site Scripting
  • Description: Mayaa is a JavaServer template system. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the default error page. Mayaa versions 1.1.22 and earlier are vulnerable.
  • Ref: http://jvn.jp/en/jp/JVN17298485/index.html

  • 08.1.19 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SPIP "rubriques.php" SQL Injection
  • Description: SPIP is a website-publishing application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "/inc/rubriques.php" script.
  • Ref: http://www.spip-contrib.net/SPIP-1-8-3b-1-9-2g-2-2

  • 08.1.20 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TYPO3 TU-Clausthal ODIN Extension Unspecified SQL Injection
  • Description: TYPO3 TU-Clausthal ("tuc_odin") is an extension for the TYPO3 content manager. The extension is exposed to an SQL injection issue because it fails to sufficiently sanitize input before using it in an SQL query.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-4/

  • 08.1.21 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP Link Directory "page.php" SQL Injection
  • Description: PHP Link Directory (also known as phpLD) is a web-based directory application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue affects the "name" parameter of the "page.php" script. PHP Link Directory version 3.3 is affected.
  • Ref: http://www.securityfocus.com/bid/32989

  • 08.1.22 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AIST NetCat "password_recovery.php" SQL Injection
  • Description: AIST NetCat is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "password_recovery.php" script. NetCat version 3.12 is affected.
  • Ref: http://www.securityfocus.com/bid/32990

  • 08.1.23 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: stormBoards "thread.php" SQL Injection
  • Description: stormBoards is a web-based forum application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue affects the "id" parameter of the "thread.php" script. stormBoards version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/32993

  • 08.1.24 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ILIAS "repository.php" SQL Injection
  • Description: ILIAS is a web-based learning management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This issue affects the "ref_id" parameter of the "repository.php" script. ILIAS version 3.7.4 is affected.
  • Ref: http://www.securityfocus.com/bid/33006

  • 08.1.25 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Ice Gallery Component "catid" Parameter SQL Injection
  • Description: Ice Gallery is a PHP-based component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter to the "com_ice" component. Ice Gallery version 0.5 beta 2 is affected.
  • Ref: http://www.securityfocus.com/bid/33008

  • 08.1.26 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: mDigg Component for Joomla! "category" Parameter SQL Injection
  • Description: Joomla Apps mDigg Component is a PHP-based component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "category" parameter to the "com_mdigg" component. mDigg Component version 2.2.8 is affected.
  • Ref: http://www.securityfocus.com/archive/1/499618

  • 08.1.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! LiveTicker "tid" Parameter SQL Injection
  • Description: LiveTicker is a live sports feed component for the Joomla! content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "tid" parameter of the "com_liveticker" component. LiveTicker version 1.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/33010

  • 08.1.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Fusion TI Blog System Module "blog.php" SQL Injection
  • Description: TI Blog System is a blog module for PHP-Fusion. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "blog.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/499583
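The ten SQL injection entries above share one root cause: a request parameter (an id, ref_id, catid, tid, category or name) is pasted into an SQL statement as text, so whoever supplies the parameter also supplies part of the query. As an added example, not code from any of those projects, the Python below reproduces the pattern against a constructed SQLite table and puts the fix beside it: coerce numeric parameters to the expected type, and bind every value through a placeholder so the database never parses it as SQL. The table, its rows and the request value are all constructed here.

```python
import sqlite3

# Constructed schema standing in for a forum or CMS table keyed by an integer id.
SCHEMA = """
CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER);
INSERT INTO threads VALUES (1, 'Welcome', 0), (2, 'Staff only', 1), (3, 'FAQ', 0);
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def thread_titles_vulnerable(conn, thread_id):
    """The pattern behind the entries above: the request parameter is pasted
    straight into the statement, so the caller controls the SQL."""
    sql = "SELECT title FROM threads WHERE id = " + str(thread_id) + " AND hidden = 0"
    return [row[0] for row in conn.execute(sql)]


def thread_titles_safe(conn, thread_id):
    """Coerce to the expected type first, then bind with a placeholder; the
    database receives the value as data, never as SQL text."""
    try:
        thread_id = int(thread_id)
    except (TypeError, ValueError):
        raise ValueError("thread id must be an integer")
    sql = "SELECT title FROM threads WHERE id = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (thread_id,))]


def threads_by_title_safe(conn, title):
    """String parameters need no escaping when bound: quotes inside the value
    are just characters, so the classic ' OR '1'='1 shape matches nothing."""
    sql = "SELECT id FROM threads WHERE title = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (title,))]


# Constructed request value of the "id=1 OR 1=1" shape; the comment sequence
# discards the rest of the statement, including the hidden = 0 restriction,
# which is how a hidden thread becomes readable.
PAYLOAD = "1 OR 1=1 --"


def compare(payload=PAYLOAD):
    """Run the same request value through both versions; returns their results."""
    conn = connect()
    vulnerable = thread_titles_vulnerable(conn, payload)
    try:
        safe = thread_titles_safe(conn, payload)
    except ValueError as e:
        safe = str(e)
    return vulnerable, safe


if __name__ == "__main__":
    print(compare())
    conn = connect()
    print(threads_by_title_safe(conn, "x' OR '1'='1"))
```

The integer coercion is not a substitute for the placeholder; it is the input validation step, and the placeholder is what makes the query safe regardless of what validation missed.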

  • 08.1.29 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPO3 Simple File Browser Unspecified Information Disclosure
  • Description: Simple File Browser ("simplefilebrowser") is an extension for the TYPO3 content manager. Simple File Browser is exposed to an unspecified information disclosure issue. Simple File Browser version 1.0.2 is affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20081222-4/

  • 08.1.30 - CVE: Not Available
  • Platform: Web Application
  • Title: W2B phpEmployment "auth.php" Arbitrary File Upload
  • Description: W2B phpEmployment is a web application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. phpEmployment version 1.8 is affected.
  • Ref: http://www.securityfocus.com/bid/33000

  • 08.1.31 - CVE: Not Available
  • Platform: Web Application
  • Title: AIST Netcat 3.1.2 Multiple Input Validation Vulnerabilities
  • Description: AIST Netcat is a PHP-based content manager. AIST Netcat is exposed to multiple input validation issues. Attackers can exploit these issues to compromise the affected application, misrepresent how web content is served, cached, or interpreted, execute arbitrary script code and PHP code within the context of the webserver process, and gain access to sensitive information. Other attacks are also possible. AIST Netcat version 3.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/32992

  • 08.1.32 - CVE: Not Available
  • Platform: Web Application
  • Title: W2B phpGreetCards "index.php" Arbitrary File Upload
  • Description: W2B phpGreetCards is a web application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. phpGreetCards version 3.7 is affected.
  • Ref: http://www.securityfocus.com/bid/32995

  • 08.1.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Google Chrome "chromeHTML://" Command Line Parameter Injection
  • Description: Google Chrome is a web browser available for various operating systems. Google Chrome is exposed to an issue that lets attackers inject command-line parameters through protocol handlers. This issue occurs because the application fails to adequately sanitize user-supplied input. Google Chrome version 1.0.154.36 is affected.
  • Ref: http://www.securityfocus.com/archive/1/499570

  • 08.1.34 - CVE: Not Available
  • Platform: Web Application
  • Title: W2B phpAdBoard "index.php" Arbitrary File Upload
  • Description: W2B phpAdBoard is a web application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. phpAdBoard version 1.8 is affected.
  • Ref: http://www.securityfocus.com/bid/32998

  • 08.1.35 - CVE: Not Available
  • Platform: Web Application
  • Title: doop Administration Page Arbitrary File Upload
  • Description: doop is a PHP-based content manager. The application is exposed to an issue that lets attackers upload arbitrary files because it fails to sufficiently sanitize user-supplied input. Specifically the application fails to sanitize file extensions before uploading files through the administration page. doop version 1.4.0b is affected.
  • Ref: http://www.securityfocus.com/bid/33005

  • 08.1.36 - CVE: Not Available
  • Platform: Web Application
  • Title: bloofoxCMS "dialog.php" Local File Include
  • Description: bloofoxCMS is a web-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "lang" parameter of the "dialog.php" script. bloofoxCMS version 0.3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/33013
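Entries 08.1.30, 08.1.32, 08.1.34 and 08.1.35 are arbitrary file uploads (in doop's case an unchecked file extension) and 08.1.36 is a local file include through a "lang" parameter. Both come down to an untrusted string choosing a filesystem path. The Python below is an added example, not code from any of these projects, with the two checks a practitioner would want: an upload validator that allow-lists the extension, verifies the file signature against it and stores the file under a random server-chosen name, and a resolver that maps a parameter such as lang to a file inside a fixed directory and refuses anything that escapes it. The allowed extension set, the magic-byte table and the ".php" suffix used for includes are assumptions made for the example.

```python
import os
import re
import secrets

# Assumed allow-list of extensions the application is prepared to serve; .php,
# .phtml, .htaccess and anything else is refused. Only the last extension is
# considered, and the stored name never carries the client's stem, so a name
# like "shell.php.jpg" cannot survive as a double extension on disk.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes of the accepted formats; the declared extension must agree.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def safe_upload_name(client_filename, content):
    """Validate an upload and return the server-side name to store it under.

    The client's name is used only to read the extension; the stored name is
    random so the client cannot choose a path or collide with another file.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))  # drop any directory part
    if "." not in base:
        raise ValueError("no extension")
    _stem, ext = base.rsplit(".", 1)          # last extension only
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    if not any(content.startswith(m) for m in MAGIC[ext]):
        raise ValueError("content does not match declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def resolve_include(base_dir, name, allowed=None, suffix=".php"):
    """Map an include/template name (e.g. a 'lang' parameter) to a file inside
    base_dir, refusing traversal, null bytes and symlink escapes."""
    if "\x00" in name or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", name):
        raise ValueError("bad include name")
    if allowed is not None and name not in allowed:
        raise ValueError("unknown include name")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, name + suffix))
    # Belt and braces: the regex already excludes separators, but realpath also
    # catches a symlink inside base_dir that points elsewhere.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("include escapes base directory")
    return path


def rejects(func, *args):
    """True if func(*args) raises ValueError; a convenience for the checks below."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a JPEG header and a PHP stub standing in for uploads.
    jpeg = b"\xff\xd8\xff\xe0" + bytes(12)
    print(safe_upload_name("C:\\Users\\me\\photo.JPG", jpeg))
    print(rejects(safe_upload_name, "../../evil.php", b"<?php"))
    print(rejects(safe_upload_name, "shell.php.jpg", b"<?php echo 1;"))
    print(resolve_include("/opt/app/lang", "en"))
    print(rejects(resolve_include, "/opt/app/lang", "../../../etc/passwd"))
```

Store uploads outside the document root and serve them through a handler that sets the content type from the validated extension; the random name removes the path-choice problem, and keeping the directory out of the web root removes the execution problem even if a check is later weakened.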

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.