RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 1

From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Thu Jan 05 2006 - 19:53:20 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This issue was delayed because we were waiting for the Microsoft patch
for the wmf vulnerability. It is now available directly from Microsoft.

A research project opportunity to give back to the community: for DoD
and other government employees and consultants who know about C&A and
DITSCAP. If you have knowledge of either good or bad practices, please
email info@sans.org with subject C&A.

                                  Alan

*************************************************************************
           RISK: The Consensus Security Vulnerability Alert
January 5, 2006 Vol. 5. Week 1
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
=======================================================================
Platform                          # of Updates & Vulnerabilities
=======================================================================
Windows                            1 (#1)
Other Microsoft Products           1
Third Party Windows Apps           1
Linux                              1
Cross Platform                     2
Web Application                   15
Hardware                           3

************************ Sponsored Links: *****************************

1) Free SANS Webcasts! "Update on the Law of IT Security Policies:
New Guidance under GLBA"
Tuesday, January 10 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=975

2) Internet Storm Center: "Threat Update" webcast
Wednesday, January 11 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=976

*************************************************************************

Table of Contents:

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) UPDATE: Microsoft WMF Handling Remote Code Execution

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
06.01.24 - Windows Graphics Rendering Engine WMF Format Code Execution
 -- Other Microsoft Products
06.01.3 - Microsoft Internet Explorer MSHTML.DLL HTML Parsing Denial of Service
 -- Third Party Windows Apps
06.01.8 - ARJ Archive Filename Handling Buffer Overflow
 -- Linux
06.01.12 - PTnet IRCD Remote Denial of Service
 -- Cross Platform
06.01.10 - VMWare ESX Server Management Interface Code Execution
06.01.13 - ImageMagick Image Filename Remote Command Execution
 -- Web Application
06.01.1 - PHPSurveyor SID Parameter SQL Injection
06.01.2 - Koobi BBCode URL Tag Script Injection
06.01.4 - PHPDocumentor Remote and Local File Include Vulnerabilities
06.01.5 - GMailSite Cross-Site Scripting
06.01.6 - MyBB Globa.PHP Cookie Data SQL Injection
06.01.7 - TinyMCE Compressor Multiple Vulnerabilities
06.01.9 - Web Wiz Multiple Products SQL Injection Vulnerabilities
06.01.11 - PHPBB Multiple Unspecified Input Validation Vulnerabilities
06.01.14 - Kayako SupportSuite Multiple Cross-Site Scripting Vulnerabilities
06.01.15 - OOApp Guestbook Home Script Cross-Site Scripting
06.01.16 - Ades Design AdesGuestbook Read Script Cross-Site Scripting
06.01.17 - iPei Guestbook Index.PHP Cross-Site Scripting
06.01.18 - MyBB Print Thread Script HTML Injection
06.01.19 - MyBB File Upload SQL Injection
06.01.23 - phpDocumentor Forum Lib Variable Cross-Site Scripting
 -- Hardware
06.01.20 - Blackberry Enterprise Server TIFF Attachment Denial of Service
06.01.21 - Blackberry Handheld JAD File Browser Denial of Service
06.01.22 - Blackberry Enterprise Server Router SRP Packet Denial of Service
______________________________________________________________________

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

***************************
Widely Deployed Software
***************************

(1) UPDATE: Microsoft WMF Handling Remote Code Execution
 
Description: Updated exploit code has been publicly posted that
initially bypassed many AV products as well as IDS/IPS systems. The new
exploit code pads the malicious WMF file with certain benign metafile
function records. It is possible to create further variants by changing
the function numbers used in the padding. Reports indicate that the
malicious WMF files (that can be camouflaged with benign extensions like
jpg or gif) are being sent via links in IM chat. NIST has reported that
Lotus Notes uses the vulnerable Windows DLL to open WMF images and hence
is affected by the flaw as well. An unofficial patch has been published
by Ilfak Guilfanov (creator of IDAPro). The patch has been verified by
SANS Incident Handlers and works as intended. Because this vulnerability
has a large number of attack vectors (the malicious WMF file can be
delivered via HTTP, file sharing, IM, or e-mail), it is recommended to
apply the unofficial patch to protect client systems. In the meantime,
Microsoft is getting ready to release the patch next Tuesday
(Jan 10, 2006) along with other security updates.

Council Site Actions: All reporting council sites are responding to this
issue. Most are keeping their AV signatures up to date and are waiting
for the official MS patch. Most sites will deploy the MS patch on an
expedited basis when it arrives and after they have completed QA. Some
sites have also updated their IDS/IPS signatures, are black-holing
URLs with malicious content as they become known, and are removing all
WMF attachments. Several sites have tested unregistering the DLL, but
this broke several of their applications. Several sites are also
considering deploying the unofficial patch if the risk increases.
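The point of the padding described above is that signatures keyed to fixed byte patterns can be shifted out of place by inserting harmless records, while a check that parses the file structurally and inspects every record is unaffected; the camouflaged extensions defeat filters that trust the file name rather than the content. The Python below is an added example, not code from the newsletter, from SANS, TippingPoint or Microsoft. It assumes only the public WMF header and record layout (placeable header key, 18-byte standard header, records of a DWORD word-count followed by a WORD function number); the record constants, including the Escape/SetAbortProc combination it flags, come from the WMF specification rather than this bulletin. The sample files are constructed inline and carry no payload.

```python
import struct

# Format constants taken from the public WMF specification (not from the
# newsletter). The check flags the record type involved in this issue
# structurally, without relying on byte offsets that padding would shift.
PLACEABLE_KEY = 0x9AC6CDD7     # leading DWORD of a placeable WMF header (22 bytes)
STANDARD_HEADER_LEN = 18       # METAHEADER: 9 WORDs
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009


def is_wmf(data: bytes) -> bool:
    """Recognise WMF content by its header, ignoring whatever extension it carries."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) < STANDARD_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (offset, function_number, parameter_bytes) for every record.

    Record layout: DWORD size in 16-bit words (counting these 6 bytes), WORD function.
    """
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += STANDARD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("malformed record at offset %d" % off)
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def analyze(data: bytes, filename: str) -> dict:
    """Content sniffing plus a walk over every record: benign padding records
    change the function list but not whether the flagged record is present."""
    wmf = is_wmf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"is_wmf": wmf, "extension_mismatch": wmf and ext != "wmf",
              "functions": [], "setabortproc": False}
    if not wmf:
        return result
    for _off, func, params in iter_records(data):
        result["functions"].append(func)
        if (func == META_ESCAPE and len(params) >= 2
                and struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC):
            result["setabortproc"] = True
    return result


# --- constructed sample files for demonstration (not real captures) ---
def _record(func: int, *params: int) -> bytes:
    body = struct.pack("<%dH" % len(params), *params)
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body


def _wmf(records) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STANDARD_HEADER_LEN + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


# SetMapMode, SetWindowOrg, SetWindowExt, then EOF: an ordinary drawing file.
BENIGN_WMF = _wmf([_record(0x0103, 8), _record(0x020B, 0, 0),
                   _record(0x020C, 100, 100), _record(META_EOF)])
# Harmless SaveDC records inserted ahead of the escape record, in the spirit
# of the padding the bulletin describes; the escape carries a zero-length body.
FLAGGED_WMF = _wmf([_record(0x001E)] * 3 +
                   [_record(META_ESCAPE, ESCAPE_SETABORTPROC, 0), _record(META_EOF)])
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 40   # JPEG SOI marker, not WMF

if __name__ == "__main__":
    for name, blob in (("chart.wmf", BENIGN_WMF), ("photo.gif", FLAGGED_WMF),
                       ("photo.jpg", JPEG_LIKE)):
        print(name, analyze(blob, name))
```

A mail or proxy filter built on `analyze` would strip or quarantine on `is_wmf` alone (the action several council sites took), and could escalate on `extension_mismatch` or `setabortproc`; the function-number list is what lets an analyst see the padding variants rather than being blinded by them.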

References:
Updated Exploit Code
http://metasploit.com/projects/Framework/exploits.ie_xp_pfv_metafile.pm
SANS Handler's Diary Posting (Includes Excellent FAQ Regarding the Vulnerability)
http://isc.sans.org/diary.php?date=2006-01-02
http://isc.sans.org/diary.php?date=2006-01-01
Unofficial Patch Download
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
Metafile Format
http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt
NIST Posting About Lotus Notes
http://www.nist.org/nist_plugins/content/content.php?content.25
IM Worm Exploiting the Vulnerability
http://www.viruslist.com/en/weblog?discuss=176892530&return=1
Microsoft Patch Announcement
http://www.microsoft.com/technet/security/advisory/912840.mspx

****************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4750 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

06.01.1 CVE: Not Available
Platform: Web Application
Title: PHPSurveyor SID Parameter SQL Injection
Description: PHPSurveyor is a web-based application for performing
online surveys. Insufficient sanitization of the "sid" parameter exposes
the application to an SQL injection issue. PHPSurveyor version 0.99 is
affected.
Ref: http://www.securityfocus.com/bid/16077
______________________________________________________________________

06.01.2 CVE: Not Available
Platform: Web Application
Title: Koobi BBCode URL Tag Script Injection
Description: Koobi is prone to a script injection issue due to
insufficient sanitization of user supplied input. Attacker-supplied
HTML and script code would be able to access properties of the site,
potentially allowing for theft of cookie-based authentication credentials.
Koobi version 5 is affected.
Ref: http://www.securityfocus.com/bid/16078
______________________________________________________________________

06.01.3 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer MSHTML.DLL HTML Parsing Denial of Service
Description: Microsoft Internet Explorer is affected by a denial of
service vulnerability because the application fails to properly parse
certain malformed HTML content. An attacker may exploit this issue by
enticing a user to visit a malicious site, resulting in a denial of
service condition in the application. Internet Explorer versions 6.0
and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/16079/info
______________________________________________________________________

06.01.4 CVE: CVE-2005-4593
Platform: Web Application
Title: phpDocumentor Remote and Local File Include Vulnerabilities
Description: phpDocumentor is a web-based application that is used to
create professional documentation from php source code. It is vulnerable
to multiple remote and local file include issues due to insufficient
sanitization of user-supplied data. phpDocumentor versions 1.3.0 RC4
and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/16080
______________________________________________________________________

06.01.5 CVE: Not Available
Platform: Web Application
Title: GMailSite Cross-Site Scripting
Description: GMailSite is a web-based application that archives messages
from users' GMail accounts. GFHost is a similar script. Both are vulnerable
to a cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "lng" parameter of the "index.php" script.
GMailSite versions 1.0.4 and earlier are vulnerable. GFHost version 0.4.2
is vulnerable.
Ref: http://lostmon.blogspot.com/2005/12/gmailsite-variable-cross-site.html
______________________________________________________________________

06.01.6 CVE: Not Available
Platform: Web Application
Title: MyBB Globa.PHP Cookie Data SQL Injection
Description: MyBB is web forum software. It is prone to an SQL injection
vulnerability due to improper sanitization of user-supplied input. The
vulnerability presents itself when user-supplied input via cookie data
is passed to the "logon" parameter of the "admin/globa.php" script.
MyBB version 1.0 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/16082/exploit
______________________________________________________________________

06.01.7 CVE: CVE-2005-4599, CVE-2005-4600
Platform: Web Application
Title: TinyMCE Compressor Multiple Vulnerabilities
Description: TinyMCE is a platform independent Web-based JavaScript
HTML WYSIWYG editor control. TinyMCE Compressor is a script that may
be optionally used with the application for compression of generated
JavaScript output. TinyMCE Compressor is prone to a file disclosure
vulnerability and also affected by multiple cross-site scripting and
HTML injection vulnerabilities. TinyMCE Compressor versions 1.0.5 and
prior are vulnerable.
Ref: http://www.securityfocus.com/bid/16083
______________________________________________________________________

06.01.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: ARJ Archive Filename Handling Buffer Overflow
Description: TUGZip is prone to a buffer overflow issue which is exposed
when the application extracts an ARJ archive that contains a file with
a long name. The cause of the vulnerability is insufficient bounds
checking on the length of the externally supplied file name before it
is copied into a finite process buffer. TUGZip version 3.4.0.0 is
affected.
Ref: http://www.securityfocus.com/bid/16084
______________________________________________________________________

06.01.9 CVE: Not Available
Platform: Web Application
Title: Web Wiz Multiple Products SQL Injection Vulnerabilities
Description: Web Wiz products are affected by multiple SQL injection
issues due to insufficient sanitization of the "txtUserName" parameter
in the "check_user.asp" script. Web Wiz Site News 3.06 for Access 2000
and Access 97, Web Wiz Journal 1.0 for Access 2000 and Access 97, Web
Wiz Polls 3.06 for Access 2000 and Access 97, and Web Wiz Database Login
1.71 for Access 2000 and Access 97 are affected.
Ref: http://www.securityfocus.com/bid/16085
______________________________________________________________________

06.01.10 CVE: Not Available
Platform: Cross Platform
Title: VMWare ESX Server Management Interface Code Execution
Description: VMWare ESX Server is a virtual machine server that allows
for multiple virtual servers to be deployed and managed. VMWare ESX
Server is prone to an unspecified remote code execution vulnerability.
Please refer to the following advisory for a list of vulnerable versions.
Ref: http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001
______________________________________________________________________

06.01.11 CVE: CVE-2005-3417
Platform: Web Application
Title: PHPBB Multiple Unspecified Input Validation Vulnerabilities
Description: PHPBB is a bulletin board application. It is vulnerable
to multiple unspecified vulnerabilities due to insufficient sanitization
of user-supplied data. PHPBB versions 2.0.19 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/420537
______________________________________________________________________

06.01.12 CVE: Not Available
Platform: Linux
Title: PTnet IRCD Remote Denial of Service
Description: PTnet IRCD is an IRC server. It is vulnerable to a denial
of service issue when a remote unprivileged user attempts to open a
"#*.log" channel. PTnet IRCD versions 1.5 and 1.6 are vulnerable.
Ref: http://www.securityfocus.com/bid/16089/info
______________________________________________________________________

06.01.13 CVE: Not Available
Platform: Cross Platform
Title: ImageMagick Image Filename Remote Command Execution
Description: ImageMagick is an image editing application that supports
numerous image formats, including the PNM image format. It is prone to
a remote shell command execution vulnerability due to insufficient
sanitization of user-supplied data. ImageMagick 6.2.4.5 is reported to
be vulnerable; other versions may be affected as well.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345238
______________________________________________________________________

06.01.14 CVE: CVE-2005-0842
Platform: Web Application
Title: Kayako SupportSuite Multiple Cross-Site Scripting Vulnerabilities
Description: Kayako SupportSuite is a web-based customer service
application. It is prone to multiple cross-site scripting vulnerabilities.
These issues are due to a failure in the application to properly sanitize
user-supplied input to the "nav" parameter of the "index.php" script and
the "Full Name", "Email", "Subject", and "Registered Email" parameters of
the "register", "submit" and "lostpassword" modules. These issues affect
versions 3.00.26 and prior.
Ref: http://pridels.blogspot.com/2005/12/kayako-supportsuite-multiple-vuln.html
______________________________________________________________________

06.01.15 CVE: Not Available
Platform: Web Application
Title: OOApp Guestbook Home Script Cross-Site Scripting
Description: OOApp Guestbook is a web-based guestbook application. It
is affected by a cross-site scripting issue due to insufficient
sanitization of the "page" parameter of the "home.php" script. OOApp
Guestbook version 2.1 is affected.
Ref: http://www.securityfocus.com/bid/16091
______________________________________________________________________

06.01.16 CVE: Not Available
Platform: Web Application
Title: Ades Design AdesGuestbook Read Script Cross-Site Scripting
Description: Ades Design AdesGuestbook is a web-based guestbook
application. Insufficient sanitization of the "read" parameter of the
"read.php" script exposes the application to a cross-site scripting
issue. AdesGuestbook version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/16090
______________________________________________________________________

06.01.17 CVE: Not Available
Platform: Web Application
Title: iPei Guestbook Index.PHP Cross-Site Scripting
Description: iPei Guestbook is a web site guestbook application
implemented in PHP. It is vulnerable to a cross-site scripting issue
due to a failure in the application to properly sanitize user-supplied
input to the email field parameters of "index.php" script. An attacker
may leverage this issue to steal cookie-based authentication credentials
as well as perform other attacks. iPei Guestbook versions 1.7 and
earlier are vulnerable.
Ref: http://pridels.blogspot.com/2005/12/ipei-guestbook-xss-vuln.html
______________________________________________________________________

06.01.18 CVE: CVE-2005-4603
Platform: Web Application
Title: MyBB Print Thread Script HTML Injection
Description: MyBulletinBoard (MyBB) is a web forum application. It is
vulnerable to an HTML injection vulnerability due to insufficient
sanitization of user-supplied input containing HTML and script code that
is viewed through the "print view of thread" feature in the
"printthread.php" script. MyBulletinBoard versions 1.0.1 and earlier
are vulnerable.
Ref: http://www.securityfocus.com/archive/1/420569
______________________________________________________________________

06.01.19 CVE: CVE-2005-4602
Platform: Web Application
Title: MyBB File Upload SQL Injection
Description: MyBulletinBoard (MyBB) is a web forum application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "inc/function_upload.php" script.
MyBulletinBoard versions 1.0 PR2 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/420573
______________________________________________________________________

06.01.20 CVE: CVE-2005-2341
Platform: Hardware
Title: Blackberry Enterprise Server TIFF Attachment Denial of Service
Description: Blackberry Enterprise Server is communications middleware
for Blackberry devices. It is prone to denial of service attacks.
This issue affects the Attachment Service and may be triggered by a
malformed TIFF attachment. Blackberry Enterprise Server for Exchange
versions 4.0 SP1 and 4.0 are vulnerable.
Ref: http://blogs.washingtonpost.com/securityfix/2006/01/security_hole_e.html
______________________________________________________________________

06.01.21 CVE: CVE-2005-2343
Platform: Hardware
Title: Blackberry Handheld JAD File Browser Denial of Service
Description: Blackberry Handheld devices are prone to a denial of
service attack. The embedded Web browser will stop responding due to a
dialog box that has not been properly dismissed when handling a
malformed JAD (Java Application Description) file. The vulnerability
is caused when the user of the device downloads a malformed JAD file
from a Web site. The JAD file will specify a long application name and
vendor string of 256 bytes or more. This issue affects devices running
Blackberry Device Software versions prior to 4.0.2.
Ref:
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/725/8142/?nodeid=1167791
______________________________________________________________________

06.01.22 CVE: CVE-2005-2342
Platform: Hardware
Title: Blackberry Enterprise Server Router SRP Packet Denial of Service
Description: The Blackberry Enterprise Server Router component is prone
to a denial of service issue. This issue is triggered by sending malformed SRP
(Server Routing Protocol) packets to the Router. The issue could only
be exploited by an attacker who is in a position to impersonate the
Blackberry Infrastructure or possibly has access to the internal network
that the server is deployed on. The component accepts messages on TCP
port 3101.
Ref: http://www.securityfocus.com/bid/16100
______________________________________________________________________

06.01.23 CVE: Not Available
Platform: Web Application
Title: phpDocumentor Forum Lib Variable Cross-Site Scripting
Description: phpDocumentor is a web-based documentation application.
Insufficient sanitization of the "FORUM[LIB]" parameter in the
"bug-559668.php" script exposes the application to a cross-site
scripting issue. phpDocumentor versions 1.3 RC4 and earlier are affected.
Ref: http://www.securityfocus.com/bid/16101

______________________________________________________________________

06.01.24 CVE: Not Available
Platform: Windows
Title: Windows Graphics Rendering Engine WMF Format Code Execution
Description: Microsoft Windows supports the Windows Metafile (WMF)
image format. A remote code execution issue presents itself when a user
views a malicious WMF formatted file. The vulnerability is triggered
when the engine attempts to parse the file. Any code execution that
occurs will be with SYSTEM privileges due to the nature of the affected
engine. Please see the attached link for a list of affected systems.
Ref: http://www.microsoft.com/technet/security/advisory/912840.mspx

______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDvcJY+LUG5KFpTkYRAq5vAKCY3r2i1SWjlM/Gk/MKBOrHdYhafQCdHh8t
usN+gKwO1hi+uVeZTtyhxkM=
=9mVa
-----END PGP SIGNATURE-----