Advisories
Please read our Vulnerability Disclosure Policy.
xine-lib <1.1.19 Free Uninitialised Variable
Aug 24, 2010
xine-lib is affected by a memory corruption vulnerability because it uses a variable without initialising it. This could be exploited by an attacker in order to execute arbitrary code on the target system with the privileges of the logged-in user.
Mozilla Firefox 64-Bit SetTextInternal Heap Buffer Overflow
Jun 23, 2010
A heap buffer overflow vulnerability was discovered which is caused by an integer overflow in nsGenericDOMDataNode::SetTextInternal().
Due to the amount of data needed to trigger the vulnerability (> 8 gigabytes), this is only exploitable on 64-bit systems. This vulnerability was tested on Ubuntu AMD64 with the default install of Firefox.
See this white paper for more details on vulnerabilities specific to 64-bit platforms.
References:
- http://www.mozilla.org/security/announce/2010/mfsa2010-29.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=534666
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1196
DotNetNuke Cross Site Request Forgery Vulnerability
Jun 14, 2010
DotNetNuke is a Content Management System (CMS) for the .NET platform, which powers “over 500,000” websites. This vulnerability affects version 5.4.2 and earlier.
It was discovered that the application enabled some sensitive actions, such as changing a registered email address, to be performed with only the session identifier used as authentication. This could enable an attacker to alter a user's email address through a Cross Site Request Forgery (CSRF) attack. The forgotten password functionality could then be used to reset the password and consequently compromise the account.
BT Home Hub - SSID Script Injection Vulnerability
May 10, 2010
The BT Home Hub administrative web interface has been identified as being vulnerable to a script injection attack that could allow remote attackers to compromise the security of the device by performing Cross Site Scripting Attacks (XSS).
An attacker could set up a fake access point broadcasting specially crafted 802.11 ‘beacon’ packets containing a malicious payload in the Service Set Identifier (SSID). The malicious SSID will be displayed in the Accessible Access Points Table page of the BT Home Hub administrative interface and will be executed when an administrator scans for wireless access points.
VMware - WebAccess HTTP Forwarding Vulnerability
Apr 16, 2010
A vulnerability was identified within multiple VMware products which would allow an unauthenticated attacker to utilise the WebAccess component of VMware as a proxy for making requests to other servers.
IBM WebSphere MQ - ziiVSendReceiveAgent Memory Corruption Vulnerability
Mar 04, 2010
A memory corruption vulnerability was discovered that could allow an attacker to copy data outside the bounds of a memory page causing a denial of service condition and potentially code execution.
IBM - WebSphere MQ - rriDecompress Remote Denial of Service Vulnerability
Mar 04, 2010
A vulnerability was identified with the packet handling routines which would allow a malicious attacker to cause a denial of service condition.
IBM WebSphere MQ - rriLookupGet Remote Denial of Service Vulnerability
Mar 04, 2010
A vulnerability exists in the state machine which handles incoming MQ networking packets; this issue could be exploited to disrupt the MQ service for legitimate users.
Symantec's Altiris Deployment Solution - AClntUsr Local Privilege Escalation
Jan 07, 2010
A vulnerability has been identified in the autorun AClntUsr.exe binary installed as part of the Altiris software agent on managed clients. It was found to allow write access to any user.
Symantec's Altiris Deployment Solution - Client/Server Authentication Bypass
Jan 07, 2010
A vulnerability has been identified in the software agent in the client that connects to the deployment server. It does not properly track the current authentication status of the server to which it connects and so can be tricked into accepting commands without verifying the authenticity of the server.
Symantec's Altiris Deployment Solution - DBManager Authentication Bypass
Jan 07, 2010
A vulnerability has been identified in the DBManager service on the deployment server which could allow the service to accept commands without the client providing valid authentication details.
Symantec's Altiris Deployment Solution - File Transfer Race Condition
Jan 07, 2010
A race condition vulnerability has been identified in the service that enables file transfer functionality between the deployment server and its clients. A remote attacker who was able to communicate with the deployment server could intercept the contents of files destined for clients and prevent their delivery.
Intersystems Cache CSP (Cache Server Pages) Stack Overflow
Dec 17, 2009
A stack based buffer overflow vulnerability exists in Intersystems Cache CSP (Cache Server Pages) Apache extension which can be exploited by a remote attacker to execute arbitrary code in the context of the web server's user rights.
MWR InfoSecurity have made the decision to release this advisory due to the current existence of exploit code for the vulnerability within the public domain.
It should be noted that this vulnerability was also found recently by other security researchers and exploits were created for the Metasploit and Canvas exploitation frameworks. MWR InfoSecurity independently discovered this vulnerability and disclosed details of it to the vendor through CPNI in October 2009.
MWR InfoSecurity discovered and researched this issue on the Linux platform, whilst the Canvas and Metasploit exploits both target Microsoft Windows systems. This advisory details the vulnerability on the Linux platform and therefore provides further information about the issue that may be of value to interested parties.
The following links provide more information about this vulnerability as documented by other security researchers:
http://www.securityfocus.com/bid/37177
http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/intersystems_cache.rb
https://forum.immunityinc.com/board/thread/1077/intersystems-cache-bof/?page=1#post-1077
Linux USB Device Driver - Buffer Overflow
Oct 29, 2009
The Auerswald Linux USB device driver is used to allow compatibility of an Auerswald PBX/System telephone with Linux operating systems via the USB port.
This device driver is vulnerable to a buffer overflow which could be exploited by an attacker with physical access to the system. This vulnerability could be exploited in order to execute arbitrary code on the target system.
IBM WebSphere MQ: Multiple Vulnerabilities
Oct 05, 2009
Multiple vulnerabilities have been identified in IBM WebSphere MQ which could lead to a denial of service attack or potentially remote code execution. Please note that specific MQ security controls can partially mitigate the risk associated with these issues if these have been deployed in an appropriate manner.
A combined fix pack has been released which addresses these issues found:
http://www-01.ibm.com/support/docview.wss?uid=swg24024153
Due to the nature of these vulnerabilities full details will not be provided at the present time so that customers are able to apply the appropriate security patches. However, a full advisory will be released in approximately 3 months time. MWR InfoSecurity customers can obtain further information about the issue by contacting their account manager.
IBM WebSphere MQ rriAcceptOAMUserAuth Heap Overflow Vulnerability
Oct 02, 2009
In June MWR InfoSecurity reported an IBM WebSphere MQ Remote Buffer Overflow. Due to the nature of the vulnerability full details were not released at that time. IBM have since released a patch and therefore the full details of the vulnerability can now be released:
The WebSphere MQ service can be used to transfer messages between systems and applications. It has been identified that incorrect data validation is performed leading to a subsequent heap overflow vulnerability in the packet handling routines. This vulnerability is associated with the memory allocation code and can result in the overwriting of data on the heap. This vulnerability could be exploited remotely from an unauthenticated perspective in order to execute arbitrary code.
The full advisory can be found from the download link above.
Altiris Deployment Solution Vulnerabilities
Sep 07, 2009
MWR InfoSecurity have identified a number of vulnerabilities in the Altiris Deployment Solution software. Symantec have now issued patches for a number of issues that may have a significant impact on an environment utilising this technology. It is therefore recommended that the patches be applied to affected systems as soon as possible.
Symantec's advisory along with a link to the patch can be found at the following URL: -
Due to the potential impact of the vulnerabilities full details will not be provided at the present time so that customers are able to apply the appropriate security patches. However, a full advisory will be released in the near future. MWR InfoSecurity customers can obtain further information about the issues by contacting their account manager.
IBM WebSphere MQ Remote Buffer Overflow
Jun 04, 2009
MWR InfoSecurity have identified that a number of versions of WebSphere MQ are vulnerable to a security issue due to the incorrect validation of user supplied data. This can lead to a heap overflow vulnerability in the packet handling routines. This vulnerability is associated with the software's memory allocation code and can result in the overwriting of data on the heap. This vulnerability could be exploited remotely from an unauthenticated perspective in order to execute arbitrary code. Please note that specific MQ security controls can partially mitigate the risk associated with this issue if these have been deployed in an appropriate manner.
Due to the nature of the vulnerability full details will not be provided at the present time so that customers are able to apply the appropriate security patches. However, a full advisory will be released in approximately 3 months time. MWR InfoSecurity customers can obtain further information about the issue by contacting their account manager.
Fixes for the issue can be obtained via the following link:
http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24023135
Author: A Plaskett
CVE: CVE-2009-0896
Update (2nd Oct 2009): The advisory has now been released and can be downloaded here.
Retain Resource Server Remote Code Execution
Apr 07, 2009
A vulnerability exists in the Retain Planner Server networking protocol which could allow an attacker to execute code remotely by crafting a malicious packet in order to hijack the flow of execution.
WebEx Remote Support Application Vulnerability
Apr 06, 2009
The Remote Support Center application utilises the WebEx portal to provide a mechanism which allows remote assistance of users or the sharing of an application such as a PowerPoint presentation or browser session. A vulnerability was identified whereby the security controls within the application could be overridden and that all actions could have been taken without the permission of the user or of the Meeting Host.
This document is intended to provide further information about security vulnerabilities previously identified in the WebEx Remote Support Center Application. The information included here should be used to identify how use of the service might impact on an organisation’s security posture and how it can be ensured that its usage does not expose unnecessary risk. This document is not intended as a statement of MWR InfoSecurity’s opinion about the security of this application, or of the service in general.
Sophos RMS / TAO Component Denial of Service
Jan 16, 2009
The Remote Management System (RMS) router component of Sophos Anti-Virus utilises TAO, which is a third party developed message request broker that contains a vulnerability. This RMS component is used by a service in installations of Sophos software. By constructing a specially crafted packet it is possible to cause the service to terminate. This attack could be performed without authenticating to the remote system.
WebSphere MQ TCPReceive Heap Overflow
Jan 12, 2009
The WebSphere MQ service can be used to transfer messages between systems and applications. A signedness check error and subsequent heap buffer overflow vulnerability has been identified in the TCPReceive function. The vulnerability is associated with the copying of data received in MQ packets on the heap. This could be used to terminate a core MQ process and, although this process would restart, the technique could still be used to perform a Denial of Service (DoS) attack. Given sufficient time and effort this issue could potentially result in the execution of arbitrary code. The vulnerable function can be reached in a number of ways and could be exploited by unauthenticated attackers.
WebSphere MQ xcsGetMem Heap Overflow
Jan 12, 2009
The WebSphere MQ service can be used to transfer messages between systems and applications. An integer overflow and subsequent heap overflow vulnerability has been identified in the packet parsing routines. This vulnerability is associated with the memory allocation code and can result in the overwriting of data on the heap. This vulnerability could be exploited to execute arbitrary code.
HP Quality Center Authentication Bypass
Oct 03, 2008
HP Quality Center versions 9.0 and 9.2 make extensive use of ActiveX components and auxiliary client-side DLLs. During use of the application, a lot of client-side processing takes place. By exploiting the weak trust boundary between the server and the client components, it is possible to bypass authentication for the HP Quality Center administrative pages.
PluggedOut CMS User Authentication Bypass Vulnerability
Jul 31, 2008
The PluggedOut Content Management System allows users to manage the content of their website through a web-based administration portal. The administration is performed through a PHP script and allows authenticated users to manage the website and upload new PHP content. Using this vulnerability an attacker could gain access to the CMS system and would be able to upload new PHP content.
DD-WRT SSID Script Injection Vulnerability
Jul 28, 2008
DD-WRT is a third-party developed firmware released under the terms of the GPL for many IEEE 802.11a/b/g/h/n wireless routers based on a Broadcom or Atheros chip reference design. As a result of the research conducted to produce the paper Behind Enemy Lines it was discovered that the DD-WRT administrative web interface is vulnerable to an SSID script injection attack. An attack could be crafted that could allow remote attackers to fully compromise the device. To resolve this vulnerability it is recommended that the software be upgraded to the latest available version.
pfSense DHCP Script Injection Vulnerability
Jul 28, 2008
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. As a result of the research conducted to produce the paper Behind Enemy Lines it was discovered that the pfSense firewall 1.0.1 administrative web interface is vulnerable to a DHCP script injection attack. An attack could be crafted to execute commands on the target system with root privileges through the exec.php script provided by the administrative web interface. To resolve this vulnerability it is recommended that the software be upgraded to the latest available version.
IBM Lotus Domino "Accept Language" Stack Overflow Advisory
May 20, 2008
MWR InfoSecurity published an advisory today relating to a stack based buffer overflow vulnerability in IBM Lotus Domino Web Server which can be exploited remotely.
The vulnerability would enable an attacker to execute arbitrary code on the system; in the majority of installations this will be with local SYSTEM privileges.
Users should upgrade to the latest secure version of the product by applying the appropriate vendor provided security fix. The versions not affected by this issue are Lotus Domino 7.0.3 FixPack 1 (FP1) and 8.0.1. Information about the location of updated packages can be discovered at the following location: http://www.ibm.com/support/docview.wss?rs=463&uid=swg21303057
National Rail Live Enquiries Departure Board Gadget Vulnerability
Apr 24, 2008
The National Rail Live Departure Board gadget has been identified as being vulnerable to a script injection attack that could potentially allow remote attackers to execute commands on the target system. An attacker successfully exploiting this vulnerability could execute arbitrary commands in the context of the current logged in user.
The National Rail Live Departure Board Sidebar gadget vulnerability is present because of a lack of sufficient sanitisation on arguments passed from the web server to the Sidebar gadget application.
The vendor has addressed this vulnerability and implemented a fix in version 1.1. This version has yet to be tested.
The National Rail Live Enquiries Departure Board Gadget upgrade can be found at the following location: http://gallery.live.com/LiveItemDetail.aspx?li=aef90e44-18cf-4246-b1d9-4ab83e0e13db
IBM Informix Pre-Authentication Stack Overflow
Apr 15, 2008
An advisory has been released today by MWR InfoSecurity relating to a Pre-authentication stack overflow in IBM Informix.
The IBM Informix Database service is vulnerable to a stack based buffer overflow which can be exploited remotely before the authentication has been completed.
The vulnerability would enable an attacker to execute arbitrary code on the system with the privileges of the Informix user. By default, this account is a member of the administrators group on a Microsoft Windows system.
The code responsible for parsing the parameters within the first packet of the protocol handshake does not validate the number of arguments it accepts. This results in the ability to overflow a stack buffer which in turn allows arbitrary code to be executed.
The vendor has released updates to resolve this issue; please refer to the following link: http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only
Watchguard Firebox User Enumeration Vulnerability
Apr 04, 2008
An advisory has been published today by MWR InfoSecurity relating to a user enumeration vulnerability present in Watchguard Firebox software prior to Version 10. The vendor has released a patch to address the issue which may be downloaded from https://www.watchguard.com/archive/softwarecenter.asp.
The impact of this vulnerability is that password guessing attacks can be performed much more efficiently by conducting them only against those usernames known to be valid. Additionally, these usernames may be valid on other systems and may also aid social engineering attacks.
Interwoven WorkSite - Active X Control Remote Code Execution
Apr 03, 2008
Worksite is a document management and email management solution from Interwoven Inc (Interwoven). Some of the functionality of the application is made available through ActiveX controls which are distributed within the iManFile.cab file. The ActiveX controls were found to be unsafe and permit code to be executed remotely by an attacker who is able to direct a user to a website containing exploit code.
The most serious of these vulnerabilities could enable an attacker to execute arbitrary code on a user’s computer remotely. This code would be executed with the permissions of the user logged into the system. However, other vulnerabilities are present.
The vendor has addressed this vulnerability in their latest service pack (WorkSite Web 8.2 SP1 P2) available from http://worksitesupport.interwoven.com.
IBM Websphere MQ MCAUSER Bypass
Mar 28, 2008
The Websphere MQ service can be used to transfer messages between systems and applications. It is possible to lock down access to channels by setting an invalid MCAUSER. A method of bypassing this authorisation control has been discovered which would enable unauthorised access to be gained.
The vendor has released a fix for this vulnerability and download details are available within the advisory.
IBM Websphere MQ Security Exit Bypass
Mar 28, 2008
The Websphere MQ service can be used to transfer messages between systems and applications. It is possible to protect the channels within the Queue Manager with a security exit which requires that an authentication check be passed before a connection can be established. A method of bypassing this authentication has been discovered which would enable unauthorised access to be gained.
The vendor has released a fix pack that addresses these issues and download details are available within the advisory.
Elastic Path Arbitrary File Systems Access
Mar 07, 2008
An advisory has been released today by MWR InfoSecurity relating to Elastic Path ecommerce software versions 4.1 and 4.1.1.
Multiple input validation vulnerabilities were identified within the Elastic Path application. As a result, directory traversal was possible allowing unrestricted file system access to the remote server. The impact of the vulnerabilities could enable an attacker to upload and download files from arbitrary locations on the affected system.
The vendor has released a patch to address these vulnerabilities. To obtain the patch users must contact the vendor at support@elasticpath.com or http://www.elasticpath.com/support/.
ITN News Sidebar Gadget
Feb 07, 2008
An advisory has been released today by MWR InfoSecurity relating to the ITN News Windows Vista sidebar gadget which is vulnerable to a script injection attack that could allow remote attackers to execute commands on the target system. The vendor has addressed this vulnerability and implemented a fix in version 1.23. The full advisory, including a link to the upgrade can be viewed from the download link above.
Meridio Cross Site Scripting Vulnerability
Jan 15, 2008
Meridio Document and Records Management has been identified as being vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to inject JavaScript into the application. This would then be executed within the context of the browser of the application user. The impact of this attack is only limited by the creativity of the attacker exploiting this vulnerability. The most dangerous form of XSS involves hostile code being permanently stored within the application. This means the embedded code would be executed by every user accessing the affected page and this is the case in this instance. Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.
Plogger SQL Injection
Dec 17, 2007
An SQL injection vulnerability was identified in Plogger, a popular open source PHP photo gallery. CPNI (The Centre for the Protection of National Infrastructure) have been informed of this vulnerability. The vendor has also been informed and has released a code fix which is available from change set 489. The vulnerability would enable an attacker to inject arbitrary SQL statements. SQL injection inference techniques were used to develop a proof of concept exploit that could be used to access any field from the Plogger database (and potentially any field of any database accessible by the database user Plogger is configured to use).
IBM Lotus Domino "If-Modified-Since" Stack Overflow
Oct 15, 2007
The IBM Lotus Domino Web Server service is vulnerable to a stack based buffer overflow which can be exploited remotely. Upon reporting this issue to IBM it was discovered that this was a known issue which had been resolved in a number of previous releases and Fix Packs. However, the previously reported issue did not correctly assess the impact of the vulnerability or provide a description that allowed the vulnerability of a given system to be accurately assessed.
Merak Webmail XSS
Sep 17, 2007
The Merak Mail Server provides a web-based interface called IceWarp which allows users to send and retrieve emails using a web browser. However, email content is not sufficiently sanitised, which can result in the execution of arbitrary scripts. On accessing the web interface of the application the user is assigned two session IDs. An attacker could harvest these session IDs by sending specially crafted emails to users. The session IDs would be transmitted to the attacker when the users opened the malicious emails. With this information the attacker would be able to gain access to the users' accounts.
Elastic Path - Administrative Session Hijacking through Embedded XSS
Apr 26, 2007
Elastic Path has been identified as being vulnerable to an embedded Cross Site Scripting (XSS) attack that could potentially allow remote attackers to hijack a legitimate administrator's session cookie. An attacker could exploit this vulnerability to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges.
Cache Sample Page XSS
Apr 04, 2007
The sample Cache Server pages shipped with the Cache database contain a number of Cross Site Scripting (XSS) vulnerabilities. These could enable an attacker to target users of a web application deployed on the same system.
Communigate XSS
Feb 27, 2007
The CommuniGate Pro application provides a web-based application allowing users to retrieve emails using a web browser. However, email content is not sufficiently sanitised and can result in the execution of arbitrary scripts. On accessing the web interface of the application the user is assigned a session ID; by sending a specially crafted email an attacker would be able to trick the user into transmitting their session ID to the attacker.
Cisco IOS Invalid DLSw Handshake Denial of Service
Jan 10, 2007
Data Link Switching is primarily used for transporting SNA communications across an IP network. Support for this protocol is provided by Cisco networking devices as part of IOS although it is not enabled by default. In specific configurations an attacker could use the DLSw service to trigger a reload of the router's configuration resulting in a Denial of Service condition.
Crystal Reports Weak Sessions
Nov 28, 2006
Crystal Reports makes use of a cookie value called WCSID as a session identifier. This session identifier is not sufficiently random, nor does it contain enough entropy. In addition, the session identifier is not tied to a user's IP address. This combination allows an attacker to hijack any currently authenticated user's session from any location.
