Advisories (2009)

Please read our Vulnerability Disclosure Policy.

Intersystems Cache CSP (Cache Server Pages) Stack Overflow

Dec 17, 2009

A stack-based buffer overflow vulnerability exists in the Intersystems Cache CSP (Cache Server Pages) Apache extension, which can be exploited by a remote attacker to execute arbitrary code with the privileges of the web server’s user account.

MWR InfoSecurity have made the decision to release this advisory due to the current existence of exploit code for the vulnerability within the public domain.

It should be noted that this vulnerability was also found recently by other security researchers and exploits were created for the Metasploit and Canvas exploitation frameworks. MWR InfoSecurity independently discovered this vulnerability and disclosed details of it to the vendor through CPNI in October 2009.

MWR InfoSecurity discovered and researched this issue on the Linux platform, whilst the Canvas and Metasploit exploits both target Microsoft Windows systems. This advisory details the vulnerability on the Linux platform and therefore provides further information about the issue that may be of value to interested parties.

The following links provide more information about this vulnerability as documented by other security researchers:

  • http://www.securityfocus.com/bid/37177
  • http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/intersystems_cache.rb
  • https://forum.immunityinc.com/board/thread/1077/intersystems-cache-bof/?page=1#post-1077

Linux USB Device Driver - Buffer Overflow

Oct 29, 2009

The Auerswald Linux USB device driver is used to allow compatibility of an Auerswald PBX/System telephone with Linux operating systems via the USB port.

This device driver is vulnerable to a buffer overflow that could be exploited by an attacker with physical access to the system in order to execute arbitrary code on the target system.


IBM WebSphere MQ: Multiple Vulnerabilities

Oct 05, 2009

Multiple vulnerabilities have been identified in IBM WebSphere MQ which could lead to denial of service or potentially remote code execution. Please note that specific MQ security controls can partially mitigate the risk associated with these issues if they have been deployed in an appropriate manner.

A combined fix pack has been released which addresses these issues found:

http://www-01.ibm.com/support/docview.wss?uid=swg24024153

Due to the nature of these vulnerabilities full details will not be provided at the present time so that customers are able to apply the appropriate security patches. However, a full advisory will be released in approximately 3 months time. MWR InfoSecurity customers can obtain further information about the issue by contacting their account manager.


IBM WebSphere MQ rriAcceptOAMUserAuth Heap Overflow Vulnerability

Oct 02, 2009

In June MWR InfoSecurity reported an IBM WebSphere MQ Remote Buffer Overflow. Due to the nature of the vulnerability full details were not released at that time. IBM have since released a patch and therefore the full details of the vulnerability can now be released:

The WebSphere MQ service can be used to transfer messages between systems and applications. Incorrect data validation has been identified that leads to a heap overflow vulnerability in the packet handling routines. This vulnerability is associated with the memory allocation code and can result in the overwriting of data on the heap. It could be exploited remotely by an unauthenticated attacker in order to execute arbitrary code.

The full advisory can be found via the download link above.


Altiris Deployment Solution Vulnerabilities

Sep 07, 2009

MWR InfoSecurity have identified a number of vulnerabilities in the Altiris Deployment Solution software. Symantec have now issued patches for a number of issues that may have a significant impact on an environment utilising this technology. It is therefore recommended that the patches be applied to affected systems as soon as possible.

Symantec’s advisory, along with a link to the patch, can be found at the following URL:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090826_00

Due to the potential impact of the vulnerabilities full details will not be provided at the present time so that customers are able to apply the appropriate security patches. However, a full advisory will be released in the near future. MWR InfoSecurity customers can obtain further information about the issues by contacting their account manager.


IBM WebSphere MQ Remote Buffer Overflow

Jun 04, 2009

MWR InfoSecurity have identified that a number of versions of WebSphere MQ are vulnerable to a security issue due to the incorrect validation of user-supplied data. This can lead to a heap overflow vulnerability in the packet handling routines. This vulnerability is associated with the software’s memory allocation code and can result in the overwriting of data on the heap. It could be exploited remotely by an unauthenticated attacker in order to execute arbitrary code. Please note that specific MQ security controls can partially mitigate the risk associated with this issue if they have been deployed in an appropriate manner.

Due to the nature of the vulnerability full details will not be provided at the present time so that customers are able to apply the appropriate security patches. However, a full advisory will be released in approximately 3 months time. MWR InfoSecurity customers can obtain further information about the issue by contacting their account manager.

Fixes for the issue can be obtained via the following link:

http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg24023135

Author: A Plaskett
CVE: CVE-2009-0896

Update (2nd Oct 2009): The advisory has now been released and can be downloaded here.


Retain Resource Server Remote Code Execution

Apr 07, 2009

A vulnerability exists in the Retain Planner Server networking protocol which could allow an attacker to execute code remotely by crafting a malicious packet in order to hijack the flow of execution.


WebEx Remote Support Application Vulnerability

Apr 06, 2009

The Remote Support Center application utilises the WebEx portal to provide a mechanism which allows remote assistance of users or the sharing of an application such as a PowerPoint presentation or browser session. A vulnerability was identified whereby the security controls within the application could be overridden, allowing all actions to be taken without the permission of the user or of the Meeting Host.

This document is intended to provide further information about security vulnerabilities previously identified in the WebEx Remote Support Center Application. The information included here should be used to identify how use of the service might impact on an organisation’s security posture and how it can be ensured that its usage does not expose unnecessary risk. This document is not intended as a statement of MWR InfoSecurity’s opinion about the security of this application, or of the service in general.


Sophos RMS / TAO Component Denial of Service

Jan 16, 2009

The Remote Management System (RMS) router component of Sophos Anti-Virus utilises TAO, a third-party message request broker that contains a vulnerability. This RMS component is used by a service in installations of Sophos software. By constructing a specially crafted packet it is possible to cause the service to terminate. This attack could be performed without authenticating to the remote system.


WebSphere MQ xcsGetMem Heap Overflow

Jan 12, 2009

The WebSphere MQ service can be used to transfer messages between systems and applications. An integer overflow and subsequent heap overflow vulnerability has been identified in the packet parsing routines. This vulnerability is associated with the memory allocation code and can result in the overwriting of data on the heap. This vulnerability could be exploited to execute arbitrary code.


WebSphere MQ TCPReceive Heap Overflow

Jan 12, 2009

The WebSphere MQ service can be used to transfer messages between systems and applications. A signedness check error and subsequent heap buffer overflow vulnerability has been identified in the TCPReceive function. The vulnerability is associated with the copying of data received in MQ packets onto the heap. This could be used to terminate a core MQ process; although the process would restart, this technique could still be used to perform a Denial of Service (DoS) attack. Given sufficient time and effort this issue could potentially result in the execution of arbitrary code. The vulnerable function can be reached in a number of ways and could be exploited by unauthenticated attackers.