Advisories (2010)
OpenSC - "Get Serial Number" Stack-based Buffer Overflow
Dec 13, 2010
MWR InfoSecurity identified a vulnerability in OpenSC. The vulnerability can be triggered using a malicious smart card. An attacker could use this vulnerability to execute arbitrary code on the target system. To exploit it, the attacker must insert a specially crafted smart card into the target system.
PCSC-Lite: pcscd ATR Handler Buffer Overflow
Dec 13, 2010
MWR InfoSecurity identified a vulnerability in PCSC-Lite’s pcscd daemon. The vulnerability can be triggered using a malicious smart card. An attacker could use this vulnerability to cause a denial of service condition or potentially execute arbitrary code on the target system. To exploit it, the attacker must insert a specially crafted smart card into the target system.
PCSC-Lite: libccid Buffer Overflow
Dec 13, 2010
MWR InfoSecurity identified a vulnerability in libccid, the CCID smart card reader driver loaded by PCSC-Lite’s pcscd daemon. The vulnerability can be triggered using a malicious smart card. An attacker could use this vulnerability to execute arbitrary code on the target system. To exploit it, the attacker must connect a malicious smart card reader to the target system.
Apple QuickTime JP2 Codestream Type Confusion
Nov 17, 2010
MWR InfoSecurity identified a vulnerability in Apple QuickTime for Windows. The vulnerability can be triggered using malicious JP2 image files. An attacker could use this vulnerability to execute arbitrary code in the target system. (Advisory detail updated 2010/12/08)
OpenVPN Local Privilege Escalation Vulnerability
Sep 24, 2010
A local privilege escalation vulnerability exists in the OpenVPN client which could be exploited by an attacker to execute commands on the affected machine in the context of the Windows SYSTEM account.
IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Vulnerability
Sep 14, 2010
An unauthenticated remote code execution vulnerability was identified in the code handling the conversion and checking of an iCalendar email address parameter. An overly large email address string can lead to the overflow of a stack allocated buffer due to insufficient bounds checking when a CStrcpy (string copy) is performed. A remote, unauthenticated attacker could execute code in the context of the Lotus Domino server process (nrouter.exe) by sending a specially crafted malicious email to the Lotus Domino SMTP server.
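The copy-without-bounds-check pattern described above, shown as an added illustration in C. This is not Lotus Domino code: the buffer size (ADDR_BUF), the function names and the constructed over-long "mailto:" address are assumptions for demonstration only. The vulnerable form is kept callable but is only safe on short input; the hardened form measures the string first and refuses anything that would not fit with its terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed size of a stack buffer that receives an address field.
 * The real buffer size in Domino is not given on this page. */
#define ADDR_BUF 64

/* Vulnerable pattern: strcpy() copies until the source's NUL terminator,
 * so any address of ADDR_BUF bytes or more writes past the end of buf. */
int handle_address_unchecked(const char *addr)
{
    char buf[ADDR_BUF];
    strcpy(buf, addr);
    return (int)strlen(buf);
}

/* Hardened form: measure first, refuse anything that would not fit together
 * with its terminator, then copy exactly that many bytes. Returns the
 * accepted length, or -1 for oversized input. */
int handle_address_checked(const char *addr)
{
    char buf[ADDR_BUF];
    size_t n = strlen(addr);
    if (n >= sizeof buf)
        return -1;                  /* reject rather than truncate silently */
    memcpy(buf, addr, n + 1);
    return (int)n;
}

/* Constructed input: "mailto:" + local_len 'A' characters + a domain, standing
 * in for an over-long iCalendar address parameter. Caller frees the result. */
char *make_long_address(size_t local_len)
{
    const char *prefix = "mailto:";
    const char *domain = "@example.invalid";
    size_t plen = strlen(prefix), dlen = strlen(domain);
    char *s = malloc(plen + local_len + dlen + 1);
    if (!s)
        return NULL;
    memcpy(s, prefix, plen);
    memset(s + plen, 'A', local_len);
    memcpy(s + plen + local_len, domain, dlen + 1);
    return s;
}

/* Returns 1 when the checked handler rejects an address with local_len 'A's. */
int long_address_rejected(size_t local_len)
{
    char *big = make_long_address(local_len);
    if (!big)
        return 0;
    int rejected = handle_address_checked(big) == -1;
    free(big);
    return rejected;
}

int main(void)
{
    const char *ok = "mailto:alice@example.com";
    printf("checked, short address:   %d\n", handle_address_checked(ok));
    printf("checked, 1000-char local: %s\n", long_address_rejected(1000) ? "rejected" : "accepted");
    /* handle_address_unchecked() on the long address would smash the stack;
     * it is only exercised here with input that fits. */
    printf("unchecked, short address: %d\n", handle_address_unchecked(ok));
    return 0;
}
```

The point of the hardened form is the order of operations: the length check happens before any byte is written, and an oversized value is an error rather than a truncated copy, so the caller cannot be left holding a half-copied address.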
xine-lib <1.1.19 Free Uninitialised Variable
Aug 24, 2010
xine-lib versions before 1.1.19 are affected by a memory corruption vulnerability: a variable is used (and freed) without having been initialised. This could be exploited by an attacker to execute arbitrary code on the target system with the privileges of the logged-in user.
Mozilla Firefox 64-Bit SetTextInternal Heap Buffer Overflow
Jun 23, 2010
A heap buffer overflow vulnerability was discovered which is caused by an integer overflow in nsGenericDOMDataNode::SetTextInternal().
Due to the amount of data needed to trigger the vulnerability (> 8 gigabytes), this is only exploitable on 64-bit systems. This vulnerability was tested on Ubuntu AMD64 with the default install of Firefox.
See this white paper for more details on vulnerabilities specific to 64bit platforms.
References:
- http://www.mozilla.org/security/announce/2010/mfsa2010-29.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=534666
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1196
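An added illustration, in C, of the class of bug described above: a length held in a 32-bit count while the data it describes is sized with size_t. This is not Mozilla's SetTextInternal and the names, the buffer layout and the "hello"/"hippo" sample are assumptions for demonstration only. On a 32-bit build no string can exceed 4 GiB, so the two sizes always agree; on a 64-bit build the data can be larger than the count can represent, the addition wraps, and an allocation made from the wrapped count is too small for the copy that follows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the new length is computed in 32 bits and silently wraps
 * when cur_len - remove_count + insert_len exceeds UINT32_MAX. */
uint32_t new_length_unchecked(uint32_t cur_len, uint32_t remove_count, size_t insert_len)
{
    return cur_len - remove_count + (uint32_t)insert_len;
}

/* Hardened form: do the arithmetic in 64 bits and refuse results that do not
 * fit the 32-bit count. Returns 0 on success, -1 on rejection. */
int new_length_checked(uint32_t cur_len, uint32_t remove_count, size_t insert_len, uint32_t *out)
{
    if (remove_count > cur_len)
        return -1;                                  /* range lies outside the node */
    uint64_t total = (uint64_t)(cur_len - remove_count) + (uint64_t)insert_len;
    if (insert_len > UINT32_MAX || total > UINT32_MAX)
        return -1;                                  /* would wrap the 32-bit count */
    *out = (uint32_t)total;
    return 0;
}

/* Replace remove_count bytes at offset with insert_len bytes of src. The new
 * buffer is sized from the checked length. An unchecked caller would allocate
 * from the wrapped (too small) value and then copy insert_len bytes into it.
 * Returns a malloc'd NUL-terminated string, or NULL on rejection/failure. */
char *replace_text(const char *text, uint32_t cur_len, uint32_t offset, uint32_t remove_count,
                   const char *src, size_t insert_len, uint32_t *new_len)
{
    uint32_t n;
    if (offset > cur_len || remove_count > cur_len - offset)
        return NULL;
    if (new_length_checked(cur_len, remove_count, insert_len, &n) != 0)
        return NULL;
    char *out = malloc((size_t)n + 1);
    if (!out)
        return NULL;
    memcpy(out, text, offset);
    memcpy(out + offset, src, insert_len);
    memcpy(out + offset + insert_len, text + offset + remove_count, cur_len - offset - remove_count);
    out[n] = '\0';
    *new_len = n;
    return out;
}

/* Self-check: returns 1 when the checked arithmetic rejects inputs that wrap. */
int checked_rejects_wrap(void)
{
    uint32_t n = 0;
    return new_length_checked(0xFFFFFFF0u, 0, 0x20, &n) == -1;
}

/* Self-check: returns 1 when replacing "ell" in "hello" with "ipp" gives "hippo". */
int example_replace_ok(void)
{
    uint32_t n = 0;
    char *r = replace_text("hello", 5, 1, 3, "ipp", 3, &n);
    int ok = r != NULL && n == 5 && strcmp(r, "hippo") == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* 0xFFFFFFF0 + 0x20 does not fit in 32 bits: the unchecked result is 0x10. */
    printf("unchecked length: 0x%x\n", new_length_unchecked(0xFFFFFFF0u, 0, 0x20));
    printf("checked rejects:  %d\n", checked_rejects_wrap());
    printf("replace ok:       %d\n", example_replace_ok());
    return 0;
}
```

The wrapped value in the unchecked path is what makes the bug a heap overflow rather than a crash: the allocation is tiny, the copy is not, and on a 64-bit system the process can hold enough data for the addition to overflow in the first place.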
DotNetNuke Cross Site Request Forgery Vulnerability
Jun 14, 2010
DotNetNuke is a Content Management System (CMS) for the .NET platform, which powers “over 500,000” websites. This vulnerability affects version 5.4.2 and earlier.
It was discovered that the application enabled some sensitive actions, such as changing a registered email address, to be performed with only the session identifier used as authentication. This could enable an attacker to alter a user’s email address through a Cross Site Request Forgery (CSRF) attack. The forgotten password functionality could then be used to reset the password and consequently compromise the account.
BT Home Hub - SSID Script Injection Vulnerability
May 10, 2010
The BT Home Hub administrative web interface is vulnerable to a script injection attack that could allow remote attackers to compromise the security of the device by performing Cross Site Scripting (XSS) attacks.
An attacker could set up a fake access point broadcasting specially crafted 802.11 ‘beacon’ packets containing a malicious payload in the Service Set Identifier (SSID). The malicious SSID will be displayed in the Accessible Access Points Table page of the BT Home Hub administrative interface and will be executed when an administrator scans for wireless access points.
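An added illustration, in C, of the rendering defect described above and its fix. This is not the BT Home Hub firmware; the function names, the row markup and the constructed "<script>" SSID are assumptions for demonstration. An SSID element is up to 32 raw octets, not text, so a scan-results page has to treat it as untrusted bytes: HTML-encode the significant characters and replace anything non-printable before it reaches the table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 802.11 limits the SSID element to 32 octets; it is raw bytes, not text. */
#define SSID_MAX 32

/* Vulnerable pattern: the scan result is pasted straight into the table row,
 * so an SSID of "<script>...</script>" becomes live markup in the admin page. */
int render_row_unescaped(char *row, size_t rowsz, const unsigned char *ssid, size_t len)
{
    if (len > SSID_MAX)
        len = SSID_MAX;
    return snprintf(row, rowsz, "<tr><td>%.*s</td></tr>", (int)len, (const char *)ssid);
}

/* Hardened form: HTML-encode the five significant characters and replace
 * non-printable octets so the SSID is displayed literally. Returns a malloc'd
 * NUL-terminated string, or NULL on allocation failure. */
char *ssid_to_html(const unsigned char *ssid, size_t len)
{
    if (len > SSID_MAX)
        len = SSID_MAX;
    char *out = malloc(len * 6 + 1);        /* worst case: every octet becomes "&quot;" */
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = ssid[i];
        const char *rep = NULL;
        switch (c) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep) {
            size_t r = strlen(rep);
            memcpy(out + o, rep, r);
            o += r;
        } else if (c < 0x20 || c >= 0x7f) {
            out[o++] = '?';                 /* control or high octet: not printable ASCII */
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

int render_row_escaped(char *row, size_t rowsz, const unsigned char *ssid, size_t len)
{
    char *enc = ssid_to_html(ssid, len);
    if (!enc)
        return -1;
    int n = snprintf(row, rowsz, "<tr><td>%s</td></tr>", enc);
    free(enc);
    return n;
}

/* Length of the encoded form of an SSID (helper for checks; frees its buffer). */
size_t encoded_length(const unsigned char *ssid, size_t len)
{
    char *enc = ssid_to_html(ssid, len);
    size_t n = enc ? strlen(enc) : 0;
    free(enc);
    return n;
}

/* Self-check: returns 1 when the constructed SSID renders as inert text. */
int escaped_row_is_inert(void)
{
    const unsigned char ssid[] = "<script>x</script>";   /* constructed, 18 octets */
    char row[256];
    if (render_row_escaped(row, sizeof row, ssid, 18) < 0)
        return 0;
    return strcmp(row, "<tr><td>&lt;script&gt;x&lt;/script&gt;</td></tr>") == 0;
}

int main(void)
{
    const unsigned char ssid[] = "<script>x</script>";
    char row[256];
    render_row_unescaped(row, sizeof row, ssid, 18);
    printf("unescaped: %s\n", row);
    render_row_escaped(row, sizeof row, ssid, 18);
    printf("escaped:   %s\n", row);
    return 0;
}
```

Encoding has to happen at the point of output, not at scan time: the same SSID bytes may also be logged or written to a config file, and each sink needs its own encoding.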
VMware - WebAccess HTTP Forwarding Vulnerability
Apr 16, 2010
A vulnerability was identified within multiple VMware products which would allow an unauthenticated attacker to utilise the WebAccess component of VMware as a proxy for making requests to other servers.
IBM WebSphere MQ - rriLookupGet Remote Denial of Service Vulnerability
Mar 04, 2010
A vulnerability exists in the state machine which handles incoming MQ networking packets; this issue could be exploited to disrupt the MQ service for legitimate users.
IBM - WebSphere MQ - rriDecompress Remote Denial of Service Vulnerability
Mar 04, 2010
A vulnerability was identified in the packet handling routines which would allow an attacker to cause a denial of service condition.
IBM WebSphere MQ - ziiVSendReceiveAgent Memory Corruption Vulnerability
Mar 04, 2010
A memory corruption vulnerability was discovered that could allow an attacker to copy data outside the bounds of a memory page causing a denial of service condition and potentially code execution.
Symantec's Altiris Deployment Solution - AClntUsr Local Privilege Escalation
Jan 07, 2010
A vulnerability has been identified in AClntUsr.exe, a binary installed as part of the Altiris software agent on managed clients and run automatically. Its file permissions were found to grant write access to any user, which is the basis of the local privilege escalation.
Symantec's Altiris Deployment Solution - Client/Server Authentication Bypass
Jan 07, 2010
A vulnerability has been identified in the software agent in the client that connects to the deployment server. It does not properly track the current authentication status of the server to which it connects and so can be tricked into accepting commands without verifying the authenticity of the server.
Symantec's Altiris Deployment Solution - File Transfer Race Condition
Jan 07, 2010
A race condition vulnerability has been identified in the service that enables file transfer functionality between the deployment server and its clients. A remote attacker who was able to communicate with the deployment server could intercept the contents of files destined for clients and prevent their delivery.
Symantec's Altiris Deployment Solution - DBManager Authentication Bypass
Jan 07, 2010
A vulnerability has been identified in the DBManager service on the deployment server which could allow the service to accept commands without the client providing valid authentication details.