Books & Papers Security Vulnerabilities

CVE-2003-1309

The DeviceIoControl function in the TrueVector Device Driver (VSDATANT) in ZoneAlarm before 3.7.211, Pro before 4.0.146.029, and Plus before 4.0.146.029 allows local users to gain privileges via certain signals (aka "Device Driver...

CVE-2003-1310

The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka "Device Driver...

CVE-2003-0961

Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root...

CVE-2003-0961

Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root...

I2S-LAB-10-15-03.Shell32-Do.txt

...

[Full-Disclosure] Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: SNMP trap Reveals WEP Key in Cisco Aironet AP Revision 1.0 For Public Release 2003 December 02 17:00 UTC (GMT) Summary Cisco Aironet Access Points (AP) running Cisco IOS software will send any static Wired Equivalent Privacy...

CVE-2003-0961

Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root...

HMAP Web Server Fingerprinting

Nessus was able to identify the remote web server type by sending several valid and invalid HTTP requests. In some cases, its version can also be approximated, as well as some...

Microsoft PCHealth 2003/XP Buffer Overflow (#NISR15102003)

NGSSoftware Insight Security Research Advisory Name: Microsoft PCHealth Buffer Overflow Vulnerability Systems Affected: Windows 2003 and XP Severity: Critical Risk Vendor URL: http://www.microsoft.com/ Author: David Litchfield [ [email protected] ] Date Vendor Notified: 23rd July 2003 Date...

[Advisory] Powerslave 4.3 Information Leak Vuln.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ========================================================= H Zero Seven Security Advisory Product : FlyingDog Software - Powerslave Portalmanager Impact : information leak vulnerability Issue date: 19 Sept. 2003 Update :...

[UNIX] Asterisk CallerID CDR SQL Injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source....

Webcalendar <= 0.9.42 Cross Site Scripting Attacks and Potential SQL Injection Attack

Webcalendar <= 0.9.42 http://webcalendar.sourceforge.net/ WebCalendar is a PHP application used to maintain a calendar for one or more persons Cross Site Scripting Files (Mabe Others): includes/js/colors.php Code Sniplet: [...] window.opener.document.prefform.<?php echo $color?>.value= col...

Real security information is hard to come by

Before you read this, I recommend you type "man memfrob" and "man strfry" on your nearest Linux system. I had no idea Linux libC had so many inside jokes. I think it says a lot about the character of the system. In other news, Real was finally told about my HelixServer remote, after a copy of...

[sec-labs] Zone Alarm Device Driver vulnerability

sec-labs team proudly presents: Local ZoneAlarm Firewall (probably all versions - tested on v3.1) Device Driver vulnerability. by Lord YuP 04/08/2003 I. BACKGROUND ZoneAlarm is a very powerful and very common nowadays firewall for Windows produced by Zone Labs....

[Full-Disclosure] [sec-labs] Zone Alarm Device Driver vulnerability

sec-labs team proudly presents: Local ZoneAlarm Firewall (probably all versions - tested on v3.1) Device Driver vulnerability. by Lord YuP 04/08/2003 I. BACKGROUND ZoneAlarm is a very powerful and very common nowadays firewall for Windows produced by Zone Labs....

[CLA-2003:711] Conectiva Security Announcement - mnogosearch

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : mnogosearch SUMMARY : Remote buffer overflow vulnerabilities DATE : 2003-07-28 13:40:00 ID : CLA-2003:711 RELEVANT RELEASES : 9 DESCRIPTION mnoGoSearch[1] is a full-featured web...

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet Revision 1.0 For Public Release 2003 July 17 at 0:00 UTC (GMT) Please provide your feedback on this document. Contents Summary Affected Products Details Impact Software Versions and...

Remote Buffer Overrun WebAdmin.exe

NGSSoftware Insight Security Research Advisory Name: Remote System Buffer Overrun WebAdmin.exe Systems Affected: Windows Severity: High Risk Category: Buffer Overrun Vendor URL: http://www.altn.com/ Author: Mark Litchfield ([email protected]) Date: 24th June 2003 Advisory number:...

Maelstrom Server 3.0.x - Argument Buffer Overflow (2)

...

Maelstrom Server 3.0.x - Argument Buffer Overflow (2)

Maelstrom Server 3.0.x - Argument Buffer Overflow...

Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003)

NGSSoftware Insight Security Research Advisory Name: Oracle Database Link Buffer Overflow Systems Affected: All platforms; Oracle9i Database Release 2 and 1, 8i all releases, 8 all releases, 7.3.x Severity: High Risk Vendor URL: http://www.oracle.com Author: David Litchfield...

Internet Explorer Plugin.ocx heap overflow (#NISR24042003)

NGSSoftware Insight Security Research Advisory Name: Internet Explorer ActiveX Control Heap Overflow Systems Affected: IE 5.01 SP3, 5.5 SP2, 6.0 Gold, 6.0 SP1 Severity: Critical Risk Category: Heap Overflow Vendor URL: http://www.microsoft.com Author: Mark Litchfield...

SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extension

Overview SSL/TLS implementations that respond distinctively to an incorrect PKCS #1 v1.5 encoded SSL/TLS version number expose the premaster secret to a modified Bleichenbacher attack. An attacker could decrypt a given SSL/TLS session or forge a signature on behalf of a vulnerable application's...

CVE-2001-1371

The default configuration of Oracle Application Server 9iAS 1.0.2.2 enables SOAP and allows anonymous users to deploy applications by default via urn:soap-service-manager and...

CVE-2001-1371

The default configuration of Oracle Application Server 9iAS 1.0.2.2 enables SOAP and allows anonymous users to deploy applications by default via urn:soap-service-manager and...

CVE-2002-0569

Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet...

CVE-2002-0569

Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet...

CVE-2003-0109

Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS...

CVE-2003-0109

Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS...

CVE-2003-0147

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms....

CVE-2003-0147

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms....

Cryptographic libraries and applications do not adequately defend against timing attacks

Overview Cryptographic libraries and applications do not provide adequate defense against a side-channel timing attack against RSA private keys. Such an attack has been shown to be practical using currently available hardware on systems and networks with sufficiently low variance in latency....

CVE-2003-0109

Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS...

CVE-2003-0147

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms....

Buffer Overflow in Core Microsoft Windows DLL

Overview A buffer overflow vulnerability exists in the Win32 API libraries shipped with all versions of Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows NT 4.0, and Microsoft Windows NT 4.0 Terminal Server Edition. This vulnerability, which is being actively exploited on...

ISMAIL (All Versions) Remote Buffer Overrun

NGSSoftware Insight Security Research Advisory Name: ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun Systems Affected: WinNT, Win2K, XP Severity: High Risk Category: Remote Buffer Overrun Vendor URL: http://instantservers.com/ismail.html...

gnome-terminal allows arbitrary command execution when viewing files containing crafted escape sequences

Overview gnome-terminal may allow a remote attacker to execute arbitrary commands via crafted escape sequences. Description gnome-terminal affords users the ability to utilize an escape sequence to "export" the title of the current window title directly to the shell command line. By viewing a...

[VSA0307] Battlefield 1942 remote DoS

[void.at Security Advisory VSA0307 - mailto:crew at void dot at] Battlefield 1942 is a game (c) by Electronic Arts[1]. Overview By sending a specially crafted packet to the bf1942-server remote administration port, an attacker can cause the server to crash. It could even be possible to remotely...

Domino Advisories UPDATE

Hi All, Please note the following correction - The Notes Client Up-Date can be found at http://www14.software.ibm.com/webapp/download/search.jsp?q=&cat=&pf=&k=&dt=& go=y&rs=ESD-NOTECLNTi&S_TACT=&S_CMP=&sb=r The Domino Web Server Update can be found at...

Lotus Domino Web Server iNotes Overflow (#NISR17022003b)

NGSSoftware Insight Security Research Advisory Name: Lotus Domino Web Server iNotes Overflow Systems Affected: Release 6.0 Severity: Critical Risk Category: Remote System Buffer Overrun Vendor URL: http://www.lotus.com Author: Mark Litchfield ([email protected]) Date: ...

Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a)

NGSSoftware Insight Security Research Advisory Name: Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability Systems Affected: Release 6.0 Severity: Critical Risk Category: Remote System Buffer Overrun Vendor URL: http://www.lotus.com Author: Mark Litchfield...

Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)

NGSSoftware Insight Security Research Advisory Name: ORACLE bfilename function buffer overflow vulnerability Systems Affected: All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7, 8.0.6 Severity: High Risk Category: Remote System Buffer Overrun Vendor URL: ...

Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c)

NGSSoftware Insight Security Research Advisory Name: Lotus iNotes Client ActiveX Control Buffer Overrun Systems Affected: Release 6.0 Severity: Medium Risk Category: Remote System Buffer Overrun Vendor URL: http://www.lotus.com Author: Mark Litchfield ([email protected]) Date: 17th...

Oracle unauthenticated remote system compromise (#NISR16022003a)

NGSSoftware Insight Security Research Advisory Name: Oracle unauthenticated remote system compromise Systems Affected: All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7, 8.0.6 Severity: Critical Risk Category: Remote System Buffer Overrun Vendor URL: ...

Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)

NGSSoftware Insight Security Research Advisory Name: Oracle TZ_OFFSET Remote System Buffer Overrun Systems Affected: All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7, 8.0.6 Severity: High Risk Category: Remote System Buffer Overrun Vendor URL: ...

Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b)

NGSSoftware Insight Security Research Advisory Name: Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun Systems Affected: All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7, 8.0.6 Severity: High Risk Category: Remote System Buffer Overrun Vendor URL: ...

Oracle 9iAS Nonexistent .jsp File Request Error Message Path Disclosure

Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a nonexistent .JSP file. The default error generated leaks the pathname in an error...

Oracle 9iAS OWA_UTIL Stored Procedures Information Disclosure

Oracle 9iAS can provide access to the PL/SQL application OWA_UTIL that provides web access to some stored procedures. These procedures, without authentication, can allow users to access sensitive information such as source code of applications, user credentials to other database servers and run...

Oracle 9iAS Default SOAP Configuration Unauthorized Application Deployment

In a default installation of Oracle 9iAS v.1.0.2.2, it is possible to deploy or undeploy SOAP services without the need of any kind of credentials. This is due to SOAP being enabled by default after installation in order to provide a convenient way to use SOAP samples. However, this feature poses.....

Oracle 9iAS soapdocs Directory Remote Information Disclosure

It is possible to access the Oracle 9iAS Application Server's SOAP documentation directory, which contain the install scripts used with the default SOAP install. These files might be useful for an attacker to determine which application server is in use as well as the name of the disk where...