<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
  <title>Files &#8776; Packet Storm</title>
  <description>Packet Storm - Information Security News, Files, Tools, Exploits, Advisories and Whitepapers</description>
  <link>http://packetstormsecurity.org/</link>
  <language>en-us</language>
  <lastBuildDate>Wed, 23 May 2012 12:56:21 GMT</lastBuildDate>

 
<item>
<title>Ajaxmint Gallery 1.0 Local File Inclusion</title>
<link>http://packetstormsecurity.org/files/112970/ajamintgallery-lfi.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112970/ajamintgallery-lfi.txt</guid>
<comments>http://packetstormsecurity.org/files/112970/Ajaxmint-Gallery-1.0-Local-File-Inclusion.html</comments>
<pubDate>Wed, 23 May 2012 02:52:42 GMT</pubDate>
<description>Ajaxmint Gallery version 1.0 suffers from a local file inclusion vulnerability.</description>
<category></category>
</item>
<item>
<title>RuubikCMS 1.1.0 Beta XSS / Disclosure / Directory Traversal</title>
<link>http://packetstormsecurity.org/files/112969/ruubik111-xssdisclosetraversal.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112969/ruubik111-xssdisclosetraversal.txt</guid>
<comments>http://packetstormsecurity.org/files/112969/RuubikCMS-1.1.0-Beta-XSS-Disclosure-Directory-Traversal.html</comments>
<pubDate>Wed, 23 May 2012 02:50:41 GMT</pubDate>
<description>RuubikCMS version 1.1.0 Beta suffers from cross site scripting, information disclosure, and directory traversal vulnerabilities.</description>
<category></category>
</item>
<item>
<title>Novell Client 4.91 SP3/4 Privilege Escalation </title>
<link>http://packetstormsecurity.org/files/112968/novell491-escalate.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112968/novell491-escalate.txt</guid>
<comments>http://packetstormsecurity.org/files/112968/Novell-Client-4.91-SP3-4-Privilege-Escalation.html</comments>
<pubDate>Wed, 23 May 2012 02:49:43 GMT</pubDate>
<description>Novell Client version 4.91 SP3/4 privilege escalation exploit for Win2K3 and WinXP.</description>
<category></category>
</item>
<item>
<title>Windows XP Keyboard Layouts Pool Corruption Proof Of Concept</title>
<link>http://packetstormsecurity.org/files/112967/winxpkeyboard.zip</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112967/winxpkeyboard.zip</guid>
<comments>http://packetstormsecurity.org/files/112967/Windows-XP-Keyboard-Layouts-Pool-Corruption-Proof-Of-Concept.html</comments>
<pubDate>Wed, 23 May 2012 02:45:29 GMT</pubDate>
<description>This proof of concept code demonstrates a Microsoft Windows XP keyboard layouts pool corruption vulnerability, post MS12-034. The vulnerability exists in the function win32k!ReadLayoutFile() that parses keyboard layout file data.</description>
<category></category>
</item>
<item>
<title>Supernews 2.6.1 SQL Injection</title>
<link>http://packetstormsecurity.org/files/112966/supernews261-sql.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112966/supernews261-sql.txt</guid>
<comments>http://packetstormsecurity.org/files/112966/Supernews-2.6.1-SQL-Injection.html</comments>
<pubDate>Wed, 23 May 2012 02:44:00 GMT</pubDate>
<description>Supernews versions 2.6.1 and below remote SQL injection exploit.</description>
<category></category>
</item>
<item>
<title>Failure To Restrict Access</title>
<link>http://packetstormsecurity.org/files/112965/Failure_to_restrict_access_tool.pdf</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112965/Failure_to_restrict_access_tool.pdf</guid>
<comments>http://packetstormsecurity.org/files/112965/Failure-To-Restrict-Access.html</comments>
<pubDate>Wed, 23 May 2012 02:33:16 GMT</pubDate>
<description>This is a brief whitepaper discussing methods of validating a lack of access restriction for various pages on sites. It discusses everything from visual viewing and comparison between cookies used to using an implementation of the Damerau-Levenshtein model. They also have a tool for download.</description>
<category></category>
</item>
<item>
<title>PHPCollab 2.5 Database Backup Disclosure</title>
<link>http://packetstormsecurity.org/files/112964/phpcollab-disclose.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112964/phpcollab-disclose.txt</guid>
<comments>http://packetstormsecurity.org/files/112964/PHPCollab-2.5-Database-Backup-Disclosure.html</comments>
<pubDate>Wed, 23 May 2012 02:29:01 GMT</pubDate>
<description>PHPCollab version 2.5 suffers from an unauthenticated database backup download vulnerability.</description>
<category></category>
</item>
<item>
<title>Tftpd32 DHCP Server 4.00 Denial Of Service</title>
<link>http://packetstormsecurity.org/files/112963/tftpd32-dos.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112963/tftpd32-dos.txt</guid>
<comments>http://packetstormsecurity.org/files/112963/Tftpd32-DHCP-Serve-4.00-Denial-Of-Service.html</comments>
<pubDate>Wed, 23 May 2012 02:27:39 GMT</pubDate>
<description>Tftpd32 DHCP server version 4.00 suffers from a denial of service vulnerability.</description>
<category></category>
</item>
<item>
<title>Ubuntu Security Notice USN-1449-1</title>
<link>http://packetstormsecurity.org/files/112956/USN-1449-1.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112956/USN-1449-1.txt</guid>
<comments>http://packetstormsecurity.org/files/112956/Ubuntu-Security-Notice-USN-1449-1.html</comments>
<pubDate>Tue, 22 May 2012 20:37:23 GMT</pubDate>
<description>Ubuntu Security Notice 1449-1 - It was discovered that feedparser did not properly sanitize ENTITY declarations in encoded fields. A remote attacker could exploit this to cause a denial of service via memory exhaustion.</description>
<category></category>
</item>
<item>
<title>PHP CGI Argument Injection</title>
<link>http://packetstormsecurity.org/files/112971/phpcgi-exploit.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112971/phpcgi-exploit.txt</guid>
<comments>http://packetstormsecurity.org/files/112971/PHP-CGI-Argument-Injection.html</comments>
<pubDate>Tue, 22 May 2012 11:11:11 GMT</pubDate>
<description>PHP CGI argument injection remote exploit version 0.3. Works on versions up to 5.3.12 and 5.4.2.</description>
<category></category>
</item>
<item>
<title>Nmap Port Scanner 6.00</title>
<link>http://packetstormsecurity.org/files/112951/nmap-6.00.tgz</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112951/nmap-6.00.tgz</guid>
<comments>http://packetstormsecurity.org/files/112951/Nmap-Port-Scanner-6.00.html</comments>
<pubDate>Tue, 22 May 2012 04:00:28 GMT</pubDate>
<description>Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.</description>
<category></category>
</item>
<item>
<title>Mandriva Linux Security Advisory 2012-079</title>
<link>http://packetstormsecurity.org/files/112950/MDVSA-2012-079.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112950/MDVSA-2012-079.txt</guid>
<comments>http://packetstormsecurity.org/files/112950/Mandriva-Linux-Security-Advisory-2012-079.html</comments>
<pubDate>Tue, 22 May 2012 03:54:01 GMT</pubDate>
<description>Mandriva Linux Security Advisory 2012-079 - A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers. The updated packages have been patched to correct this issue.</description>
<category></category>
</item>
<item>
<title>Yandex.Server 2010 9.0 Enterprise Cross Site Scripting</title>
<link>http://packetstormsecurity.org/files/112945/yandex-xss.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112945/yandex-xss.txt</guid>
<comments>http://packetstormsecurity.org/files/112945/Yandex.Server-2010-9.0-Enterprise-Cross-Site-Scripting.html</comments>
<pubDate>Tue, 22 May 2012 03:38:00 GMT</pubDate>
<description>Yandex.Server version 2010 9.0 Enterprise suffers from a cross site scripting vulnerability.</description>
<category></category>
</item>
<item>
<title>FlexNet License Server Manager lmgrd Buffer Overflow</title>
<link>http://packetstormsecurity.org/files/112919/flexnet_lmgrd_bof.rb.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112919/flexnet_lmgrd_bof.rb.txt</guid>
<comments>http://packetstormsecurity.org/files/112919/FlexNet-License-Server-Manager-lmgrd-Buffer-Overflow.html</comments>
<pubDate>Tue, 22 May 2012 01:40:17 GMT</pubDate>
<description>This Metasploit module exploits a vulnerability in the FlexNet License Server Manager. The vulnerability is due to the insecure usage of memcpy in the lmgrd service when handling network packets, which results in a stack buffer overflow. In order to improve reliability, this module will make lots of connections to lmgrd during each attempt to maximize its success.</description>
<category></category>
</item>
<item>
<title>Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow</title>
<link>http://packetstormsecurity.org/files/112918/foxit_reader_launch.rb.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112918/foxit_reader_launch.rb.txt</guid>
<comments>http://packetstormsecurity.org/files/112918/Foxit-Reader-3.0-Open-Execute-Action-Stack-Based-Buffer-Overflow.html</comments>
<pubDate>Tue, 22 May 2012 01:39:05 GMT</pubDate>
<description>This Metasploit module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. Due to the way Foxit Reader handles the input from a &quot;Launch&quot; action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user.</description>
<category></category>
</item>
<item>
<title>HP StorageWorks P4000 Virtual SAN Appliance Command Execution</title>
<link>http://packetstormsecurity.org/files/112917/hp_vsa_exec.rb.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112917/hp_vsa_exec.rb.txt</guid>
<comments>http://packetstormsecurity.org/files/112917/HP-StorageWorks-P4000-Virtual-SAN-Appliance-Command-Execution.html</comments>
<pubDate>Tue, 22 May 2012 01:38:49 GMT</pubDate>
<description>This Metasploit module exploits a vulnerability found in HP&#39;s StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.</description>
<category></category>
</item>
<item>
<title>Active Collab &quot;chat module&quot; 2.3.8 Remote PHP Code Injection </title>
<link>http://packetstormsecurity.org/files/112916/activecollab_chat.rb.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112916/activecollab_chat.rb.txt</guid>
<comments>http://packetstormsecurity.org/files/112916/Active-Collab-chat-module-2.3.8-Remote-PHP-Code-Injection.html</comments>
<pubDate>Tue, 22 May 2012 01:37:25 GMT</pubDate>
<description>This Metasploit module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab by abusing a preg_replace() using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in activecollab/application/modules/chat/functions/html_to_text.php.</description>
<category></category>
</item>
<item>
<title>Debian Security Advisory 2476-1</title>
<link>http://packetstormsecurity.org/files/112912/dsa-2476-1.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112912/dsa-2476-1.txt</guid>
<comments>http://packetstormsecurity.org/files/112912/Debian-Security-Advisory-2476-1.html</comments>
<pubDate>Tue, 22 May 2012 00:25:44 GMT</pubDate>
<description>Debian Linux Security Advisory 2476-1 - intrigeri discovered a format string error in pidgin-otr, an off-the-record messaging plugin for Pidgin.</description>
<category></category>
</item>
<item>
<title>Ubuntu Security Notice USN-1448-1</title>
<link>http://packetstormsecurity.org/files/112911/USN-1448-1.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112911/USN-1448-1.txt</guid>
<comments>http://packetstormsecurity.org/files/112911/Ubuntu-Security-Notice-USN-1448-1.html</comments>
<pubDate>Tue, 22 May 2012 00:25:24 GMT</pubDate>
<description>Ubuntu Security Notice 1448-1 - A flaw was found in the Linux kernel&#39;s KVM (Kernel Virtual Machine) virtual CPU setup. An unprivileged local user could exploit this flaw to crash the system, leading to a denial of service. Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For applications on which fscaps are in use, a local attacker can disable address space randomization to make attacking the process with raised privileges easier. Various other issues were also addressed.</description>
<category></category>
</item>
<item>
<title>Ubuntu Security Notice USN-1447-1</title>
<link>http://packetstormsecurity.org/files/112910/USN-1447-1.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112910/USN-1447-1.txt</guid>
<comments>http://packetstormsecurity.org/files/112910/Ubuntu-Security-Notice-USN-1447-1.html</comments>
<pubDate>Tue, 22 May 2012 00:25:14 GMT</pubDate>
<description>Ubuntu Security Notice 1447-1 - Juri Aedla discovered that libxml2 contained an off by one error in its XPointer functionality. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program.</description>
<category></category>
</item>
<item>
<title>Red Hat Security Advisory 2012-0683-01</title>
<link>http://packetstormsecurity.org/files/112909/RHSA-2012-0683-01.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112909/RHSA-2012-0683-01.txt</guid>
<comments>http://packetstormsecurity.org/files/112909/Red-Hat-Security-Advisory-2012-0683-01.html</comments>
<pubDate>Tue, 22 May 2012 00:24:55 GMT</pubDate>
<description>Red Hat Security Advisory 2012-0683-01 - The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers. A flaw was found in the way bind-dyndb-ldap handled LDAP query errors. If a remote attacker were able to send DNS queries to a named server that is configured to use bind-dyndb-ldap, they could trigger such an error with a DNS query leveraging bind-dyndb-ldap&#39;s insufficient escaping of the LDAP base DN. This would result in an invalid LDAP query that named would retry in a loop, preventing it from responding to other DNS queries. With this update, bind-dyndb-ldap only attempts to retry one time when an LDAP search returns an unexpected error. </description>
<category></category>
</item>
<item>
<title>Red Hat Security Advisory 2012-0681-01</title>
<link>http://packetstormsecurity.org/files/112908/RHSA-2012-0681-01.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112908/RHSA-2012-0681-01.txt</guid>
<comments>http://packetstormsecurity.org/files/112908/Red-Hat-Security-Advisory-2012-0681-01.html</comments>
<pubDate>Tue, 22 May 2012 00:23:56 GMT</pubDate>
<description>Red Hat Security Advisory 2012-0681-01 - Apache Tomcat is a servlet container. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It also resolves multiple flaws that weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks.</description>
<category></category>
</item>
<item>
<title>Red Hat Security Advisory 2012-0679-01</title>
<link>http://packetstormsecurity.org/files/112907/RHSA-2012-0679-01.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112907/RHSA-2012-0679-01.txt</guid>
<comments>http://packetstormsecurity.org/files/112907/Red-Hat-Security-Advisory-2012-0679-01.html</comments>
<pubDate>Tue, 22 May 2012 00:22:52 GMT</pubDate>
<description>Red Hat Security Advisory 2012-0679-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update includes bug fixes as documented in JBPAPP-4873 and JBPAPP-6133.</description>
<category></category>
</item>
<item>
<title>Red Hat Security Advisory 2012-0682-01</title>
<link>http://packetstormsecurity.org/files/112906/RHSA-2012-0682-01.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112906/RHSA-2012-0682-01.txt</guid>
<comments>http://packetstormsecurity.org/files/112906/Red-Hat-Security-Advisory-2012-0682-01.html</comments>
<pubDate>Tue, 22 May 2012 00:21:41 GMT</pubDate>
<description>Red Hat Security Advisory 2012-0682-01 - Apache Tomcat is a servlet container. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It also addresses multiple flaws that weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks.</description>
<category></category>
</item>
<item>
<title>Red Hat Security Advisory 2012-0677-01</title>
<link>http://packetstormsecurity.org/files/112905/RHSA-2012-0677-01.txt</link>
<guid isPermaLink="true">http://packetstormsecurity.org/files/112905/RHSA-2012-0677-01.txt</guid>
<comments>http://packetstormsecurity.org/files/112905/Red-Hat-Security-Advisory-2012-0677-01.html</comments>
<pubDate>Tue, 22 May 2012 00:21:29 GMT</pubDate>
<description>Red Hat Security Advisory 2012-0677-01 - PostgreSQL is an advanced object-relational database management system. The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation. CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing. </description>
<category></category>
</item>


</channel>
</rss>


