WINDOWS CENTER: SecurityFocus Newsletter #421

SecurityFocus Newsletter #421
----------------------------------------

This issue is Sponsored by: Watchfire:

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? See for yourself. Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=7017000000093zq

SECURITY BLOGS
SecurityFocus has selected a few syndicated sources that stand out as conveying topics of interest for our community. We are proud to offer content from Matasano at this time and will be adding more in the coming weeks.
http://www.securityfocus.com/blogs

------------------------------------------------------------------
I. FRONT AND CENTER
1.Passive Network Analysis
2.Windows Anti-Debug Reference
II. BUGTRAQ SUMMARY
1. Sina UC BROWSER2UC.DLL ActiveX Control Multiple Remote Stack Buffer Overflow Vulnerabilities
2. HP Mercury Quality Center ActiveX Control Buffer Overflow Vulnerability
3. Tor ControlPort Missing Authentication Unauthorized Access Vulnerability
4. MD-Pro Index.PHP Firefox ID SQL Injection Vulnerability
5. Public Media Manager newstopic_inc.php Remote File Include Vulnerability
6. OpenSSL Montgomery Exponentiation Side-Channel Local Information Disclosure Vulnerability
7. Sun Fire X2100 M2 And X2200 M2 ELOM Unauthorized Access Vulnerability
8. Linux Kernel PTrace NULL Pointer Dereference Local Denial Of Service Vulnerability
9. Linux Kernel JFFS2 Filesystem Security Bypass Vulnerability
10. Linux Kernel CIFS Local Privilege Escalation Vulnerability
11. Apple iPhone Mail Unauthorized tel: Initiation Vulnerability
12. Apple iPhone Mobile Safari Cross-Domain URI Disclosure Vulnerability
13. Axis Communications 2100 Network Camera Multiple Input Validation Vulnerabilities
14. Zomplog admin/upload_files.php Unauthorized Access Vulnerability
15. Apple iPhone Mobile Safari Browser Window Properties Same Origin Policy Bypass Vulnerability
16. Apple iPhone 1.1.1 Mobile Safari Browser iFrame Same Origin Policy Bypass Vulnerability
17. Samba MS-RPC Remote Shell Command Execution Vulnerability
18. Samba Deferred CIFS File Open Denial of Service Vulnerability
19. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
20. Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow Vulnerability
21. Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow Vulnerability
22. Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow Vulnerability
23. Samba SID Names Local Privilege Escalation Vulnerability
24. Samba NDR RPC Request LsarAddPrivilegesToAccount Heap-Based Buffer Overflow Vulnerability
25. Apple iPhone Safari Browser Same Domain Content Manipulation Vulnerability
26. Cisco Catalyst 6500 and Cisco 7600 Loopback Access Control Bypass Vulnerability
27. Sun Solaris Thread Handling Local Denial Of Service Vulnerability
28. Sun Solaris Human Interface Device Local Denial of Service Vulnerability
29. Pidgin MSN Nudge Messages Remote Denial Of Service Vulnerability
30. Linux Kernel USB PWC Driver Local Denial Of Service Vulnerability
31. Linux Kernel Ptrace Local Privilege Escalation Vulnerability
32. X.Org X Font Server Multiple Memory Corruption Vulnerabilities
33. Libpng Library Remote Denial of Service Vulnerability
34. ELinks HTTPS POST Request Information Disclosure Weakness
35. Poppawid ChildWindow.Inc.PHP Remote File Include Vulnerability
36. MIT Kerberos 5 KAdminD Server SVCAuth_GSS_Validate Stack Buffer Overflow Vulnerability
37. Altnet Download Manager ADM4 ActiveX Buffer Overflow Vulnerability
38. CenterTools DriveLock Remote Buffer Overflow Vulnerability
39. Xen pygrub TOOLS/PYGRUB/SRC/GRUBCONF.PY Local Command Injection Vulnerability
40. Computer Associates BrightStor Hierarchical Storage Manager CsAgent Multiple Remote Vulnerabilities
41. QEMU Multiple Local Vulnerabilities
42. OpenSSL SSL_Get_Shared_Ciphers Off-by-One Buffer Overflow Vulnerability
43. id Software Doom 3 Engine Console String Visualization Format String Vulnerability
44. DVDdb Multiple Cross Site Scripting Vulnerabilities
45. iScripts MultiCart Multiple SQL Injection Vulnerabilities
46. Ruby Net::HTTP SSL Insecure Certificate Validation Weakness
47. id3lib Insecure Temporary File Creation Vulnerability
48. Google Mini Search Appliance IE Parameter Cross-Site Scripting Vulnerability
49. SmbFTPD SMBDirList Format String Vulnerability
50. Microsoft Windows Logon Process Remote Buffer Overflow Vulnerability
51. Microsoft Windows Management Local Privilege Escalation Vulnerability
52. Microsoft Windows Utility Manager Local Privilege Escalation Vulnerability
53. Microsoft Windows Local Descriptor Table Local Privilege Escalation Vulnerability
54. MPlayer AVIHeader.C Heap Based Buffer Overflow Vulnerability
55. XOOPS Uploader Class Arbitrary File Upload Vulnerability
56. Quicksilver Forums Information Disclosure Vulnerability and PM Deletion Vulnerability
57. Segue CMS themesdir Parameter Remote File Include Vulnerability
58. OdysseySuite Mailbox.MWS Cross-Site Scripting Vulnerability
59. Ohesa Emlak Portal Multiple SQL Injection Vulnerabilities
60. CyberLink PowerDVD CLAVSetting.DLL Arbitrary File Overwrite Vulnerability
61. EDraw Office Viewer Component FtpDownloadFile ActiveX Buffer Overflow Vulnerability
62. EDraw Office Viewer Component HttpDownloadFileToTempDir ActiveX Buffer Overflow Vulnerability
63. rPath rMake Local Privilege Escalation Vulnerability
64. Check Point SecurePlatform Multiple Buffer Overflow Vulnerabilities
65. Ilient SysAid Cross-Site Request Forgery Vulnerability
66. X-script Guestbook mes_add.php Multiple SQL Injection Vulnerabilities
67. AlstraSoft Affiliate Network Pro Multiple Access Validation Vulnerabilities
68. FSD Exechelp And Execmulticast Multiple Remote Buffer Overflow Vulnerabilities
69. ASP Product Catalog Default.ASP SQL Injection Vulnerability
70. libsndfile FLAC.C Buffer Overflow Vulnerability
71. Monolith Lithtech Game Engine Multiple Remote Format String Vulnerabilities
72. i-Systems Inc. Feedreader3 RSS Feed HTML-Injection Vulnerability
73. Epic Games Unreal Engine Logging Function Remote Denial of Service Vulnerability
74. Microsoft Process Monitor SSDT Hooks Multiple Local Vulnerabilities
75. Y&K Iletisim Formu Multiple HTML-Injection Vulnerabilities
76. X-Scripts X-Statistics X-Statistics.PHP SQL Injection Vulnerability
77. OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
78. eGov Manager Multiple Cross-Site Scripting Vulnerabilities
79. phpFreeLog log.php Local File Include Vulnerability
80. Expanded Calendar PHP-Fusion Module Show_Single.PHP SQL Injection Vulnerability
81. phpwcms-xt HTML_MENU_DirPath Multiple Remote File Include Vulnerabilities
82. Microsoft Windows Vista ARP Table Entries Denial of Service Vulnerability
83. Netkamp Emlak Scripti Multiple Input Validation Vulnerabilities
84. Trolltech Qt ToUnicode Function Off By One Buffer Overflow Vulnerability
85. MySQL Access Validation and Denial of Service Vulnerabilities
86. Open Translation Engine Header.PHP Remote File Include Vulnerability
87. GNU Emacs Image Processing Remote Denial of Service Vulnerability
88. GNU Tar Hostile Destination Path Variant Vulnerability
89. GNU Tar Hostile Destination Path Vulnerability
90. PopTop PPTP Server GRE Packet Denial Of Service Vulnerability
91. Balsa Fetch Command Remote Stack Buffer Overflow Vulnerability
92. GroupLink eHelpDesk Multiple Cross-Site Scripting Vulnerabilities
93. actSite NEWS.PHP Local File Include Vulnerability
94. actSite BASE.PHP BASECFG[BASEDIR] Parameter Remote File Include Vulnerability
95. phpBB openID OPENID_ROOT_PATH Parameter Remote File Include Vulnerability
96. Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability
97. T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability
98. Bugzilla Multiple Remote Vulnerabilities
99. MXBB MX Glance Module PHPBB_Root_Path Remote File Include Vulnerability
100. MambAds Mambo Component CAID Parameter SQL Injection Vulnerability
III. SECURITYFOCUS NEWS
1. DHS, Unisys scrutinized after data breach
2. Customers: TD Ameritrade failed to warn of breach
3. Max Vision charged with hacking -- again
4. Embassy leaks highlight pitfalls of Tor
IV. SECURITY JOBS LIST SUMMARY
1. [SJ-JOB] Security Architect, St. Louis
2. [SJ-JOB] Penetration Engineer, FLEX
3. [SJ-JOB] Penetration Engineer, FLEX
4. [SJ-JOB] Penetration Engineer, Munich/Hamburg - FLEX other areas
5. [SJ-JOB] Security Engineer, Hartford / Middletown
6. [SJ-JOB] Application Security Engineer, New York
7. [SJ-JOB] Security Engineer, Cupertino
8. [SJ-JOB] Manager, Information Security, St. Louis
9. [SJ-JOB] Sr. Product Manager, Cupertino
10. [SJ-JOB] Penetration Engineer, Hong Kong
11. [SJ-JOB] Jr. Security Analyst, Washington
12. [SJ-JOB] Jr. Security Analyst, Gurgaon
13. [SJ-JOB] Security Engineer, Leeds
14. [SJ-JOB] Software Engineer, St. Paul
15. [SJ-JOB] Technical Support Engineer, Columbia
16. [SJ-JOB] Security Consultant, London
17. [SJ-JOB] Security System Administrator, jacksonville
18. [SJ-JOB] Security System Administrator, jacksonville
19. [SJ-JOB] Information Assurance Analyst, Washington
20. [SJ-JOB] Information Assurance Engineer, Washington
21. [SJ-JOB] Security Engineer, Tucson
22. [SJ-JOB] Security Consultant, Arlington
23. [SJ-JOB] Sr. Security Engineer, Tucson
24. [SJ-JOB] Sr. Security Engineer, Herndon
25. [SJ-JOB] Security Engineer, Arlington
26. [SJ-JOB] Security Consultant, Arlington
27. [SJ-JOB] Security Product Manager, Mountain View
28. [SJ-JOB] Sales Engineer, Atlanta
29. [SJ-JOB] Sales Engineer, Detroit
30. [SJ-JOB] Sr. Product Manager, Mountain View
31. [SJ-JOB] Software Engineer, Livonia
32. [SJ-JOB] Forensics Engineer, Mountain View
33. [SJ-JOB] Software Engineer, Columbia
34. [SJ-JOB] Security Engineer, KANSAS CITY
35. [SJ-JOB] Software Engineer, Livonia
36. [SJ-JOB] Customer Service, St. Paul
37. [SJ-JOB] Security Consultant, New York
38. [SJ-JOB] Customer Support, Mountain View
39. [SJ-JOB] Customer Service, Mountain View
40. [SJ-JOB] Information Assurance Analyst, Chantilly
41. [SJ-JOB] Security Engineer, Philadelphia
42. [SJ-JOB] Instructor, Novi
43. [SJ-JOB] Sr. Security Analyst, Leatherhead / Reading
44. [SJ-JOB] Senior Software Engineer, Mountain View
45. [SJ-JOB] Senior Software Engineer, St.Louis
46. [SJ-JOB] Security Engineer, Reading
47. [SJ-JOB] Application Security Engineer, St.Louis
48. [SJ-JOB] Security Consultant, Reading
49. [SJ-JOB] Manager, Information Security, New York
50. [SJ-JOB] Software Engineer, Redmond
51. [SJ-JOB] Jr. Security Analyst, Calgary
V. INCIDENTS LIST SUMMARY
1. Interesting mail sender
VI. VULN-DEV RESEARCH LIST SUMMARY
VII. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #361
VIII. SUN FOCUS LIST SUMMARY
IX. LINUX FOCUS LIST SUMMARY
X. UNSUBSCRIBE INSTRUCTIONS
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1.Passive Network Analysis
By Stephen Barish
In sports, it's pretty much accepted wisdom that home teams have the advantage; that's why teams with winning records on the road do so well in the playoffs. But for some reason we rarely think about "the home field advantage" when we look at defending our networks.

http://www.securityfocus.com/infocus/1894

2.Windows Anti-Debug Reference
By Nicolas Falliere
This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems.

http://www.securityfocus.com/infocus/1893

II. BUGTRAQ SUMMARY
--------------------
1. Sina UC BROWSER2UC.DLL ActiveX Control Multiple Remote Stack Buffer Overflow Vulnerabilities
BugTraq ID: 21958
Remote: Yes
Last Updated: 2007-10-03
Relevant URL: http://www.securityfocus.com/bid/21958
Summary:
Sina UC ActiveX control is prone to multiple remote stack-based buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

Sina UC 2006 and prior versions are vulnerable to this issue.

2. HP Mercury Quality Center ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 23239
Remote: Yes
Last Updated: 2007-10-03
Relevant URL: http://www.securityfocus.com/bid/23239
Summary:
HP Mercury Quality Center ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and possibly to compromise affected computers.

HP Mercury Quality Center 8.2 SP1 and 9.0 are vulnerable to this issue.

3. Tor ControlPort Missing Authentication Unauthorized Access Vulnerability
BugTraq ID: 25188
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25188
Summary:
Tor is prone to an unauthorized-access vulnerability due to a design error when handling multiple connections to the ControlPort.

An attacker can exploit this issue to reconfigure Tor and significantly weaken the anonymity provided by the software.

Tor 0.1.2.15 is confirmed vulnerable; previous versions may also be affected.

4. MD-Pro Index.PHP Firefox ID SQL Injection Vulnerability
BugTraq ID: 25864
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25864
Summary:
MD-Pro is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

MD-Pro 1.0.76 is vulnerable to this issue; other versions may also be affected.

5. Public Media Manager newstopic_inc.php Remote File Include Vulnerability
BugTraq ID: 25860
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25860
Summary:
Public Media Manager is prone to a remote file-include vulnerability because the application fails to properly sanitize user-supplied input before using it in a PHP 'include()' function call.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process.

This issue affects Public Media Manager 1.3; other versions may also be vulnerable.

6. OpenSSL Montgomery Exponentiation Side-Channel Local Information Disclosure Vulnerability
BugTraq ID: 25163
Remote: No
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25163
Summary:
OpenSSL is prone to a local information-disclosure vulnerability because of an implementation flaw in the RSA algorithm.

Successfully exploiting this issue allows local attackers to gain access to private key information of other processes that use the affected library. Information harvested may aid in further attacks.

OpenSSL 0.9.8 is vulnerable to this issue; other versions may also be affected.

7. Sun Fire X2100 M2 And X2200 M2 ELOM Unauthorized Access Vulnerability
BugTraq ID: 25863
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25863
Summary:
Sun Fire X2100 M2 and X2200 M2 servers are prone to a vulnerability that allows unauthorized access.

This issue affects the Embedded Lights Out Manager (ELOM).

Remote attackers can leverage this issue to use a vulnerable server as a proxy for sending spam email messages.

8. Linux Kernel PTrace NULL Pointer Dereference Local Denial Of Service Vulnerability
BugTraq ID: 25801
Remote: No
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25801
Summary:
The Linux kernel is prone to a local denial-of-service vulnerability.

This issue occurs because of a NULL-pointer dereference in certain 'ptrace' operations.

A local attacker can exploit this issue to crash the affected kernel, denying service to legitimate users.

9. Linux Kernel JFFS2 Filesystem Security Bypass Vulnerability
BugTraq ID: 25838
Remote: No
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25838
Summary:
The Linux kernel is prone to a security-bypass vulnerability because the software fails to properly store POSIX ACLs in the JFFS2 filesystem.

A local attacker may exploit this issue to bypass ACL security restrictions, which may lead to other attacks.

10. Linux Kernel CIFS Local Privilege Escalation Vulnerability
BugTraq ID: 25672
Remote: No
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25672
Summary:
The Linux kernel is prone to a local privilege-escalation vulnerability.

An attacker could exploit this issue to execute arbitrary code with the privileges of the victim.

11. Apple iPhone Mail Unauthorized tel: Initiation Vulnerability
BugTraq ID: 25862
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25862
Summary:
Apple iPhone is prone to a vulnerability that lets attackers make unauthorized phone calls.

This issue affects the phone's Mail application.

Attackers may exploit this issue to initiate unauthorized telephone calls to arbitrary phone numbers.

NOTE: This issue was initially disclosed along with several other issues in BID 25834 (Apple iPhone 1.1.1 Update Multiple Security Vulnerabilities). Each issue has been assigned its own BID to better document the details.

Versions prior to iPhone 1.1.1 are vulnerable.

12. Apple iPhone Mobile Safari Cross-Domain URI Disclosure Vulnerability
BugTraq ID: 25859
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25859
Summary:
Apple iPhone is prone to an information-disclosure vulnerability.

This issue affects the phone's Mobile Safari application.

Attackers may exploit this issue to access potentially sensitive information; other attacks are also possible.

Versions prior to iPhone 1.1.1 are vulnerable.

13. Axis Communications 2100 Network Camera Multiple Input Validation Vulnerabilities
BugTraq ID: 25837
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25837
Summary:
Axis Communications 2100 Network Camera is prone to multiple input-validation vulnerabilities, including a cross-site scripting issue, multiple HTML-injection issues, and a cross-site request-forgery issue, because the application fails to properly sanitize user-supplied input.

Exploiting these issues could allow an attacker to execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data.

These issues affect 2100 Network Cameras with firmware version 2.43; other firmware versions and models may also be affected.

14. Zomplog admin/upload_files.php Unauthorized Access Vulnerability
BugTraq ID: 25861
Remote: Yes
Last Updated: 2007-10-01
Relevant URL: http://www.securityfocus.com/bid/25861
Summary:
Zomplog is prone to an unauthorized-access vulnerability because it fails to adequately limit access to administrative scripts.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may allow the attacker to gain unauthorized access or to escalate privileges; other attacks are also possible.

This issue affects Zomplog 3.8.1; other versions may also be vulnerable.

15. Apple iPhone Mobile Safari Browser Window Properties Same Origin Policy Bypass Vulnerability
BugTraq ID: 25857
Remote: Yes
Last Updated: 2007-09-29
Relevant URL: http://www.securityfocus.com/bid/25857
Summary:
Apple iPhone Mobile Safari Browser is prone to a vulnerability that allows attackers to bypass the same-origin policy.

Attackers can exploit this issue to execute arbitrary JavaScript in the context of another domain.

Versions prior to iPhone 1.1.1 are vulnerable.

16. Apple iPhone 1.1.1 Mobile Safari Browser iFrame Same Origin Policy Bypass Vulnerability
BugTraq ID: 25850
Remote: Yes
Last Updated: 2007-09-29
Relevant URL: http://www.securityfocus.com/bid/25850
Summary:
Apple iPhone Mobile Safari Browser is prone to a vulnerability that lets attackers bypass the same-origin policy.

Attackers can exploit this issue to execute arbitrary JavaScript in the context of another domain.

Versions prior to iPhone 1.1.1 are vulnerable.

17. Samba MS-RPC Remote Shell Command Execution Vulnerability
BugTraq ID: 23972
Remote: Yes
Last Updated: 2007-09-29
Relevant URL: http://www.securityfocus.com/bid/23972
Summary:
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application.

This issue affects Samba 3.0.0 to 3.0.25rc3.

18. Samba Deferred CIFS File Open Denial of Service Vulnerability
BugTraq ID: 22395
Remote: No
Last Updated: 2007-09-29
Relevant URL: http://www.securityfocus.com/bid/22395
Summary:
The smbd daemon is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to consume excessive memory resources, ultimately crashing the affected application.

This issue affects Samba versions 3.0.6 through 3.0.23d, inclusive.

19. Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow Vulnerability
BugTraq ID: 24198
Remote: Yes
Last Updated: 2007-09-29
Relevant URL: http://www.securityfocus.com/bid/24198
Summary:
Samba is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete remote compromise of affected computers. Failed exploit attempts will result in a denial of service.