From zdi-disclosures at tippingpoint.com Tue Jan 4 16:39:46 2011
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Tue, 4 Jan 2011 16:39:46 -0600
Subject: [VIM] ZDI-10-200: Tivoli Storage Manager FastBack 0xfafbfcfd Packet Remote Code Execution Vulnerability (fwd)
Message-ID:

Hi Brian,

Unfortunately we weren't given a CVE for this.

Best,
Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Tuesday, December 28, 2010 4:13 AM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: [Full-disclosure] ZDI-10-200: Tivoli Storage Manager FastBack 0xfafbfcfd Packet Remote Code Execution Vulnerability (fwd)

Hey ZDI,

Do you know which CVE this corresponds to? There are multiple FastBackServer.exe overflows.

Thanks,
Brian

---------- Forwarded message ----------
From: ZDI Disclosures
To: "'Full Disclosure (full-disclosure at lists.grok.org.uk)'", "'Bugtraq (bugtraq at securityfocus.com)'"
Date: Tue, 12 Oct 2010 16:12:00 -0500
Subject: [Full-disclosure] ZDI-10-200: Tivoli Storage Manager FastBack 0xfafbfcfd Packet Remote Code Execution Vulnerability

ZDI-10-200: Tivoli Storage Manager FastBack 0xfafbfcfd Packet Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-200
October 12, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
IBM

-- Affected Products:
IBM Tivoli Storage Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10533. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Tivoli Storage Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within FastBackServer.exe which listens by default on TCP port 1320. When handling a packet with header type 0xFAFBFCFD the process blindly copies user supplied data into a heap buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
IBM states:
http://www-01.ibm.com/support/docview.wss?uid=swg21443820 Issue 2

-- Disclosure Timeline:
2010-06-17 - Vulnerability reported to vendor
2010-10-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi

From theall at tenable.com Fri Jan 7 20:59:08 2011
From: theall at tenable.com (George A. Theall)
Date: Fri, 7 Jan 2011 21:59:08 -0500
Subject: [VIM] CVE-2010-0904
Message-ID: <0D274B5B-C128-4DBA-9707-BC475B7BBC2A@tenable.com>

I noticed that ZDI-10-118 and ZDI-10-123 both reference CVE-2010-0904. The CVE entry only says "Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors." and links to Oracle's CPU for July 2010. Is one ZDI advisory more "correct" for this CVE?

George
-- 
theall at tenablesecurity.com

From theall at tenable.com Wed Jan 19 12:50:06 2011
From: theall at tenable.com (George A. Theall)
Date: Wed, 19 Jan 2011 13:50:06 -0500
Subject: [VIM] CVE-2010-1795 vs CVE-2010-1894
Message-ID: <2D9BAC4D-9DD7-4F8E-AC7E-4A063B60BBF3@tenable.com>

Is there a difference between CVE-2010-1795 and CVE-2010-1894? The former is for a local win32k.sys DoS issue reported by Vigil@nce; the latter for an exception handling issue in win32k.sys that can be triggered only by local users and that was addressed by MS10-048.

George
-- 
theall at tenablesecurity.com

From coley at rcf-smtp.mitre.org Thu Jan 20 18:01:50 2011
From: coley at rcf-smtp.mitre.org (Steven M. Christey)
Date: Thu, 20 Jan 2011 19:01:50 -0500 (EST)
Subject: [VIM] CVE-2010-1795 vs CVE-2010-1894
In-Reply-To: <2D9BAC4D-9DD7-4F8E-AC7E-4A063B60BBF3@tenable.com>
References: <2D9BAC4D-9DD7-4F8E-AC7E-4A063B60BBF3@tenable.com>
Message-ID:

George,

I assume you mean CVE-2010-1735 instead of CVE-2010-1795? CVE-2010-1795 is a DLL injection issue in iTunes :)

I don't know if these are the same or not. CVE-2010-1734 also affects win32k.sys with the same results, and it looks like win32k.sys has gotten a good deal of attention in the last year or so.

Time to consult with Microsoft...

- Steve

On Wed, 19 Jan 2011, George A. Theall wrote:

> Is there a difference between CVE-2010-1795 and CVE-2010-1894? The former is
> for a local win32k.sys DoS issue reported by Vigil@nce; the latter for an
> exception handling issue in win32k.sys that can be triggered only by local
> users and that was addressed by MS10-048.
>
> George
> --
> theall at tenablesecurity.com
>
>

From theall at tenable.com Thu Jan 20 18:47:00 2011
From: theall at tenable.com (George A. Theall)
Date: Thu, 20 Jan 2011 19:47:00 -0500
Subject: [VIM] CVE-2010-1795 vs CVE-2010-1894
In-Reply-To:
References: <2D9BAC4D-9DD7-4F8E-AC7E-4A063B60BBF3@tenable.com>
Message-ID: <6BA8D446-90A2-4372-B867-9829304AB3DA@tenable.com>

On Jan 20, 2011, at 7:01 PM, Steven M. Christey wrote:

>
> George,
>
> I assume you mean CVE-2010-1735 instead of CVE-2010-1795?
> CVE-2010-1795 is a DLL injection issue in iTunes :)

Yes, I'm sorry for adding to the confusion.

> I don't know if these are the same or not. CVE-2010-1734 also
> affects win32k.sys with the same results, and it looks like
> win32k.sys has gotten a good deal of attention in the last year or so.
>
> Time to consult with Microsoft...

Thanks for checking it out.

George
-- 
theall at tenablesecurity.com

From theall at tenable.com Fri Jan 28 10:55:04 2011
From: theall at tenable.com (George A. Theall)
Date: Fri, 28 Jan 2011 11:55:04 -0500
Subject: [VIM] PHP Link Directory Software (sbcat_id) SQL Injection Vulnerability
Message-ID: <67655BE7-EEE5-4A58-8666-C2A45D6712DA@tenable.com>

FYI: Exploit DB 16061 / Bugtraq 46048 is just a rehash of OSVDB 62563 / Bugtraq 38418. Rob?

George
-- 
theall at tenablesecurity.com

From rkeith at securityfocus.com Fri Jan 28 12:09:24 2011
From: rkeith at securityfocus.com (rkeith)
Date: Fri, 28 Jan 2011 11:09:24 -0700
Subject: [VIM] PHP Link Directory Software (sbcat_id) SQL Injection Vulnerability
In-Reply-To: <67655BE7-EEE5-4A58-8666-C2A45D6712DA@tenable.com>
References: <67655BE7-EEE5-4A58-8666-C2A45D6712DA@tenable.com>
Message-ID: <4D430654.8090208@securityfocus.com>

Hey George,

Yep, looks like the same, will be retiring the new BID shortly.

Thanks,
Rob

On 01/28/2011 09:55 AM, George A. Theall wrote:
> FYI: Exploit DB 16061 / Bugtraq 46048 is just a rehash of OSVDB 62563 /
> Bugtraq 38418. Rob?
>
>
> George
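The ZDI-10-200 advisory forwarded at the top of this archive describes FastBackServer.exe copying user-supplied data into a heap buffer without a bound when it handles a packet of header type 0xFAFBFCFD. The C example below is added here and is not code from ZDI, IBM or the advisory; the wire format it parses (4-byte big-endian type, 4-byte big-endian payload length, then payload), the 256-byte heap buffer, the test frames and every function name are assumptions constructed for illustration and are not FastBack's real protocol. It puts the unchecked copy pattern beside a handler that validates the declared length against both the destination buffer and the bytes actually received, and runs the checked handler over constructed frames, including one that declares far more payload than it carries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example (NOT FastBack's real
 * protocol): 4-byte big-endian header type, 4-byte big-endian payload length,
 * then the payload. The handler copies the payload into a fixed-size heap
 * buffer, which is the kind of pattern the advisory describes. */
#define HDR_TYPE   0xFAFBFCFDu
#define HDR_LEN    8u
#define HEAP_BUF   256u   /* capacity of the heap buffer the handler allocates */

enum { PKT_ERR_SHORT = -1, PKT_ERR_TYPE = -2, PKT_ERR_LEN = -3, PKT_ERR_MEM = -4 };

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Unsafe pattern: the declared length is trusted. A peer that declares more
 * than HEAP_BUF bytes makes memcpy write past the heap allocation, and one that
 * declares more than was received makes it read past the input as well. Kept
 * only to contrast with the checked version; never run it on untrusted input. */
long handle_packet_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return PKT_ERR_SHORT;
    if (rd_be32(pkt) != HDR_TYPE) return PKT_ERR_TYPE;
    uint32_t declared = rd_be32(pkt + 4);
    uint8_t *buf = malloc(HEAP_BUF);
    if (!buf) return PKT_ERR_MEM;
    memcpy(buf, pkt + HDR_LEN, declared);   /* no bound against HEAP_BUF or pkt_len */
    free(buf);
    return (long)declared;
}

/* Hardened handler: the declared length must fit both the destination buffer
 * and the bytes actually present in the frame before any copy happens. */
long handle_packet_checked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return PKT_ERR_SHORT;
    if (rd_be32(pkt) != HDR_TYPE) return PKT_ERR_TYPE;
    uint32_t declared = rd_be32(pkt + 4);
    if (declared > HEAP_BUF) return PKT_ERR_LEN;            /* would overflow the heap buffer */
    if (declared > pkt_len - HDR_LEN) return PKT_ERR_LEN;   /* would read past received data */
    uint8_t *buf = malloc(HEAP_BUF);
    if (!buf) return PKT_ERR_MEM;
    memcpy(buf, pkt + HDR_LEN, declared);
    free(buf);
    return (long)declared;
}

/* Build a constructed frame: header plus (cap - HDR_LEN) filler bytes. The
 * declared length is written verbatim so a frame can lie about its size. */
size_t build_frame(uint32_t type, uint32_t declared, uint8_t *out, size_t cap)
{
    if (cap < HDR_LEN) return 0;
    wr_be32(out, type);
    wr_be32(out + 4, declared);
    memset(out + HDR_LEN, 0x41, cap - HDR_LEN);
    return cap;
}

/* Consistent frame: 16 payload bytes, declared length 16. Copies 16. */
long demo_consistent_frame(void)
{
    uint8_t frame[HDR_LEN + 16];
    size_t n = build_frame(HDR_TYPE, 16, frame, sizeof frame);
    return handle_packet_checked(frame, n);
}

/* Declares 4096 bytes but carries 16: refused. The unchecked handler would
 * have copied 4096 bytes into a 256-byte allocation. */
long demo_oversized_declared_length(void)
{
    uint8_t frame[HDR_LEN + 16];
    size_t n = build_frame(HDR_TYPE, 4096, frame, sizeof frame);
    return handle_packet_checked(frame, n);
}

/* Declares 64 bytes (fits the heap buffer) but carries 16: still refused,
 * because the copy would read beyond the received data. */
long demo_truncated_frame(void)
{
    uint8_t frame[HDR_LEN + 16];
    size_t n = build_frame(HDR_TYPE, 64, frame, sizeof frame);
    return handle_packet_checked(frame, n);
}

/* Wrong header type is rejected before any length is looked at. */
long demo_wrong_type(void)
{
    uint8_t frame[HDR_LEN + 16];
    size_t n = build_frame(0x01020304u, 16, frame, sizeof frame);
    return handle_packet_checked(frame, n);
}

int main(void)
{
    printf("consistent: %ld\n", demo_consistent_frame());
    printf("oversized:  %ld\n", demo_oversized_declared_length());
    printf("truncated:  %ld\n", demo_truncated_frame());
    printf("wrong type: %ld\n", demo_wrong_type());
    return 0;
}
```

The two length checks are independent and both matter: bounding the declared length by the destination capacity stops the heap overwrite, while bounding it by the bytes actually received stops an over-read that would leak adjacent heap contents or crash the service. A network-side filter for this class of bug (such as the Digital Vaccine filter the advisory mentions) can only apply the same kind of check from outside the process, so the in-process validation is the fix that removes the flaw.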