From coley at rcf-smtp.mitre.org  Tue May 17 13:31:24 2011
From: coley at rcf-smtp.mitre.org (Steven M. Christey)
Date: Tue, 17 May 2011 14:31:24 -0400 (EDT)
Subject: [VIM] Common Vulnerability Reporting Framework (CVRF) 1.0 released

An effort to standardize the format of security advisories in XML. Cisco and
other big orgs have contributed, so it has a bigger chance of success than
other efforts. If widely adopted, this could be a boon to consumers
everywhere (not to mention simplifying data collection for vuln DBs
everywhere?)

http://icasi.org/cvrf

- Steve

From mjc at redhat.com  Tue May 17 14:23:57 2011
From: mjc at redhat.com (Mark J Cox)
Date: Tue, 17 May 2011 20:23:57 +0100 (BST)
Subject: [VIM] Common Vulnerability Reporting Framework (CVRF) 1.0 released
Message-ID: <1105172023210.16227@mjc.redhat.com>

> http://icasi.org/cvrf

I've popped a few Red Hat examples in a zip file for your interest:

https://www.redhat.com/security/data/metrics/redhat-cvrf-samples.zip

Mark

From jericho at attrition.org  Wed May 18 02:00:30 2011
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 18 May 2011 02:00:30 -0500 (CDT)
Subject: [VIM] [DSECRG-11-005] Oracle Document Capture empop3.dll - insecure method
In-Reply-To: <1147995696.20110125173052@dsec.ru>
References: <1147995696.20110125173052@dsec.ru>

Hi Alexandr;

: Digital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal #DSECRG-00154)
: CVE-number: CVE-2010-3591
: Oracle Document Capture contains ActiveX component EMPOP3Lib
: (empop3.dll) Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24} which
: contains the insecure method "DownloadSingleMessageToFile" that can delete
: any file in the system.
http://seclists.org/bugtraq/2011/Jan/141

[DSECRG-00153] Oracle Document Capture Actbar2.ocx - insecure method
CVE-number: CVE-2010-3591
Oracle Document Capture contains ActiveX component ActiveBar2Library
(Actbar2.ocx) Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9} which
contains the insecure method "SaveLayoutChanges" that can overwrite any
unhidden file in the system.

^ Could you clarify this? Seems the same CVE is listed for both of these,
but they cover different ActiveX controls and methods.

Thanks,

Brian
OSVDB.org

From jericho at attrition.org  Fri May 20 22:28:00 2011
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 20 May 2011 22:28:00 -0500 (CDT)
Subject: [VIM] [Full-disclosure] ZDI-11-032: Symantec Intel Alert Originator Service iao.exe Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-028
http://www.zerodayinitiative.com/advisories/ZDI-11-029
http://www.zerodayinitiative.com/advisories/ZDI-11-030
http://www.zerodayinitiative.com/advisories/ZDI-11-031
http://www.zerodayinitiative.com/advisories/ZDI-11-032

All of these advisories have the wrong CVE. Could you clarify which CVE is
associated with each advisory?

Brian
OSVDB.org

On Thu, 27 Jan 2011, ZDI Disclosures wrote:

: ZDI-11-032: Symantec Intel Alert Originator Service iao.exe Remote Code Execution Vulnerability
: 
: http://www.zerodayinitiative.com/advisories/ZDI-11-032
: 
: January 27, 2011
: 
: -- CVE ID:
: CVE-2010-111
: 
: -- CVSS:
: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
: 
: -- Affected Vendors:
: Symantec
: 
: -- Affected Products:
: Symantec Alert Management System
: 
: -- TippingPoint(TM) IPS Customer Protection:
: TippingPoint IPS customers have been protected against this
: vulnerability by Digital Vaccine protection filter ID 5959.
: For further product information on the TippingPoint IPS, visit:
: 
: http://www.tippingpoint.com
: 
: -- Vulnerability Details:
: This vulnerability allows remote attackers to execute arbitrary code on
: vulnerable installations of multiple Symantec products. Authentication
: is not required to exploit this vulnerability.
: 
: The specific flaw exists within the Intel Alert Originator (iao.exe)
: service. While processing messages sent from the msgsys.exe process a
: size check can be bypassed and a subsequent stack-based buffer overflow
: can be triggered. This can be leveraged by remote attackers to execute
: arbitrary code under the context of the Alert service.
: 
: -- Vendor Response:
: Symantec has issued an update to correct this vulnerability. More
: details can be found at:
: 
: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00
: 
: -- Disclosure Timeline:
: 2009-10-27 - Vulnerability reported to vendor
: 2011-01-27 - Coordinated public release of advisory
: 
: -- Credit:
: This vulnerability was discovered by:
: * Anonymous
: 
: -- About the Zero Day Initiative (ZDI):
: Established by TippingPoint, The Zero Day Initiative (ZDI) represents
: a best-of-breed model for rewarding security researchers for responsibly
: disclosing discovered vulnerabilities.
: 
: Researchers interested in getting paid for their security research
: through the ZDI can find more information and sign-up at:
: 
: http://www.zerodayinitiative.com
: 
: The ZDI is unique in how the acquired vulnerability information is
: used. TippingPoint does not re-sell the vulnerability details or any
: exploit code. Instead, upon notifying the affected product vendor,
: TippingPoint provides its customers with zero day protection through
: its intrusion prevention technology.
: Explicit details regarding the
: specifics of the vulnerability are not exposed to any parties until
: an official vendor patch is publicly available. Furthermore, with the
: altruistic aim of helping to secure a broader user base, TippingPoint
: provides this vulnerability information confidentially to security
: vendors (including competitors) who have a vulnerability protection or
: mitigation product.
: 
: Our vulnerability disclosure policy is available online at:
: 
: http://www.zerodayinitiative.com/advisories/disclosure_policy/
: 
: Follow the ZDI on Twitter:
: 
: http://twitter.com/thezdi

From jericho at attrition.org  Sat May 21 17:44:21 2011
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 21 May 2011 17:44:21 -0500 (CDT)
Subject: [VIM] [Full-disclosure] ZDI-11-035: IBM DB2 db2dasrrm validateUser Remote Code Execution Vulnerability

On Mon, 31 Jan 2011, ZDI Disclosures wrote:

: ZDI-11-035: IBM DB2 db2dasrrm validateUser Remote Code Execution Vulnerability
: 
: http://www.zerodayinitiative.com/advisories/ZDI-11-035

: v9.1 fp10
: IC69986 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC66811

Small discrepancy here: IC69986, but the link is to IC66811.
From jericho at attrition.org  Mon May 23 16:18:15 2011
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 23 May 2011 16:18:15 -0500 (CDT)
Subject: [VIM] VUPEN Security Research - Microsoft Windows Shell Graphics BMP "width" Integer Overflow Vulnerability
In-Reply-To: <33636EB615874E858495C62E1A30638A@unknown>
References: <33636EB615874E858495C62E1A30638A@unknown>

: VUPEN Security Research - Microsoft Windows Shell Graphics BMP "width"
: Integer Overflow Vulnerability

: The vulnerability is caused by an integer overflow error in the Windows
: Shell graphics processor when parsing the "width" value within BMP
: images, which could be exploited by remote attackers to compromise a
: vulnerable system by tricking a user into opening or previewing a
: malformed Office file or browsing to a network share, UNC, or WebDAV
: location containing a specially crafted image.

: Apply the MS11-006 security update.

: http://www.vupen.com/english/advisories/2011/0018
: http://www.microsoft.com/technet/security/bulletin/MS11-006.mspx

The MS11-006 advisory only crosses to CVE-2010-3970. This was originally
disclosed 2010-12-15 during a presentation called 'A Vulnerability in My
Heart' by Moti & Xu Hao. It was further written about by Dan Goodin of The
Register on 2011-01-04. The conference it was presented at was actually
sponsored by VUPEN, among others.

I am curious about your disclosure timeline:

: 2011-01-15 - Vulnerability Discovered by VUPEN

Is this correct? You discovered it almost a month later, and published
fewer details in your advisory than iDefense did on 2011-02-08?

Brian
OSVDB.org

From thomas.mackenzie at upsploit.com  Mon May 23 16:36:15 2011
From: thomas.mackenzie at upsploit.com (Thomas Mackenzie)
Date: Mon, 23 May 2011 22:36:15 +0100
Subject: [VIM] Vulnerabilities in services
Message-ID: <078546C2-65E8-4A5A-B5A1-904371BFC3F3@upsploit.com>

Hi all,

About 170 days ago we had a vulnerability released for Apple.
The vulnerability was a problem within a service and not a product. I was
made aware this evening by the researcher that Apple probably wouldn't get
in touch when they fixed the service issue, due to it being a problem behind
the scenes within the service. He was made aware of this by a security
manager at ZDI; is this the case?

We believe the problem has been fixed and would like to release the
vulnerability before the 180-day policy we follow, and just wanted to make
sure that Apple are likely not to reply to an issue within their service?

Tom

https://www.upsploit.com

From coley at rcf-smtp.mitre.org  Thu May 26 10:48:40 2011
From: coley at rcf-smtp.mitre.org (Steven M. Christey)
Date: Thu, 26 May 2011 11:48:40 -0400 (EDT)
Subject: [VIM] VUPEN database advisories offline?

The VUPEN database appears to have been offline for a week or more.

http://www.vupen.com/english/security-advisories/ says "VUPEN security
advisories are not currently available."

Does anybody know what's going on? VUPEN?

- Steve

From jericho at attrition.org  Fri May 27 02:29:59 2011
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 27 May 2011 02:29:59 -0500 (CDT)
Subject: [VIM] prison bugs! (IE? Windows? RadiantOne?)

http://gcn.com/articles/2011/05/30/colorado-prison-sidebar.aspx

[..]
For instance, the inmates discovered that if they opened more than 200
windows in Internet Explorer at a time, it would cause a buffer overflow,
Jubic said. "Once they caused the buffer overflow, group policy stopped
completely," and access was restored to additional function keys on the
keyboards.
[..]

Any guesses as to where the vulnerability lies?

From theall at tenable.com  Fri May 27 12:40:56 2011
From: theall at tenable.com (George A. Theall)
Date: Fri, 27 May 2011 13:40:56 -0400
Subject: [VIM] Joomla!
 'com_restaurante' Component 'id' Parameter SQL Injection Vulnerability
Message-ID: <908FDF14-CD4F-4C1D-A7B6-1617AC5C49CD@tenable.com>

Bugtraq 48012 was created today for a SQL injection vulnerability. It
offers a link to a PoC but that's broken. And while the discussion doesn't
hold details about which script and parameter(s) are affected, I suspect
it's the same as
http://packetstormsecurity.org/files/view/101735/joomlarestaurants-sql.txt .

If so, it looks like the vulnerability is already covered by BID 28324,
from back in 2008.

Rob?

George
-- 
theall at tenablesecurity.com

From rkeith at securityfocus.com  Fri May 27 12:50:12 2011
From: rkeith at securityfocus.com (Rob keith)
Date: Fri, 27 May 2011 11:50:12 -0600
Subject: [VIM] Joomla! 'com_restaurante' Component 'id' Parameter SQL Injection Vulnerability
In-Reply-To: <908FDF14-CD4F-4C1D-A7B6-1617AC5C49CD@tenable.com>
References: <908FDF14-CD4F-4C1D-A7B6-1617AC5C49CD@tenable.com>
Message-ID: <4DDFE454.3050706@securityfocus.com>

Thanks George, they look the same to me. We'll get that fixed up.

-Rob

On 11-05-27 11:40 AM, George A. Theall wrote:
> Bugtraq 48012 was created today for a SQL injection vulnerability. It
> offers a link to a PoC but that's broken. And while the discussion
> doesn't hold details about which script and parameter(s) are affected,
> I suspect it's the same as
> http://packetstormsecurity.org/files/view/101735/joomlarestaurants-sql.txt.
>
> If so, it looks like the vulnerability is already covered by BID
> 28324, from back in 2008.
>
> Rob?
>
>
> George
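Editor's added example for the BMP "width" integer overflow discussed in the VUPEN / MS11-006 message earlier in this digest. This is not VUPEN's, Microsoft's or any list member's code, and it does not reproduce the Windows Shell graphics code; it illustrates the bug class generically: a pixel-buffer size computed in 32-bit arithmetic from header fields the attacker controls wraps to a tiny value, so the decoder allocates far too little and the row copy that follows overflows the heap. The BITMAPINFOHEADER field offsets are the public BMP layout; the function names, the 65536-pixel dimension cap and the two sample headers are assumptions constructed for the example.

```c
/* Added example (not from VUPEN, Microsoft, ZDI or this list): a minimal BMP
 * header reader showing the vulnerable 32-bit size computation beside an
 * overflow-checked one. BITMAPINFOHEADER offsets are the public BMP format;
 * the function names, the dimension cap and the sample headers are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* BMP is little-endian on disk. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

#define BMP_HDR_LEN 54   /* 14-byte file header + 40-byte BITMAPINFOHEADER */

struct bmp_info { int32_t width; int32_t height; uint16_t bpp; };

/* Reads only the three header fields that drive the size computation. */
static int parse_info(const uint8_t *buf, size_t len, struct bmp_info *bi) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    if (rd32(buf + 14) != 40) return -1;      /* biSize: classic header only */
    bi->width  = (int32_t)rd32(buf + 18);     /* biWidth, signed in the format */
    bi->height = (int32_t)rd32(buf + 22);     /* biHeight, negative = top-down */
    bi->bpp    = rd16(buf + 28);              /* biBitCount */
    return 0;
}

/* Vulnerable pattern: stride and total computed in 32 bits with no range
 * check, so width * bpp can wrap and the allocation becomes a few bytes. */
static uint32_t pixel_bytes_unchecked(const struct bmp_info *bi) {
    uint32_t stride = (((uint32_t)bi->width * bi->bpp) + 31) / 32 * 4;   /* rows padded to 4 bytes */
    uint32_t rows = bi->height < 0 ? (uint32_t)-(int64_t)bi->height : (uint32_t)bi->height;
    return stride * rows;
}

/* Hardened pattern: reject non-positive width and zero height, whitelist bit
 * depths, check each multiplication before doing it in 64 bits, and cap the
 * dimensions (the 65536 cap is an assumed policy, not a BMP format rule). */
static int pixel_bytes_checked(const struct bmp_info *bi, size_t *out) {
    const uint64_t max_dim = 1u << 16;
    if (bi->width <= 0 || bi->height == 0) return -1;
    switch (bi->bpp) { case 1: case 4: case 8: case 16: case 24: case 32: break; default: return -1; }
    uint64_t w = (uint64_t)bi->width;
    uint64_t h = bi->height < 0 ? (uint64_t)-(int64_t)bi->height : (uint64_t)bi->height;
    if (w > max_dim || h > max_dim) return -1;
    if (w > (UINT64_MAX - 31) / bi->bpp) return -1;       /* w * bpp + 31 would wrap */
    uint64_t stride = (w * bi->bpp + 31) / 32 * 4;        /* >= 4, never zero */
    if (h > UINT64_MAX / stride) return -1;               /* stride * h would wrap */
    uint64_t total = stride * h;
    if (total > SIZE_MAX / 2) return -1;                  /* keep it allocatable */
    *out = (size_t)total;
    return 0;
}

/* Runs both computations on one header. Returns 0 when the checked path
 * accepts the image and -1 when it rejects; *unchecked always receives the
 * value the vulnerable path would have passed to the allocator. */
int size_from_header(const uint8_t *buf, size_t len, uint32_t *unchecked, size_t *checked) {
    struct bmp_info bi;
    *unchecked = 0; *checked = 0;
    if (parse_info(buf, len, &bi) != 0) return -1;
    *unchecked = pixel_bytes_unchecked(&bi);
    return pixel_bytes_checked(&bi, checked);
}

/* Constructs a 54-byte header with the given dimensions for the example;
 * pixel data is omitted because only the header drives the size computation. */
void make_header(uint8_t out[BMP_HDR_LEN], int32_t width, int32_t height, uint16_t bpp) {
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 10, BMP_HDR_LEN);     /* bfOffBits */
    wr32(out + 14, 40);              /* biSize */
    wr32(out + 18, (uint32_t)width); /* biWidth */
    wr32(out + 22, (uint32_t)height);/* biHeight */
    wr16(out + 26, 1);               /* biPlanes */
    wr16(out + 28, bpp);             /* biBitCount */
}

int main(void) {
    uint8_t hdr[BMP_HDR_LEN];
    uint32_t u; size_t c; int rc;

    make_header(hdr, 16, 16, 24);            /* benign 16x16 24-bit image: 48-byte rows */
    rc = size_from_header(hdr, sizeof hdr, &u, &c);
    printf("benign:   unchecked=%u checked=%zu rc=%d\n", (unsigned)u, c, rc);

    make_header(hdr, 0x10000001, 1, 32);     /* width chosen so width*32 wraps to 0x20 */
    rc = size_from_header(hdr, sizeof hdr, &u, &c);
    printf("overflow: unchecked=%u bytes for a ~1 GiB row, checked rc=%d\n", (unsigned)u, rc);
    return 0;
}
```

The second header is the whole point: 0x10000001 * 32 is 0x200000020, which a 32-bit multiply truncates to 0x20, so the vulnerable path asks for a 4-byte buffer and then decodes a row of over a gigabyte into it. The checked path never reaches the multiply because the width fails the dimension cap, and even without the cap the pre-multiplication checks would catch a wrap.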