iDefense Security Advisory 08.01.08 - Local exploitation of a file permissions modification vulnerability in the "verifydb" utility, as included with Ingres Database 2006 Release 2 for Linux, allows attackers to modify the permissions of files owned by the Ingres database user. iDefense has confirmed the existence of this vulnerability in Ingres 2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other versions may also be affected.
b28cb79a42b876d64f3c82e9c2ebb2ef0693c68521a60c5f290fea357282e071iDefense Security Advisory 07.31.08 - Remote exploitation of an integer overflow vulnerability in Apple Inc.'s Mac OS X could allow an attacker to execute arbitrary code with the privileges of the currently logged in user. This vulnerability exists due to the way PDF files containing Type 1 fonts are handled. When processing a font with an overly large length, integer overflow could occur. This issue leads to heap corruption which can allow for arbitrary code execution. iDefense has confirmed the existence of this vulnerability in Mac OS X version 10.5.2. Previous versions may also be affected.
bd9422a741573a345861eba59adfc7d12e18e349884ec64a39129a4947283475iDefense Security Advisory 07.30.08 - Local exploitation of an untrusted path vulnerability in the "dbmsrv" program, as distributed with SAP AG's MaxDB, allow attackers to elevate privileges to that of the "sdb" user. When a local user runs the "dbmcli" program, the MaxDB executes a "dbmsrv" process on the user's behalf. The "dbmsrv" process, which is responsible for executing user commands, runs as the user "sdb" with group "sdba". This vulnerability exists due to improper sanitization of the "PATH" environment variable. By prefixing the "PATH" environment variable with a path under the attacker control, one is able to execute arbitrary code iDefense has confirmed the existence of this vulnerability in SAP MaxDB version 7.6.03.15 on Linux. Other versions may also be vulnerable. with "sdb:sdba" privileges.
158672240f8706b9c88752b0eb9e203b6dfa95613bb249e05f3a62e8c726652eiDefense Security Advisory 07.28.08 - Remote exploitation of a denial of service vulnerability in Hewlett-Packard's Internet Services Probe Builder product allows an unauthenticated attacker the ability to terminate any process. The Probe Builder Service, PBOVISServer.exe, listens by default on TCP port 32968. This process has a specific opcode that allows a remote unauthenticated user to terminate any process on the system by supplying a process ID number. iDefense has confirmed this vulnerability in HP's Internet Services Probe Builder 2.2 for Windows with all updates applied.
008faaa9a88b4025fae380301022c90d03ae8550c79cf5851d7a897c791bd88fiDefense Security Advisory 07.15.08 - Local exploitation of an untrusted library path vulnerability in Oracle Corp.'s Oracle Database product allows attackers to gain elevated privileges. This vulnerability specifically exists in a set-uid root program distributed with Oracle Database for Linux and Unix platforms. By replacing a module owned by the oracle user, which is loaded by this program, an attacker can execute arbitrary code as root. iDefense confirmed the existence of this vulnerability in Oracle 11g R1 version 11.1.0.6.0 on 32-bit Linux platform. Previous versions may also be affected.
01a615097a77c6303f3b770b31f3e4481133f468b5bad9ffbcfaea23ea933114iDefense Security Advisory 07.15.08 - Remote exploitation of a buffer overflow vulnerability in the DBMS_AQELM package in Oracle Corp.'s Oracle Database product allows attackers to execute arbitrary code with the privileges of the database user. This vulnerability exists due to improper input validation when handling a parameter passed to a procedure within the DBMS_AQELM package. Since the parameter is not properly validated, providing a long string can cause a buffer overflow to occur. This results in corruption of the database and could allow for the execution of arbitrary code as the database user. iDefense confirmed the existence of this vulnerability in Oracle Database version 10.2.0.3 and 11.1.0.6 with the October 2007 CPU applied. Previous versions may also be affected.
01ee6c67c85787f73c33c76013b6095d4c5cc691acac1583a9413464e178ede0iDefense Security Advisory 07.15.08 - Remote exploitation of a pre-authentication input validation vulnerability in Oracle Corp.'s Oracle Internet Directory allows an attacker to conduct a denial of service attack on a vulnerable host. Internet Directory consists of two processes. One process acts as a listener. It handles incoming connections and passes them off to the second process. The second process, which handles requests, contains the vulnerability. When processing a malformed LDAP request, it is possible to cause the handler to dereference a NULL pointer. This results in the process crashing. Future connection requests will be accepted by the listener process, and then immediately closed when it finds that there is no handler process running. iDefense confirmed the existence of this vulnerability in Oracle Internet Directory for Windows version 10.1.4.0.1 with the April 2007 CPU installed. Previous versions may also be affected.
b68c1567bcbb9c57e54d5c5d2a26fa9cc93258efcc805e6245e76fe2cfb9c7e1iDefense Security Advisory 07.09.08 - Remote exploitation of a heap buffer overflow vulnerability in Novell Inc.'s eDirectory could allow an attacker to execute arbitrary code with the privileges of the affected service. The vulnerability exists due to an incorrect calculation when allocating a heap buffer to store the search parameters. By passing NULL search parameters, it is possible to overflow a heap based buffer with the string "(null)". This can result in the corruption of heap management structures, and depending on the layout of the heap, possibly function pointers. iDefense has confirmed the existence of this vulnerability in eDirectory version 8.8 SP2 for Linux. Other versions may also be affected.
627e6dd7ce09a52c670678f4c422f600ab53d2e3e6fcfe6e750bf708d64d17c2iDefense Security Advisory 07.08.08 - Remote exploitation of an integer underflow vulnerability within Microsoft Corp.'s SQL Server could allow a remote attacker to execute arbitrary code with the privileges of the SQL Server. The vulnerability exists within the code responsible for parsing a stored backup file. A 32-bit integer value, representing the size of a record, is taken from the file and used to calculate the number of bytes to read into a heap buffer. This calculation can underflow, which leads to insufficient memory being allocated. The buffer is subsequently overfilled leading to an exploitable condition. iDefense confirmed the existence of this vulnerability in Microsoft SQL Server 2005 Service Pack 2 Hot Fix 4. Additional tests against SQL Server 2005 without any updates suggest it is also vulnerable. Previous versions are also suspected to be vulnerable.
fe9c3148cb2d757ad46ba64750e372614bfc507af907dfccd2670469cfd270b0iDefense Security Advisory 06.11.08 - Local exploitation of an information disclosure vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to gain access to sensitive information stored in server memory. The vulnerability exists when creating a Pixmap in the fbShmPutImage() function. The width and height of the Pixmap, which are controlled by the user, are not properly validated to ensure that the Pixmap they define are within the bounds of the shared memory segment. This allows an attacker to read arbitrary areas of memory in the X server process. iDefense has confirmed the existence of this vulnerability in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.
f996dc34179e536c8cec80e7e1ab0c8b3841cce7dc4a40b66986828681ff031diDefense Security Advisory 06.11.08 - Local exploitation of multiple memory corruption vulnerabilities in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root. iDefense has confirmed the existence of these vulnerabilities in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.
23de174b019234410fd1fed2d2601eac065e96395b47d5efd0aa7b395e84b241iDefense Security Advisory 06.11.08 - Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root. iDefense has confirmed the existence of this vulnerability in X.org X11 version R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.
01fb73cd7aa428fb3937fe703ea544212b782097950d51a7c35ef592e91f7208iDefense Security Advisory 06.11.08 - Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to create a denial of service (DoS) condition on the affected X server. The vulnerability exists within the ProcRenderCreateCursor() function. When parsing a client request, values are taken from the request and used in an arithmetic operation that calculates the size of a dynamic buffer. This calculation can overflow, which results in an undersized buffer being allocated. This leads to an invalid memory access, which crashes the X server. iDefense has confirmed the existence of these this vulnerability in X.org X11 version R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.
8ee084f756e81279ec599dbaa545459efdc06ef3a6da7b39b149058126cb1b07iDefense Security Advisory 06.11.08 - Local exploitation of an integer overflow vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root. The vulnerability exists within the AllocateGlyph() function, which is called from several request handlers in the render extension. This function takes several values from the request, and multiplies them together to calculate how much memory to allocate for a heap buffer. This calculation can overflow, which leads to a heap overflow. iDefense has confirmed the existence of this vulnerability in X server 1.4 included with X.org X11R7.3, with all patches as of 03/01/08 applied. Previous versions may also be affected.
8af2a005f2bcb28930e75e027ff46599b31bf9c3361ab9c6cb6a2f8bbff1df5diDefense Security Advisory 06.10.08 - Remote exploitation of multiple heap overflow vulnerabilities in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application. iDefense has confirmed the existence of these vulnerabilities in FreeType2 version 2.3.5. Previous versions may also be affected.
9a4ef45fbc6785b0af6fa5c6bf4ca83872c3fb8be357ebe78481f18cc310c0fdiDefense Security Advisory 06.10.08 - Remote exploitation of a memory corruption vulnerability in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application. iDefense has confirmed the existence of this vulnerability in FreeType2 version 2.3.5. Previous versions may also be affected.
f2c22e428f5c55adfcda2877e8130ea56ec91d743b89e502b2f96e1f422a73e6iDefense Security Advisory 06.10.08 - Remote exploitation of an integer overflow vulnerability in the FreeType2 library, as included in various vendors' operating systems, could allow an attacker to execute arbitrary code with the privileges of the affected application. iDefense has confirmed the existence of this vulnerability in FreeType2 version 2.3.5. Previous versions may also be affected.
18935846eb0ff2f48ca7a704216e84691e9e214cb67b355c026afedfc4490df0iDefense Security Advisory 06.10.08 - Remote exploitation of an integer overflow vulnerability in OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists due to the rtl_allocateMemory() function rounding up allocation requests to be aligned on an 8 byte boundary without checking if this rounding results in an integer overflow condition. iDefense has confirmed the existence of this vulnerability in OpenOffice version 2.4. Previous versions may also be affected.
15340a7bbc8dd9478c22d89f115c6bb4901e3af89d82ce430bfc983d69017778iDefense Security Advisory 06.04.08 - Local exploitation of a input validation vulnerability within VMware's Hgfs.sys driver could allow an unprivileged attacker to execute arbitrary code within the kernel of a Windows guest operating system. When a VMware guest operating system has the VMware Tools package installed, the hgfs.sys driver is loaded on the machine. This driver allows any user to open the device "\\.\hgfs" and issue IOCTLs with a buffering mode of METHOD_NEITHER. This allows untrusted user mode code to pass kernel addresses as arguments to the driver. iDefense confirmed the existence of this vulnerability in hgfs.sys as included with VMware Workstation 5.5.4. Other versions are suspected vulnerable as well.
94965d18331de5c2c720b4857032236ba30344a29f60b2f9431727bdeac556faiDefense Security Advisory 06.04.08 - Local exploitation of an untrusted library path vulnerability in multiple products distributed by VMware Inc. could allow an attacker to execute arbitrary code with root privileges. The Linux version of VMware products include a program called 'vmware-authd', which is installed set-uid root. When this program is executed, it reads configuration options from the executing user's VMware configuration file. One such option allows the user to specify the directory in which to look for shared library modules needed by the program. By loading a specially crafted library, an attacker can execute arbitrary code with elevated privileges. iDefense confirmed the existence of this vulnerability in the following VMware products: VMware Workstation 6.0.2.59824 for Linux, VMware GSX Server 3.2.1.14497 for Linux, and VMware ESX Server 3.0.1.32039.
a82b3045bcbc7a5650e09e9a047819ec79df3ee1ffa50125706f3b923c1b76ebiDefense Security Advisory 06.04.08 - Remote exploitation of a security policy bypass in Skype could allow an attacker to execute arbitrary code in the context of the user. The "file:" URI handler in Skype performs checks upon the URL to verify that the link does not contain certain file extensions related to executable file formats. If the link is found to contain a blacklisted file extension, a security warning dialog is shown to the user. The following file extensions are checked and considered dangerous by Skype; .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js. Due to improper logic when performing these checks, it is possible to bypass the security warning and execute the program. iDefense confirmed version 3.6.0.248 of Skype to be vulnerable. Previous versions are also suspected to be vulnerable.
6e1d4278ddd25067bb3840166b2556601b051ac2ab7e7e7434da7c39d4abd6c3iDefense Security Advisory 06.04.08 - Local exploitation of a stack-based buffer overflow in Kaspersky Lab's Internet Security could allow an attacker to execute arbitrary code in the context of the kernel. The kl1.sys kernel driver distributed with Internet Security contains a stack-based buffer overflow in the handling of IOCTL 0x800520e8. This issue is caused by a failure to properly perform bounds checks on user-supplied data that is passed to the swprintf function as a source buffer. The destination buffer in this case is a 2,000 element wide-character array. If the source buffer exceeds 2,000 characters, a buffer overflow will occur leading to the execution of arbitrary code. Kaspersky Lab's Internet Security version 7.0.1.325 is confirmed to be vulnerable to this issue. Previous versions are also suspected to be vulnerable.
76b1a9b68c1292103ca437e858f41f941b735e53432fe2069ab285b88ffe6825iDefense Security Advisory 06.03.08 - Remote exploitation of design error in Sun Microsystem's Java System Active Server Pages allows attackers to bypass administration server authentication mechanisms. The vulnerability exists due to improper design of the ASP application server. The administration application server exists as a stand-alone service that listens on TCP port 5102. By connecting directly to this service and making requests, attackers are able to bypass authentication mechanisms introduce by the administration HTTP server. iDefense has confirmed the existence of this vulnerability within version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server Pages. Older versions are suspected to be vulnerable.
2d4b1c50109624d2045044c60d6b665894482900ea27dac1d1192bf883ed8983iDefense Security Advisory 06.03.08 - Remote exploitation of multiple command injection vulnerabilities in Sun Microsystem's Java System Active Server Pages allows attackers to execute arbitrary code with root privileges. These vulnerabilities exist within several ASP applications that execute shell commands. The problem lies in the fact that these applications do not filter or escape the parameters passed to these commands. By inserting shell meta-characters into an HTTP request, an attacker is able to execute arbitrary shell commands. iDefense has confirmed the existence of these vulnerabilities within version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server Pages. Older versions are suspected to be vulnerable.
bb385586ed5b085d8de367bb6c7da6fe1d3365325ddb8e023922c855c7c1387ciDefense Security Advisory 06.03.08 - Remote exploitation of a buffer overflow vulnerability in Sun Microsystem's Java System Active Server Pages allows attackers to execute arbitrary code in the context of the ASP server. The vulnerability exists within the request handling code within the ASP server. An attacker supplied string is copied into a fixed size stack buffer without first validating that there is sufficient space available. By supplying a specially crafted request, an attacker can cause a stack-based buffer overflow. iDefense has confirmed the existence of this vulnerability within version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server Pages. Older versions are suspected to be vulnerable.
e2f254af6aff69047008749f49ba6f0fb9cd30aa7d3d81dc5c29e530df9bbcff
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed