Tuesday, December 4, 2007

SonicWALL Global VPN Client Format String

=====================================================================================
title: SonicWALL Global VPN Client Format String Vulnerability
program: SonicWALL Global VPN Client
vulnerable version: < 4.0.0.830
homepage: www.sonicwall.com
found: 06-12-2007
by: lofi42*
perm. link: http://www.sec-consult.com/305.html
=====================================================================================

Vendor description:
---------------

The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway.


Vulnerability overview:
---------------

SonicWALL Global VPN Client suffers from a format string vulnerability
that can be triggered by supplying a specially crafted configuration
file. This vulnerability allows an attacker to execute arbitrary code in
the context of the vulnerable client. For a successful attack, the
attacker would have to entice his victim into importing the special
configuration file.


Vulnerability details:
---------------

Format string errors occur when the client parses the "name" attribute
of the "Connection" tag and the content of the "Hostname" tags in the
configuration file.

Examples:


%s%s%s%s

The bugs have been verified in version 3.1.556 and beta 4.0.0.810. With
version 3.1.556 the client has to initiate a connection to trigger the
vulnerability, whereas with version 4.0.0.810, the bug can be exploited
by simply double-clicking the configuration file. This can be attributed
to the 4.0 version trying to write the imported configuration to an
extra debug log.


Proof-of-concept:
---------------

In 4.0.0.810, the bug can be beautifully demonstrated by supplying a
crafted config file and then viewing the debug logfile. A configuration
like this...

AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x
BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x.%x.%x.%x.%x.%x

...yields the following logfile:

----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
----------------------</Connection name >-----------------------------------
----------------------<HostName>--------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
----------------------</HostName>---------------------------------------


This vulnerability allows reading / writing to arbitrary memory
addresses within the process memory space. Exploitation is trivial under
these circumstances.
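
Added example, not part of the advisory and not vendor code: the bug class behind the log excerpt above, next to the one-line fix, plus a decoder showing that the words leaked after the ten "A" characters are the logger's own message buffer. The function names and the build-then-print shape of the logger are assumptions; the message template and the hex words are taken from the log excerpt.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Message template modelled on the log excerpt in the advisory. */
#define ENABLED_TEMPLATE "The connection \"%s\" has been enabled."

/* Last eleven words printed for the "AAAAAAAAAA" connection name above. */
#define LEAKED_WORDS \
    "6f4c6e4f.73654d67.65676173.203a2928.65685427.6e6f6320." \
    "7463656e.206e6f69.41414122.41414141.25414141"

/* BEFORE (assumed shape of the bug): the message is built first, then the
 * finished text, which now contains the config value, is handed to a
 * printf-style function as the format string. */
int log_enabled_vulnerable(char *out, size_t n, const char *conn_name)
{
    char msg[512];
    snprintf(msg, sizeof msg, ENABLED_TEMPLATE, conn_name);
    return snprintf(out, n, msg);            /* BUG: data used as format */
}

/* AFTER: the format is a constant; the config value is only an argument,
 * so any '%' it contains is copied, never interpreted. */
int log_enabled_fixed(char *out, size_t n, const char *conn_name)
{
    return snprintf(out, n, ENABLED_TEMPLATE, conn_name);
}

/* Turn dot-separated 32-bit hex words, as printed by %x on little-endian
 * x86, back into bytes. Non-printable bytes become '.'.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t decode_leaked_words(const char *dotted, char *out, size_t n)
{
    size_t k = 0;
    const char *p = dotted;

    while (*p != '\0') {
        char *end;
        unsigned long w = strtoul(p, &end, 16);
        if (end == p)                        /* not a hex word: stop */
            break;
        for (int i = 0; i < 4 && k + 1 < n; i++) {
            unsigned char b = (unsigned char)((w >> (8 * i)) & 0xff);
            out[k++] = isprint(b) ? (char)b : '.';
        }
        if (*end != '.')                     /* end of the word list */
            break;
        p = end + 1;
    }
    if (n > 0)
        out[k] = '\0';
    return k;
}

int main(void)
{
    char line[256], text[128];

    /* Constructed, harmless input: "%%" consumes no argument, so the
     * difference between the two loggers is visible without reading
     * memory that was never passed. */
    const char *name = "a%%b";

    log_enabled_vulnerable(line, sizeof line, name);
    printf("vulnerable: %s\n", line);        /* value was interpreted */

    log_enabled_fixed(line, sizeof line, name);
    printf("fixed:      %s\n", line);        /* value was copied */

    decode_leaked_words(LEAKED_WORDS, text, sizeof text);
    printf("leaked words decode to: %s\n", text);
    return 0;
}
```

A log line whose connection name or host name is followed by runs of dot-separated hex that decode back to the log message itself is a reliable sign that a configuration value reached a format argument.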


vendor status:
---------------
vendor notified: 2007-08-16
vendor response: 2007-08-29
patch available: 2007-11-26

The issue has been fixed in SonicWall VPN client 4.0.0.830.

Ubuntu Security Notice USN-551-1 December 04, 2007

===========================================================
Ubuntu Security Notice USN-551-1 December 04, 2007
openldap vulnerabilities
CVE-2007-5707, CVE-2007-5708
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
slapd 2.2.26-5ubuntu2.4

Ubuntu 6.10:
slapd 2.2.26-5ubuntu3.2

Ubuntu 7.04:
slapd 2.3.30-2ubuntu0.1

Ubuntu 7.10:
slapd 2.3.35-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Thomas Sesselmann discovered that the OpenLDAP slapd server
did not properly handle certain modify requests. A remote
attacker could send malicious modify requests to the server
and cause a denial of service. (CVE-2007-5707)

Toby Blake discovered that slapd did not properly terminate
an array while running as a proxy-caching server. A remote
attacker may be able to send crafted search requests to the
server and cause a denial of service. This issue only affects
Ubuntu 7.04 and 7.10. (CVE-2007-5708)



A user can gain admin level in snitz 2000 by SQL Injection

########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: A user can gain admin level in snitz 2000 by SQL Injection
# vendor: http://forum.snitz.com/
# Googling: "Powered by Snitz" > 2,440,000 victims
# Last bug report in 2007-02-16 with 4692 visitors
# Exploit: Available
# Fix Available: Update to last version.
######################## Bug Description ###########################

A user can gain admin level in the forum and can access the forum.
It is because of a SQL Injection in "Active.asp".

After logging in to your VICTIM forum, execute the script below.

~~~~~~~~~~~~Start HTML Exploit~~~~~~~~~

Query:

DefaultValues:

Submit:

~~~~~~~~~~~~End HTML Exploit~~~~~~~~~

#####################################################################
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
# Country: Iran
# Contact: admin@bugreport.ir
# Credit: Soroush Dalili found this bug.
#####################################################################

Monday, December 3, 2007

SQL Injection Vulnerability in Beehive Forum

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2007-014
Advisory Title: SQL Injection Vulnerability in Beehive Forum Software
Author: Nick Bennett
        Robert Brown / robert_brown@symantec.com
Release Date: 28-11-2007
Application: Beehive Forum 0.7.1 (earlier versions also vulnerable)
Platform: All supported
Severity: Remotely exploitable / Information Disclosure
Vendor status: Updated Application Versions Available
CVE Number: CVE-2007-6014
Reference: http://www.securityfocus.com/bid/26492



Overview:

Beehive Forum is an open source web based forum application
written in PHP. A vulnerability exists in the Beehive Forum
software that could allow a remote user to execute SQL injection
attacks. These attacks could compromise sensitive data including
usernames and passwords for the Beehive application. Arbitrary
data from other applications hosted on the same server could also
be compromised, depending on the configuration of MySQL.


Details:

This vulnerability exists because of a failure in the application
to properly sanitize user input for the variable "t_dedupe". This
variable is accepted as input in the page "post.php". The value of
this variable is then included in an SQL statement which is
executed with the PHP function "@mysql_query". This function is
specifically designed to mitigate the effects of an SQL injection
attack by not allowing multiple SQL statements in one call.
However, it is still possible to manipulate the SQL statement
through the "t_dedupe" variable to obtain arbitrary data from
the database.



Vendor Response:

There is a security vulnerability in Beehive Forum that could
allow for user logon and password MD5 hash disclosure.

This vulnerability has been fixed in the latest release of the
product, Beehive Forum 0.8. It is recommended that all users immediately
obtain the newest version of Beehive Forum to protect against
this threat.

Project Beehive Forum is available for download from the project
website at http://www.beehiveforum.net/

If there are any further questions about this statement, please
contact a member of the development team.


Recommendation:

It is recommended that all users immediately obtain the newest version of
Beehive Forum to protect against this threat. Project Beehive
Forum is available for download from the project website at
http://www.beehiveforum.net/.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CVE-2007-6014


----------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc


----------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc


------------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from research@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.


McAfee SecurityCenter Privacy Service HTML Execution Vulnerability

[HSC] McAfee SecurityCenter Privacy Service HTML Execution Vulnerability

McAfee provides a proactive PC and Internet security service that helps you
avoid online attacks and protects what you value from hackers, identity
thieves and other online criminals.

An HTML execution vulnerability may allow an attacker to execute HTML scripts
on the system under the context of the user. These scripts can perform any
action that the user would. The flaw lies in the processing of filtering that
is saved after exiting.

Hackers Center Security Group (http://www.hackerscenter.com)
Credit: DoZ

Risk: Medium
Class: Input Validation Error
Local: Yes

Vendor: http://us.mcafee.com/
Product: McAfee SecurityCenter
Version: McAfee Privacy Service 8.1.0.136

Exploit: An exploit is not required.

An attacker may exploit this issue to execute code in the context of the
affected software, and distribute this code across Privacy Service
infrastructure. Also making a patch that works with this hole will allow
attackers to use this hole as a platform for other attacks.

Examples:

1.
After turning your software into a web browser, you can inject this website
http://www.crashie.com/ and it will crash McAfee Privacy Service. One can also
use an Internet Explorer exploit to crash the McAfee Application.

2.
Paste your slogan to see if the software is vulnerable to this attack.

Hello!

Proof of Concept:

http://www.hackerscenter.com/public/images/1.jpg
http://www.hackerscenter.com/public/images/2.jpg
http://www.hackerscenter.com/public/images/3.jpg


Ubuntu Security Notice USN-550-1

===========================================================

Ubuntu Security Notice USN-550-1 December 03, 2007
libcairo vulnerability
CVE-2007-5503
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libcairo2 1.0.4-0ubuntu1.1

Ubuntu 6.10:
libcairo2 1.2.4-1ubuntu2.1

Ubuntu 7.04:
libcairo2 1.4.2-0ubuntu1.1

Ubuntu 7.10:
libcairo2 1.4.10-1ubuntu4.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Peter Valchev discovered that Cairo did not correctly decode PNG image data.
By tricking a user or automated system into processing a specially crafted
PNG with Cairo, a remote attacker could execute arbitrary code with user
privileges.


http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo_1.4.10.orig.tar.gz
Size/MD5: 3216689 5598a5e500ad922e37b159dee72fc993

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2-doc_1.4.10-1ubuntu4.1_all.deb
Size/MD5: 407584 264885e31177e66f213e1105cf87b1f7

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2-dev_1.4.10-1ubuntu4.1_amd64.deb
Size/MD5: 571828 988ad2fddde5034618d78dce50b2ac34
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2_1.4.10-1ubuntu4.1_amd64.deb
Size/MD5: 488860 8702b2a50e6a7021c7ed56dcea3c7f10
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2-dev_1.4.10-1ubuntu4.1_amd64.deb
Size/MD5: 632534 9ee7fd807a87bf3cbe6a582f7ceaee45
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2_1.4.10-1ubuntu4.1_amd64.deb
Size/MD5: 536752 b07df53c9796fa11031fa9cb1188285d
http://security.ubuntu.com/ubuntu/pool/universe/libc/libcairo/libcairo-directfb2-udeb_1.4.10-1ubuntu4.1_amd64.udeb
Size/MD5: 195644 4db32d0439a5d30782c2862a6a238a13

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2-dev_1.4.10-1ubuntu4.1_i386.deb
Size/MD5: 546244 dcdca233fd9dfe301bdc4eb003958e73
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2_1.4.10-1ubuntu4.1_i386.deb
Size/MD5: 479388 f72bfa5554759ab7121f86dff86e1b96
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2-dev_1.4.10-1ubuntu4.1_i386.deb
Size/MD5: 601014 e6ad6e1a08cd5eb80b3004727a502b6e
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2_1.4.10-1ubuntu4.1_i386.deb
Size/MD5: 523870 7904ff1c74a8fb55504e02eb7ea83a05
http://security.ubuntu.com/ubuntu/pool/universe/libc/libcairo/libcairo-directfb2-udeb_1.4.10-1ubuntu4.1_i386.udeb
Size/MD5: 186260 e23492f349678781988ab526a5f5b371

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2-dev_1.4.10-1ubuntu4.1_powerpc.deb
Size/MD5: 554614 4aa9520c327bc96bf0f33e740584a4b8
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2_1.4.10-1ubuntu4.1_powerpc.deb
Size/MD5: 478798 c25f183b7bd4291d8de295b98dceecfa
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2-dev_1.4.10-1ubuntu4.1_powerpc.deb
Size/MD5: 613700 13bf3f4c94d3cfb6141f20beccbaaa76
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2_1.4.10-1ubuntu4.1_powerpc.deb
Size/MD5: 528254 693491287b6695c4487604199f285dd6
http://security.ubuntu.com/ubuntu/pool/universe/libc/libcairo/libcairo-directfb2-udeb_1.4.10-1ubuntu4.1_powerpc.udeb
Size/MD5: 186174 39dd373e44b1e0e3138c78e313ba332a

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2-dev_1.4.10-1ubuntu4.1_sparc.deb
Size/MD5: 543434 f26a9fd33bba743ce57168a92e6fab15
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo-directfb2_1.4.10-1ubuntu4.1_sparc.deb
Size/MD5: 470870 44c50c6a3b2a3b6b22e7c9df743f1ede
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2-dev_1.4.10-1ubuntu4.1_sparc.deb
Size/MD5: 584514 3cb9245c5f4acd9b78177dadd3a43279
http://security.ubuntu.com/ubuntu/pool/main/libc/libcairo/libcairo2_1.4.10-1ubuntu4.1_sparc.deb
Size/MD5: 505054 2272a6ba6f78bf385f9cc1d21cfd078c
http://security.ubuntu.com/ubuntu/pool/universe/libc/libcairo/libcairo-directfb2-udeb_1.4.10-1ubuntu4.1_sparc.udeb
Size/MD5: 177480 4d618844733ed433ca2afc74a52e47a6

