Details : SecurityAlert

  Topic : Multiple vulnerabilities
  SecurityAlert : 2708
  CVE : CVE-2007-2606
  CVE : CVE-2007-2605
  CVE : CVE-2007-2604
  CVE : CVE-2007-2603
  CVE : CVE-2007-2602
  SecurityRisk : Medium
  Remote Exploit : Yes
  Local Exploit : Yes
  Exploit Given : No
  Credit : Michal Bucko
  Published : 17.05.2007

  Affected Software : Ipswitch WhatsUp v11
                      Firebird 2.1
                      Audio CD Ripper
                      FlexLabel ActiveX Control
                      Brujula Toolbar



  Advisory Text :  

###################################################################

Multiple vulnerabilities

Michal Bucko (sapheal)
HACKPL Security Labs

####################################################################

The document below was mainly written to support MoAxB; however, some
of the vulnerabilities are in no way connected with ActiveX. The
document covers five vulnerabilities, three of which concern ActiveX
controls.

The list:
[1] Ipswitch WhatsUp v11 MIBEXTRA.EXE Memory Corruption Conditions
[2] Firebird 2.1 Multiple Memory Corruption Conditions
[3] Audio CD Ripper OCX Init Function Denial of Service Vulnerability
[4] FlexLabel ActiveX Control Denial of Service
[5] Brujula Toolbar BRUJULA4.NET.DLL Denial of Service

[1] Ipswitch WhatsUp v11 MIBEXTRA.EXE Memory Corruption Conditions
##################################################################

I. BACKGROUND

WhatsUp Gold v11 - award winning network monitoring software - delivers
on its two promises of blending network monitoring and comprehensive
windows-based application with ease of use, allowing IT managers to
turn network data into actionable business information like trending
analysis and IT resource planning guidance.

II. DESCRIPTION

MIBEXTRA.EXE is one of WhatsUp's components. It extracts WUG data from
MIB files. The component itself is prone to a buffer overflow. An overly
long argument passed as a filename results in the application crashing.
Arbitrary code execution is possible. The debugger's output is shown
below:

EAX 00000000
ECX 41414141
..
EIP 41414141

[2] Firebird 2.1 Multiple Memory Corruption Conditions
######################################################

I. BACKGROUND

Firebird is an RDBMS offering many ANSI SQL features that runs on Linux,
Windows and several Unix platforms. It features excellent concurrency,
high performance and a powerful language for stored procedures and
triggers.

II. DESCRIPTION

I haven't gone through the code thoroughly as I bumped into various
typical buffer overrun vulnerabilities. I got off to a flying start
when I took a look at configConfigFile.cpp - a typical buffer overflow
vulnerability, no bounds checking. Going through with (quite a) fine
tooth, I found the similar (more complex than the one found before?) in
msgscheck_msgs.epp.

[3] Audio CD Ripper OCX Init Function Denial of Service Vulnerability
#####################################################################

I. BACKGROUND

Audio CD Ripper OCX 1.0 is an ActiveX control for developers. This
control can rip CDA tracks from audio CD to MP3, WMA, WAV, OGG and APE.
This ActiveX can also deal with the ID3 tags (for destination files),
runs in a low level mode (based on ASPI), supports many CD drives, and
can get general information about the CD drives, the Audio CD and the
CDA Tracks on it. It supports many events and error handling, runs fast
and is easy to use.

II. DESCRIPTION

The Init() function in AudioCDRipperOCX.ocx, when used improperly,
results in a denial of service due to a null dereference. The
vulnerability doesn't allow remote arbitrary code execution.

[4] FlexLabel ActiveX Control Denial of Service
#####################################################################

I. BACKGROUND

FlexLabel is an enhanced label control...way enhanced! You have complete
control over everything including font, alignment, mouse-over effect,
and angle of text, plus the best functionality is that it will
automatically create a hyperlink based off of simple property settings.
You can control whether a mouse click will link to email, a website, an
FTP site, or user customizable link.

II. DESCRIPTION

The FlexLabel ActiveX control fails to work properly when badly
initialized. The vulnerability does not allow code execution. A simple
demonstration would be:

--//code snippet//--

<object classid='clsid:584B432E-E0BD-4A78-BD77-665591DA84BB' id='target' />
<script language='vbscript'>

arg="A"

target.Caption = arg

</script>

--//end of code snippet//--

[5] Brujula Toolbar BRUJULA4.NET.DLL Denial of Service
#####################################################################

I. BACKGROUND
Brujula.net toolbar is one of the toolbars available

II. DESCRIPTION

An access violation due to a null dereference leads to denial of
service conditions. The function GetPropertyById(char*, char*) in
SoftomateLib (ISoftomateObj), in BRUJULA4.NET.DLL, improperly handles
the given arguments. The debugger's output is shown below:

100283B5 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]

ECX = 000001A8
DS:[000001AC]=???
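
Added example (not part of the original advisory): a small Python
triage helper that reads register dumps in the two shapes shown in [1]
and [5] and separates an instruction pointer overwritten with fill bytes
from a near-null read. The 64 KiB threshold, the function names and the
label strings are assumptions of this example.

```python
import re

# Assumption: the lowest 64 KiB of a Windows user address space is normally unmapped.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"^\s*(E[A-Z]{2})\s*=?\s*([0-9A-Fa-f]{8})\s*$")
MEM_RE = re.compile(r"DS:\[([0-9A-Fa-f]{8})\]\s*=\s*\?\?\?")

# Dumps as printed in sections [1] and [5] of the advisory.
DUMP_WHATSUP = "EAX 00000000\nECX 41414141\n..\nEIP 41414141\n"
DUMP_BRUJULA = ("100283B5 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]\n"
                "ECX = 000001A8\nDS:[000001AC]=???\n")


def parse_dump(text):
    """Return (registers, unreadable_addresses) from a pasted debugger dump."""
    regs, faults = {}, []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
            continue
        m = MEM_RE.search(line)
        if m:  # "???" marks memory the debugger could not read
            faults.append(int(m.group(1), 16))
    return regs, faults


def is_fill_pattern(value):
    """True when all four bytes are the same printable byte (e.g. 0x41414141)."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F


def triage(text):
    """Classify a crash dump for prioritisation during advisory handling."""
    regs, faults = parse_dump(text)
    eip = regs.get("EIP")
    if eip is not None and is_fill_pattern(eip):
        return "eip-overwrite"      # input bytes reached the instruction pointer
    if any(addr < NULL_PAGE_LIMIT for addr in faults):
        return "near-null-deref"    # read just above address zero: crash only
    return "unclassified"
```
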

[!] DISCLAIMER

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.


