SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Multiple vulnerabilities in Perforce Server 2007.3/143793


Arrow  SecurityAlert : 3735
Arrow  CVE : CVE-2008-1302
Arrow  CVE : CVE-2008-1303
Arrow  CVE :
Arrow  CVE : CVE-2008-1338
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Given : Yes
Arrow  Credit : Luigi Auriemma
Arrow  Published : 12.03.2008

Arrow  Affected Software : Perforce Server 2007.3/143793



Arrow  Advisory Text :  

#######################################################################

Luigi Auriemma

Application: Perforce Server
http://www.perforce.com
Versions: <= 2007.3/143793
Platforms: Windows, Unix, Linux and Mac
Bugs: NULL pointers, invalid memory access and endless loop
Exploitation: remote
Date: 05 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Perforce SCM (Software Configuration Management) versions and manages
source code and digital assets for enterprises large and small."

#######################################################################

=======
2) Bugs
=======

The Perforce server is affected by multiple vulnerabilities which
allow any unauthenticated attacker to crash the server or consuming all
its resources.

The first type of vulnerabilities includes the NULL pointers generated
by the absence of some parameters in the client's request and the lack
of checks on the pointers returned by the functions which get these
values from the packets.

The commands affected by these NULL pointer vulnerabilities are the
following: dm-FaultFile, dm-LazyCheck, dm-ResolvedFile, dm-OpenFile,
crypto and possibly others.

A secondary type of vulnerabilities is exploitable through the
server-DiffFile and server-ReleaseFile commands, in this case the
problem is caused by the 32 bit number provided by the client which is
used as amount of elements in the initialization of an array.

Another problem is then exploitable again with a malformed
server-DiffFile command and allows to force the server in an endless
loop which will cause its termination after having consumed all the
memory and the resources of the system.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/perforces.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...

Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication

PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

Copyright © SecurityReason.com. All Rights Reserved.