Topic :

Juniper Installer Service 4.72.11421.0 Stack Buffer Overflow Vulnerability

SecurityAlert : 7022
CVE : CVE-2009-4643
CWE : CWE-119
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : iDefense
Published : 17.02.2010

Affected Software : juniper:odyssey_access_client:4.72.11421.0

Advisory Content :


Juniper Installer Service Stack Buffer Overflow Vulnerability
I. BACKGROUND

Juniper Installer Service is a client side component, which allows users
with limited privileges to maintain client side components necessary for
use with Juniper IVE OS network appliances. For more information see the
vendor's website at the following link.

http://kb.juniper.net/KB9084
II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Juniper Networks
Inc.'s Juniper Installer Service, as included in several Juniper client
side applications, could allow an attacker to execute arbitrary code with
SYSTEM privileges.

The Juniper Installer Service utilizes a named pipe for component
installation management commands. Specifically, the commands
DSSETUPSERVICE_CMD_INSTALLFILE, DSSETUPSERVICE_CMD_UNINSTALL,
DSSETUPSERVICE_CMD_PING, and DSSETUPSERVICE_CMD_REGISTER are recognized by
the Installer Service. The DSSETUPSERVICE_CMD_UNINSTALL command handles
user supplied data incorrectly, which leads to a stack-based buffer
overflow.
III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute arbitrary
code on the targeted machine with SYSTEM privileges. An attacker would need
to have access to the named pipe
(\\Device\\LanmanRedirector\\%SERVERNAME%\\pipe\\NeoterisSetupService)
created by the Juniper Installer Service. The attacker would need to craft
a malformed DSSETUPSERVICE_CMD_UNINSTALL command containing an overly large
string to trigger the buffer overflow. The service automatically restarts
when it crashes, which gives an attacker many chances to attempt to exploit
this issue.
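To show the bug class the advisory describes (an UNINSTALL handler copying an oversized caller-supplied string into a fixed-size stack buffer) next to its hardened form, here is an added C example; it is constructed for this page and is not Juniper's code: the message layout, the 64-byte buffer, the command ids and the function names are all assumptions.

```c
/* Constructed illustration of CWE-119 as described in the advisory: a
 * named-pipe command handler trusting a caller-supplied length. The wire
 * format, buffer size, command ids and names are assumptions, not Juniper's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_PING      1
#define CMD_UNINSTALL 2   /* stands in for DSSETUPSERVICE_CMD_UNINSTALL */
#define NAME_MAX      64  /* assumed fixed-size stack buffer */

/* Assumed message layout: command id, payload length, then `len` bytes. */
struct pipe_msg {
    uint32_t cmd;
    uint32_t len;
    const char *data;
};

/* Vulnerable pattern: `len` is never compared against the buffer size, so a
 * payload longer than NAME_MAX overruns `name` on the stack. */
static int uninstall_unsafe(const struct pipe_msg *msg) {
    char name[NAME_MAX];
    memcpy(name, msg->data, msg->len);   /* unbounded copy */
    name[msg->len] = '\0';
    printf("uninstall %s\n", name);
    return 0;
}

/* Hardened version: reject any payload that cannot fit with its terminator,
 * so a malformed command is dropped instead of crashing the service. */
static int uninstall_safe(const struct pipe_msg *msg) {
    char name[NAME_MAX];
    if (msg->len >= sizeof name)         /* >= leaves room for the NUL */
        return -1;
    memcpy(name, msg->data, msg->len);
    name[msg->len] = '\0';
    printf("uninstall %s\n", name);
    return 0;
}

/* Pipe-server dispatcher: 0 on success, -1 on unknown command or bad input. */
int dispatch(const struct pipe_msg *msg, int hardened) {
    switch (msg->cmd) {
    case CMD_PING:      return 0;
    case CMD_UNINSTALL: return hardened ? uninstall_safe(msg)
                                        : uninstall_unsafe(msg);
    default:            return -1;
    }
}
```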
IV. DETECTION

The Juniper Installer Service (dsInstallerService.dll) as included with
Juniper's Odyssey Access Client version 4.72.11421.0 was tested and found
to be vulnerable. Previous versions may also be vulnerable. It is important
to note that Juniper supports several products that include the Juniper
Installer Service; these products may also be vulnerable to this issue.
V. WORKAROUND

iDefense recommends disabling the Juniper Unified Network Service. This
workaround may impact component management on the client side.
VI. VENDOR RESPONSE

Hewlett-Packard Development Co. LP (HP) has released a patch which
addresses this issue. Information about vendor updates can be found by
clicking on the URLs shown. This information is only available to Juniper
customers with a valid login.

https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-10-540&viewMode=view
VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE

10/28/2008 - Initial Contact
10/29/2008 - PoC Sent
12/03/2009 - Public disclosure
IX. CREDIT

This vulnerability was reported to iDefense by Ruben Santamarta.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please e-mail customer service for
permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.


References :

https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-10-540&viewMode=view
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=850



