Posts Tagged ‘risk’

Sports Accelerator Suite v2.0 (news_id) Remote SQL Injection Vulnerability

Vendor: Athlete Web Services, Inc. / AWS Sports
Product Web Page: http://www.athletewebservices.com

Summary: Content Management System (PHP+MySQL).

Description: The CMS is vulnerable to an SQL injection attack when input is passed to the “news_id” parameter. The script fails to properly sanitize the input before using it, allowing an attacker to compromise the entire database and view sensitive information.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4949.php

Team Johnlong RaidenTunes 2.1.1 Remote Cross-Site Scripting Vulnerability

RaidenTunes 2.1.1 suffers from a cross-site scripting (XSS) vulnerability caused by improper validation of user-supplied input by the music_out.php script through the “p” parameter. A remote attacker could exploit this vulnerability to execute script in a victim’s web browser within the security context of the hosting website, allowing the attacker to steal the victim’s cookie-based authentication credentials.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4947.php

Vendor: http://forum.raidenftpd.com/showflat.php?Cat=&Board=mp3&Number=51265&page=0&view=collapsed&sb=5&o=0&fpart=
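As an added illustration of the flaw class described above (example code written for this post, not RaidenTunes code), the snippet below renders a reflected “p” parameter the vulnerable way, echoing it verbatim, beside a version that encodes it for each output context. The script name music_out.php comes from the advisory; the page markup, the request URL and the reflects_raw regression check are assumptions made for the example.

```python
# Added example for this post (not RaidenTunes code): the reflected "p"
# parameter echoed verbatim, as the advisory describes, beside a version
# that encodes it per output context. The markup and URL are assumed.
import html
from urllib.parse import parse_qs, quote, urlsplit


def param_from_url(url: str, name: str) -> str:
    """Pull one query parameter out of a request URL (URL-decoded)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_unsafe(p: str) -> str:
    """The vulnerable pattern: the parameter is echoed straight into HTML."""
    return (f"<h2>Now playing: {p}</h2>"
            f'<a href="music_out.php?p={p}">replay</a>')


def render_safe(p: str) -> str:
    """Encode per context: HTML-escape for text and attribute values;
    URL-encode first (then HTML-escape) for a value inside an href query."""
    as_text = html.escape(p, quote=True)
    as_url = html.escape(quote(p, safe=""), quote=True)
    return (f"<h2>Now playing: {as_text}</h2>"
            f'<a href="music_out.php?p={as_url}">replay</a>')


def reflects_raw(page: str, value: str) -> bool:
    """Regression check for a response: True if a value containing HTML
    metacharacters appears in the page unencoded (escaping was skipped)."""
    return any(ch in value for ch in "<>\"'&") and value in page


# Constructed request carrying the classic harmless probe string.
CONSTRUCTED_URL = ("http://example.invalid/music_out.php"
                   "?p=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
```

The point of reflects_raw is that it can sit in a test suite: feed each reflected parameter a value with markup characters and fail the build if the raw value comes back. html.escape with quote=True covers the text and double-quoted attribute contexts; the href value needs URL encoding first because the browser decodes it as a URL before the query string is ever parsed.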

Corel WordPerfect Office X5 and Corel Presentations X5 File Handling Vulnerabilities

– Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

– Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC

Corel Corporation

http://www.corel.com

Version: 15.0.0.357 (Standard Edition)

– Summary: Corel® WordPerfect® Office X5 – Standard Edition is the essential
office suite for word processing, spreadsheets, presentations and email.
Chosen over Microsoft® Office by millions of longtime users, it integrates
the latest productivity software with the best of the Web. Work faster and
collaborate more efficiently with all-new Web services, new Microsoft® Office
SharePoint® support, more PDF tools and even better compatibility with Microsoft
Office. It’s everything you expect in an office suite—for less.

– Desc: Corel WordPerfect and Corel Presentations X5 are prone to a remote buffer overflow vulnerability because
the application fails to perform adequate boundary checks on user-supplied input in
.WPD (WordPerfect Document) and .SHW (Presentations Slide Show) files. Attackers may exploit this issue to execute arbitrary
code in the context of the application. Failed attacks will cause denial-of-service
conditions.

– Tested On: Microsoft Windows XP Professional SP3 (English)

– Vulnerability Discovered By: Gjoko ‘LiquidWorm’ Krstic

– liquidworm gmail com

– Zero Science Lab – http://www.zeroscience.mk

– 09.07.2010

– Vendor status:

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.

Details:

Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC
Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Title:

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Summary:

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.

Vendor:

Adobe Systems Incorporated

Product Web Page:

http://www.adobe.com/

Version tested:

9.3.2
9.3.1

Description:

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing a malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers such as Mozilla Firefox, Opera and Apple Safari; Google Chrome and IE do not crash.
Talking about blended threat vulnerabilities ;).

———————————————————————————–

(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??

———————————————————————————–

Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4943.php
Adobe Advisory ID: APSB10-15
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-15.html
CVE ID: CVE-2010-2204

Live Demo:

http://www.zeroscience.mk/codes/thricer.pdf

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

More: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4943.php

UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media – http://www.uk1media.com

Desc: UK One Media CMS suffers from an SQL injection vulnerability when building a query from the id parameter, which can result in compromising the entire database structure and executing system commands.

Tested on Apache 2.x (Linux), PHP/5.2.11 and MySQL/4.1.22

More details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4942.php
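Both this advisory and the Sports Accelerator Suite one above describe the same root cause: an integer-looking parameter (“id”, “news_id”) spliced into SQL text. The following is an added example written for this post, not code from either CMS: the concatenated lookup beside a validated, parameterised one. sqlite3 stands in for MySQL so it runs offline, and the news table and its rows are constructed for the example.

```python
# Added example, not code from either CMS: the "news_id"/"id" lookup built
# by string concatenation (the flaw both advisories describe) beside a
# parameterised version with input validation. sqlite3 stands in for
# MySQL so the example runs offline; the "news" table is constructed here.
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the CMS news table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "First", "public"), (2, "Second", "public"), (3, "Draft", "internal")],
    )
    return conn


def fetch_news_unsafe(conn, raw_id: str) -> list:
    """Vulnerable pattern: the raw parameter becomes part of the SQL text,
    so anything after the number is interpreted as SQL (the textbook
    tautology "2 OR 1=1" returns every row, including unpublished ones)."""
    return conn.execute(f"SELECT id, title FROM news WHERE id = {raw_id}").fetchall()


def fetch_news_safe(conn, raw_id: str) -> list:
    """Hardened pattern: validate the type, then bind the value as a
    parameter so the driver never treats it as SQL syntax."""
    news_id = int(raw_id.strip())  # ValueError -> HTTP 400 in a real handler
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (news_id,)).fetchall()


def lookup(conn, raw_id: str) -> dict:
    """Wrapper showing the behaviour a web handler should expose:
    well-formed ids are looked up, anything else is rejected outright."""
    try:
        return {"status": 200, "rows": fetch_news_safe(conn, raw_id)}
    except ValueError:
        return {"status": 400, "rows": []}
```

The validation step matters independently of the parameter binding: rejecting non-numeric ids keeps malformed requests out of the database layer entirely, which also makes them easy to count in the web server log as a detection signal.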

Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Vendor: Adobe Systems Inc.

Product Web Page: http://www.adobe.com

Version tested: CS3 10.0

Summary: Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Desc: When the application parses a malformed .indd file, it crashes instantly, overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI get overwritten. Potential impact is arbitrary code execution and denial of service.

Tested on Microsoft Windows XP Professional SP3 (English)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

16.09.2009

Vendor status:

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

Zero Science Lab Advisory ID: ZSL-2010-4941

More info: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4941.php

Multiple File Handling Vulnerabilities in Photoshop CS4 Extended

Summary
The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.

Description
Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when dealing with .ABR (brushes), .GRD (gradients) and .ASL (styles) format files. The application fails to sanitize the user input, resulting in a memory corruption that overwrites several memory registers, which can aid the attacker in executing arbitrary code or causing a denial of service.

More info:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4938.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php

Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Title: Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Vendor: Adobe Systems Incorporated

Product web page: http://www.adobe.com

Summary: Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player.
These people now have access to some of the best the Web has to offer – including
dazzling 3D games and entertainment, interactive product demonstrations, and online
learning applications. Shockwave Player displays Web content that has been created
by Adobe Director.

Desc: Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from memory consumption/corruption
and buffer overflow vulnerabilities that can aid the attacker in causing denial of service
scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when
processing .dir files, resulting in a crash and the overwrite of a few memory registers.

Tested on: Microsoft Windows XP Professional SP3 (English)

Version tested: 11.5.6.606

(f94.ae4): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll –
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????

—————————————————————————————————-

EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F

More info:
http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4937.php
http://www.adobe.com/support/security/bulletins/apsb10-12.html
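The WinDbg and OllyDbg dumps in this advisory and in the Adobe Reader one above are the kind of thing a triage script should read for you. What follows is an added example, not part of any advisory: it parses those register dumps, extracts the faulting instruction and the registers used in its memory operand, notes whether the dereferenced address was unreadable, and flags registers holding a “filler” value (one byte repeated, such as 0x41414141), which in a file-format crash usually means bytes from the file reached that register. The three dump strings are copied from the advisory text on this page; the heuristic itself is my own.

```python
# Added example, not part of the advisory: first-pass triage of the WinDbg
# and OllyDbg register dumps quoted on this page. The dump strings are
# copied from the advisory text; the filler heuristic is an assumption.
import re

SHOCKWAVE_WINDBG = """\
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????
"""

SHOCKWAVE_OLLY = """\
EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F
"""

ADOBE_WINDBG = """\
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??
"""

REG = r"e[abcd]x|e[sd]i|e[bs]p|eip"
WINDBG_REG_RE = re.compile(rf"\b({REG})=([0-9a-f]{{8}})\b")
OLLY_REG_RE = re.compile(rf"^({REG})\s+([0-9a-f]{{8}})\b", re.M | re.I)
SYMBOL_RE = re.compile(r"^(\S+![^\s:]+):\s*$", re.M)
# WinDbg disassembly line: address, opcode bytes, mnemonic, operands, optional ds: access.
FAULT_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]{2,})\s+(?P<mnem>[a-z]+)\s+"
    r"(?P<ops>.*?)(?P<mem>\s+ds:\S+)?$",
    re.M,
)


def parse_registers(dump: str) -> dict:
    """Accepts either WinDbg ('eax=...') or OllyDbg ('EAX ...') layout;
    keys are lower-case register names, values are ints."""
    regs = {n.lower(): int(v, 16) for n, v in WINDBG_REG_RE.findall(dump)}
    if not regs:
        regs = {n.lower(): int(v, 16) for n, v in OLLY_REG_RE.findall(dump)}
    return regs


def looks_like_filler(value: int) -> bool:
    """One byte repeated across the 32-bit value, tolerating a low byte a
    few units off (0x41414140 counts). All-zero and all-ones are excluded
    because they are common legitimate register contents."""
    if value in (0, 0xFFFFFFFF):
        return False
    b = value >> 24
    return (value >> 8) == b * 0x010101 and abs((value & 0xFF) - b) <= 0x10


def filler_registers(regs: dict) -> list:
    return sorted(n for n, v in regs.items() if looks_like_filler(v))


def faulting_instruction(dump: str):
    """Symbol, mnemonic plus operands, and whether the memory access
    failed, taken from the disassembly line WinDbg prints after the symbol."""
    m = FAULT_RE.search(dump)
    if not m:
        return None
    sym = SYMBOL_RE.search(dump)
    return {
        "symbol": sym.group(1) if sym else None,
        "instruction": f"{m.group('mnem')} {m.group('ops')}",
        "memory_unreadable": bool(m.group("mem") and "=?" in m.group("mem")),
    }


def triage(dump: str) -> dict:
    regs = parse_registers(dump)
    fault = faulting_instruction(dump) or {
        "symbol": None, "instruction": None, "memory_unreadable": False}
    operand_regs = []
    if fault["instruction"]:
        inside = " ".join(re.findall(r"\[([^\]]*)\]", fault["instruction"]))
        operand_regs = sorted(set(re.findall(rf"\b({REG})\b", inside)))
    return {
        **fault,
        "operand_registers": operand_regs,
        "filler_registers": filler_registers(regs),
        "eip": regs.get("eip"),
    }
```

Run over the Shockwave WinDbg dump it reports an unreadable read through edi inside DIRAPI, with edx holding filler; over the OllyDbg dump it reports ecx as filler; over the Adobe Reader dump it reports a read through edx+esi in CoolType with no filler register. That is enough to sort a batch of crash files by “controlled register near the fault” before anyone opens a debugger.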

Edrawsoft Security Advisories

EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC

– EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing the .edd file format, resulting in an application crash and a few overwritten memory registers, which can aid the attacker to execute arbitrary code.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4935.php

——————————————–

EDraw Flowchart ActiveX Control 2.3 (EDImage.ocx) Remote DoS Exploit (IE)

– EDraw Flowchart ActiveX Control EDImage.OCX suffers from a denial of service vulnerability when a large number of bytes is passed to the OpenDocument() function, resulting in a browser crash and unspecified memory corruption.

Details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4936.php
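Every file-handling advisory on this page (WordPerfect/Presentations, InDesign, Photoshop, Shockwave, EDraw) comes down to a parser that trusts a size it read from the file, or an input length it was handed, before checking it against the buffer it has. The following is an added example, not any vendor’s code: a length-prefixed chunk parser that makes those checks explicit. The container layout (a magic value followed by [tag:4][length:4 LE][payload] records), the MalformedFile error type and the size limits are all assumptions for the example, not the real .WPD/.SHW/.INDD/.ABR/.DIR/.EDD formats.

```python
# Added example (not any vendor's code): a length-prefixed chunk parser
# performing the boundary checks the file-handling advisories above say
# were missing. The container layout (magic, then [tag:4][length:4 LE]
# [payload] records) and the limits are hypothetical.
import struct

MAGIC = b"DEMO"
MAX_FILE = 16 * 1024 * 1024   # reject oversized input before doing any work
MAX_CHUNK = 64 * 1024         # size of the fixed buffer a native parser copies into


class MalformedFile(ValueError):
    """Raised instead of trusting a length field that cannot be satisfied."""


def parse_chunks(data: bytes) -> list:
    """Return [(tag, payload), ...] or raise MalformedFile."""
    if len(data) > MAX_FILE:
        raise MalformedFile(f"input is {len(data)} bytes, limit {MAX_FILE}")
    if len(data) < len(MAGIC) or data[:len(MAGIC)] != MAGIC:
        raise MalformedFile("bad magic")
    pos, chunks = len(MAGIC), []
    while pos < len(data):
        if len(data) - pos < 8:
            raise MalformedFile(f"truncated chunk header at offset {pos}")
        tag, length = struct.unpack_from("<4sI", data, pos)
        pos += 8
        # Two checks on the file-supplied length before it is used for
        # anything: against the destination buffer, and against the
        # bytes actually present in the input.
        if length > MAX_CHUNK:
            raise MalformedFile(f"chunk {tag!r} declares {length} bytes, buffer is {MAX_CHUNK}")
        if length > len(data) - pos:
            raise MalformedFile(f"chunk {tag!r} runs past end of file")
        chunks.append((tag, data[pos:pos + length]))
        pos += length
    return chunks


def build_file(chunks) -> bytes:
    """Serialise well-formed input in the hypothetical container format."""
    out = bytearray(MAGIC)
    for tag, payload in chunks:
        out += struct.pack("<4sI", tag, len(payload)) + payload
    return bytes(out)


def reject_reason(data: bytes):
    """None if the file parses, otherwise the reason it was rejected."""
    try:
        parse_chunks(data)
        return None
    except MalformedFile as exc:
        return str(exc)


# Constructed samples: one well-formed, one whose length field overstates
# the payload present, one whose length exceeds the fixed buffer.
GOOD = build_file([(b"HEAD", b"\x01\x02"), (b"TEXT", b"hello")])
OVERSTATED = MAGIC + struct.pack("<4sI", b"TEXT", 0xFFFF) + b"AAAA"
TOO_BIG = MAGIC + struct.pack("<4sI", b"DATA", 0x100000) + b"AAAA"
```

In Python a bad length only yields a short slice; in the native parsers these advisories describe, the same missing comparison is what lets a copy run past a stack or heap buffer. The order of the checks is deliberate: the whole-input limit runs first so that a huge argument (the OpenDocument() case) is refused before any per-record work, and the per-chunk limit is compared against the destination size, not just the file size.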

Olly

List of Source Code Auditing Tools

Name – [ language/s supported ] – web link:

.TEST – [ C#, VB.NET, MC++ ] – http://www.parasoft.com/jsp/products.jsp
ASTRÉE – [ C ] – http://www.astree.ens.fr
Bandera – [ Java ] – http://bandera.projects.cis.ksu.edu/
BLAST – [ C ] – http://mtc.epfl.ch/software-tools/blast/
BOON – [ C ] – http://www.cs.berkeley.edu/~daw/boon/
C Code Analyzer (CCA) – [ C ] – http://www.drugphish.ch/~jonny/cca.html
C++test – [ C++ ] – http://www.parasoft.com/jsp/products.jsp
CCMetrics – [ C#, VB.NET ] – http://www.serviceframework.com/jwss/utility,ccmetrics,utility.aspx
Checkstyle – [ Java ] – http://checkstyle.sourceforge.net/
CodeCenter – [ C ] – http://www.ics.com/products/centerline/codecenter/features.html
CodeScan – [ .ASP, PHP ] – http://www.codescan.com/
CodeSecure – [ PHP, Java ] – http://www.armorize.com/corpweb/en/products/codesecure
CodeSonar – [ C, C++ ] – http://www.grammatech.com/products/codesonar/overview.html
CQual – [ C ] – http://www.cs.umd.edu/~jfoster/cqual
Csur – [ C ] – http://www.lsv.ens-cachan.fr/csur/
Dehydra – [ C++ ] – http://wiki.mozilla.org/Dehydra_GCC
DevInspect – [ C#, Visual Basic, JavaScript, VB Script ] – http://www.spidynamics.com/products/devinspect/
DevPartner SecurityChecker – [ C#, Visual Basic ] – http://www.compuware.com/products/devpartner/securitychecker.htm
DoubleCheck – [ C, C++ ] – http://www.ghs.com/products/doublecheck.html
FindBugs – [ Java ] – http://findbugs.sourceforge.net/
FlawFinder – [ C, C++ ] – http://www.dwheeler.com/flawfinder/
Fluid – [ Java ] – http://www.fluid.cs.cmu.edu/
Frama-C – [ C ] – http://frama-c.cea.fr/
ftnchek – [ FORTRAN ] – http://www.dsm.fordham.edu/~ftnchek/
FxCop – [ .NET ] – http://code.msdn.microsoft.com/codeanalysis
g95-xml – [ FORTRAN ] – http://g95-xml.sourceforge.net/
ITS4 – [ C, C++ ] – http://www.cigital.com/its4/
Jlint – [ Java ] – http://artho.com/jlint/
JsLint – [ JavaScript ] – http://www.jslint.com/
Jtest – [ Java ] – http://www.parasoft.com/jsp/products.jsp
KlocWork / K7 – [ C, C++, Java ] – http://www.klocwork.com/products/k7_security.asp
LAPSE – [ Java ] – http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
MOPS – [ C ] – http://www.cs.berkeley.edu/~daw/mops/
MSSCASI – [ ASP ] – http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
MZTools – [ VB6, VBA ] – http://www.mztools.com/index.aspx/
Oink – [ C++ ] – http://www.cubewano.org/oink
Ounce – [ C, C++, Java, JSP, ASP.NET, VB.NET, C# ] – http://www.ouncelabs.com/accurate-complete-results.html
Perl-Critic – [ Perl ] – http://search.cpan.org/dist/Perl-Critic/
PLSQLScanner 2008 – [ PLSQL ] – http://www.red-database-security.com/software/plsqlscanner.html
PHP-Sat – [ PHP ] – http://www.program-transformation.org/PHP/PhpSat
Pixy – [ PHP ] – http://pixybox.seclab.tuwien.ac.at/pixy/index.php
PMD – [ Java ] – http://pmd.sourceforge.net/
PolySpace – [ Ada, C, C++ ] – http://www.polyspace.com/products.htm
PREfix & PREfast – [ C, C++ ] – http://support.microsoft.com/vst
Prevent – [ C, C++ ] – http://www.coverity.com/html/coverity-software-quality-products.html
PyChecker – [ Python ] – http://pychecker.sourceforge.net/
pylint – [ Python ] – http://www.logilab.org/project/pylint
QA-C, QA-C++, QA-J – [ C, C++, Java, FORTRAN ] – http://www.programmingresearch.com/PRODUCTS.html
QualityChecker – [ Visual Basic 6 ] – http://d.cr.free.fr/
RATS – [ C, C++, Perl, PHP, Python ] – http://www.fortify.com/security-resources/rats.jsp
RSM – [ C, C++, C#, Java ] – http://msquaredtechnologies.com/m2rsm/
Smatch – [ C ] – http://smatch.sourceforge.net/
SCA – [ ASP.NET, C, C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML ] – http://www.fortifysoftware.com/products/sca/
Skavenger – [ PHP ] – http://code.google.com/p/skavenger/
smarty-lint – [ PHP ] – http://code.google.com/p/smarty-lint/
soot – [ Java ] – http://www.sable.mcgill.ca/soot/
Source Monitor – [ C#, VB.NET ] – http://www.campwoodsw.com/sm20.html
SPARK – [ Ada ] – http://www.praxis-his.com/sparkada/spark.asp
Spike PHP Security Audit Tool – [ PHP ] – http://developer.spikesource.com/projects/phpsecaudit/
Splint – [ C ] – http://www.splint.org/
SWAAT – [ PHP, ASP.NET, JSP, Java ] – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
UNO – [ C ] – http://spinroot.com/uno/
vil – [ C#, VB.NET ] – http://www.1bot.com/
Viva64 – [ C++ ] – http://www.viva64.com/
xg++ – [ C ] – http://www.stanford.edu/~engler/mc-osdi.pdf
YTKScan Java – [ Java ] – http://www.cam.org/~droujav/y2k/Y2KScan.html