| Time |
Event |
| 2:17p |
TOR Virtual Network Tunneling Tool 0.2.4.19 http://packetstormsecurity.com/files/124546/tor-0.2.4.19.tar.gz Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). |
| 2:42p |
|
| 2:42p |
Mandriva Linux Security Advisory 2013-299 http://packetstormsecurity.com/files/124550/MDVSA-2013-299.txt Mandriva Linux Security Advisory 2013-299 - The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake. Buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before 3.6.22, 4.0.x before 4.0.13, and 4.1.x before 4.1.3 allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet. The updated packages has been upgraded to the 3.6.22 version which resolves various upstream bugs and is not vulnerable to these issues. |
| 2:43p |
Mandriva Linux Security Advisory 2013-300 http://packetstormsecurity.com/files/124552/MDVSA-2013-300.txt Mandriva Linux Security Advisory 2013-300 - Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before 1.8.24.1, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before 10.12.4-digiumphones; and Certified Asterisk 1.8.x before 1.8.15-cert4 and 11.x before 11.2-cert3 allows remote attackers to cause a denial of service via a 16-bit SMS message. The updated packages has been upgraded to the 11.7.0 version which resolves various upstream bugs and is not vulnerable to this issue. |
| 2:43p |
Mandriva Linux Security Advisory 2013-301 http://packetstormsecurity.com/files/124553/MDVSA-2013-301.txt Mandriva Linux Security Advisory 2013-301 - Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozillas root store, was loaded into a man-in-the-middle traffic management device. This certificate was issued by Agence nationale de la scurit des systmes d'information , an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control. The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device. The NSS packages has been upgraded to the 3.15.3.1 version which is unaffected by this security flaw. Additionally the rootcerts packages has been upgraded with the latest certdata.txt file as of 2013/12/04 from mozilla. |
| 2:43p |
Debian Security Advisory 2826-1 http://packetstormsecurity.com/files/124551/dsa-2826-1.txt Debian Linux Security Advisory 2826-1 - Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited by a malicious user to forge crafted login names in order to make denyhosts ban arbitrary IP addresses. |
| 3:25p |
|
| 3:30p |
Firefox 15.0.1 Code Execution http://packetstormsecurity.com/files/124564/firefox_proto_crmfrequest.rb.txt On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overriden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin. |
| 3:33p |
HP SiteScope issueSiebelCmd Remote Code Execution http://packetstormsecurity.com/files/124565/hp_sitescope_issuesiebelcmd.rb.txt This Metasploit module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the user to execute arbitrary commands without authentication. This Metasploit module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2, Windows 2008 and CentOS 6.5. |
| 3:35p |
Zimbra Collaboration Server LFI http://packetstormsecurity.com/files/124566/zimbra_lfi.rb.txt This Metasploit module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an authentication token for the admin web interface. This access can be used to achieve remote code execution. This Metasploit module has been tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04. |
| 3:35p |
OpenSIS 'modname' PHP Code Execution http://packetstormsecurity.com/files/124567/opensis_modname_exec.rb.txt This Metasploit module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter. |
| 3:35p |
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution http://packetstormsecurity.com/files/124568/synology_dsm_sliceupload_exec_noauth.rb.txt This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable. |
| 3:37p |
Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal http://packetstormsecurity.com/files/124569/cfme_manageiq_evm_upload_exec.rb.txt This Metasploit module exploits a path traversal vulnerability in the "linuxpkgs" action of "agent" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action. (Which is not necessary, since the application already contains a general default route.) |
| 3:42p |
VMware Security Advisory 2013-0016 http://packetstormsecurity.com/files/124570/VMSA-2013-0016.txt VMware Security Advisory 2013-0016 - VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege “Add Existing Disk" to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot. |
| 3:48p |
Practical Malleability Attack Against CBC Encrypted LUKS Partition http://packetstormsecurity.com/files/124571/CBC-attack.txt The most popular full disk encryption solution for Linux is LUKS (Linux Unified Key Setup), which provides an easy to use encryption layer for block devices. By default, newly generated LUKS devices are set up with 256-bit AES in CBC mode. Since there is no integrity protection/checksum, it is obviously possible to destroy parts of plaintext files by changing the corresponding ciphertext blocks. Nevertheless many users expect the encryption to make sure that an attacker can only change the plaintext to an unpredictable random value. The CBC mode used by default in LUKS however allows some more targeted manipulation of the plaintext file given that the attacker knows the original plaintext. This article demonstrates how this can be used to inject a full remote code execution backdoor into an encrypted installation of Ubuntu 12.04 created by the alternate installer (the default installer of Ubuntu 12.04 doesn't allow setting up full disk encryption). |