http://packetstormsecurity.org/ 50 Most Recent Packet Storm File Additions en-us http://packetstormsecurity.org/0809-advisories/PLSA-2008-36.txt Pardus Linux Security Advisory - Multiple memory leaks and buffer overflows have been addressed in ffmpeg. Affected packages are mplayer versions below 0.0_20080825-92-11 and ffmpeg versions below 0.4.9_20080825-46-14. http://packetstormsecurity.org/0809-exploits/wpsimple-xss.txt WordPress Simple Tagging Widget suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/0809-exploits/googlechrome-pwn.tgz Google Chrome Browser version 0.2.149.27 suffers from a SaveAs-related buffer overflow and another denial of service vulnerability. Exploits for both are included in the tarball. PoC-XPSP2.html demonstrates the overflow by launching calc.exe and PoC-Crash.html demonstrates the crash. http://packetstormsecurity.org/0809-advisories/microworld-insecure.txt Multiple MicroWorld products suffer from insecure directory permissions vulnerabilities that allow for privilege escalation. http://packetstormsecurity.org/0809-exploits/devalcms-xssexec.txt devalcms version 1.4a cross site scripting and remote code execution exploit. http://packetstormsecurity.org/0809-exploits/microtik-poc.txt MicroTik RouterOS versions 3.13 and below SNMP write proof of concept exploit. http://packetstormsecurity.org/papers/call_for/xcon2008-cfp.txt Call For Papers for XCon 2008. This conference will take place from November 18th through the 19th in Beijing, China. http://packetstormsecurity.org/0809-exploits/awstats-exec2.txt Remote code execution exploit with an interactive shell for AWStats Totals versions 1.0 through 1.14. Version 2 of this exploit. It now works with magic quotes on or off. http://packetstormsecurity.org/0809-advisories/SSRT080119.txt HP Security Bulletin - A potential security vulnerability has been identified with HP OpenView Select Identity (HPSI) Connectors running on Windows. The vulnerability could result in a local disclosure of information. http://packetstormsecurity.org/0809-exploits/wordpress-xss.txt Wordpress Forum version 1.7.4 suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/0809-exploits/geocar-sql.txt Geocar CMS suffers from a remote SQL injection vulnerability. http://packetstormsecurity.org/0809-advisories/MDVSA-2008-186.txt Mandriva Linux Security Advisory - Multiple integer overflows were reported by the Google Security Team that had been fixed in Python 2.5.2. The Python packages on Corporate 3 have been updated to the latest version 2.3.7, which corrects this issue. http://packetstormsecurity.org/papers/bypass/aslr-bypass.txt Whitepaper discussing an ASLR bypassing methodology on the Linux 2.6.17/20 kernel. http://packetstormsecurity.org/0809-advisories/glsa-200809-04.txt Gentoo Linux Security Advisory GLSA 200809-04 - Sergei Golubchik reported that MySQL imposes no restrictions on the specification of DATA DIRECTORY or INDEX DIRECTORY in SQL CREATE TABLE statements. Versions less than 5.0.60-r1 are affected. http://packetstormsecurity.org/0809-advisories/glsa-200809-03.txt Gentoo Linux Security Advisory GLSA 200809-03 - Dyon Balding of Secunia Research reported an unspecified heap-based buffer overflow in the Shockwave Flash (SWF) frame handling. Versions less than 11.0.0.4028-r1 are affected. http://packetstormsecurity.org/0809-advisories/glsa-200809-02.txt Gentoo Linux Security Advisory GLSA 200809-02 - Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP source ports when forwarding DNS queries to a recursing DNS server. Carlos Carvalho reported that dnsmasq in the 2.43 version does not properly handle clients sending inform or renewal queries for unknown DHCP leases, leading to a crash. Versions below 2.45 are affected. http://packetstormsecurity.org/0809-advisories/glsa-200809-01.txt Gentoo Linux Security Advisory GLSA 200809-01 - Aaron Grattafiori reported a format string vulnerability in the window_error() function in yelp-window.c. Versions less than 2.22.1-r2 are affected. http://packetstormsecurity.org/0809-exploits/zencart138a-sql.txt Zen Cart versions 1.3.8a and below suffer from a remote SQL injection vulnerability. http://packetstormsecurity.org/0809-advisories/atheros-overflow.txt The wireless drivers in some Wi-Fi access points (such as the ATHEROS-based Linksys WRT350N) do not correctly parse the Atheros vendor specific information element included in association requests allowing for denial of service or possible code execution. http://packetstormsecurity.org/UNIX/mail/clamav-0.94.tar.gz Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. http://packetstormsecurity.org/0809-exploits/qwicsitepro-sqlxss.txt Qwicsite Pro suffers from remote SQL injection and cross site scripting vulnerabilities. http://packetstormsecurity.org/0809-exploits/awstats-exec.txt Remote code execution exploit with an interactive shell for AWStats Totals versions 1.0 through 1.14. http://packetstormsecurity.org/0809-advisories/clamav-chm.txt A fuzzing test against ClamAV versions below 0.94 discovered that they suffer from a chm file parsing vulnerability which can possibly be exploited. http://packetstormsecurity.org/0809-advisories/marvell-null.txt The Netgear WN802T (firmware 1.3.16) with the MARVELL 88W8361P-BEM1 chipset suffers from a NULL SSID association request vulnerability that allows for denial of service and possibly code execution. http://packetstormsecurity.org/0809-advisories/marvell-overflow.txt The Netgear WN802T (firmware 1.3.16) with the MARVELL 88W8361P-BEM1 chipset suffers from an overflow vulnerability when parsing malformed EAPoL-Key packets. http://packetstormsecurity.org/0809-exploits/google-chrome-dos2.txt Google Chrome Browser version 0.2.149.27 denial of service exploit that uses javascript. http://packetstormsecurity.org/0809-exploits/google-download1.txt Google Chrome Browser version 0.2.149.27 automatic file download exploit that uses a meta tag to automatically repeat downloading. http://packetstormsecurity.org/0809-exploits/google-chrome-dos1.txt Google Chrome Browser version 0.2.149.27 denial of service exploit that uses javascript. http://packetstormsecurity.org/0809-advisories/USN-640-1.txt Ubuntu Security Notice 640-1 - Andreas Solberg discovered that libxml2 did not handle recursive entities safely. If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system's CPU resources, leading to a denial of service. http://packetstormsecurity.org/0809-exploits/xrms-sqlxss.txt XRMS suffers from multiple cross site scripting and SQL injection vulnerabilities. http://packetstormsecurity.org/0809-advisories/FreeBSD-SA-08-09.icmp6.txt FreeBSD Security Advisory - In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination. When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could cause the TCP stack of the kernel to panic. http://packetstormsecurity.org/0809-advisories/FreeBSD-SA-08-08.nmount.txt FreeBSD Security Advisory - Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking. If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel. http://packetstormsecurity.org/0809-advisories/FreeBSD-SA-08-07.amd64.txt FreeBSD Security Advisory - If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not resulting in userland and kernel state being mixed. A local attacker can by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames and, run arbitrary code with kernel privileges. http://packetstormsecurity.org/0809-advisories/MDVSA-2008-185.txt Mandriva Linux Security Advisory - A cross-site request forgery vulnerability was discovered in Django that, if exploited, could be used to perform unrequested deletion or modification of data. Updated versions of Django will now discard posts from users whose sessions have expired, so data will need to be re-entered in these cases. The versions of Django shipping with Mandriva Linux have been updated to the latest patched versions that include the fix for this issue. In addition, they provide other bug fixes. http://packetstormsecurity.org/0809-advisories/MDVSA-2008-184.txt Mandriva Linux Security Advisory - Drew Yaro of the Apple Product Security Team reported multiple uses of uninitialized values in libtiff's LZW compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked to libtiff to crash or potentially execute arbitrary code. The updated packages have been patched to prevent this issue. http://packetstormsecurity.org/0809-advisories/cisco-sa-20080903-asa.txt Cisco Security Advisory - Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. http://packetstormsecurity.org/0809-advisories/cisco-sr-20080903-csacs.txt Cisco Security Advisory - A specially crafted Remote Authentication Dial In User Service (RADIUS) Extensible Authentication Protocol (EAP) Message Attribute packet sent to the Cisco Secure Access Control Server (ACS) can crash the CSRadius and CSAuth processes of Cisco Secure ACS. Because this affects CSAuth all authentication requests via RADIUS or TACACS+ will be affected during exploitation of this vulnerability. http://packetstormsecurity.org/0809-advisories/cisco-acs.txt Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code. A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable). This bug may be triggered if the length field of an EAP-Response packet has a certain big value, greater than the real packet length. http://packetstormsecurity.org/UNIX/IDS/distack-1.1.0-dev.tar.gz Distack is a framework for local and distributed attack detection and traffic analysis. It can run on live interfaces or traces files, as well as in simulation environments. Therefore it provides easy ways to develop attack detection mechanisms and evaluate them on a large-scale in simulated networks. http://packetstormsecurity.org/0809-exploits/livinglocal-sql.txt Living Local Website suffers from a SQL injection vulnerability in listtest.php. http://packetstormsecurity.org/0809-exploits/moodle-exec.txt Moodle versions 1.8.4 and below remote code execution exploit. http://packetstormsecurity.org/0809-exploits/uploader6-xss.txt Uploader version 6.1 suffers from a cross site scripting vulnerability. http://packetstormsecurity.org/0809-advisories/secunia-iprintboundary.txt Secunia Research has discovered a vulnerability in Novell iPrint Client, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the IppCreateServerRef() function in nipplib.dll. This can be exploited to cause a heap-based buffer overflow by passing an overly long, specially crafted string as argument to either GetPrinterURLList() , GetPrinterURLList2() , or GetFileList2() as provided by the Novell iPrint ActiveX control (ienipp.ocx). Successful exploitation may allow execution of arbitrary code. http://packetstormsecurity.org/0809-exploits/google-download.txt Google Chrome Browser version 0.2.149.27 automatic file download exploit. http://packetstormsecurity.org/0809-exploits/google_chrome.tgz Google Chrome Browser version 0.2.149.27 suffers from a denial of service crash vulnerability when mishandling a malicious link. Proof of concept code included. http://packetstormsecurity.org/UNIX/IDS/samhain-2.4.6.tar.gz Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris. http://packetstormsecurity.org/0809-exploits/spice-sql.txt Spice Classifieds suffers from a remote SQL injection vulnerability in index.php. http://packetstormsecurity.org/0809-exploits/translucid-upload.txt TransLucid version 1.75 suffers from a remote arbitrary file upload vulnerability. http://packetstormsecurity.org/0809-exploits/aspwebalbum-sqlxssupload.txt aspWebAlbum version 3.2 suffers from cross site scripting, SQL injection, and upload vulnerabilities. http://packetstormsecurity.org/shellcode/alphanumeric-shellcode.txt 67 byte Win32 PEB Kernel32.dll ImageBase Finger Alphanumeric shellcode.