October 26, 2014

Critical Vulnerability in TYPO3 Core; Remote Code Execution

(LiveHacking.Com) – The TYPO3 development team has issued a warning about a critical vulnerability in the TYPO3 content management system.

According to TYPO3 security bulletins, a crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external source and to execute it on the TYPO3 installation. The security issue is due to insufficient validation of the AbstractController.php file’s BACK_PATH parameter that leads to remote code execution.

With reference to the TYPO3 security advisory, a vulnerable system will meet all of the following conditions:

  1. TYPO3 version 4.5.0 up to 4.5.8, 4.6.0 or 4.6.1 (+ development releases of 4.7 branch).
  2. The following PHP configuration variables set to “on”: register_globals (“off” by default, and advised to be “off” in the TYPO3 Security Guide), allow_url_include (“off” by default) and allow_url_fopen (“on” by default).

The following solutions have been advised by the TYPO3 security advisory:

  1. Update to TYPO3 version 4.5.9 or 4.6.2, which fixes the problem described.
  2. Set at least one of the following PHP configuration variables to “off”: register_globals, allow_url_include and allow_url_fopen.
  3. Apply the security patch.
  4. Set up a mod_security rule: SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny"
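As an added illustration (not code from TYPO3 or from the article), the following Python evaluates the bulletin's two preconditions for a given version string and php.ini values, and mirrors the advised mod_security pattern as a plain regex check; the version parsing and the sample ini values are constructed assumptions.

```python
# Added example (not from the TYPO3 advisory or the article): evaluates
# the two preconditions the bulletin lists for the BACK_PATH issue and
# mirrors the advised mod_security rule as a plain regex check.
import re

# Stable releases the bulletin names as affected (development releases of
# the 4.7 branch are also listed but are not modelled here).
AFFECTED_VERSIONS = {(4, 5, p) for p in range(0, 9)} | {(4, 6, 0), (4, 6, 1)}

# PHP ini flags that must ALL be enabled for the installation to be exposed.
REQUIRED_ON = ("register_globals", "allow_url_include", "allow_url_fopen")

def parse_version(text):
    """'4.5.3' -> (4, 5, 3); anything that is not three integers is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected TYPO3 version string: %r" % text)
    return tuple(int(p) for p in parts)

def ini_on(value):
    """PHP accepts several spellings for an enabled boolean directive."""
    return str(value).strip().lower() in ("1", "on", "true", "yes")

def typo3_exposed(version, php_ini):
    """True only when the version is affected AND all three flags are on,
    which is how the bulletin's 'all of the following' conditions read."""
    if parse_version(version) not in AFFECTED_VERSIONS:
        return False
    return all(ini_on(php_ini.get(flag, "off")) for flag in REQUIRED_ON)

# Same pattern as the advised rule: SecRule ARGS:BACK_PATH "^(https?|ftp)" "deny"
# Note the pattern is case-sensitive as written; the rule is a stopgap and the
# update (or turning one of the ini flags off) remains the actual fix.
BACK_PATH_DENY = re.compile(r"^(https?|ftp)")

def back_path_denied(back_path):
    """Would the advised mod_security rule deny this BACK_PATH argument?"""
    return BACK_PATH_DENY.match(back_path) is not None

if __name__ == "__main__":
    # Constructed sample php.ini: PHP defaults except register_globals turned on.
    sample_ini = {"register_globals": "On", "allow_url_include": "Off",
                  "allow_url_fopen": "On"}
    print(typo3_exposed("4.5.3", sample_ini))   # False: allow_url_include is off
    sample_ini["allow_url_include"] = "1"
    print(typo3_exposed("4.5.3", sample_ini))   # True: all three flags on
    print(typo3_exposed("4.5.9", sample_ini))   # False: fixed release
    print(back_path_denied("../"))              # False: a relative path passes
```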

Please view the TYPO3 security advisory for more information.

Critical Vulnerability in CA Gateway Security 8.1 and CA Total Defense r12

(LiveHacking.Com) — CA Technology is warning its customers about a critical vulnerability in its Gateway Security 8.1 and CA Total Defense r12. The vulnerability can allow a remote attacker to execute arbitrary code.

According to the CA portal, the vulnerability, CVE-2011-2667, occurs due to insufficient bounds checking that can result in a memory overwrite on the heap. By sending a malformed request, an attacker can overwrite a sensitive portion of heap memory, which can potentially result in server compromise.

The “Heap Memory” or “Heap Memory Pool” is an internal memory pool created at start-up that tasks use to dynamically allocate memory as needed. This memory pool is used by tasks that require a lot of memory, rather than taking it from the stack in the stack-based memory allocation system.

CA Technology has released an update to patch the vulnerability. Alternatively, an update to Gateway Security 9.0 is available from the CA support site.

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

Microsoft warns of a new security hole in Windows which can be exploited to inject and execute arbitrary code.

According to the recent post at Microsoft Security Advisory, Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

All versions of Windows except Windows 7 and Server 2008 R2 are vulnerable.

Unpatched hole in ImgBurn disk burning application

According to security specialist Secunia, a highly critical vulnerability in ImgBurn, a lightweight disk burning application, can be used to remotely compromise a user’s system. The security issue in the freeware program is reportedly caused by the application loading libraries (dwmapi.dll) in an “insecure manner”, which can then lead to the execution of arbitrary code.

Read the full story here.

Source:[TheHSecurity]

Geinimi: New Android Data Stealing Trojan

Geinimi is a new Android data-stealing Trojan affecting Android cell phones in China.

According to Lookout blog reports, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.

“Geinimi is effectively being ‘grafted’ onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions. Though the intent of this Trojan isn’t entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet,” the report stated.

In addition to personal data such as the address book, the Trojan can also read out the cell phone’s position data, device ID (IMEI), SIM card number (IMSI), and a list of the installed apps.

More information is available here.

Source:[blog.mylookout.com]

Critical Vulnerability in Internet Explorer

VUPEN, an IT security research company, has reported a critical vulnerability in Internet Explorer that has been known for about two weeks.


With reference to VUPEN security advisory, a vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the “mshtml.dll” library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various “@import” rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.

VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3. Microsoft has yet to respond and it is not known if or when a patch will be released.

Download the Metasploit Framework exploit code for this vulnerability here.

Multiple Vulnerabilities in ClamAV

Arkadiusz Miskiewicz from ClamAV has reported multiple vulnerabilities in the ClamAV anti-virus.
These issues could be exploited by an attacker to cause denial-of-service conditions or potentially execute arbitrary code in the context of the application. All versions prior to ClamAV 0.96.5 are vulnerable.


Security Updates for IE and Stuxnet Holes

Microsoft has released 17 security updates to close 40 security holes.

With reference to Microsoft Security Bulletins, this security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Further, this security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and script during certain processes. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2458511.

More information is available here.

Source:[Microsoft Security Bulletin MS10-090]

Debian and Red Hat close Exim hole

Four days after a security hole was discovered in the free Exim mail server, the developers of Debian and Red Hat have released corrected versions for their Linux distributions. While the Exim version provided by Red Hat blocks root access, Debian’s new Exim contains fixes for a memory flaw that allows code to be executed with Exim user rights.

Read the full story here.

Source:[TheHSecurity]

Possible Remote Root Vulnerability in Exim Internet Mailer

According to a post by Sergey Kononenko on the Exim developer mailing list, there is a possibility of a remote root attack against the Exim Internet Mailer in the Debian package.

The possible vulnerability was found in Exim from Debian Lenny (exim4-daemon-light 4.69-9), but other versions might be vulnerable. An attacker could exploit this vulnerability to gain control of a mail server.

More information is available here.

Source:[http://lists.exim.org]