Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 16



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> A Microsoft Zero-Day caused a lot of frenetic activity this week, but
> the big "oh darn" moment this week was learning that the wireless
> infrastructure people had deployed in thousands of large organizations
> has hard coded user names and passwords and default community strings
> - -- which make their networks remotely exploitable.
> 
> Separately, with Rohit Dhamankar's help, we have launched a very cool
> new "Software Security @RISK" Newsletter that analyzes major current
> vulnerabilities from @RISK and shows the exact programming errors that
> caused the vulnerabilities. The newsletter will be distributed to all
> programmers who register for the secure coding exam (www.sans-ssi.org),
> as a continuous learning tool for them. In the meantime, we'll send the
> current issues to any programmer or tester or auditor who knows enough
> about secure coding in Java or C to review the current test blueprint
> in one of those languages and help us rate the secure coding rules in
> the blueprint on importance and frequency of use. Email spa@xxxxxxxx and
> tell us which language (Java or C) you are capable of reviewing.
> 
> 
> *****************************
> Widely Deployed Software
> *****************************
> 
> (1) CRITICAL: Microsoft DNS Server RPC Interface Buffer Overflow (0-day)
> Affected:
> DNS server running on:
> Windows 2000 Server SP4
> Windows 2003 Server SP1/SP2
> 
> Description: Microsoft DNS server supports an RPC interface that can be
> accessed via high TCP ports (> 1023). The interface can also be accessed
> via "\\dnsserver" named pipe on ports 139/tcp and 445/tcp. This
> interface contains a buffer overflow that can be triggered by a function
> call with a specially crafted zone name. The overflow can be exploited
> to execute arbitrary code on the DNS server with SYSTEM privileges.
> Compromise of a DNS server may lead to further compromises in an
> enterprise by re-directing people to malicious domains. Exploit code for
> this vulnerability has been publicly posted, and the flaw is being
> exploited in the wild. Note that the DNS service running on port 53 is
> not affected by the buffer overflow.
> 
> Status: Microsoft has issued certain workarounds that can be employed
> before a patch is released. The suggested workarounds are:
> 
> (a) Block requests to the DNS server on TCP ports > 1023, 139 and 445
> from the Internet.
> 
> (b) Disable the remote management over RPC feature for the affected DNS
> servers. The steps are outlined in the Microsoft advisory.
> 
> References:
> Microsoft Advisory
> http://www.microsoft.com/technet/security/advisory/935964.mspx 
> SANS Handler's Diary Discussions
> http://isc.sans.org/diary.html?storyid=2637 
> http://isc.sans.org/diary.html?storyid=2627 
> Exploit Code
> http://archives.neohapsis.com/archives/bugtraq/2007-04/0245.html 
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb
> SecurityFocus BID
> http://www.securityfocus.com/bid/23470
> 
> *********************************************************************
> 
> (2) CRITICAL: Cisco Wireless LAN Controller and Wireless Control System Vulnerabilities
> Affected:
> Wireless LAN Controllers
> - --Cisco 4400/2100 Series Wireless LAN Controllers
> - --Cisco Wireless LAN Controller Module
> Wireless Integrated Switches and Routers
> - --Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
> - --Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
> 
> Cisco Wireless Control System versions prior to 4.0.96.0
> 
> Description: Cisco Wireless LAN Controller and Wireless Control System
> are the building blocks of an enterprise-scale wireless network
> supporting business critical applications. The Wireless LAN Controller
> uses "private" community string for SNMP read-write operations. An
> attacker can exploit the default SNMP read-write community string to
> take control of the device.
> 
> Similarly, the Cisco Wireless Control System (WCS) has a hardcoded
> username and password for its FTP server (used for data backup
> purposes). An attacker can use these default credentials to potentially
> compromise the server running the Cisco WCS application.
> 
> Status: Cisco confirmed, updates available.
> 
> References:
> Cisco Security Advisories
> http://www.cisco.com/warp/public/707/cisco-sa-20070412-wlc.shtml 
> http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml 
> Product Homepage
> http://www.cisco.com/en/US/products/ps6302/Products_Sub_Category_Home.html
> http://www.cisco.com/en/US/products/ps6305/index.html 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/23460 
> http://www.securityfocus.com/bid/23461 
> 
> *****************************************************************************
> 
> (3) HIGH: Microsoft Content Management Server Multiple Vulnerabilities (MS07-018)
> Affected:
> Microsoft Content Management Server 2001/2002
> 
> Description: Microsoft Content Management Server (MSCMS), used to create
> and maintain web sites, contains multiple vulnerabilities:
> 
> (1) A specially-crafted HTTP GET request could trigger a memory corruption
> vulnerability in MSCMS. Successfully exploiting this vulnerability could
> allow an attacker to execute arbitrary code with the privileges of the
> MSCMS server process.
> 
> (2) A cross-site scripting vulnerability exists in the way MSCMS handles
> HTML redirection requests. An attacker could leverage this vulnerability
> to execute arbitrary scripts on other users' systems with the same
> privileges as other scripts downloaded from the Internet. Further
> technical details for this vulnerability are unavailable.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the responding council sites. They reported that no action was
> necessary.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx 
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/22860 
> http://www.securityfocus.com/bid/22861 
> 
> *************************************************************************
> 
> (4) HIGH: Microsoft Agent Memory Corruption (MS07-020)
> Affected:
> Microsoft Windows 2000/XP
> Microsoft Windows Server 2003
> Note: Users of Internet Explorer 7 are reportedly not vulnerable.
> 
> Description: Microsoft Agent is a Microsoft technology used to provide
> animated characters for user interaction. Microsoft Agent contains a
> memory corruption vulnerability. A specially-crafted URL could trigger
> this memory corruption vulnerability, and allow an attacker to execute
> arbitrary code with the privileges of the current user. A malicious web
> page that embedded such a URL could exploit this vulnerability when the
> user views the page. Clicking on the link itself is not necessary.
> 
> Status: Microsoft confirmed, updates available.
> 
> Council Site Actions: All reporting council sites are responding to this
> issue. They plan to deploy the patches during their next regularly
> scheduled maintenance window.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-020.mspx 
> Secunia Security Advisory
> http://archives.neohapsis.com/archives/bugtraq/2007-04/0157.html 
> Microsoft Agent Home Page
> http://www.microsoft.com/msagent/ 
> SecurityFocus BID
> http://www.securityfocus.com/bid/23337 
> 
> *************************************************************************
> 
> (5) HIGH: Kaspersky AntiVirus Multiple Vulnerabilities
> Affected:
> Kaspersky AntiVirus version 6.0
> Kaspersky Internet Security 6.0
> Kaspersky File Server version 6.0
> 
> Description: Kaspersky AntiVirus product contains the following
> vulnerabilities:
> 
> (a) The ActiveX controls AXKLPROD60Lib.KAV60Info and
> AXKLSYSINFOLib.SysInfo installed by the anti-virus product can be
> exploited to download/delete arbitrary files to/from a user's system,
> when the user visits a malicious webpage.
> 
> (b) The anti-virus engine contains a heap-based buffer overflow that can
> be triggered by specially crafted ARJ archives. The flaw can be
> exploited to execute arbitrary code on a system running a vulnerable
> version of the anti-virus engine. Note that no user interaction is
> required to exploit this flaw. The e-mail gateways are most severely
> affected by this vulnerability.
> 
> Status: Kaspersky confirmed, updates available.
> 
> References:
> Kaspersky Advisories
> http://www.kaspersky.com/technews?id=203038693
> http://www.kaspersky.com/technews?id=203038694
> Zero Day Initiative Advisories
> http://www.zerodayinitiative.com/advisories/ZDI-07-014.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/23325
> http://www.securityfocus.com/bid/23345
> http://www.securityfocus.com/bid/23346
> 
> *************************************************************************
> 
> (6) MODERATE: Microsoft Windows Universal Plug and Play Memory Corruption (MS07-019)
> Affected:
> Microsoft Windows XP
> 
> Description: Universal Plug and Play (UPnP) is a collection of open
> technologies, including HTTP and XML, used to advertise and discover
> network services and configuration. The implementation in Microsoft
> Windows XP contains a memory corruption vulnerability. By sending a
> specially-crafted HTTP request to a vulnerable system, an attacker could
> trigger this vulnerability. Successfully exploiting this vulnerability
> could lead to arbitrary code execution with the privileges of
> "LocalSystem".  Note that the vulnerable service is not enabled by
> default. Under most network configurations, the attacker would need to
> be in the same sub network as the victim. A working exploit is known to
> exist, and is available to members of Immunity's partner program.
> 
> Status: Microsoft confirmed, updates available. Users are advised to
> block UDP port 1900 and TCP port 2869 at the network perimeter.
> 
> Council Site Actions:  All reporting council sites are responding to
> this issue. They plan to deploy the patches during their next regularly
> scheduled maintenance window.
> 
> References:
> Microsoft Security Bulletin
> http://www.microsoft.com/technet/security/bulletin/ms07-019.mspx 
> iDefense Security Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=509
> Wikipedia Entry on Universal Plug and Play
> http://en.wikipedia.org/wiki/UPnP 
> SecurityFocus BID
> http://www.securityfocus.com/bid/23371 
> 
> **************************************************************
> 
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
> 
> 
> 07.16.1 CVE: CVE-2007-1748
> Platform: Windows
> Title: Microsoft Windows Domain Name Server Service Remote Procedure
> Call Interface
> Description: Microsoft Windows Domain Name Server (DNS) service is an
> Internet directory service that translates domain names into IP
> addresses. The application is exposed to an unspecified issue in its
> Remote Procedure Call (RPC) interface which is typically bound to TCP
> ports between 1024 and 5000. Windows Server 2000 Service Pack 4, and
> Windows Server 2003 Service Packs 1 and 2 are affected.
> Ref: http://www.kb.cert.org/vuls/id/555920
> ______________________________________________________________________
> 
> 
> 07.16.3 CVE: CVE-2007-1209
> Platform: Windows
> Title: Microsoft Windows CSRSS CSRFinalizeContext Local Privilege
> Escalation
> Description: Microsoft Windows CSRSS (client/server run-time
> subsystem) is the user mode portion of the Win32 subsystem. CSRSS is a
> required service for Windows and is always running. CSRSS is exposed
> to a local privilege escalation issue because it fails to adequately
> marshal system resources when handling connections during process
> startups and stops. Microsoft Windows Vista is affected.
> Ref: http://www.kb.cert.org/vuls/id/219848
> ______________________________________________________________________
> 
> 07.16.4 CVE: CVE-2007-1206
> Platform: Windows
> Title: Microsoft Windows IVT Kernel Local Privilege Escalation
> Description: Microsoft Windows is exposed to a local privilege
> escalation issue because the Windows kernel allows incorrect
> permissions to be used when mapping memory segments. Please refer to
> the advisory for further details.
> Ref: http://www.kb.cert.org/vuls/id/337953
> ______________________________________________________________________
> 
> 07.16.5 CVE: CVE-2007-1204
> Platform: Windows
> Title: Microsoft Windows UPnP Remote Code Execution
> Description: UPnP is a set of network protocols to extend
> plug-and-play functionality to intelligent network devices in homes
> and businesses. This allows intelligent network devices to
> automatically connect to each other without requiring user
> configuration. Microsoft Windows is exposed to a remote code execution
> vulnerability because it fails to handle certain HTTP requests.
> Ref:
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=509
> ______________________________________________________________________
> 
> 07.16.6 CVE: Not Available
> Platform: Windows
> Title: Microsoft Windows Help File Unspecified Heap Overflow
> Description: The "winhlp32.exe" executable is the Microsoft Windows
> Help File viewer. The application is exposed to a heap overflow issue
> because it fails to perform boundary checks before copying
> user-supplied data into insufficiently sized memory buffers.
> Ref: http://www.securityfocus.com/bid/23382
> ______________________________________________________________________
> 
> 
> 07.16.9 CVE: Not Available
> Platform: Microsoft Office
> Title: Microsoft Word 2007 WWLib.DLL Unspecified Document File Buffer
> Overflow
> Description: Microsoft Word is exposed to a buffer overflow issue
> because the application fails to properly bounds check user-supplied
> data before copying it to an insufficiently sized memory buffer.
> Ref: http://www.securityfocus.com/bid/23380
> ______________________________________________________________________
> 
> 07.16.10 CVE: CVE-2007-1205
> Platform: Other Microsoft Products
> Title: Microsoft Agent URI Processing Remote Code Execution
> Description: Microsoft Agent is a set of software services for
> developers to enhance the user interface of web-based applications.
> The application is exposed to a remote code execution issue when the
> Microsoft Agent component processes URIs.
> Ref: http://www.kb.cert.org/vuls/id/728057
> ______________________________________________________________________
> 
> 07.16.11 CVE: CVE-2007-0938
> Platform: Other Microsoft Products
> Title: Microsoft Content Management Server Remote Code Execution
> Description: Microsoft Content Management Server (MCMS) is an
> application that allows users to create, publish and manage web
> content remotely. It operates in conjunction with Internet Information
> Server and SQL Server. The application is exposed to an arbitrary code
> execution issue because the software fails to properly validate
> user-supplied input.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx
> ______________________________________________________________________
> 
> 07.16.15 CVE: CVE-2006-6696
> Platform: Third Party Windows Apps
> Title: Microsoft Windows CSRSS MSGBox Remote Code Execution
> Description: Microsoft Windows CSRSS (client/server run-time
> subsystem) MsgBox is the user mode portion of the Win32 subsystem.
> CSRSS is a required service for Windows and is always running. MsgBox
> is exposed to a remote code execution issue because it fails to
> adequately handle certain error messages.
> Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
> ______________________________________________________________________
> 
> 
> 07.16.18 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Microsoft Windows Explorer ANI File Denial of Service
> Description: Windows Explorer is exposed to a denial of service issue.
> The problem occurs when the application is used to open a folder
> containing a malicious ANI file. Windows Explorer on Microsoft Windows
> XP SP2 is affected.
> Ref: http://www.securityfocus.com/bid/23373
> ______________________________________________________________________
> 
> 07.16.20 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Winamp IN_Mod.DLL Plug-in Remote Code Execution
> Description: Winamp is a multimedia player. The Winamp IN_MOD.DLL
> plug-in is exposed to a remote code execution issue because it fails
> to adequately handle malformed files. Winamp version 5.33 is affected.
> Ref: http://www.securityfocus.com/archive/1/464890
> ______________________________________________________________________
> 
> 07.16.21 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Winamp LibSNDFile.DLL Component Remote Code Execution
> Description: Winamp is a multimedia player. Winamp is exposed to a
> remote code execution issue resulting from an off by zero memory
> corruption error. Winamp version 5.33 is affected.
> Ref: http://www.securityfocus.com/archive/1/464889
> ______________________________________________________________________
> 
> 07.16.22 CVE: CVE-2007-1112
> Platform: Third Party Windows Apps
> Title: Kaspersky AntiVirus Prod60 ActiveX Control Arbitrary File
> Exfiltration
> Description: Kaspersky AntiVirus is an antivirus application for
> desktop and small business computers. The application is exposed to an
> arbitrary file exfiltration issue because it contains a file upload
> ActiveX control that can be misused by a malicious site. Kaspersky
> Anti-Virus 6.0 and Kaspersky Internet Security 6.0 are affected.
> Ref: http://www.kaspersky.com/technews?id=203038694
> ______________________________________________________________________
> 
> 07.16.23 CVE: CVE-2007-0445
> Platform: Third Party Windows Apps
> Title: Kaspersky Antivirus Engine ARJ Archive Remote Heap Overflow
> Description: The Kaspersky Antivirus Engine is the core antivirus
> software used in Kaspersky computer security tools for Microsoft
> Windows. The application is exposed to a remote heap overflow issue
> because the application fails to perform sufficient boundary checks on
> user-supplied data before copying it into an insufficiently sized
> buffer. Kaspersky Anti-Virus version 6.0 is affected.
> Ref: http://www.zerodayinitiative.com/advisories/ZDI-07-013.html
> ______________________________________________________________________
> 
> 07.16.26 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel Fib_Semantics.C Out Of Bounds Access
> Description: The Linux kernel is exposed to an out of bounds access
> issue. This issue occurs because the semantics for IPv4 Forwarding
> Information Base fail to adequately bounds check user-supplied data
> before accessing an array. The Linux versions prior to 2.6.21-rc6 are
> affected.
> Ref:
> http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.21-rc6
> ______________________________________________________________________
> 
> 07.16.27 CVE: Not Available
> Platform: Linux
> Title: Opera Web Browser Running Adobe Flash Player Unspecified
> Description: Opera Web Browser is exposed to an unspecified
> vulnerability when running Adobe Flash Player. Opera Web Browser
> versions prior to 9.20 are affected. Adobe Flash Player versions prior
> to 9.0.28.0 are affected. Please refer to the advisory for further
> details.
> Ref: http://www.opera.com/support/search/view/858/
> ______________________________________________________________________
> 
> 07.16.28 CVE: CVE-2006-7179
> Platform: Linux
> Title: MADWifi Channel Switch Announcement Information Elements
> Denial of Service
> Description: MADWifi (Multiband Atheros Driver for WiFi) is a device
> driver for Wireless LAN chipsets. The application is exposed to a denial
> of service issue because it fails to properly handle certain network
> packets. MADWifi versions prior to 0.9.3 are affected.
> Ref: http://madwifi.org/ticket/963
> ______________________________________________________________________
> 
> 07.16.29 CVE: CVE-2006-7180
> Platform: Linux
> Title: MADWifi IEEE80211_Output.C Unencrypted Data Packet Multiple
> Vulnerabilities
> Description: MADWiFi (Multiband Atheros Driver for WiFi) is a Linux
> kernel device driver application for wireless LAN chipsets. The
> application is exposed to multiple issues because the
> "ieee80211_output.c" source file sends unencrypted packets prior to
> successful WPA authentication. MADWifi versions prior to 0.9.3 are
> affected.
> Ref: http://madwifi.org/wiki/Releases/0.9.3
> ______________________________________________________________________
> 
> 07.16.30 CVE: CVE-2006-7178
> Platform: Linux
> Title: MADWifi Auth Frame IBSS Remote Denial of Service
> Description: MADWifi (Multiband Atheros Driver for WiFi) is a Linux
> kernel device driver for Wireless LAN chipsets. The application is
> exposed to a remote denial of service issue because the application
> fails to properly handle certain AUTH frames from an IBSS node. MADWifi
> versions prior to 0.9.3 are affected.
> Ref: http://madwifi.org/ticket/880
> ______________________________________________________________________
> 
> 07.16.31 CVE: CVE-2006-7177
> Platform: Linux
> Title: MADWifi Ad-Hoc Mode Denial of Service
> Description: MADWifi (Multiband Atheros Driver for WiFi) is a device
> driver for Wireless LAN chipsets. The application is exposed to a
> denial of service issue when running in "Ad-Hoc" mode because the
> application/service fails to properly handle certain network
> packets/traffic. MADWifi versions prior to 0.9.3 are affected.
> Ref: http://madwifi.org/ticket/880
> ______________________________________________________________________
> 
> 07.16.32 CVE: Not Available
> Platform: Linux
> Title: Quagga BGPD UPDATE Message Remote Denial of Service
> Description: Quagga is a suite of routing applications written for
> the FreeBSD, Linux, Solaris and NetBSD operating systems. The
> application is exposed to a remote denial of service issue because it
> fails to handle a malformed multi protocol message. Quagga versions
> 0.99.6, 0.98.6 and prior (0.99 branch and 0.98 branch) are affected.
> Ref: http://www.securityfocus.com/bid/23417
> ______________________________________________________________________
> 
> 07.16.34 CVE: CVE-2007-1841
> Platform: Linux
> Title: IPSec-Tools Remote Denial of Service
> Description: IPSec-Tools is a port of KAME's IPsec utilities to the
> Linux-2.6 IPsec implementation. The application is exposed to a remote
> denial of service issue because the application fails to properly
> handle certain network packets. IPSec-Tools versions prior to 0.6.7
> are affected.
> Ref:
> http://sourceforge.net/mailarchive/message.php?msg_name=20070406123739.GA1546%40zen.inc
> ______________________________________________________________________
> 
> 07.16.35 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel DCCP Proto.C Buffer Overflow
> Description: The Linux kernel is exposed to a buffer overflow issue
> because it fails to adequately bounds check user-supplied data before
> copying it to an insufficiently sized buffer. This issue affects the
> "do_dccp_getsockopt()" function in the "netdccpproto.c" source file.
> The Linux kernel versions prior to 2.6.20.5 are affected.
> Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.5
> ______________________________________________________________________
> 
> 07.16.36 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel AppleTalk ATalk_Sum_SKB Function Denial of Service
> Description: The Linux kernel is exposed to a denial of service issue.
> This issue presents itself when malformed AppleTalk frames are
> processed. Linux kernel versions prior to 2.6.20.5 are affected.
> Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.5
> ______________________________________________________________________
> 
> 
> 07.16.40 CVE: Not Available
> Platform: Solaris
> Title: Sun Solaris IP Implementation Remote Denial of Service
> Description: Sun Solaris is exposed to a remote denial of service
> issue because the application fails to handle exceptional conditions.
> Solaris 8 and Solaris 9 are affected.
> Ref:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102866-1&searchclause=
> ______________________________________________________________________
> 
> 07.16.52 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Filter_Var FILTER_VALIDATE_EMAIL Newline Injection
> Description: PHP has a "filter_var()" function that is designed to
> sanitize user-supplied input for various purposes. The application is
> exposed to an email newline injection issue because it fails to
> properly sanitize user-supplied input. PHP 5.2.1 and PHP 5.2 are
> affected.
> Ref: http://www.php-security.org/MOPB/PMOPB-45-2007.html
> ______________________________________________________________________
> 
> 07.16.53 CVE: CVE-2007-1001
> Platform: Cross Platform
> Title: PHP GD Extension WBMP File Integer Overflow Vulnerabilities
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> PHP's GD extension is exposed to two integer overflow issues because
> it fails to ensure that integer values aren't overrun. PHP versions
> 5.2.1 and earlier are affected.
> Ref: http://www.securityfocus.com/archive/1/464957
> ______________________________________________________________________
> 
> 07.16.54 CVE: Not Available
> Platform: Cross Platform
> Title: Firebug Rep.JS Script Code Injection
> Description: Firebug is a Firefox extension that is used for
> debugging, editing and monitoring CSS, JavaScript and HTML. Firebug is
> exposed to a script code injection issue. The issue exists because the
> "rep.js" script fails to adequately escape user-supplied data. Firebug
> versions prior to 1.04 are affected.
> Ref: http://www.securityfocus.com/archive/1/464875
> ______________________________________________________________________
> 
> 07.16.114 CVE: Not Available
> Platform: Network Device
> Title: Cisco Wireless Lan Controller Multiple Remote Vulnerabilities
> Description: The Cisco Wireless LAN Controller (WLC) manages Cisco
> Aironet access points using the Lightweight Access Point Protocol
> (LWAPP). The application is exposed to multiple remote issues. Please
> refer to the advisory for further details.
> Ref:
> http://www.cisco.com/warp/public/707/cisco-sa-20070412-wlc.shtml#workarounds
> ______________________________________________________________________
> 
> 07.16.115 CVE: Not Available
> Platform: Network Device
> Title: Cisco Wireless Control System Multiple Vulnerabilities
> Description: Cisco Wireless Control System (WCS) is used with Cisco 
> wireless appliances to provide system configuration, location
> tracking, security monitoring and wireless LAN management. Cisco
> Wireless Control System versions prior to 4.0.96.0 are affected.
> Please refer to the advisory for further details.
> Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
> ______________________________________________________________________
> 
> (c) 2007.  All rights reserved.  The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only.  In some
> cases, copyright for material in this newsletter may be held by a
> party other than Qualys (as indicated herein) and permission to use
> such material must be requested from the copyright owner.
> 
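
An added example, not part of the forwarded newsletter: one way to confirm that workaround (a) for item (1) is actually in force, by scanning firewall logs for allowed TCP connections from outside the internal network to a DNS server on ports 139, 445 or above 1023. The log format, addresses and network ranges are constructed assumptions.

```python
import ipaddress

# Constructed sample log in a made-up "ACTION PROTO src:sport -> dst:dport"
# format (an assumption; adapt parse_line to your firewall's real format).
SAMPLE_LOG = """\
ALLOW TCP 203.0.113.7:40112 -> 192.0.2.10:53
ALLOW UDP 203.0.113.7:40113 -> 192.0.2.10:53
ALLOW TCP 203.0.113.9:51000 -> 192.0.2.10:445
DENY TCP 203.0.113.9:51001 -> 192.0.2.10:139
ALLOW TCP 198.51.100.23:33000 -> 192.0.2.10:1027
ALLOW TCP 10.1.2.3:49200 -> 192.0.2.10:1027
ALLOW TCP 203.0.113.9:51002 -> 192.0.2.20:445
garbage line
"""

# Assumed site data (documentation address ranges, not real hosts).
DNS_SERVERS = {ipaddress.ip_address("192.0.2.10")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NAMED_PIPE_PORTS = {139, 445}  # transport for the "\\dnsserver" named pipe


def parse_line(line):
    """Return (action, proto, src_ip, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_host, _ = parts[2].rsplit(":", 1)
        dst_host, dst_port = parts[4].rsplit(":", 1)
        return (parts[0].upper(), parts[1].upper(),
                ipaddress.ip_address(src_host),
                ipaddress.ip_address(dst_host), int(dst_port))
    except ValueError:
        return None


def rpc_exposure(proto, dst_port):
    """Name the management path a destination port reaches, or None."""
    if proto != "TCP":
        return None
    if dst_port in NAMED_PIPE_PORTS:
        return "named pipe (139/445)"
    if dst_port > 1023:
        return "high TCP port (>1023)"
    return None  # includes port 53, which the alert says is not affected


def find_exposures(log_text):
    """List allowed external connections that workaround (a) should block."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        action, proto, src, dst, dport = rec
        if action != "ALLOW" or dst not in DNS_SERVERS:
            continue
        if any(src in net for net in INTERNAL_NETS):
            continue  # the workaround targets requests from the Internet
        reason = rpc_exposure(proto, dport)
        if reason:
            findings.append((str(src), str(dst), dport, reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in find_exposures(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} allowed: {reason}")
```
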



 




Copyright © Lexa Software, 1996-2009.