Information Security


Multiple IPv6 problems in Microsoft Vista
updated since 29 March 2007
Published: 4 April 2007
SecurityVulns ID: 7502
Type: remote
Severity: 6/10
Description: Multiple spoofing and denial-of-service attacks against the Vista network stack: Teredo is activated without user action, the Teredo nonce is reused across UDP ports, Neighbor Discovery accepts spoofed Neighbor Advertisements, gratuitous ARP overwrites existing ARP entries, and the LLTD Mapper/Responder can be fed spoofed topology information.
Affected products: MICROSOFT : Windows Vista
CVE:CVE-2007-1535 (Microsoft Windows Vista establishes a Teredo address without user action upon connection to the Internet, contrary to documentation that Teredo is inactive without user action, which increases the attack surface and allows remote attackers to communicate via Teredo.)
 CVE-2007-1534 (DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 for 2 minutes after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port during the time window.)
 CVE-2007-1533 (The Teredo implementation in Microsoft Windows Vista uses the same nonce for communication with different UDP ports within a solicitation session, which makes it easier for remote attackers to spoof the nonce through brute force attacks.)
 CVE-2007-1532 (The neighbor discovery implementation in Microsoft Windows Vista allows remote attackers to conduct a redirect attack by (1) responding to queries by sending spoofed Neighbor Advertisements or (2) blindly sending Neighbor Advertisements.)
 CVE-2007-1531 (Microsoft Windows XP and Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of network access) by sending a gratuitous ARP for the address of the Vista host.)
 CVE-2007-1530 (The LLTD Mapper in Microsoft Windows Vista does not properly gather responses to EMIT packets, which allows remote attackers to cause a denial of service (mapping failure) by omitting an ACK response, which triggers an XML syntax error.)
 CVE-2007-1529 (The LLTD Responder in Microsoft Windows Vista does not send the Mapper a response to a DISCOVERY packet if another host has sent a spoofed response first, which allows remote attackers to spoof arbitrary hosts via a network-based race condition, aka the "Total Spoof" attack.)
 CVE-2007-1528 (The LLTD Mapper in Microsoft Windows Vista allows remote attackers to spoof hosts, and nonexistent bridge relationships, into the network topology map by using a MAC address that differs from the MAC address provided in the Real Source field of the LLTD BASE header of a HELLO packet, aka the "Spoof on Bridge" attack.)
 CVE-2007-1527 (The LLTD Mapper in Microsoft Windows Vista does not verify that an IP address in a TLV type 0x07 field in a HELLO packet corresponds to a valid IP address for the local network, which allows remote attackers to trick users into communicating with an external host by sending a HELLO packet with the MW characteristic and a spoofed TLV type 0x07 field, aka the "Spoof and Management URL IP Redirect" attack.)
Original text: Jim Hoagland, Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation (04.04.2007)
Files: New report on Windows Vista network attack surface

Animated cursor problems in Microsoft Windows
updated since 30 March 2007
Published: 4 April 2007
SecurityVulns ID: 7508
Type: client
Severity: 10/10
Description: Stack-based buffer overflow in animated cursor (ANI) handling; a zero-day exploited through web pages and e-mail to silently install malicious code.
Affected products: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
CVE:CVE-2007-1867 (Buffer overflow in IrfanView 3.99 allows remote attackers to execute arbitrary code via a crafted animated cursor (ANI) file.)
 CVE-2007-1765 (Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.)
 CVE-2007-0038 (Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.)
Original text: CERT, US-CERT Technical Cyber Security Alert TA07-093A -- Microsoft Update for Windows Animated Cursor Vulnerability (04.04.2007)
 jamikazu_(at)_gmail.com, Windows XP/Vista (.ANI) Remote Exploit (bypass eeye patch) (03.04.2007)
 Gadi Evron, More information on ZERT patch for ANI 0day (03.04.2007)
 CERT, US-CERT Technical Cyber Security Alert TA07-089A -- Microsoft Windows ANI header stack buffer overflow (31.03.2007)
 MICROSOFT, Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling (30.03.2007)
 EEYE, [Full-disclosure] ANI Zeroday, Third Party Patch (30.03.2007)
 Alexander Sotirov, 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) (30.03.2007)
Files: Exploits Windows .ANI LoadAniIcon Stack Overflow
 Windows ANI LoadAniIcon() Chunk Size Stack Overflow (SMTP)
 Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP)
 Windows Animated Cursor Handling Exploit (0day) (Version3)
 Microsoft ANI Buffer Overflow Exploit Web Download Code Execution Exploit
 Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling
 Microsoft Windows multiple GDI vulnerabilities
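CVE-2007-0038 comes down to a fixed 36-byte stack buffer (the ANIHEADER) being filled with a chunk-declared length, and the earlier MS05-002 fix validating only the first anih chunk, so a second anih chunk with a large declared size still overflowed. The scanner below is an added example, not code from Windows or from any of the advisories listed above: it walks the RIFF chunk list of an ANI file, descends into LIST chunks, and reports the ordinal of the first anih chunk whose declared size is not 36 bytes. It reads chunk headers only, so a truncated file with a huge declared size cannot push it past the end of the buffer. The two sample files are constructed in build_sample(); how the Windows loader handles chunks beyond what the CVE text states is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* sizeof(ANIHEADER): the fixed stack buffer LoadAniIcon copied an anih chunk into. */
#define ANIH_SIZE 36u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the 1-based ordinal of the first "anih" chunk whose declared size is
 * not ANIH_SIZE, 0 if every anih chunk is sane, -1 if buf is not a RIFF/ACON
 * container. Only chunk headers are read, so a chunk whose declared body runs
 * past the end of the buffer is reported or skipped, never followed. */
int ani_first_bad_anih(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    size_t off = 12;
    int ordinal = 0;
    while (off + 8 <= len) {
        const uint8_t *id = buf + off;
        uint32_t csz = rd32le(buf + off + 4);
        if (memcmp(id, "anih", 4) == 0) {
            ordinal++;
            if (csz != ANIH_SIZE)
                return ordinal;                  /* the MS05-002 check stopped after ordinal 1 */
        }
        if (memcmp(id, "LIST", 4) == 0) {        /* LIST <size> <type>, then sub-chunks */
            off += 12;
            continue;
        }
        size_t step = 8 + (size_t)csz + (csz & 1u);   /* chunk bodies are word-aligned */
        if (step > len - off)
            break;                                   /* body runs off the end: stop cleanly */
        off += step;
    }
    return 0;
}

/* Append a chunk header plus optional body; returns bytes written. */
static size_t put_chunk(uint8_t *p, const char *id, uint32_t csz, const uint8_t *body, size_t blen) {
    memcpy(p, id, 4);
    p[4] = (uint8_t)csz;         p[5] = (uint8_t)(csz >> 8);
    p[6] = (uint8_t)(csz >> 16); p[7] = (uint8_t)(csz >> 24);
    if (body) memcpy(p + 8, body, blen);
    return 8 + blen;
}

/* Constructed sample: a minimal ACON file with one well-formed anih chunk and,
 * when malicious != 0, a second anih declaring 0x200 bytes with no body,
 * the shape of the CVE-2007-0038 trigger. Returns the file length (needs 64 bytes). */
size_t build_sample(uint8_t *out, int malicious) {
    uint8_t hdr[ANIH_SIZE] = {0};
    hdr[0] = ANIH_SIZE;                           /* cbSizeof field of ANIHEADER */
    size_t n = put_chunk(out, "RIFF", 0, NULL, 0);
    memcpy(out + n, "ACON", 4); n += 4;
    n += put_chunk(out + n, "anih", ANIH_SIZE, hdr, ANIH_SIZE);
    if (malicious)
        n += put_chunk(out + n, "anih", 0x200, NULL, 0);
    out[4] = (uint8_t)(n - 8);                    /* RIFF size field */
    return n;
}

int demo_clean(void)     { uint8_t f[128]; return ani_first_bad_anih(f, build_sample(f, 0)); }
int demo_malicious(void) { uint8_t f[128]; return ani_first_bad_anih(f, build_sample(f, 1)); }

int main(void) {
    printf("clean file: %d (0 = no oversize anih)\n", demo_clean());
    printf("crafted file: first oversize anih is chunk #%d\n", demo_malicious());
    return 0;
}
```

The check is deliberately on the declared size, not on whether the body is present: the vulnerable copy used the declared size as its length, so that is the field a scanner or content filter has to reject.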

DoS against Windows via WMF files
Published: 4 April 2007
SecurityVulns ID: 7528
Type: client
Severity: 5/10
Description: Invalid dereference of an offset in a kernel structure by kernel GDI functions while processing a crafted WMF image; the result is a kernel crash (possibly a persistent restart), not code execution.
Affected products: MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
CVE:CVE-2007-1211 (Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560.)
Original text: IDEFENSE, iDefense Security Advisory 04.03.07: Microsoft Windows WMF Triggerable Kernel Design Error DoS Vulnerability (04.04.2007)
Files: Microsoft Windows multiple GDI vulnerabilities

Multiple vulnerabilities in the Windows graphics subsystem
Published: 4 April 2007
SecurityVulns ID: 7529
Type: client
Severity: 9/10
Description: Cumulative bulletin MS07-017: the animated cursor stack overflow (remote code execution), the WMF kernel DoS, and several local privilege escalations in GDI (EMF and image parsing, the TrueType rasterizer, writable shared kernel GDI structures, invalid layered window sizes).
Affected products: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
CVE:CVE-2007-1215 (Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images.)
 CVE-2007-1213 (The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows local users to gain privileges via crafted TrueType fonts, which result in an uninitialized function pointer.)
 CVE-2007-1212 (Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via a crafted Enhanced Metafile (EMF) image format file.)
 CVE-2007-1211 (Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560.)
 CVE-2007-0038 (Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.)
 CVE-2006-5758 (The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory section that is mapped with read-only permissions, but can be remapped by other processes as read-write, which allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures.)
 CVE-2006-5586 (The Graphics Rendering Engine in Microsoft Windows 2000 SP4 and XP SP2 allows local users to gain privileges via "invalid application window sizes" in layered application windows, aka the "GDI Invalid Window Size Elevation of Privilege Vulnerability.")
Original text: MICROSOFT, Microsoft Security Bulletin MS07-017 Vulnerabilities in GDI Could Allow Remote Code Execution (925902) (04.04.2007)
Files: Microsoft Windows animated cursors buffer overflow
 Windows kernel GDI structures privilege escalation
 Microsoft Windows DoS with WMF files
 Microsoft Security Bulletin MS07-017 Vulnerabilities in GDI Could Allow Remote Code Execution (925902)

Buffer overflow in the Yahoo! Messenger ActiveX control
Published: 4 April 2007
SecurityVulns ID: 7530
Type: client
Severity: 6/10
Description: Stack-based buffer overflow in the AudioConf ActiveX control (yacscom.dll) via overlong socksHostname and hostname properties.
Affected products: YAHOO : Yahoo Messenger 8.1
CVE:CVE-2007-1680 (Stack-based buffer overflow in the createAndJoinConference function in the AudioConf ActiveX control (yacscom.dll) in Yahoo! Messenger before 20070313 allows remote attackers to execute arbitrary code via long (1) socksHostname and (2) hostname properties.)
Original text: ZDI, ZDI-07-012: Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow (04.04.2007)

Multiple vulnerabilities in the X.Org X11 server
Published: 4 April 2007
SecurityVulns ID: 7531
Type: local
Severity: 7/10
Description: Multiple integer overflows in allocation-size computations (BDF font parsing, the fonts.dir entry count, the XC-MISC GetXIDList request) leading to heap and stack memory corruption, plus a divide-by-zero DoS in the Render extension.
Affected products: TIGHTVNC : tightvnc 1.2
 FREETYPE : freetype 2.2
 XORG : X11 7.1
CVE:CVE-2007-2437 (The X render (Xrender) extension in X.org X Window System 7.0, 7.1, and 7.2, with Xserver 1.3.0 and earlier, allows remote authenticated users to cause a denial of service (daemon crash) via crafted values to the (1) XRenderCompositeTrapezoids and (2) XRenderAddTraps functions, which trigger a divide-by-zero error.)
 CVE-2007-1352 (Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.)
 CVE-2007-1351 (Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.)
 CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.)
Original text: IDEFENSE, [Full-disclosure] iDefense Security Advisory 04.03.07: Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability (04.04.2007)
 IDEFENSE, [Full-disclosure] iDefense Security Advisory 04.03.07: Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability (04.04.2007)
 IDEFENSE, [Full-disclosure] iDefense Security Advisory 04.03.07: Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability (04.04.2007)

Multiple vulnerabilities in MIT Kerberos (multiple bugs)
updated since 4 April 2007
Published: 11 April 2007
SecurityVulns ID: 7527
Type: remote
Severity: 9/10
Description: The telnet daemon allows login as any user without a password (username beginning with '-'). Stack-based buffer overflow in krb5_klog_syslog() affecting kadmind and the KDC. Double free in the GSS-API library reachable through kadmind.
Affected products: MIT : krb5 1.6
CVE:CVE-2007-1216 (Double-free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding".)
 CVE-2007-0957 (Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.)
 CVE-2007-0956 (The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.)
Original text: c0ntexb_(at)_gmail.com, Kerberos Version 1.5.1 Kadmind Remote Root Buffer Overflow Vulnerability (11.04.2007)
 MIT, MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957] (04.04.2007)
 MIT, MITKRB5-SA-2007-003: double-free vulnerability in kadmind (via GSS-API library) [CVE-2007-1216] (04.04.2007)
 MIT, MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956] (04.04.2007)
 IDEFENSE, iDefense Security Advisory 04.03.07: Multiple Vendor Kerberos kadmind Buffer Overflow Vulnerability (04.04.2007)
 CERT, US-CERT Technical Cyber Security Alert TA07-093B -- MIT Kerberos Vulnerabilities (04.04.2007)
Files: Exploits Kerberos 1.5.1 Kadmind Remote Root Buffer Overflow Vulnerability

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod