An authentication bypass vulnerability exists in Oracle’s Application Testing Suite. The vulnerability is due to insufficient input validation while processing HTTP requests. A remote attacker can exploit this vulnerability by sending a crafted request to the vulnerable server.
Monthly Archives: September 2016
Bugtraq: [slackware-security] php (SSA:2016-267-01)
Bugtraq: OS-S Security Advisory 2016-19: Epson WorkForce multi-function printers do not use signed firmware images and allow unauthorized malicious firmware-updates (CVSS 10)
Bugtraq: [security bulletin] HPSBGN03648 rev.1 – HPE LoadRunner and Performance Center, Remote Denial of Service (DoS)
RHEA-2016:1935-1: rhev-hypervisor bug fix and enhancement update for RHEV 3.6.9
Red Hat Enterprise Linux: An updated rhev-hypervisor package is now available.
Linux Kernel 4.6.3 Netfilter Privilege Escalation
This Metasploit module attempts to exploit a netfilter bug on Linux kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do so) 2. libc6-dev-i386 (ubuntu), glibc-devel.i686
Android Stagefright MP4 tx3g Integer Overflow
This Metasploit module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit’s Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element’s videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element’s duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode.
DSA-3680 bind9 – security update
Two vulnerabilities were reported in BIND, a DNS server.
DSA-3679 jackrabbit – security update
Lukas Reschke discovered that Apache Jackrabbit, an implementation of the Content Repository for Java Technology API, did not correctly check the Content-Type header on HTTP POST requests, enabling Cross-Site Request Forgery (CSRF) attacks by malicious web sites.
Vuln: ImageMagick Multiple Heap Overflow Vulnerabilities