
Monday, March 05, 2007

MOPB reports old hole in new version of PHP

Report of 04.03.2007 18:25

The initiators of the Month of PHP Bugs (MOPB) have published vulnerabilities in the Zend engine, PHP4, and the current developer version of the scripting language. Software updates have already been provided for a few of these flaws.

One of the flaws reported concerns PHP versions 4.4.3 up to the current 4.4.6. The phpinfo() function provides information about the PHP environment, including the content of variables transmitted with the request. A cross-site scripting (XSS) vulnerability arises when these variables are not correctly filtered. The developers already attempted to remedy the flaw in PHP 4.4.1, but they apparently missed something when incompletely backporting the corrected functions from PHP5 into PHP4, leaving PHP4 still vulnerable to XSS.

In the developer version (CVS) of PHP, the developers opened a new hole while trying to replace insecure function calls, for instance swapping strncpy and sprintf for strlcpy and spprintf. In doing so they made a mistake in the WDDX functions, which are used to share data between web applications: using strlcpy where strlcat was needed can cause a buffer overflow when specially prepared WDDX packets are processed.
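The class of mistake described above, as an added example that is not PHP's own code: a strcat-style append rewritten with strlcpy but bounded by the whole buffer size, next to the strlcat form that truncates instead, with a sentinel after the buffer so the overrun can be observed. The buffer layout, the names and the portable strlcpy/strlcat re-implementations are assumptions made for this demonstration.

```c
#include <string.h>
/* Portable strlcpy/strlcat (glibc lacked them for years; PHP ships its own copies).
   Hypothetical re-implementations written for this example, not PHP's code. */
static size_t my_strlcpy(char *dst, const char *src, size_t size) {
    size_t n = strlen(src);
    if (size) {
        size_t copy = n >= size ? size - 1 : n;
        memcpy(dst, src, copy);
        dst[copy] = '\0';
    }
    return n;
}
static size_t my_strlcat(char *dst, const char *src, size_t size) {
    size_t dlen = 0;
    while (dlen < size && dst[dlen]) dlen++;
    if (dlen == size) return size + strlen(src);  /* dst unterminated: append nothing */
    return dlen + my_strlcpy(dst + dlen, src, size - dlen);
}
/* 24 bytes of storage: bytes 0..15 are the string buffer (10 of its 15 usable bytes
   already hold "wddx-name:"), bytes 16..23 hold the sentinel "CANARY!". One flat
   array keeps every write inside a single object, so the demo is well-defined C. */
enum { BUF_SIZE = 16, MEM_SIZE = 24 };
static const char INITIAL[MEM_SIZE] = "wddx-name:\0\0\0\0\0\0CANARY!";
static int sentinel_intact(const char *mem) {
    return memcmp(mem + BUF_SIZE, INITIAL + BUF_SIZE, MEM_SIZE - BUF_SIZE) == 0;
}
/* The mistake: a strcat()-style append converted to strlcpy() but bounded by the
   whole buffer size instead of the space left after the existing contents. */
static void append_buggy(char *buf, const char *src) {
    my_strlcpy(buf + strlen(buf), src, BUF_SIZE);   /* wrong bound once buf is non-empty */
}
/* The fix: strlcat() accounts for the existing contents and truncates instead. */
static void append_safe(char *buf, const char *src) {
    my_strlcat(buf, src, BUF_SIZE);
}
/* Returns 1 when the buggy append ran past the buffer and clobbered the sentinel. */
int demo_buggy_overflows(void) {
    char mem[MEM_SIZE];
    memcpy(mem, INITIAL, MEM_SIZE);
    append_buggy(mem, "0123456789AB");   /* 10 + 12 > 15 usable bytes: overflow */
    return !sentinel_intact(mem);
}
/* Returns 1 when the strlcat form truncates to 15 bytes and leaves the sentinel alone. */
int demo_safe_truncates(void) {
    char mem[MEM_SIZE];
    memcpy(mem, INITIAL, MEM_SIZE);
    append_safe(mem, "0123456789AB");
    return sentinel_intact(mem) && strlen(mem) == BUF_SIZE - 1;
}
```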

As a "bonus", two security holes in the Zend Platform are noted. Thanks to insecure file permissions, attackers who have already penetrated the server, for instance through a hole in PHP, can escalate their privileges up to root. In addition, another vulnerability allows php.ini to be modified so that attackers can again escalate their privileges. The flaws affect Zend Platform version 2.2.3 and earlier; updating to version 3 solves the problem.

Monday, February 05, 2007

MS Office Zero-Day Under Attack

"Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."

Microsoft late Friday warned users to be on the lookout for Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address.

In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk.

Confirmed vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Microsoft Office 2004 v. X for Mac.

The vulnerability cannot be exploited on Office 2007 or on Works 2004, 2005, or 2006.

This is the fourth known zero-day attack against the ever-present Microsoft Office suite since early December 2006. The three previous attacks, all aimed directly at specific targets, used rigged Microsoft Word .doc files.

Anti-virus vendor McAfee has issued an alert explaining the attack characteristics, which require that a specially crafted .xls file be opened:

* Unpack the XOR-encrypted shellcode in memory.

* Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash.

* Create a new file, %Temp%\op10.exe, using the API calls GetTempPathA and CreateFileA.

* Look for the open file handle of the XLS file in memory, using the GetFileSize API call to match a specific file size.

* Extract the payload from the XLS file and write it into %Temp%\op10.exe.

* Execute %Temp%\op10.exe.