From jericho at attrition.org Mon Jun 3 18:23:19 2013
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 3 Jun 2013 18:23:19 -0500 (CDT)
Subject: [VIM] ZDI-13-104 Advisory CVE number may be incorrect?
In-Reply-To: <51A7A080.4030502@hp.com>
References: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A5@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM> <51A7A080.4030502@hp.com>
Message-ID:

On Thu, 30 May 2013, ZDI Disclosures wrote:

: Hello,
:
: Thank you for the information below. We are aware. Microsoft had erroneously
: assigned the CVE to both cases. We now have the correct CVE and will be
: updating our portal within the next few days.

Until you update your advisory, can you share the correct CVE with us please?

http://www.zerodayinitiative.com/advisories/ZDI-13-104/
CVE ID CVE-2013-1305

thanks

From jericho at attrition.org Tue Jun 4 22:40:52 2013
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 4 Jun 2013 22:40:52 -0500 (CDT)
Subject: [VIM] BID 60322 - bad date?
Message-ID:

Novell ZENworks Configuration Management CVE-2013-1095 Cross-Site Scripting Vulnerability
2013-06-28
http://www.securityfocus.com/bid/60322

http://www.securityfocus.com/bid/60322
Published: Jun 28 2013 12:00AM
Updated: Jun 28 2013 12:00AM

^ seems like this is a bit in the future, by 24 days

(normally i'd contact BID directly, but they ignored many emails regarding a 2012 entry with a 2013 future date. only way to get their intention is via public mail lists it seems.)

From jericho at attrition.org Sat Jun 8 12:37:28 2013
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 8 Jun 2013 12:37:28 -0500 (CDT)
Subject: [VIM] ZDI-13-084 confirm CVE?
Message-ID:

http://www.zerodayinitiative.com/advisories/ZDI-13-084/
CVE-2013-3140 (RESERVED)

https://technet.microsoft.com/en-us/security/bulletin/ms13-037

^ Based on the MS13-037 association, imagine this is a duplicate assignment.
3140 doesn't appear to be a typo and 1340 is still out of range of the 2013-13xx associations with that advisory.

Thanks

From Narayan_Agarwalla at symantec.com Wed Jun 12 01:47:51 2013
From: Narayan_Agarwalla at symantec.com (Narayan Agarwalla)
Date: Tue, 11 Jun 2013 23:47:51 -0700
Subject: [VIM] ZDI-13-113 Advisory CVE number may be incorrect?
Message-ID: <96CC6D276D1CC043905F0666B28DA2CB2AADBFAC66@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi ZDI team

The advisory referenced by this URI http://www.zerodayinitiative.com/advisories/ZDI-13-113/ points to CVE-2103-1018. Looks like there is some error in CVE mentioned and it should be CVE-2013-1018. Could you please check it and correct the record.

Thanks!

Narayan Agarwalla
Supervisor, DeepSight
Security Technology and Response
Mobile: +91-8939922488

From gtheall at tenable.com Wed Jun 12 20:08:32 2013
From: gtheall at tenable.com (George Theall)
Date: Thu, 13 Jun 2013 01:08:32 +0000
Subject: [VIM] Sami FTP Server RETR Command Remote Denial of Service Vulnerability
Message-ID: <22076CCD-AB17-4413-AA64-CBD6CB44B1B0@tenable.com>

Narayan / Venkat / Rob : isn't the DoS in Sami FTP Server covered by BID 60513 just a rehash of one of those that securfrog reported back in 2008 (CVE-2008-5105 / BID 27817 / OSVDB 50303 / http://archives.neohapsis.com/archives/bugtraq/2008-02/0231.html)?

George
--
theall at tenable.com

From patrick at aushack.com Thu Jun 13 01:04:18 2013
From: patrick at aushack.com (Patrick Webster)
Date: Thu, 13 Jun 2013 16:04:18 +1000
Subject: [VIM] Sami FTP Server RETR Command Remote Denial of Service Vulnerability
In-Reply-To: <22076CCD-AB17-4413-AA64-CBD6CB44B1B0@tenable.com>
References: <22076CCD-AB17-4413-AA64-CBD6CB44B1B0@tenable.com>
Message-ID:

From writing the Metasploit module awhile back (http://www.metasploit.com/modules/exploit/windows/ftp/sami_ftpd_user), I would have to say this is correct.

The daemon itself was okay however there was an unsafe sprintf when viewing the logging console, and this appears to be the exact same issue (on an even earlier release!).

-Patrick

On Thu, Jun 13, 2013 at 11:08 AM, George Theall wrote:
> Narayan / Venkat / Rob : isn't the DoS in Sami FTP Server covered by BID 60513 just a rehash of one of those that securfrog reported back in 2008 (CVE-2008-5105 / BID 27817 / OSVDB 50303 / http://archives.neohapsis.com/archives/bugtraq/2008-02/0231.html)?
>
> George
> --
> theall at tenable.com
>

From gtheall at tenable.com Wed Jun 19 15:02:32 2013
From: gtheall at tenable.com (George Theall)
Date: Wed, 19 Jun 2013 20:02:32 +0000
Subject: [VIM] ABB DataManager Multiple 'cwui.oc' ActiveX Controls 'ExportStyle()' Insecure Method Vulnerability
Message-ID: <48337E1C-5493-4203-9E7F-ED613EBEB8BF@tenable.com>

Narayan / Venkat / Rob : what's the difference between BID 60673, which was created today, and BID 60493, from a week ago? Both reference ZDI-13-120 and involve the ExportStyle() method of various CWUI ActiveX controls included with DataManager.

George
--
theall at tenable.com

From jericho at attrition.org Wed Jun 19 17:50:56 2013
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 19 Jun 2013 17:50:56 -0500 (CDT)
Subject: [VIM] Mobile Devices and Exploit Vector Absurdity
Message-ID:

I have just posted to the OSVDB blog about terminology and exploitation characteristics regarding mobile devices. Steve encouraged I post to VIM so we could pedantically debate the finer points of the issue. =)

http://blog.osvdb.org/2013/06/19/mobile-devices-and-exploit-vector-absurdity/

From coley at mitre.org Mon Jun 24 11:24:47 2013
From: coley at mitre.org (Christey, Steven M.)
Date: Mon, 24 Jun 2013 16:24:47 +0000
Subject: [VIM] CVE-2013-4635 SndToJewish / SdnToJewish function name
Message-ID:

Apparently a lot of sources are saying the affected function name in CVE-2013-4635 is "SndToJewish". This may stem from an apparent typo in the original PHP disclosures.

CVE believes that the correct spelling is "SdnToJewish" which can be seen in the jewish.c source code, e.g.:

http://git.php.net/?p=php-src.git;a=blob;f=ext/calendar/jewish.c;h=fcc0e5c0b878ebdd41dfeaecf148b755cd5e6f2d;hb=fcc0e5c0b878ebdd41dfeaecf148b755cd5e6f2d

If you search for "sdn" in http://www.php.net/ChangeLog-5.php, you will see other functions with a similar "Sdn" prefix. Here, and elsewhere on the Web, SDN is an acronym for "serial day number," which would make sense because the functions are related to date calculations.

- Steve

From amanion at cert.org Thu Jun 27 16:50:15 2013
From: amanion at cert.org (Art Manion)
Date: Thu, 27 Jun 2013 17:50:15 -0400
Subject: [VIM] CVE-2013-1571 Javadoc
Message-ID: <51CCB397.1020804@cert.org>

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571

"Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc."

http://www.kb.cert.org/vuls/id/225657

We're pretty confident that the problem is frame injection in html generated by Javadoc. Previous javascript included a check for ":" that broke obvious XSS attacks (possibly CVE-2007-3503), but it allowed ?//www.example.com (scheme-relative URI or network-path reference).

- Art
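
The gap described in the message above, as an added example that is not part of the original post and is not Javadoc's or Oracle's code: a ":" filter on a frame target next to a check that resolves the target the way a browser does and requires the same origin. The documentation origin, the sample query strings and all function names are assumptions made for illustration.

```javascript
// Added illustration; origin, paths and function names are constructed.
const DOC_BASE = "https://docs.example.org/api/index.html";

// Frame target taken from the page's query string, e.g. "?java/lang/String.html".
function targetFromQuery(search) {
  return search.startsWith("?") ? search.slice(1) : search;
}

// Resolve a target against the document URL as a browser would; null if unparsable.
function resolveTarget(target) {
  try {
    return new URL(target, DOC_BASE);
  } catch (err) {
    return null;
  }
}

// The kind of check the message describes: refuse anything containing ":".
function colonCheckAllows(target) {
  return !target.includes(":");
}

// Stricter check (an assumption, not the vendor's fix): same origin after resolution.
function sameOriginCheckAllows(target) {
  const resolved = resolveTarget(target);
  return resolved !== null && resolved.origin === new URL(DOC_BASE).origin;
}

// Run both checks over a list of query strings and report what each would load.
function compareChecks(searches) {
  return searches.map((search) => {
    const target = targetFromQuery(search);
    const resolved = resolveTarget(target);
    return {
      search,
      resolved: resolved ? resolved.href : null,
      colonCheck: colonCheckAllows(target),
      sameOriginCheck: sameOriginCheckAllows(target),
    };
  });
}

// Constructed sample inputs: a normal page, the two forms named in the message,
// and an absolute URL.
const SAMPLE_SEARCHES = [
  "?java/lang/String.html",
  "?//www.example.com",
  "?javascript:void(0)",
  "?http://www.example.com/",
];

console.table(compareChecks(SAMPLE_SEARCHES));
```

The second row is the one that matters: the network-path reference contains no ":" yet resolves to a different host, so only the origin comparison refuses it.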