===========
Description
===========
Wade Alcorn and John Heasman of NGSSoftware have discovered a stack
overflow vulnerability in Castle Rock Computing SNMPc Network Manager.
SNMPc Network Manger is a distributed network management system that
allows monitoring of the network infrastructure. It employs a
distributed polling agent architecture which uses SNMP TRAPs to provide
a solution capable of monitoring networks with up to ten thousand
devices. An SNMP TRAP initiated by a network element is sent to the
SNMPc Network Manager to allow monitoring of the infrastructure.

=================
Technical Details
=================
The vulnerability can be exploited when an overly long community string
is sent in the SNMP TRAP packet. The packets format will be valid ASN.1,
including the length of the community string. An attacker can craft a
single UDP packet that can lead to the execution of arbitrary code in
the context of LocalSystem.

===============
Fix Information
===============
NGSSoftware wish to note that Castle Rock Computing were extremely
pro-active in addressing this issue.

The latest version (SNMPc 7.1.1) can be downloaded from the Castle Rock
Computing website: http://www.castlerock.com/.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

========
TimeLine
========
Discovered:  1 August 2006
Released:  1 August 2006
Approved:  1 August 2006
Reported:  1 August 2006
Fixed: 25 October 2007
Published: 29 October 2007

===========
Description
===========
There is a heap overflow in the Realplayer code that parses ID3 tags in
MP3 files.

Impact: attackers could execute code of their choice on susceptible
systems if a user were induced to open a malicious MP3 file.

=================
Technical Details
=================
The problem stems from the parsing of a Lyrics3 v2.00 tag.  The size of
the tag is calculated by reading 5 ASCII characters and calling
pncrt.atoi.  A buffer is then allocated on the heap of size tag length +
1.  Since atoi parses a signed integer, supplying -1, results in a zero
length allocation into which data is copied.

This can be exploited to overwrite a function pointer leading to the
execution of arbitrary attacker-supplied code in the context of the user
under which RealPlayer is running.

===============
Fix Information
===============
This issue has now been resolved.  Steps detailing how to update RealPlayer may be obtained
from:

http://service.real.com/realplayer/security/10252007_player/en/

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

========
TimeLine
========
Discovered:  1 October 2006
Released:  2 October 2006
Approved:  7 October 2006
Reported:  1 November 2006
Fixed: 18 July 2007
Published: 29 October 2007

===========
Description
===========
The Java browser plugin shipped with versions of the JRE and JDK
listed above, contains a vulnerability that allows an
untrusted applet to violate the network access restrictions placed on it
by the Java sandbox in order to connect to the local host.  This permits a
malicious website to host an applet that is capable of port scanning the
local system and exploiting vulnerable network services (e.g. unpatched
vulnerabilities in MSRPC etc.)

=================
Technical Details
=================
The Java browser plugin allows applets to be loaded from a remote location
most typically over HTTP/HTTPs but also over a number of other supported
protocols including an undocumented protocol scheme “verbatim”.  Untrusted
applets are subject to network access restrictions documented at
http://java.sun.com/sfaq/:

“Applets are not allowed to open network connections to any computer,
except for the host that provided the .class files. This is either the
host where the html page came from, or the host specified in the codebase
parameter in the applet tag, with codebase taking precendence.”

By specifying a codebase URI prefixed by “verbatim:” it is possible to
load an applet from a remote location but have the browser plugin believe
it has been loaded from the local host.  This allows an untrusted applet
to connect to and attempt to exploit network services running on the local
host.  It should be noted that unlike binary sockets in Flash 9, an applet
can connect to any port, not just those greater than 1024.

At the time of reporting this issue, NGS provided Sun with a demonstration
applet that exploited MS06-040 (”Vulnerability in Server Service could
allow remote code execution”) on a vulnerable XP SP1 system.

===============
Fix Information
===============
This issue is addressed in the following releases (for Windows, Solaris,
and Linux):

JDK and JRE 6 Update 2 or later
JDK and JRE 5.0 Update 12 or later
SDK and JRE 1.4.2_15 or later

Further information is available at
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

========
TimeLine
========
Discovered: 20 September 2006
Released: 20 September 2006
Approved: 20 September 2006
Reported:  1 November 2006
Fixed: 15 August 2007
Published: 29 October 2007

===========
Description
===========
It is possible to cause the Java Virtual Machine to overwrite an arbitrary
memory location with an arbitrary value (repeatedly and in a stable manner)
when parsing a malformed TrueType font.

Impact: By coercing a user to view a malicious web page, an attacker could
instantiate an applet that executes arbitrary native code inside the
browser.

=================
Technical Details
=================
From http://en.wikipedia.org/wiki/TrueType:

“TrueType systems include a virtual machine that executes programs inside
the font, processing the “hints” of the glyphs. These distort the control
points which define the outline, with the intention that the rasterizer
produces fewer undesirable features on the glyph. Each glyph’s hinting
program takes account of the size (in pixels) that the glyph is being
displayed at, as well as other less important factors of the display
environment.

Although incapable of receiving input and producing output as normally
understood in programming, the TrueType hinting language does offer the
other prerequisites of programming languages: conditional branching (IF
statements), looping an arbitrary number of times (FOR- and WHILE-type
statements), variables (although these are simply numbered slots in an
area of memory reserved by the font), and encapsulation of code into
functions. Special instructions called “delta hints” are the lowest level
control, moving a control point at just one pixel size.”

There are two instructions for writing values to the Control Value Table
(CVT) which holds global variables that can be used by multiple glyphs.
One of these functions does not perform sufficient validation on the
supplied index.  This allows a font to write a scaled value relative to
the base of the dynamically allocated CVT.  The scaling factor is based on
the requested size of the font - setting this to 32 results in a factor of
1.

In order to write to an arbitrary location the base of the CVT must first
be determined.  The instruction to read from the CVT was also found not to
validate its index, so this can be used to read memory relative to the CVT
base.  At an offset of -0×38 DWORDs there is a pointer to the end of the
CVT; this can be used to determine the CVT base. The end result is that an
arbitrary value can be written to an arbitrary value repeatedly.  An
attacker can make use of the VM instructions to implement “pre-exploit”
logic that determines the browser, operating system and architecture
before deploying a chosen payload.  This facilitates creation of a
cross-browser, cross-operating system, cross-architecture exploit.

===============
Fix Information
===============
This issue is addressed in the following releases (for Solaris, Linux, and
Windows):

JDK and JRE 5.0 Update 10 or later
SDK and JRE 1.4.2_15 or later

Further information is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103024-1

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/

+44(0)208 401 0070

Name: Oracle audit issue with XMLDB ftp service
Systems Affected: Oracle Oracle 9ir2, 10g Release 1
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th March 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007E

Description
***********
The Oracle XML DB ftp service contains problems with auditing logins.

Details
*******
When a user attempts to log in via the XDB ftp service the audit trail shows
an incorrect entry for USERID. This can present two subtle problems.
Firstly, if  a user logs in as “SYSTEM” the USERID column only shows “SYSTE”
- only 5 characters. The second problem is that if the same user then
attempts to log in a  user “FOO”, “FOOTE” is logged in the USERID column -
the “TE” coming from the “TE” of “SYSTE[M]” - the previous login. This only
happens on the same  connected TCP circuit; as such all audit entries have
the same SESSIONID.

Fix Information
***************
Oracle was alerted to this flaw on the 9th of March 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your  servers is vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix.  Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States;  NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

Name: Oracle TNS Listener DoS and/or remote memory inspection
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007C

Description
***********
The TNS Listener can be crashed by an attacker causing a Denial of Service;
alternatively the attacker can use the same flaw to expose memory contents
remotely. This may reveal sensitive information.

Details
*******
There is a bug in GIOP service that can allow an attacker to crash the TNS
Listener and/or dump memory. A DWORD in the connect GIOP packet is trusted
as the  size of the data in the packet. By setting this to a large value
(e.g. 0×1FFFF) causes the listener to allocate this much memory then attempt
to copy this  much data to it - which eventually leads to a read access
violation because the source data is less than this number and the process
lands in uninitialized  memory. If the attacker uses a smaller number, e.g.
0xFFFF they can dump this many bytes from memory. This may reveal sensitive
information such as the TNS  Listener password.

Fix Information
***************
Oracle was alerted to this flaw on the 22nd of June 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers is vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix.  Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States;  NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

Name: Multiple SQL Injection Flaws in Oracle CTX_DOC package
Systems Affected: Oracle 10g release 1 and 2
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 6 June 2005
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007A

Description
***********
The Intermedia application in Oracle 10g release 1 and 2 is vulnerable to
SQL injection.

Details
*******
The Intermedia application, owned by CTXSYS, contains a package called
CTX_DOC. This package contains multiple SQL injection flaws. The following
procedures on this package provide vectors for SQL injection attacks:

THEMES
GIST
TOKENS
FILTER
HIGHLIGHT
MARKUP

These can be exploited by a database user; further they can be exploited via
Oracle Application Server by an attacker without a user ID and password
across the Internet.

Fix Information
***************
Oracle was alerted to these flaws on the 6th of June 2005. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to these flaws. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

Name: Oracle RDBMS Data packet DoS
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 23rd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007D

Description
***********
The Oracle RDBMS on receiving an invalid TNS data packet will use 100% of
the CPU’s time introducing a Denial of Service condition.

Details
*******
Once a client connects to the database process and performs protocol
negoation (TNS packet type 1) and data type represenations (packet type 2)
it may then  send packets of type 6 - Data packets. If the server gets a
packet with the 2nd bit of the Data flags is set then the server runs at
100% CPU:

“\x00\x1D” // Packet Size
“\x00\x00″ // Packet Checksum
“\x06″ // Packet Type [DATA]
“\x00″ // Flags
“\x00\x00″ // Header Checksum
“\x00\x02″ // Data flags
“\x03\x3B” // TTI Version function
..
..

The snippet of a packet above sets the Data flags to 0×0002 on a version
request. This DoS condition can be triggered prior to authentication. This
can be exploited by an unauthenticated attacker.

Fix Information
***************
Oracle was alerted to this flaw on the 23rd of June 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your  servers is vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix.  Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States;  NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

Name: SQL Injection Flaw in Oracle Workspace Manager
Systems Affected: Oracle 10g release 1 and 2, Oracle 9i
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd August 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007B

Description
***********
The Workspace Manager in Oracle 10g release 1 and 2 and Oracle 9i is
vulnerable to SQL injection.

Details
*******

The Workspace Manager, owned by SYS, contains a package called LT. This
package is owned and defined by the SYS user and can be executed by PUBLIC.
LT contains a procedure called FINDRICSET which calls the FINDRICSET package
in the LTRIC package. This is vulnerable to SQL injection and can be abused
by an attacker to gain SYS privileges.

Fix Information
***************
Oracle was alerted to this flaw on the 22nd of August 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

========
TimeLine
========
Discovered: 18 May 2007
Released: 22 May 2007
Approved: 11 June 2007
Reported: 23 May 2007
Fixed: 15 August 2007
Published: 16 August 2007

===========
Description
===========
Impact: locally logged-on users of affected hosts can cause arbitrary
binaries to be executed in the context of Local System. This effectively
compromises the host.

=================
Technical Details
=================
Cisco’s VPN client for Windows installs a Windows service, the “Cisco
Systems, Inc. VPN Service” or CVPND, whose associated binary is
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe. By default, the
CVPND service runs as Local System.

SERVICE_NAME: CVPND
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 0   IGNORE
BINARY_PATH_NAME   : “C:\Program Files\Cisco Systems\VPN
Client\cvpnd.exe”
LOAD_ORDER_GROUP   :
TAG                : 0
DISPLAY_NAME       : Cisco Systems, Inc. VPN Service
DEPENDENCIES       : TCPIP
SERVICE_START_NAME : LocalSystem

Interactive Users (i.e. those who have logged on locally) are granted
Modify permissions to cvpnd.exe (and its parent directory), denoted by
NT AUTHORITY\INTERACTIVE:C in the cacls output below.

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
NT AUTHORITY\INTERACTIVE:C
BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

This allows normal users who have logged on to a susceptible host to
move cvpnd.exe to another location, and substitute another binary for
cvpnd.exe. When the CVPND service restarts (e.g. on reboot), the
replaced cvpnd.exe will run in the context of Local System. This
effectively escalates users’ privileges, thereby compromising the host.

===============
Fix Information
===============
Upgrade to a fixed version of the Cisco VPN client: see Cisco’s advisory
at the URL below for more details.

http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml

Alternatively, as a workaround, revoke access rights for NT
AUTHORITY\INTERACTIVE from cvpnd.exe, e.g.:

C:\Program Files\Cisco Systems\VPN Client>cacls cvpnd.exe /E /R “NT
AUTHORITY\INTERACTIVE”

–
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070