Advisories | 5 Nov 2005 02:30

[EEYEB-20050627B] Macromedia Flash Player Improper Memory Access Vulnerability

Macromedia Flash Player Improper Memory Access Vulnerability

Release Date:
November 4, 2005

Date Reported:
June 27, 2005

Severity:
High 

Vendor:
Macromedia

Systems Affected:
Macromedia Flash 6 (on all Windows platforms) 
Macromedia Flash 7 (on all Windows platforms)

Overview:
eEye Digital Security has discovered a vulnerability in Macromedia Flash
Player versions 6 and 7 that will allow an attacker to run arbitrary
code in the context of the logged in user.  An array boundary condition
may be violated by a malicious SWF file in order to redirect execution
into attacker-supplied data.

Technical Details:
The vulnerable code exists in Flash.ocx, which embodies the code
responsible for playing back SWF files.  One function maintains a large,
256-element table of function pointers on the stack, and uses a frame
type identifier read from the SWF file as an index into the array,

Oracle October 2005 CPU Problems

Examining the Oracle October 2005 Critical Patch Update in depth, 
NGSResearchers discovered a number of problems which have all since been 
reported to Oracle. As well as new vulnerabilities and problems with the 
patches for old vulnerabilities, the October 2005 CPU fails to install the 
patched Oracle Text (CTXSYS) components on Oracle 8.1.7.4 on all operating 
systems. This is due to a problem with the install sql script: rather than 
executing

SELECT DBMS_REGISTRY.SCRIPT('CONTEXT','@ctxcpu.sql')....

the install script executes

SELECT DBMS_REGISTRY.SCRIPT('CTX','@ctxcpu.sql')....

So, even if you have Oracle Text installed the patch installer will not 
install the updated PL/SQL packages. The fallout from this means that your 
servers may still be vulnerable to the Oracle Text flaws; these allow a low 
privileged user to gain DBA privileges. Further, if the RDBMS is part of a 
web application that uses Oracle Portal (OAS, IAS, Oracle HTTP Server) then 
an attacker may exploit this from the Internet without a userID and 
password.

To check if you are still vulnerable, execute the following query:

select owner,package_name,object_name from all_arguments where owner = 
'CTXSYS' and package_name = 'DRILOAD' and object_name = 'VALIDATE_STMT';

If no row is returned then you are not vulnerable but if a row is returned 
then you are vulnerable. In this case you should manually apply the 
ctxcpu.sql script.

Oracle DBMS_ASSERT and the October 2005 CPU

Whilst there are problems with the Oracle October 2005 Critical Patch 
Update, it's not all bad news....

There is a great deal of evidence in this patch that Oracle are beginning to 
treat security properly. They've introduced a new PL/SQL package, 
DBMS_ASSERT, into the RDBMS. Whilst DBMS_ASSERT was first released as part of 
the new 10g Release 2, it has been backported. Oracle use this package to 
sanitize user input to help prevent SQL injection. As this package has not 
been documented, NGSResearch have done so, as we feel that third-party Oracle 
app developers could benefit by using the package. This, and other papers, 
can be found at http://www.ngssoftware.com/papers.htm .

Cheers,
The NGSResearch Team
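An added example of the pattern DBMS_ASSERT exists for, not code from the NGSResearch post or from Oracle: a dynamic-SQL procedure that splices a caller-supplied object name and value straight into the statement, beside a version that validates the identifier with DBMS_ASSERT and binds the value. The procedure names, the REPORTS table and its STATUS column are hypothetical; the final block assumes such a table exists in the caller's schema.

```sql
-- Added example, not code from the NGSResearch post or from Oracle; REPORTS,
-- STATUS and both procedure names are hypothetical.

-- Vulnerable form: the caller's table name and filter value are concatenated
-- straight into the statement text, so any input that is not a bare
-- identifier or a plain value changes what the statement does.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
  p_table IN VARCHAR2, p_status IN VARCHAR2, p_count OUT NUMBER)
AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || p_table ||
                    ' WHERE status = ''' || p_status || ''''
    INTO p_count;
END;
/

-- Hardened form: the identifier goes through DBMS_ASSERT, the value is bound.
--   SIMPLE_SQL_NAME raises ORA-44003 unless its argument is one valid
--   identifier (a letter followed by letters, digits, $, # or _, or a
--   double-quoted name), so 'REPORTS WHERE 1=1' is rejected before any
--   SQL is built.
--   ENQUOTE_NAME wraps the checked name in double quotes (upper-casing an
--   unquoted one), so the parser can only read it as a single object name.
--   The status value never becomes statement text: it is passed as a bind.
CREATE OR REPLACE PROCEDURE count_rows_safe (
  p_table IN VARCHAR2, p_status IN VARCHAR2, p_count OUT NUMBER)
AS
  l_table VARCHAR2(130);
BEGIN
  l_table := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table));
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || l_table || ' WHERE status = :1'
    INTO p_count USING p_status;
END;
/

-- Check in SQL*Plus: the first call counts rows, the second is refused with
-- ORA-44003 instead of running the altered statement.
SET SERVEROUTPUT ON
DECLARE
  n NUMBER;
BEGIN
  count_rows_safe('REPORTS', 'OPEN', n);
  DBMS_OUTPUT.PUT_LINE('rows: ' || n);
  BEGIN
    count_rows_safe('REPORTS WHERE 1=1', 'OPEN', n);
  EXCEPTION
    WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
  END;
END;
/
```

DBMS_ASSERT only vets identifiers; data values still belong in bind variables, which is why the hardened procedure never builds the status into the statement text.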

Advisories | 10 Nov 2005 22:41

[EEYEB-20050510] - RealPlayer Data Packet Stack Overflow

RealPlayer Data Packet Stack Overflow

Release Date:
November 10, 2005

Date Reported:
May 28, 2005

Severity:
High (Remote Code Execution)

Vendor:
RealNetworks

Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise

Mac:
RealPlayer 10

Linux:
RealPlayer 10 (10.0.0 - 5)
Helix Player (10.0.0 - 5)


Advisories | 10 Nov 2005 22:44

[EEYEB-20050701] - RealPlayer Zipped Skin File Buffer Overflow II

RealPlayer Zipped Skin File Buffer Overflow II

Release Date:
November 10, 2005

Date Reported:
June 26, 2005

Severity:
High (Code Execution)

Vendor:
RealNetworks

Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8

Overview:
eEye Digital Security has discovered a vulnerability in RealPlayer that
allows a remote attacker to reliably overwrite the heap with arbitrary
data and execute arbitrary code in the context of the user under which
the player is running.

Technical Details:
A RealPlayer skin file (.rjs extension) can be downloaded and applied

High Risk Flaw in RealPlayer

John Heasman of NGSSoftware has discovered a high risk vulnerability in 
RealPlayer.
Versions affected include:

RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10

(Note: RealOne Player v1 & v2, RealPlayer 8 and RealPlayer Enterprise have 
also been updated to resolve issues reported by other security researchers)

The flaw permits execution of arbitrary code via a malformed image contained 
within a skin file. The update can be downloaded from

http://service.real.com/help/faq/security/051110_player/EN/

NGSSoftware are going to withhold details of this flaw for three months. 
Full details will be published on the 11th of January 2006. This three month 
window will allow users of RealPlayer the time needed to apply the patch 
before the details are released to the general public. This reflects 
NGSSoftware's approach to responsible disclosure.

NGSSoftware Insight Security Research
http://www.nextgenss.com/
+44(0)208 401 0070

David Litchfield | 15 Nov 2005 14:12

Three years and ten months without a patch

Whilst looking over old Oracle bugs I discovered that a _fully_ _patched_
8.1.7.4 Oracle server is still vulnerable to the old extproc flaw
[http://www.ngssoftware.com/advisories/oraplsextproc.txt]; this flaw, when
exploited, allows a remote attacker without a userID and password to take
control of the server. Why, you may ask, has a supported product gone for so
long without a patch for a serious problem that was made public 3 years and
10 months ago and reported to Oracle over 4 years ago? The answer, according
to Alert 57
[http://www.oracle.com/technology/deploy/security/pdf/2003alert57.pdf], is
that Oracle outright decided not to fix it. They claim "architectural
constraints" are the problem even though they managed to overcome these same
constraints on newer versions of Oracle. 

Users of 8.1.7.4 would do well to heed the advice offered in Alert 57 if
they've not already done so.

Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/

More commentary on this available here
http://www.databasesecurity.com/oracle-commentary.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
