New MS SQL Server vulnerability

Published: 2008-12-15
Last Updated: 2008-12-16 01:21:55 UTC
by Toby Kohlenberg (Version: 2)
2 comment(s)

A slightly belated entry to make sure everyone is aware that last week we saw a new vulnerability announced for MS SQL Server 2000, 2005 & 2005 Express Edition by Bernhard Mueller from SEC Consult. Here is the original announcement: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

The above link does include a simple test script (not a full PoC) for the vulnerability.

There is a mitigation available - you can remove the vulnerable stored procedure - Correction below for SQL Server 2005. Microsoft hasn't provided a patch yet and hasn't provided a timeframe for delivery either.

Update: We've had a report that this works against 64bit as well as 32bit versions of SQL Server 2005 (no reports on SQL Server 2000 yet)

Also, thanks for the comments from Brian and Hacktheplanet pointing out that in SQL Server 2005 you can't remove a Stored Procedure, all you can do is deny execute permission to the public role: http://msdn.microsoft.com/en-us/library/ms164755(SQL.90).aspx

 

Keywords: MS SQL Server
2 comment(s)

W32.Delezium/Impair.A virus being seen

Published: 2008-12-15
Last Updated: 2008-12-15 20:40:10 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

We've gotten reports that the W32.Delezium (from Symantec)/Impair.A (from Sophos) virus is floating around and being a general pain in the neck. The detection from Symantec (as "W32.Delezium/inf") only catches infected files, not the virus itself.

The Symantec report is more detailed than the Sophos report, there are some contradictions between the two on how the virus is spreading. The virus is a standard file infector but will also insert a registry entry to enable it to run every startup.

From the Symantec report-

"Next, the virus searches all local, removable and network drives for files with the following extensions, which it subsequently deletes:

  • .3dx
  • .3gp
  • .app
  • .as
  • .asp
  • .aspx
  • .avi
  • .cad
  • .css
  • .doc
  • .fla
  • .frm
  • .gif
  • .jar
  • .java
  • .jpg
  • .jsp
  • .mdb
  • .mp3
  • .mpg
  • .pdf
  • .ppt
  • .psd
  • .rar
  • .sis
  • .vb
  • .wmv
  • .xls
  • .zip

The virus then searches all removable drives for .exe files, which it then infects."

Keywords:
0 comment(s)

Apple Releases OSX 10.5.6/Security update 2008-008

Published: 2008-12-15
Last Updated: 2008-12-15 18:25:13 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

Apple's released an update for OSX, you can now download 10.5.6 through the Software Update app.

It patches a large number of vulns, here are just the CVEs:

  • CVE-2008-4236 - Apple Type Services malicious PDF font DoS
  • CVE-2008-4217 - BOM CPIO archive code execution
  • CVE-2008-3623 - CoreGraphics heap overflow via malicious image
  • CVE-2008-3170 - CoreServices/Safari user credential disclosure
  • CVE-2008-4234 - CoreTypes failure of Download Validation (no warning when you launch downloaded content)
  • CVE-2008-4818 - Flash Player plug-in issues (as per previous entries earlier in the summer)
  • CVE-2008-4819 - Flash Player plug-in issues
  • CVE-2008-4820 - Flash Player plug-in issues
  • CVE-2008-4821 - Flash Player plug-in issues
  • CVE-2008-4822 - Flash Player plug-in issues
  • CVE-2008-4823 - Flash Player plug-in issues
  • CVE-2008-4824 - Flash Player plug-in issues
  • CVE-2008-4218 - Kernel integer overflow allowing local priv escalation
  • CVE-2008-4219 - Kernel - system crash when you use dynamic libraries on an NFS share
  • CVE-2008-4220 - Libsystem integer overflow in the inet_net_pton API (gives code execution)
  • CVE-2008-4221 - Libsystem "memory corruption" via the strptime API (gives code execution)
  • CVE-2008-1391 - Libsystem - a whole pile of integer overflows in  the strfmon API (gives code execution)
  • CVE-2008-4237 - Managed Client doesn't apply managed screen saver settings correctly
  • CVE-2008-4222 - network_cmds - DoS via custom TCP packet when Internet Sharing is enabled
  • CVE-2008-4223 - Podcast Producer auth bypass allows a remote attacker access to the admin functions
  • CVE-2008-4224 - UDF - a specially built ISO file can cause a system crash.

You can get the update via Software Update or from: http://www.apple.com/support/downloads/

The hashes are as follows:

For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded

For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4

For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac

For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c

We'll be updating as we have any additional information about the update

Keywords:
0 comment(s)

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
6 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
6 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives