Re: [Full-disclosure] CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow



Dennis Rand wrote:
CSIS Security Group has discovered a remotely exploitable arbitrary
overwrite in the Blue Coat K9 Web Protection local Web configuration
manager on 127.0.0.1 and port 2372.


Justin Seitz of VDA Labs (www.vdalabs.com) already found this bug.
Here's the CVE: CVE-2007-1783.

They had so many bugs, they're rolling this issue and more into the
next release.

We have a working PoC, and believe it could be transformed into a remote
one via an embedded link. For example:
<SCRIPT SRC="http://127.0.0.1:2372/<buffer here>
<http://127.0.0.1:2372/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>"></SCRIPT>

Blessings,
Jared
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
