[NT] Motorola Timbuktu Multiple Buffer Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Motorola Timbuktu Multiple Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Motorola Inc.'s <http://netopia.com/software/products/tb2/> Timbuktu Pro
is a remote control software which allows remote access to a computer's
desktop. It is available for Mac OS X and Windows systems and provides
integration with Skype and SSH.

Remote exploitation of multiple buffer overflow vulnerabilities within
Motorola Inc.'s Timbuktu allows attackers to crash the service or
potentially execute arbitrary code with SYSTEM privileges.

DETAILS

Vulnerable Systems:
* Motorola Inc.'s Timbuktu Pro for Windows version 8.6.3.1367.
* (Older versions are suspected to be vulnerable).

The first issue exists within the handling of malformed application level
protocol requests. Certain requests lead to an arbitrary length overflow
of a buffer located on the heap.

The second vulnerability exists within the processing of log in requests.
By specifying an overly long user name, it is possible to cause heap
corruption.

The third vulnerability specifically exists within the "Scanner"
functionally. By running a malicious socket server on TCP port 407, an
attacker is able to cause a buffer overflow with a malformed "HELLO"
response packet.
Exploitation of these vulnerabilities allows attackers to crash the
Timbuktu Pro server or potentially execute arbitrary code with SYSTEM
privileges.

In all cases, no authentication credentials are required to access the
vulnerable code. In order to exploit the first two vulnerabilities, the
attacker needs only the ability to initiate a session with the Timbuktu
service. This service typically runs on TCP or UDP port 407.

The third vulnerability requires access to the local network since the
problem lies in the handling of a response from a scanned server.
Additionally, an attacker would need to persuade a user to attempt to
connect to the malicious server.

Workaround:
Employing firewalls to limit access to the affected service's open ports
(TCP and UDP port 407) can help prevent potential exposure to these
vulnerabilities.

Vendor Status:
Motorola Inc. has addressed these vulnerabilities by releasing version
8.6.5 of Timbuktu Pro for Windows. For more information, consult the
release notes at the following URL.

<ftp://ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf> ftp://ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4221>
CVE-2007-4221

Disclosure Timeline:
* 07/18/2007 - Initial vendor notification
* 07/19/2007 - Initial vendor response
* 08/27/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NT] CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities ... An attacker can ...
    (Securiteam)
  • [NT] ProjectForum Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ProjectForum provides "a ... Two vulnerabilities have ... out dangerous characters that could enable an attacker to insert their own ...
    (Securiteam)
  • [UNIX] e107 Multiple Vulnerabilities (Path Disclosures, File Inclusions and SQL Injections)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... In order to be able to exploit some of these vulnerabilities, ... it gives valuable information to an attacker. ... * In the user settings script, an attacker who is logged on issues a POST ...
    (Securiteam)
  • [NT] ADA Image Server (ImgSvr) Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... ADA Image Server is "an ... traversal vulnerabilities, and DoS vulnerabilities. ... attacker sends a GET request followed by 2,112 characters. ...
    (Securiteam)
  • [UNIX] IBM DB2 Universal Database Multiple Vulnerabilities
    ... IBM DB2 Universal Database Multiple Vulnerabilities ... the length of attacker supplied data. ... Exploitation allows local attackers to gain root privileges. ...
    (Securiteam)