[NT]Landesk QIP Server Service Heal Packet Buffer OverflowVulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Oct 2008 18:19:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Landesk QIP Server Service Heal Packet Buffer OverflowVulnerability
------------------------------------------------------------------------
SUMMARY
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of LANDesk Management Suite. Authentication is
not required to exploit this vulnerability.
DETAILS
The specific flaw exists within the QIP Server Service (qipsrvr.exe) which
listens by default on TCP port 12175. The process makes a vulnerable call
to MultiByteToWideChar using values obtained from packet data. A malicious
'heal' request can allow an attacker to control both the pointer to the
StringToMap and the StringSize arguments. The destination buffer is either
allocated on the stack or heap depending on the specified sizes. In both
cases it can be overflown leading to arbitrary code execution under the
context of the SYSTEM user.
Vendor Response:
LANDesk has issued an update to correct this vulnerability. More details
can be found at:
<http://community.landesk.com/support/docs/DOC-3276>
http://community.landesk.com/support/docs/DOC-3276
Disclosure Timeline:
2008-09-03 - Vulnerability reported to vendor
2008-09-15 - Coordinated public release of advisory
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2468>
CVE-2008-2468
ADDITIONAL INFORMATION
The information has been provided by <mailto:dvlabs@xxxxxxxxxxxxxxxx>
TippingPoint DVLabs.
The original article can be found at:
<http://dvlabs.tippingpoint.com/advisory/TPTI-08-06>
http://dvlabs.tippingpoint.com/advisory/TPTI-08-06
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX]Wordpress user_login Column SQL Truncation Vulnerability
- Next by Date: [NT]Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS
- Previous by thread: [UNIX]Wordpress user_login Column SQL Truncation Vulnerability
- Next by thread: [NT]Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS
- Index(es):
Relevant Pages
|
