var-200801-0206
Vulnerability from variot

Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. WRT54GL is prone to a cross-site request forgery vulnerability. Linksys WRT54G is a Cisco wireless router that combines the functions of a wireless access point, a switch and a router.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
       http://www.coresecurity.com/corelabs/

Microsoft Word Malformed FIB Arbitrary Free Vulnerability

  1. Advisory Information

Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability
Advisory ID: CORE-2008-0228
Advisory URL: http://www.coresecurity.com/content/word-arbitrary-free
Date published: 2008-12-10
Date of last update: 2008-12-10
Vendors contacted: Microsoft
Release mode: Coordinated release

  2. Vulnerability Information

Class: Arbitrary free
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 29633
CVE Name: CVE-2008-4024

  3. Vulnerability Description

A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the user running the MS Word application.

More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions and enable an arbitrary free with controlled values.

  4. Vulnerable packages

. Microsoft Word 2000 Service Pack 3
. Microsoft Word 2002 Service Pack 3

  5. Non-vulnerable packages

. Microsoft Word 2003 Service Pack 3
. Microsoft Word 2007

  6. Vendor Information, Solutions and Workarounds

Microsoft has released patches for this vulnerability. For more information refer to the Microsoft Security Bulletin MS08-072 released on December 9th, 2008, available at http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx

Microsoft recommends that customers apply the update immediately.

  7. Credits

This vulnerability was discovered and researched by Ricardo Narvaja, from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.

  8. Technical Description / Proof of Concept Code

A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. A Word file with a specially crafted 'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions, and enable an arbitrary free with controlled values. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems with the privileges of the user running the MS Word application.

To construct a PoC file that demonstrates this bug it is sufficient to use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc' file, and then change the byte at offset 0x4f0, which is the 'lcbPlcfBkfSdt' field value located inside the File Information Block (FIB). By simply changing this byte from 0 to 1, we obtain a file that will make vulnerable Word versions crash when closing the file. This can be improved to make Word crash when opening the file by changing some other values. This fact was detected using automated fuzzing.

In location 0x2b80, there is an arbitrary pointer that can be controlled to choose the address that will be used as the parameter of a call to the free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0, modifying this pointer has no effect. But if this value is 1, then modifying this arbitrary pointer will cause the free function to terminate the program.

The execution of '__MsoPvFree' is reached with two controlled values: the pointer that was directly changed in the .doc file and the contents of the memory position that it points to. That is, both of them are controlled, one directly and the other in an indirect manner, so we can fully control the effect of the free function.

The exploitation of this bug depends on the construction of a file such that different arbitrary blocks are allocated when closing the file before 'free' is called. However, this scenario is complex due to the limitations of the '__MsoPvFree' API, including checks that make the exploitation difficult.

The vendor's analysis indicates that the root cause of this vulnerability is the processing of a 'PlfLfo' structure that is read in from the file. It contains an array of 'Lfo' objects. If any of those 'Lfo' objects has a 'clfolvl' value of 0 and a 'plfolvl' (the previous 4 bytes) value that is non-zero, Word will attempt to free memory at 'plfolvl'. This is because 'plfolvl' is supposed to be overwritten with a valid pointer to allocated memory, but if 'clfolvl' is 0 this initialization step is skipped. Later on cleanup code will check if 'plfolvl' has a non-zero value and if so, attempt to free the memory chunk it points to.

A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash ('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An illustrated explanation can be downloaded from Core's website (see reference [3]).

  9. Report Timeline

. 2008-03-13: Core notifies the vendor of the vulnerability and sends the advisory draft. The advisory's publication is preliminarily set to April 14th, 2008.
. 2008-03-13: Vendor acknowledges notification.
. 2008-03-31: Core requests information concerning Microsoft's plans to fix the vulnerability (no reply received).
. 2008-04-16: Core requests again information concerning Microsoft's schedule to produce a fix. The advisory publication is rescheduled for May 12th, 2008.
. 2008-04-25: Vendor informs that they are wrapping up the investigation and threat model analysis and that fixes will not be included in the Word Security Bulletin of May. Vendor estimates that it will take a few months to produce and test a fix for the vulnerability. Vendor promises an update on May 23rd.
. 2008-04-25: Core sends additional information with low level details of the vulnerability.
. 2008-04-28: Core requests the vendor details about the schedule for the vulnerability fix in order to coordinate the publication of the advisory (no reply received).
. 2008-05-28: Core requests again details about the vulnerability fix schedule (no reply received).
. 2008-06-02: Core requests again details about the vulnerability fix schedule, root cause of the problem and confirmation of vulnerable versions. Core reschedules the publication of the advisory for June 11th, 2008 as "user release" (no reply received).
. 2008-06-13: In another attempt to coordinate the publication of the advisory with the release of a fixed version, Core reschedules publication for the second Wednesday of July, under "user release" mode. The latest advisory version is sent to the vendor.
. 2008-06-17: Vendor apologizes for having mistakenly marked this issue as "no action until 6/23". Vendor informs that they are working on a fix plan and promises more information to be sent on Monday June 23rd.
. 2008-06-27: Core requests the vendor the expected details on the vulnerability fix schedule.
. 2008-07-03: Vendor thanks Core for holding on the publication of this vulnerability, and informs that the issue described in advisory CORE-2008-0228 is marked to be addressed in October 2008. It also informs that they don't have reports of the vulnerability being exploited in the wild.
. 2008-07-08: Vendor informs that they have binaries available to pre-test the potential fixes.
. 2008-07-08: Core asks for the patches to pre-test and informs the vendor that the publication date of the advisory will be revisited.
. 2008-07-23: Core sends the vendor an updated version of the advisory and PoC files.
. 2008-08-26: Core requests the vendor a more precise date for the release of fixes in October.
. 2008-08-29: Vendor informs that they are tentatively targeting October 14th, and that patches will be sent to Core for inspection the following week.
. 2008-08-29: Core acknowledges reception of the previous mail.
. 2008-09-30: Vendor informs that the planned release of the fix for this vulnerability has slipped out to December 11th. Vendor supplies Core a draft of their own security bulletin and a copy of the Office 2000 update fixing the bug.
. 2008-10-01: Core confirms to the vendor that after private discussions the advisory will be published on December 9th (second Tuesday of the month).
. 2008-10-01: Vendor confirms that the release date of fixes is December 9th and supplies Core with a copy of their own security bulletin and a copy of the Office XP update fixing the bug.
. 2008-10-20: Core confirms that it intends to publish the advisory CORE-2008-0228 on December 9th as previously established.
. 2008-11-11: Vendor confirms it is still on track to publish this fix for December 9th.
. 2008-11-11: Core informs the vendor that the patch was tested and works on Office XP (i.e. the crash is avoided) and confirms that it intends to publish advisory CORE-2008-0228 on December 9th as previously established by both parties.
. 2008-12-04: Core sends the final draft of the advisory to the vendor.
. 2008-12-09: Microsoft Security Bulletin MS08-072 is released.
. 2008-12-10: Advisory CORE-2008-0228 is published.

  10. References

[1] Word 97-2007 Binary File Format (*.doc) Specification
http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf
[2] Microsoft Word Arbitrary Free Vulnerability PoC
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc
[3] Microsoft Word Arbitrary Free Vulnerability Explained
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf

  11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

  12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

  13. Disclaimer

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

  14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




TITLE: Linksys WRT54GL Cross-Site Request Forgery

SECUNIA ADVISORY ID: SA28364

VERIFY ADVISORY: http://secunia.com/advisories/28364/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

WHERE: From remote

OPERATING SYSTEM: Linksys WRT54GL 4.x http://secunia.com/product/17134/

DESCRIPTION: Tomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited to e.g. disable the firewall by enticing a logged-in administrator to visit a malicious site.

The vulnerability is reported in firmware version 4.30.9. Other versions may also be affected.

SOLUTION: The vendor is currently working on a fix.

Do not browse untrusted websites or follow untrusted links while logged on to the application.

PROVIDED AND/OR DISCOVERED BY: Tomaz Bratusa, Team Intell

ORIGINAL ADVISORY: TISA-2008-01 (via Bugtraq): http://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html


About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.





{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "wrt54gl",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "linksys",
        "version": "4.30.9"
      },
      {
        "_id": null,
        "model": "wrt54gl",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "cisco linksys",
        "version": "4.30.9"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "85181"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-0228"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:linksys:wrt54gl",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Unknown",
    "sources": [
      {
        "db": "BID",
        "id": "85181"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2008-0228",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2008-0228",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "VHN-30353",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2008-0228",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2008-0228",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200801-156",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-30353",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2008-0228",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      },
      {
        "db": "VULMON",
        "id": "CVE-2008-0228"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-0228"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. WRT54GL is prone to a cross-site request forgery vulnerability. Linksys WRT54G is a wireless router of Cisco, which is a wireless routing device that combines the functions of wireless access point, switch and router. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n      Core Security Technologies - CoreLabs Advisory\n           http://www.coresecurity.com/corelabs/\n\n  Microsoft Word Malformed FIB Arbitrary Free Vulnerability\n\n\n\n1. *Advisory Information*\n\nTitle: Microsoft Word Malformed FIB Arbitrary Free Vulnerability\nAdvisory ID: CORE-2008-0228\nAdvisory URL: http://www.coresecurity.com/content/word-arbitrary-free\nDate published: 2008-12-10\nDate of last update: 2008-12-10\nVendors contacted: Microsoft\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Arbitrary free\nRemotely Exploitable: Yes (client-side)\nLocally Exploitable: No\nBugtraq ID: 29633\nCVE Name: CVE-2008-4024\n\n\n3. *Vulnerability Description*\n\nA vulnerability has been found in the way that Microsoft Word handles\nspecially crafted Word files. The vulnerability could allow remote code\nexecution if a user opens a specially crafted Word file that includes a\nmalformed record value. An attacker who successfully exploited this\nvulnerability could execute arbitrary code with the privileges of the\nuser running the MS Word application. \n\nMore specifically, a Word file with a specially crafted \u0027lcbPlcfBkfSdt\u0027\nfield value (offset \u00270x4f0\u0027) inside the File Information Block (FIB) can\ncorrupt the heap structure on vulnerable Word versions and enable an\narbitrary free with controlled values. \n\n\n4. *Vulnerable packages*\n\n   . Microsoft Word 2000 Service Pack 3\n   . Microsoft Word 2002 Service Pack 3\n\n\n5. 
*Non-vulnerable packages*\n\n   . Microsoft Word 2003 Service Pack 3\n   . Microsoft Word 2007\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nMicrosoft has released patches for this vulnerability. For more\ninformation refer to the Microsoft Security Bulletin MS08-072 released\non December 9th, 2008, available at\nhttp://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx\n\nMicrosoft recommends that customers apply the update immediately. \n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Ricardo Narvaja,\nfrom CORE IMPACT\u0027s Exploit Writing Team (EWT), Core Security Technologies. \n\n\n8. *Technical Description / Proof of Concept Code*\n\nA vulnerability has been found in the way that Microsoft Word handles\nspecially crafted Word files. A Word file with a specially crafted\n\u0027lcbPlcfBkfSdt\u0027 field value (offset \u00270x4f0\u0027) inside the File Information\nBlock (FIB) can corrupt the heap structure on vulnerable Word versions,\nand enable an arbitrary free with controlled values. If successfully\nexploited, this vulnerability could allow an attacker to execute\narbitrary code on vulnerable systems with the privileges of the user\nrunning the MS Word application. \n\nTo construct a PoC file that demonstrates this bug it is sufficient to\nuse Microsoft Word 2007 to generate a Word 97-2003 compatible \u0027.doc\u0027\nfile, and then change the byte at offset 0x4f0, this is the\n\u0027lcbPlcfBkfSdt\u0027 field value located inside the File Information Block\n(FIB). By simply changing this byte from 0 to 1, we obtain a file that\nwill make vulnerable Word versions crash when closing the file. This can\nbe improved to make Word crash when opening the file by changing some\nother values. This fact was detected using automated fuzzing. 
\n\nIn location 0x2b80, there is an arbitrary pointer that can be controlled\nto choose the address that will be used as parameter of a call to the\nfree function \u0027__MsoPvFree\u0027. If the \u0027lcbPlcfBkfSdt\u0027 value is 0,\nmodifying this pointer has no effect. But if this value is 1, then\nmodifying this arbitrary pointer will cause the free function to close\nthe program. \n\nThe execution of \u0027__MsoPvFree\u0027 is reached with two controlled values,\nthe pointer that was directly changed in the .doc file and the contents\nof the memory position that it points to. That is, both of them are\ncontrolled, one directly and the other in an indirect manner, we can\nthus fully control the effect of the free function. \n\nThe exploitation of this bug depends on the construction of a file such\nthat different arbitrary blocks are allocated when closing the file\nbefore \u0027free\u0027 is called. However this scenario is complex due to the\nlimitations of the \u0027__MsoPvFree\u0027 API, including checks that make the\nexploitation difficult. \n\nThe vendor\u0027s analysis indicates that the root cause of this\nvulnerability is the processing of a \u0027PlfLfo\u0027 structure that is read in\nfrom the file. It contains an array of \u0027Lfo\u0027 objects. If any of those\n\u0027Lfo\u0027 objects has a \u0027clfolvl\u0027 value of 0 and a \u0027plfolvl\u0027 (the previous 4\nbytes) value that is non-zero, Word will attempt to free memory at\n\u0027plfolvl\u0027. This is because \u0027plfolvl\u0027 is supposed to be overwritten with\na valid pointer to allocated memory, but if \u0027clfolvl\u0027 is 0 this\ninitialization step is skipped. Later on cleanup code will check if\n\u0027plfolvl\u0027 has a non-zero value and if so, attempt to free the memory\nchunk it points to. \n\nA Proof of Concept \u0027.doc\u0027 file which makes Word 2000 and Word 2002 crash\n(\u0027WINWORD.EXE\u0027, main thread, module \u0027MS09\u0027) is available at [2]. 
An\nillustrated explanation can be downloaded from Core\u0027s website (see\nreference [3]). \n\n\n9. *Report Timeline*\n\n. 2008-03-13: Core notifies the vendor of the vulnerability and sends\nthe advisory draft. The advisory\u0027s publication is preliminary set to\nApril 14th, 2008. 2008-03-13: Vendor acknowledges notification. 2008-03-31: Core requests information concerning Microsoft\u0027s plans to\nfix the vulnerability (no reply received). 2008-04-16: Core requests again information concerning Microsoft\u0027s\nschedule to produce a fix. The advisory publication is rescheduled for\nMay 12th, 2008. 2008-04-25: Vendor informs that they are wrapping up the investigation\nand threat model analysis and that fixes will not be included in the\nWord Security Bulletin of May. Vendor estimates that it will take a few\nmonths to produce and test a fix for the vulnerability. Vendor promises\nan update on May 23th. 2008-04-25: Core sends additional information with low level details\nof the vulnerability. 2008-04-28: Core requests the vendor details about the schedule for\nthe vulnerability fix in order to coordinate the publication of the\nadvisory (no reply received). 2008-05-28: Core requests again details about the vulnerability fix\nschedule (no reply received). 2008-06-02: Core requests again details about the vulnerability fix\nschedule, root cause of the problem and confirmation of vulnerable\nversions. Core reschedules the publication of the advisory for June\n11th, 2008 as \"user release\" (no reply received). 2008-06-13: In another attempt to coordinate the publication of the\nadvisory with the release of a fixed version, Core reschedules\npublication for the second Wednesday of July, under \"user release\" mode. \nThe latest advisory version is sent to the vendor. 2008-06-17: Vendor apologies for having mistakenly marked this issue\nas \"no action until 6/23\". 
Vendor informs that they are working on a fix\nplan and promises more information to be sent on Monday June 23rd. 2008-06-27: Core requests the vendor the expected details on the\nvulnerability fix schedule. 2008-07-03: Vendor thanks Core for holding on the publication of this\nvulnerability, and informs that the issue described in advisory\nCORE-2008-0228 is marked to be addressed in October 2008. It also\ninforms that they don\u0027t have reports of the vulnerability being\nexploited in the wild. 2008-07-08: Vendor informs that they have binaries available to\npre-test the potential fixes. 2008-07-08: Core asks for the patches to pre-test and informs the\nvendor that publication date of the advisory will be revisited. 2008-07-23: Core sends the vendor an updated version of the advisory\nand PoC files. 2008-08-26: Core requests the vendor a more precise date for the\nrelease of fixes in October. 2008-08-29: Vendor informs that they are tentatively targeting October\n14th, and that patches will be sent to Core for inspection the following\nweek. 2008-08-29: Core acknowledges reception of the previous mail. 2008-09-30: Vendor informs that the planned release of the fix for\nthis vulnerability has slipped out to December 11th. Vendor supplies\nCore a draft of their own security bulletin and a copy of the Office\n2000 update fixing the bug. 2008-10-01: Core confirms the vendor that after private discussions\nthe advisory will be published in December 9th (second Tuesday of the\nmonth). 2008-10-01: Vendor confirms that the release date of fixes is December\n9th and supplies Core with a copy of their own security bulletin and a\ncopy of the Office XP update fixing the bug. 2008-10-20: Core confirms that it intends to publish the advisory\nCORE-2008-0228 on December 9th as previously established. 2008-11-11: Vendor confirms it is still on track to publish this fix\nfor December 9th. 
2008-11-11: Core informs the vendor that the patch was tested and\nworks on Office XP (i.e. the crash avoided) and confirms that it intends\nto publish advisory CORE-2008-0228 on December 9th as previously\nestablished by both parties. 2008-12-04: Core sends the final draft of the advisory to the vendor. 2008-12-09: Microsoft Security Bulletin MS08-072 is released. 2008-12-10: Advisory CORE-2008-0228 is published. \n\n\n10. *References*\n\n[1] Word 97-2007 Binary File Format (*.doc) Specification\nhttp://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf\n[2] Microsoft Word Arbitrary Free Vulnerability PoC\nhttp://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc\n[3] Microsoft Word Arbitrary Free Vulnerability Explained\nhttp://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. 
CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkk/32wACgkQyNibggitWa1twACfR4nlubY9KyYIN7ubBUnXlnm6\nQgEAnRl3fbRhADlci+pJwDQGjrtj2bxs\n=hR/7\n-----END PGP SIGNATURE-----\n. \n\n----------------------------------------------------------------------\n\nA new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI\nhas been released. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. 
\n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nLinksys WRT54GL Cross-Site Request Forgery\n\nSECUNIA ADVISORY ID:\nSA28364\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/28364/\n\nCRITICAL:\nLess critical\n\nIMPACT:\nCross Site Scripting\n\nWHERE:\n\u003eFrom remote\n\nOPERATING SYSTEM:\nLinksys WRT54GL 4.x\nhttp://secunia.com/product/17134/\n\nDESCRIPTION:\nTomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which\ncan be exploited by malicious people to conduct cross-site request\nforgery attacks. This can be exploited to e.g. \ndisable the firewall by enticing a logged-in administrator to visit a\nmalicious site. \n\nThe vulnerability is reported in firmware version 4.30.9. Other\nversions may also be affected. \n\nSOLUTION:\nThe vendor is currently working on a fix. \n\nDo not browse untrusted websites or follow untrusted links while\nlogged on to the application. \n\nPROVIDED AND/OR DISCOVERED BY:\nTomaz Bratusa, Team Intell\n\nORIGINAL ADVISORY:\nTISA-2008-01 (via Bugtraq):\nhttp://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. 
\n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-0228"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      },
      {
        "db": "BID",
        "id": "85181"
      },
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      },
      {
        "db": "VULMON",
        "id": "CVE-2008-0228"
      },
      {
        "db": "PACKETSTORM",
        "id": "72847"
      },
      {
        "db": "PACKETSTORM",
        "id": "62461"
      }
    ],
    "trust": 2.25
  },
  "exploit_availability": {
    "_id": null,
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-30353",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      }
    ]
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2008-0228",
        "trust": 3.0
      },
      {
        "db": "SREASON",
        "id": "3534",
        "trust": 2.1
      },
      {
        "db": "SECUNIA",
        "id": "28364",
        "trust": 1.9
      },
      {
        "db": "XF",
        "id": "39502",
        "trust": 0.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156",
        "trust": 0.7
      },
      {
        "db": "BUGTRAQ",
        "id": "20080107 LINKSYS WRT54 GL - SESSION RIDING (CSRF)",
        "trust": 0.6
      },
      {
        "db": "BUGTRAQ",
        "id": "20080115 RE: LINKSYS WRT54 GL - SESSION RIDING (CSRF)",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "85181",
        "trust": 0.5
      },
      {
        "db": "PACKETSTORM",
        "id": "72847",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-30353",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2008-0228",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "62461",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      },
      {
        "db": "VULMON",
        "id": "CVE-2008-0228"
      },
      {
        "db": "BID",
        "id": "85181"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      },
      {
        "db": "PACKETSTORM",
        "id": "72847"
      },
      {
        "db": "PACKETSTORM",
        "id": "62461"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-0228"
      }
    ]
  },
  "id": "VAR-200801-0206",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T21:48:44.391000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Linksys",
        "trust": 0.8,
        "url": "http://home.cisco.com/en-apac/home"
      },
      {
        "title": "reverse-engineering-toolkit",
        "trust": 0.1,
        "url": "https://github.com/geeksniper/reverse-engineering-toolkit "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2008-0228"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-352",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-0228"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 2.1,
        "url": "http://securityreason.com/securityalert/3534"
      },
      {
        "trust": 1.8,
        "url": "http://secunia.com/advisories/28364"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
      },
      {
        "trust": 1.2,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
      },
      {
        "trust": 0.9,
        "url": "http://xforce.iss.net/xforce/xfdb/39502"
      },
      {
        "trust": 0.9,
        "url": "http://www.securityfocus.com/archive/1/archive/1/485853/100/0/threaded"
      },
      {
        "trust": 0.9,
        "url": "http://www.securityfocus.com/archive/1/archive/1/486362/100/0/threaded"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0228"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0228"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/352.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/85181"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/geeksniper/reverse-engineering-toolkit"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-0228"
      },
      {
        "trust": 0.1,
        "url": "http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "http://enigmail.mozdev.org"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core-2008-0228-word-advisory-poc.doc"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://download.microsoft.com/download/0/b/e/0be8bdd7-e5e8-422a-abfd-4342ed7ad886/word97-2007binaryfileformat(doc)specification.pdf"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core-2008-0228-word.pdf"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs/"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/content/word-arbitrary-free"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html"
      },
      {
        "trust": 0.1,
        "url": "https://psi.secunia.com/?page=changelog"
      },
      {
        "trust": 0.1,
        "url": "https://psi.secunia.com/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/28364/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/17134/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-30353"
      },
      {
        "db": "VULMON",
        "id": "CVE-2008-0228"
      },
      {
        "db": "BID",
        "id": "85181"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      },
      {
        "db": "PACKETSTORM",
        "id": "72847"
      },
      {
        "db": "PACKETSTORM",
        "id": "62461"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-0228"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-30353",
        "ident": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2008-0228",
        "ident": null
      },
      {
        "db": "BID",
        "id": "85181",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "72847",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "62461",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2008-0228",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2008-01-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-30353",
        "ident": null
      },
      {
        "date": "2008-01-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2008-0228",
        "ident": null
      },
      {
        "date": "2008-01-10T00:00:00",
        "db": "BID",
        "id": "85181",
        "ident": null
      },
      {
        "date": "2012-09-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-003932",
        "ident": null
      },
      {
        "date": "2008-12-10T18:55:02",
        "db": "PACKETSTORM",
        "id": "72847",
        "ident": null
      },
      {
        "date": "2008-01-10T08:17:01",
        "db": "PACKETSTORM",
        "id": "62461",
        "ident": null
      },
      {
        "date": "2008-01-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200801-156",
        "ident": null
      },
      {
        "date": "2008-01-10T23:46:00",
        "db": "NVD",
        "id": "CVE-2008-0228",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2018-10-15T00:00:00",
        "db": "VULHUB",
        "id": "VHN-30353",
        "ident": null
      },
      {
        "date": "2018-10-15T00:00:00",
        "db": "VULMON",
        "id": "CVE-2008-0228",
        "ident": null
      },
      {
        "date": "2008-01-10T00:00:00",
        "db": "BID",
        "id": "85181",
        "ident": null
      },
      {
        "date": "2012-09-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-003932",
        "ident": null
      },
      {
        "date": "2008-09-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200801-156",
        "ident": null
      },
      {
        "date": "2024-11-21T00:41:27.217000",
        "db": "NVD",
        "id": "CVE-2008-0228",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "72847"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "_id": null,
    "data": "Linksys WRT54GL Wireless-G Broadband Router Vulnerable to cross-site request forgery",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-003932"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "cross-site request forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200801-156"
      }
    ],
    "trust": 0.6
  }
}

