Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Vulnerabilities in L-Soft's LISTSERV and Microsoft's Visual Studio - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Vulnerabilities in L-Soft's LISTSERV and Microsoft's Visual Studio
NGSSoftware announced a number of vulnerabilities in L-Soft's LISTSERV list management system. The vulnerabilities have not been published, but as NGSSoftware worked with L-Soft, they are already fixed in the latest release of LISTSERV, 14.5.

It is strongly recommended that you upgrade to the latest version if you use LISTSERV, as the most critical vulnerability announced allows a remote unauthenticated attacker execution of arbitrary code on the system running LISTSERV.

The latest version of LISTSERV can be downloaded from http://www.lsoft.com/download/listserv.asp and http://www.lsoft.com/download/listservlite.asp (for LISTSERV Lite).

NGSSoftware said that they will publish full details about the flaw in June 2006.



Source code for the buffer overflow vulnerability recently reported in Microsoft's Visual Studio has been released. Visual Studio does not properly validate contents of database project (.dbp) and solution (.sln) files. The result of improper handling is a buffer overflow which can be exploited through the "DataProject" field in a .dbp file.
As the .dbp files are actually text files, it is very simple to craft an exploit.

There is no patch at the moment but, as always, standard rules apply, be very careful what you open.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Brussels September 2019

Bojan

381 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!