[gull-annonces] Summary of SecurityFocus Newsletter #290

Marc SCHAEFER schaefer at alphanet.ch
Mon Mar 7 12:41:06 CET 2005


Thomson TCW690 Cable Modem Multiple Vulnerabilities
BugTraq ID: 12595
Remote: Yes
Date Published: Feb 19 2005
Relevant URL: http://www.securityfocus.com/bid/12595
Summary:
Thomson TCW690 cable modem is reported prone to multiple remote
vulnerabilities.  These issues may allow an attacker to cause a denial
of service condition and/or gain unauthorized access to the device.

The following specific issues were identified:

The device is reported prone to a partial denial of service condition
that results from a boundary condition error.  Reportedly, a
successful attack can cause the device to fail to process requests for
a limited period of time.  This issue may be related to BID 9091
(Thomson Cable Modem Remote Denial Of Service Vulnerability).

Another vulnerability affecting the modem can allow attackers to gain
unauthorized access to the device.  It is reported that the device
does not properly verify users' authentication credentials when
handling an HTTP POST request.

Thomson TCW690 with firmware version ST42.03.0a is reported vulnerable
to these issues.  It is possible that other versions are affected as
well.

[ firmware ]

Red Hat Enterprise Linux Kernel Multiple Vulnerabilities
BugTraq ID: 12599
Remote: No
Date Published: Feb 19 2005
Relevant URL: http://www.securityfocus.com/bid/12599
Summary:
Red Hat Enterprise Linux kernel is reported prone to multiple
vulnerabilities.  These issues may allow local attackers to carry out
denial of service attacks and gain elevated privileges.

The following specific issues were identified:

The Red Hat Enterprise Linux kernel is reported prone to two local
denial of service vulnerabilities.

Another issue affecting the Red Hat Enterprise Linux 4 kernel 4GB/4GB
split patch can allow local attackers to read and write to arbitrary
kernel memory.

These issues are reported to affect the Red Hat Enterprise Linux 4
kernel.

Due to lack of details, further information is not available at the
moment. This BID will be updated when more information becomes
available.

PuTTY/PSFTP/PSCP Multiple Remote Integer Overflow Vulnerabil...
BugTraq ID: 12601
Remote: Yes
Date Published: Feb 21 2005
Relevant URL: http://www.securityfocus.com/bid/12601
Summary:
PuTTY, PSFTP and PSCP are reported prone to multiple integer overflow
vulnerabilities. The following individual issues are reported:

The first reported vulnerability, an integer overflow, exists in the
'fxp_readdir_recv()' function of the 'sftp.c' source file.

A remote malicious server may trigger this vulnerability in order to
execute arbitrary code in the context of the user that is running the
affected client. It should be noted that this vulnerability exists in
a code path that is executed after host key verification occurs, which
may hinder exploitation.

The second issue, another integer overflow, is reported to exist in
the 'sftp_pkt_getstring()' function of the 'sftp.c' source file.

A remote malicious server may trigger this vulnerability in order to
crash the affected client or to potentially execute arbitrary code. It
should be noted that this vulnerability exists in a code path that is
executed after host key verification occurs, which may also hinder
exploitation.

These vulnerabilities are reported to exist in versions of PSFTP and
PSCP prior to version 0.57.

UIM LibUIM Environment Variables Privilege Escalation Weakne...
BugTraq ID: 12604
Remote: No
Date Published: Feb 21 2005
Relevant URL: http://www.securityfocus.com/bid/12604
Summary:
Uim is reported prone to a privilege escalation weakness. It is
reported that the Uim library will always trust user-supplied
environment variables, and that this may be exploited in circumstances
where the Uim library is linked to a setuid/setgid application.

An attacker that has local interactive access to a system that has a
vulnerable application installed may potentially exploit this weakness
to escalate privileges.

Gigafast EE400-R Router Multiple Remote Vulnerabilities
BugTraq ID: 12612
Remote: Yes
Date Published: Feb 21 2005
Relevant URL: http://www.securityfocus.com/bid/12612
Summary:
Multiple vulnerabilities are reported to affect the Gigafast EE400-R
router. The following individual vulnerabilities are reported:

An information disclosure vulnerability is reported to affect the
router. It is reported that an authentication interface exists on the
appliance, but a direct request for a backup configuration file is
permitted without requiring authentication.

Information that is harvested by exploiting this vulnerability may be
used to aid in further attacks that are launched against the target
appliance.

A remote denial of service vulnerability is reported to affect the
Gigafast router. It is reported that when certain functionality is
enabled on the affected router, the router will crash when a malformed
DNS query is handled.

A remote attacker may exploit this vulnerability to deny network
services for legitimate users.

[ firmware ]

cURL / libcURL NTLM Authentication Buffer Overflow Vulnerabi...
BugTraq ID: 12615
Remote: Yes
Date Published: Feb 22 2005
Relevant URL: http://www.securityfocus.com/bid/12615
Summary:
It has been reported that cURL and libcURL are vulnerable to a
remotely exploitable stack-based buffer overflow vulnerability.  The
cURL and libcURL NTLM response processing code fails to ensure that a
buffer overflow cannot occur when response data is decoded.

The overflow occurs in the stack region, and remote code execution is
possible if the saved instruction pointer is overwritten with a
pointer to embedded instructions.

cURL / libcURL Kerberos Authentication Buffer Overflow Vulne...
BugTraq ID: 12616
Remote: Yes
Date Published: Feb 22 2005
Relevant URL: http://www.securityfocus.com/bid/12616
Summary:
It has been reported that cURL and libcURL are vulnerable to a
remotely exploitable stack-based buffer overflow vulnerability.  The
cURL and libcURL Kerberos authentication code fails to ensure that a
buffer overflow cannot occur when server response data is decoded.

The overflow occurs in the stack region, and remote code execution is
possible if the saved instruction pointer is overwritten with a
pointer to embedded instructions.

Apache Software Foundation Batik Squiggle Browser Access Val...
BugTraq ID: 12619
Remote: No
Date Published: Feb 22 2005
Relevant URL: http://www.securityfocus.com/bid/12619
Summary:
An access validation error affects Apache Software Foundation Batik
Squiggle Browser.  This issue is due to a failure of the affected
application to properly regulate access to sensitive system resources.

An attacker may leverage this issue to gain unauthorized access to
potentially sensitive system resources such as the file system.
Other attacks may also be possible.

fallback-reboot Remote Denial of Service Vulnerability
BugTraq ID: 12624
Remote: Yes
Date Published: Feb 22 2005
Relevant URL: http://www.securityfocus.com/bid/12624
Summary:
fallback-reboot is reported prone to a remote denial of service
vulnerability.

A remote attacker may exploit this issue to cause the daemon to crash,
leading to a denial of service condition.  This vulnerability does not
affect the underlying host computer.

fallback-reboot 0.96 and prior versions are affected by this issue.

Mono Unicode Character Conversion Multiple Cross-Site Script...
BugTraq ID: 12626
Remote: Yes
Date Published: Feb 22 2005
Relevant URL: http://www.securityfocus.com/bid/12626
Summary:
It is reported that Mono is prone to various cross-site scripting
attacks. These issues result from insufficient sanitization of
user-supplied data and arise when Mono converts Unicode characters
ranging from U+ff00-U+ff60 to ASCII.

Mono 1.0.5 is reported vulnerable, however, other versions may be
affected as well.

This issue is related to BID 12574 (Microsoft ASP.NET Unicode
Character Conversion Multiple Cross-Site Scripting Vulnerabilities).

ProZilla Initial Server Response Remote Client-Side Format S...
BugTraq ID: 12635
Remote: Yes
Date Published: Feb 23 2005
Relevant URL: http://www.securityfocus.com/bid/12635
Summary:
A remote client-side format string vulnerability is reported to exist
in ProZilla. This issue is due to a failure of the application to
properly implement a formatted string function. The format string
vulnerability manifests when the affected application is handling
initial server responses that contain format string specifiers.

An attacker may leverage this issue to execute arbitrary code on an
affected computer with the privileges of an unsuspecting user that
activated the vulnerable application.

ProZilla versions up to and including version 1.3.7.3 are reported
prone to this vulnerability.

TWiki Multiple Unspecified Remote Input Validation Vulnerabi...
BugTraq ID: 12637
Remote: Yes
Date Published: Feb 23 2005
Relevant URL: http://www.securityfocus.com/bid/12637
Summary:
Multiple unspecified input validation vulnerabilities reportedly
affect TWiki.  These issues are due to a failure of the application to
sanitize user-supplied input prior to using it to carry out critical
functionality.

An attacker may execute arbitrary commands, potentially facilitating a
compromise of the host computer, by leveraging these issues.  Any
command execution would take place with the privileges of the affected
process.  Other attacks may also be possible.

TWiki ImageGalleryPlugin Configuration Options Remote Arbitr...
BugTraq ID: 12638
Remote: Yes
Date Published: Feb 23 2005
Relevant URL: http://www.securityfocus.com/bid/12638
Summary:
A remote command execution vulnerability affects the
ImageGalleryPlugin of TWiki.  This issue is due to a failure of the
application to properly validate user access to sensitive
configuration options.

An attacker may execute arbitrary commands, potentially compromising
the host computer, by leveraging this issue.

ELOG Web Logbook Attached Filename Remote Buffer Overflow Vu...
BugTraq ID: 12639
Remote: Yes
Date Published: Feb 23 2005
Relevant URL: http://www.securityfocus.com/bid/12639
Summary:
ELOG Web Logbook is prone to a remote buffer overflow
vulnerability. The vulnerability is reported to exist due to a lack of
sufficient boundary checks performed on user-supplied data.

A remote attacker that can authenticate to the affected daemon may
leverage this issue to execute arbitrary instructions in the context
of the affected daemon.

This vulnerability is reported to affect ELOG versions up to and
including version 2.5.6.

ELOG Web Logbook Multiple Remote Unspecified Vulnerabilities
BugTraq ID: 12640
Remote: Yes
Date Published: Feb 23 2005
Relevant URL: http://www.securityfocus.com/bid/12640
Summary:
ELOG Web Logbook is reported prone to multiple vulnerabilities. The
following individual issues are reported:

ELOG Web Logbook is reported prone to two remote heap-based buffer
overflow vulnerabilities. It is reported that the overflows may be
leveraged remotely to have arbitrary code executed in the context of
the affected daemon.

A directory traversal vulnerability is also reported to affect ELOG
Web Logbook; again, the details of this issue are not specified. It is
conjectured that this issue may be exploited by a remote attacker to
disclose sensitive information.

These vulnerabilities are reported to exist in ELOG versions up to and
including version 2.5.6. Other versions might also be affected.

Ginp File Disclosure Vulnerability
BugTraq ID: 12642
Remote: Yes
Date Published: Feb 24 2005
Relevant URL: http://www.securityfocus.com/bid/12642
Summary:
ginp is prone to a vulnerability that may permit remote attackers to
gain unauthorized access to files on the computer hosting the
software.  Files that are readable by the Web server process may be
accessed through directory traversal sequences.

This may result in sensitive information being disclosed to remote
attackers.

[ In Java ]

Cisco Application and Content Networking System Multiple Rem...
BugTraq ID: 12648
Remote: Yes
Date Published: Feb 24 2005
Relevant URL: http://www.securityfocus.com/bid/12648
Summary:
Multiple remote vulnerabilities affect Cisco Application and Content
Networking System (ACNS).  This issue is due to a failure of the
affected software to properly handle malformed network data.

Specifically, multiple denial of service vulnerabilities and a single
default administrator password issue were reported.

An attacker may leverage these issues to trigger a denial of service
condition in affected devices or on the network segment that they
reside on.  The default password issue may allow an unauthorized user
to gain administrator access to an affected device.

[ firmware ]

Cyclades AlterPath Manager Multiple Remote Vulnerabilities
BugTraq ID: 12649
Remote: Yes
Date Published: Feb 24 2005
Relevant URL: http://www.securityfocus.com/bid/12649
Summary:
Cyclades AlterPath Manager is a network device designed to facilitate
remote administration of all network-accessible infrastructure
resources.

Multiple remote vulnerabilities affect Cyclades AlterPath Manager.
These issues are due to various design errors that affect the overall
security of the vulnerable device.

The first issue is an information disclosure issue.  The second would
allow unauthorized access to restricted console resources.  Finally,
the third issue will facilitate privilege escalation.

An attacker may leverage these issues to gain unauthorized access to
network-based resources, to gain escalated privileges and to gain
access to potentially sensitive information.

[ firmware ]

Mozilla Firefox Scrollbar Remote Code Execution Vulnerabilit...
BugTraq ID: 12655
Remote: Yes
Date Published: Feb 25 2005
Relevant URL: http://www.securityfocus.com/bid/12655
Summary:
Reportedly a remote code execution vulnerability affects Mozilla
Firefox.  This issue is due to a failure of the application to
properly restrict the access rights of Web content.

An attacker may leverage this issue to compromise security of the
affected browser; by exploiting this issue along with others (BIDs
12465 and 12466) it is possible to execute arbitrary code.

It should be noted that although only version 1.0 is reported
vulnerable, other versions may be vulnerable as well.

DNA mkbold-mkitalic Remote Format String Vulnerability
BugTraq ID: 12657
Remote: Yes
Date Published: Feb 25 2005
Relevant URL: http://www.securityfocus.com/bid/12657
Summary:
A remote, client-side format string vulnerability reportedly affects
DNA mkbold-mkitalic.  This issue is due to a failure of the
application to securely implement a formatted printing function.

An attacker may leverage this issue to have arbitrary code executed
with the privileges of an unsuspecting user that processes a malicious
BDF format font file.

Mozilla Suite Multiple Remote Vulnerabilities
BugTraq ID: 12659
Remote: Yes
Date Published: Feb 25 2005
Relevant URL: http://www.securityfocus.com/bid/12659
Summary:
Multiple remote vulnerabilities affect Mozilla Suite, Firefox, and
Thunderbird.  The following text outlines the issues that have been
disclosed.

Mozilla Foundation Security Advisory 2005-28 reports an insecure
temporary directory creation vulnerability affecting the plugin
functionality. A dialog box spoofing vulnerability is disclosed in
Mozilla Foundation Security Advisory 2005-22. A '.lnk' link file
arbitrary file overwrite vulnerability is reported in Mozilla
Foundation Security Advisory 2005-21. Mozilla Foundation Security
Advisory 2005-20 outlines an XSLT stylesheet information disclosure
vulnerability. Mozilla Foundation Security Advisory 2005-19 outlines
an information disclosure issue affecting the form auto-complete
functionality. A buffer overflow vulnerability is disclosed in Mozilla
Foundation Security Advisory 2005-18. Mozilla Foundation Security
Advisory 2005-17 outlines an installation confirmation dialog box
spoofing vulnerability. A heap overflow vulnerability in UTF8 encoding
is outlined in Mozilla Foundation Security Advisory 2005-15.  Finally
multiple SSL 'secure site' lock icon indicator spoofing
vulnerabilities are outlined in Mozilla Foundation Security Advisory
2005-15.

An attacker may leverage these issues to spoof dialog boxes, SSL
'secure site' icons, carry out symbolic link attacks, execute
arbitrary code, and disclose potentially sensitive information.

Please note that this BID will be separated into individual BIDs as
soon as further research into each of the vulnerabilities is
completed. At that time this BID will be retired.

bsmtpd Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 12661
Remote: Yes
Date Published: Feb 25 2005
Relevant URL: http://www.securityfocus.com/bid/12661
Summary:
The bsmtpd daemon is reported prone to a remote arbitrary command
execution vulnerability.

A remote attacker may exploit this condition to execute arbitrary shell
commands in the context of the affected bsmtpd daemon.

NoMachine NX Local X Server Authentication Bypass Vulnerabil...
BugTraq ID: 12663
Remote: No
Date Published: Feb 25 2005
Relevant URL: http://www.securityfocus.com/bid/12663
Summary:
NoMachine NX is prone to a vulnerability that may allow local users to
bypass X server authentication.  The vulnerability presents itself
when the XAUTHORITY environment variable is not set.

This issue has been reported to affect NoMachine NX Server and
derivatives including FreeNX Server.

cmd5checkpw Local Poppasswd File Disclosure Vulnerability
BugTraq ID: 12668
Remote: No
Date Published: Feb 25 2005
Relevant URL: http://www.securityfocus.com/bid/12668
Summary:
cmd5checkpw is reported prone to a vulnerability that can result in
the disclosure of the '/etc/poppasswd' file.

A local user that has knowledge of one of the username/password
combinations stored in the '/etc/poppasswd' file may exploit this
vulnerability to disclose the contents of the 'poppasswd' file.
