[linux-leman-annonces] Summary of SecurityFocus Newsletter #194

Marc SCHAEFER schaefer at alphanet.ch
Tue Apr 29 18:24:02 CEST 2003


Xinetd Rejected Connection Memory Leakage Denial Of Service Vulnerability
BugTraq ID: 7382
Remote: Yes
Date Published: Apr 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7382
Summary:

Xinetd is intended as a secure replacement for inetd. It is designed for
use with Linux and Unix variant operating environments.

A denial of service vulnerability has been reported for Xinetd. The
vulnerability exists due to memory leaks occurring when connections are
rejected. This issue was reported to occur in the svc_request() function
of the service.c source file where some allocated memory is not properly
freed when a connection is rejected.

An attacker can exploit this vulnerability by repeatedly connecting to a
Xinetd server and having the connection rejected. This will result in a
memory exhaustion issue that will result in a denial of service condition.

This vulnerability was reported for Xinetd prior to 2.3.11.
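The shape of the bug above, as an added example that is not xinetd's code: a request record is taken at the top of the handler, the rejection branch returns early and skips the release, and once the (constructed, 64-slot) request pool is exhausted even legitimate clients get no service. The pool, the peer addresses and the access rule are constructed stand-ins for xinetd's real allocator and no_access logic.

```c
#include <string.h>

#define POOL_SLOTS 64       /* constructed: all the request memory the daemon has */

struct conn_request { char peer[16]; int in_use; };
static struct conn_request pool[POOL_SLOTS];

/* Counting allocator: lets the caller see what is still outstanding.  A
 * production daemon shows the same thing as ever-growing RSS. */
static struct conn_request *request_new(const char *peer) {
    int i;
    for (i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            strncpy(pool[i].peer, peer, sizeof pool[i].peer - 1);
            return &pool[i];
        }
    return NULL;                    /* exhausted: the denial of service */
}
static void request_free(struct conn_request *r) { r->in_use = 0; }
int live_requests(void) {
    int i, n = 0;
    for (i = 0; i < POOL_SLOTS; i++) n += pool[i].in_use;
    return n;
}
void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Constructed stand-in for xinetd's access-control decision. */
static int access_denied(const char *peer) { return strcmp(peer, "10.0.0.66") == 0; }

/* Leaky shape: the rejection branch returns early and skips the release.
 * Returns 1 accepted, 0 rejected, -1 no memory left. */
int svc_request_leaky(const char *peer) {
    struct conn_request *r = request_new(peer);
    if (!r) return -1;
    if (access_denied(peer)) return 0;  /* BUG: r is never freed */
    request_free(r);                    /* only the accept path releases it */
    return 1;
}

/* Fixed shape: the request is released on every path, reject included. */
int svc_request_fixed(const char *peer) {
    struct conn_request *r = request_new(peer);
    int accepted;
    if (!r) return -1;
    accepted = !access_denied(peer);
    request_free(r);                    /* runs for both outcomes */
    return accepted;
}
```

Watching live_requests() after a burst of rejected connections is the check: it must return to zero.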

Mod_NTLM Authorization Heap Overflow Vulnerability
BugTraq ID: 7388
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7388
Summary:

mod_ntlm is an Apache module which implements NTLM authentication. It is
available for Apache 2.0.x and 1.3.x on the Linux operating system.

The mod_ntlm Apache module has been reported prone to a heap overflow
vulnerability.

The vulnerability is due to a lack of sufficient bounds checking performed
on user-supplied data, stored in a 2048 byte buffer within heap memory.

Specifically, an insecure 'vsprintf()' function call is made within the
mod_ntlm 'log()' function. The call to 'vsprintf()' copies user-supplied
authorization data without carrying out sufficient bounds checking. As a
result, excessive data may be copied into the 2048 byte buffer, resulting
in the corruption of sensitive memory management information.

By modifying an adjacent malloc header to contain malicious values, it may
be possible for an attacker to overwrite sensitive locations in memory
when a subsequent call to free() is made. As a result, it may be possible
for an attacker to execute arbitrary instructions, with the privileges of
the Apache server.

This vulnerability is reported to affect mod_ntlm v0.4 for Apache 1.3 and
mod_ntlmv2 version 0.1 for Apache 2.0. Although unconfirmed, previous
versions may also be affected.

Mod_NTLM Authorization Format String Vulnerability
BugTraq ID: 7393
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7393
Summary:

mod_ntlm is an Apache module which implements NTLM authentication. It is
available for Apache 2.0.x and 1.3.x on the Linux operating system.

A format string vulnerability has been discovered in the mod_ntlm Apache
module. The issue occurs when processing authorization information located
in HTTP headers.

The problem occurs in a call to ap_log_rerror(), by the log() function,
without including format specifier arguments. As a result, it may be
possible for a remote attacker to embed their own specifiers within
authorization data. This may allow for an attacker to write to sensitive
locations in memory.

It should be noted that the exploitability of this issue to execute
arbitrary code may be hindered by various system specific limitations. As
a result, exploitation may only result in a denial of service.

This vulnerability was reported in mod_ntlm <= 0.4 and mod_ntlm2 0.1.
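Both mod_ntlm issues (the heap overflow above and this format string bug) sit in the same logging path, so one added example covers both; it is not mod_ntlm's code. log_sink() is an assumed stand-in for ap_log_rerror() (httpd is not linked here), and NTLM_LOG_BUF is the 2048-byte size named in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NTLM_LOG_BUF 2048   /* size of the heap buffer named in the advisory */

/* Stand-in for ap_log_rerror() (assumption: httpd is not linked here).
 * Like the real call it takes a printf-style format plus arguments, which
 * is exactly why caller data must never be passed in the fmt position. */
static void log_sink(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* The vulnerable shape, kept as a comment so it is never compiled:
 *
 *   char *buf = malloc(NTLM_LOG_BUF);
 *   vsprintf(buf, fmt, ap);   // no bound: >2048 bytes spill into the heap
 *   log_sink(buf);            // caller text becomes the format string
 *   free(buf);                // a corrupted malloc header is consumed here
 */

/* Hardened shape.  vsnprintf() never writes past outsz and returns the
 * length the full message would have had, so truncation is detectable;
 * the finished text is then passed as an argument to a literal "%s".
 * Returns that length, or -1 on a formatting error. */
int ntlm_log_safe(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= outsz)
        fprintf(stderr, "ntlm: log line truncated (%d bytes needed)\n", needed);
    log_sink("%s", out);           /* out is data here, never a format */
    return needed;
}
```

An oversized Authorization value is cut at 2047 bytes and reported, and a value containing printf specifiers is logged verbatim instead of being interpreted.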

MIME-Support Package Insecure Temporary File Creation Vulnerability
BugTraq ID: 7403
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7403
Summary:

The mime-support package contains a variety of MIME applications and
tools. It is available for the Linux operating system.

A vulnerability has been discovered in the run-mailcap application
included with mime-support. The problem occurs due to invalid sanity
checks when creating temporary files.

By populating the /tmp directory with symbolic links which point to
sensitive system files, it may be possible for an unprivileged user to
corrupt arbitrary files. As a result, an unprivileged user may be capable
of rendering a target system unusable or possibly gain elevated
privileges.

This vulnerability affects run-mailcap included in mime-support version
3.21 and earlier.

SAP Database Development Tools INSTDBMSRV INSTROOT Environment Variable Vulnerability
BugTraq ID: 7407
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7407
Summary:

SAP DB is a free database software package for Unix, Linux, and Microsoft
Operating Systems.

It has been reported that a vulnerability exists in the SAP Database
program instdbmsrv. Because of this, a local attacker may be able to gain
elevated privileges.

The problem is in the handling of input from untrusted sources. When
executed, the instdbmsrv program checks the INSTROOT environment variable
for the location of the pgm/dbmsrv program. The permissions of the dbmsrv
program are changed to give the program setuid root privileges when the
instdbmsrv is executed. An attacker could modify the INSTROOT environment
variable locally to point to an arbitrary directory. When the instdbmsrv
program is executed, an attacker-supplied version of the dbmsrv program
would be changed to setuid root.

This could result in an attacker gaining local administrative privileges.

SAP Database Development Tools INSTLSERVER INSTROOT Environment Variable Vulnerability
BugTraq ID: 7408
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7408
Summary:

SAP DB is a free database software package for Unix, Linux, and Microsoft
Operating Systems.

It has been reported that a vulnerability exists in the SAP Database
program instlserver. Because of this, a local attacker may be able to gain
elevated privileges.

The problem is in the handling of input from untrusted sources. When
executed, the instlserver program checks the INSTROOT environment variable
for the location of the pgm/lserver program. The permissions of the
lserver program are changed to give the program setuid root privileges
when the instlserver is executed. An attacker could modify the INSTROOT
environment variable locally to point to an arbitrary directory. When the
instlserver program is executed, an attacker-supplied version of the
lserver program would be changed to setuid root.

This could result in an attacker gaining local administrative privileges.

[ a proprietary anti-virus for Linux appears to be attackable ]
