[gull-annonces] SecurityFocus Newsletter #208

Marc SCHAEFER schaefer at alphanet.ch
Tue Aug 5 17:01:02 CEST 2003


ManDB Utility Local Buffer Overflow Vulnerability
BugTraq ID: 8278
Remote: No
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8278
Summary:

mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

mandb has been reported prone to a local buffer overflow vulnerability.

It has been reported that a local attacker may exploit this issue to
execute arbitrary instructions with elevated privileges. Specifically,
user 'man' privileges.

The issue likely presents itself due to a lack of sufficient bounds
checking performed on user-supplied data. Although unconfirmed, it has
been conjectured that user-supplied data copied into an insufficiently
sized memory buffer may overflow the bounds of that buffer and corrupt
saved values that are crucial to program execution flow control.

The attacker may exploit this issue to influence execution flow of the
vulnerable utility and have arbitrary attacker specified instructions
executed inline.

It should be noted that although the mandb utility is installed with
setuid root privileges by default, this issue has been reported to be only
exploitable to attain user 'man' privileges.

Additionally, although this vulnerability has been reported to affect man
version 2.3.19, other versions may also be affected.

FreeRadius Chap Remote Buffer Overflow Vulnerability
BugTraq ID: 8282
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8282
Summary:

FreeRADIUS is a freely available, open source implementation of the RADIUS
protocol.  It is available for the Unix and Linux operating systems.

A problem with FreeRADIUS has been reported when handling CHAP requests.
Because of this, an attacker may be able to gain unauthorized access to a
system using the vulnerable software.

Specific details about the vulnerability are not currently available.  It
is known that the problem in CHAP may be exploited to execute code with
the privileges of the FreeRADIUS server.  This could give the attacker
access to the system with the privileges of the FreeRADIUS server.

University of Minnesota GopherD Do_Command Buffer Overflow Vulnerability
BugTraq ID: 8283
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8283
Summary:

gopherd is the implementation of the Gopher Protocol Daemon by the
University of Minnesota. It is available for the Unix and Linux platforms.

It has been reported that University of Minnesota gopherd is vulnerable to
a remotely exploitable boundary condition error. This may make it possible
for an attacker to gain unauthorized access to a host using the vulnerable
software.

The problem is in the do_command function of the Gopherd.c file.  Due to
insufficient bounds checking on the user-supplied data, it is possible for
an attacker to overwrite sensitive process memory.  This could result in
the execution of arbitrary instructions with the privileges of the gopher
daemon process.

Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability
BugTraq ID: 8290
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8290
Summary:

The Cisco Aironet AP1x00 is a series of wireless access point devices.

Cisco Aironet AP1x00 series devices are prone to a denial of service
vulnerability upon receipt of a malformed HTTP GET request.  This issue
exists in the web administrative interface for affected devices.  Such a
request will cause the device to reload.  It is possible to cause a
prolonged denial of service by repeatedly sending such requests to an
affected device.  This could be exploited to deny availability of a WLAN
that depends on the device.

[ hardware ]

Cisco Aironet Telnet Service User Account Enumeration Weakness
BugTraq ID: 8292
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8292
Summary:

Aironet is the Wireless Access Point solution distributed and maintained
by Cisco.

An information leak has been reported in Cisco Aironet Access Points when
the telnet service has been enabled.  This may allow a remote attacker to
gain potentially sensitive information.

The problem is in the response of the telnet daemon.  A typical
implementation returns the same response to a failed authentication
attempt whether or not the user name is valid.  However, when an invalid
username is sent to the Aironet telnet daemon, the daemon responds with a
"% Login invalid" message, allowing the attacker to gather a list of valid
user names on the target device.
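The mitigation for the weakness above is a login path whose failure response does not depend on whether the user name exists. The following C program is an added illustration, not Cisco code: the account table, the toy hash and the passwords are constructed for the example, and both failure paths return the identical message and perform a password comparison.

```c
#include <stdint.h>
#include <string.h>

/* Toy hash (FNV-1a) standing in for a real password hash; for illustration only. */
static uint64_t toy_hash(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Constructed account table: returns the stored hash for name, or 0 if unknown. */
static uint64_t stored_hash(const char *name) {
    if (strcmp(name, "admin") == 0)    return toy_hash("admin-pw-constructed");
    if (strcmp(name, "operator") == 0) return toy_hash("operator-pw-constructed");
    return 0;
}

/* Branch-free 64-bit equality test: no early exit on the first differing bit. */
static int ct_equal(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(~d & 1);
}

/* Returns the line the daemon should answer with.  "Unknown user" and
 * "wrong password" yield the same string (unlike the "% Login invalid"
 * message described above), and the unknown-user path still performs a
 * hash comparison against a dummy value so both failures do similar work. */
const char *login(const char *name, const char *password) {
    uint64_t expected = stored_hash(name);
    int known = expected != 0;
    if (!known)
        expected = toy_hash("dummy-never-matches-constructed");
    int ok = ct_equal(expected, toy_hash(password));
    ok &= known;                       /* a dummy match must never log in */
    return ok ? "Login OK" : "Login failed";
}
```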

[ hardware ]

Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
BugTraq ID: 8287
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8287
Summary:

mod_mylo is a third party module for Apache HTTP server. The module is
designed to log data into a MySQL database in addition to standard
logging.

mod_mylo has been reported prone to remotely exploitable buffer overflow
vulnerability.

The issue presents itself due to insufficient bounds checking performed on
HTTP requests before the HTTP request string is copied into a buffer in
memory. Data in excess of the size of the buffer will corrupt adjacent
memory. Because memory adjacent to this buffer has been reported to store
a saved instruction pointer, it is possible for a remote attacker to
influence program execution flow. Ultimately a remote attacker may exploit
this condition to execute arbitrary instructions in the context of the
Apache HTTP server.

This issue has been reported to affect mod_mylo version 0.2.1 and all
versions prior.

Mini SQL Remote Format String Vulnerability
BugTraq ID: 8295
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8295
Summary:

Mini SQL (mSQL) is a relational database management system.

mSQL has been reported prone to a remotely exploitable format string
vulnerability.

Reportedly a remote attacker may send malicious format specifiers to
trigger the issue. This issue is due to erroneous use of a formatting
function, which allows format specifiers to be supplied by an external
source, in this case a remote user. By passing specially crafted format
specifiers through a session, an attacker may corrupt process memory and
thereby gain the ability to execute arbitrary code with the privileges of
the affected daemon, which is typically root.

This vulnerability has been reported to affect mSQL version 1.3 and all
prior versions; other versions may also be affected.
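The defect class described in this entry is a formatting call whose format argument comes from the client. The C code below is an added example, not mSQL code: it shows the safe shape of such a logging call, where the format is a constant and the untrusted data is bound to a single "%s", plus a helper for the case where data must later pass through a legacy API that treats its argument as a format. The message prefix is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape, shown as a comment only:
 *     snprintf(out, n, untrusted);
 * Here the client-supplied string *is* the format, so any "%x", "%s" or
 * "%n" it contains is interpreted, reading or writing process memory. */

/* Hardened logging: the format is a constant and the untrusted data is
 * bound to one "%s" conversion, so specifiers inside it stay inert.
 * Returns the length the full message would need, as snprintf() does,
 * so the caller can detect truncation. */
int log_client_msg(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "msql-daemon: client sent: %s", untrusted);
}

/* When a string must later be handed to an API that treats it as a format
 * (some legacy logging calls), neutralise it first by doubling every '%'.
 * Returns 0 on success, -1 if out is too small for the escaped result. */
int escape_percent(const char *in, char *out, size_t out_size) {
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= out_size)
            return -1;                    /* keep room for the terminator */
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return 0;
}
```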

KDE Konqueror HTTP REFERER Authentication Credential Leak Vulnerability
BugTraq ID: 8297
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8297
Summary:

Konqueror is a freely available, open source web browser distributed and
maintained by the KDE project.  It is available for the Unix and Linux
operating systems.

It has been reported that a problem in KDE Konqueror may result in the
leak of authentication credentials through the HTTP REFERER header field.
This could result in an attacker gaining unauthorized access to
authentication information.

When a user visits a site that keeps the authentication credentials in the
URL and then follows a link to another site, the browser passes the
credential-bearing URL to the linked site in the HTTP Referer header, where
it appears in that site's referrer log.  This could result in unauthorized
access to the user account on the referring site.
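One defence against this leak is to strip the userinfo component from a URL before the URL is used as a Referer value. The C code below is an added example, not Konqueror or KDE code; the sample URLs in the comments and tests are constructed.

```c
#include <string.h>

/* Copies url into out (capacity out_size) with any "user:pass@" removed
 * from the authority component.  Only the authority, the text between
 * "://" and the next '/', '?' or '#', is inspected, so an '@' in the path
 * or query is left untouched.  Returns 0 on success, -1 if out is too small.
 * Example: "http://alice:s3cret@example.com/page" -> "http://example.com/page" */
int strip_userinfo(const char *url, char *out, size_t out_size) {
    const char *auth = strstr(url, "://");
    const char *auth_end;
    const char *at = NULL;
    size_t prefix_len;

    if (strlen(url) >= out_size)
        return -1;                    /* the result is never longer than the input */
    if (!auth) {
        strcpy(out, url);             /* no authority: nothing to strip */
        return 0;
    }
    auth += 3;
    auth_end = auth + strcspn(auth, "/?#");
    /* the last '@' inside the authority separates userinfo from the host */
    for (const char *p = auth; p < auth_end; p++)
        if (*p == '@')
            at = p;
    if (!at) {
        strcpy(out, url);
        return 0;
    }
    prefix_len = (size_t)(auth - url);       /* "scheme://" */
    memcpy(out, url, prefix_len);
    strcpy(out + prefix_len, at + 1);        /* host and everything after it */
    return 0;
}

/* Returns 1 if the URL carries userinfo, i.e. embedded credentials that a
 * browser must not forward through the Referer header, 0 otherwise. */
int has_userinfo(const char *url) {
    const char *auth = strstr(url, "://");
    if (!auth)
        return 0;
    auth += 3;
    const char *auth_end = auth + strcspn(auth, "/?#");
    return memchr(auth, '@', (size_t)(auth_end - auth)) != NULL;
}
```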

Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of Service 
Vulnerability
BugTraq ID: 8298
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8298
Summary:

XDR (External Data Representation) is a protocol governing the platform
independent description and encoding of data, in this particular case it
is used in conjunction with the Linux implementation of NFSv3 (Network
File System), used to share system based resources across a network. NFS
uses XDR to describe the format of its data.

Linux Kernel 2.4 XDR handler routines for NFSv3 have been reported prone
to a remote denial of service vulnerability.

The issue presents itself in the decode_fh XDR handler routine contained
in the nfs3xdr.c kernel source file. The issue is due to a signed/unsigned
mismatch, when processing the size field of an XDR packet.

A malicious attacker may bypass the signed sanity check
(if (size > NFS3_FHSIZE)) of the decode_fh XDR handler routine by crafting
an XDR packet whose size field holds the two's complement representation
of -1, 0xFFFFFFFF. This value is then passed to memcpy() as its size
parameter, where it is interpreted as the unsigned value 0xFFFFFFFF
(4 GB); the massive memcpy operation will trigger a kernel panic.
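The signed/unsigned mismatch described above, side by side with the corrected check, as an added C example that is not Linux kernel code. NFS3_FHSIZE is defined here to 64, which matches the kernel constant; the packet bytes in the tests are constructed. The conversion of 0xFFFFFFFF to int is implementation-defined in C, and on the two's complement targets Linux runs on it yields -1.

```c
#include <stdint.h>
#include <string.h>

#define NFS3_FHSIZE 64   /* NFSv3 file handle size limit; 64 matches the Linux constant */

/* Vulnerable pattern: the length read off the wire is held in a signed
 * int, so the wire value 0xFFFFFFFF becomes -1 and "size > NFS3_FHSIZE"
 * is false.  Returns 1 if the check accepts the length (the caller would
 * then call memcpy() with (size_t)size, about 4 GB), 0 if it rejects it. */
int decode_fh_check_signed(uint32_t wire_size) {
    int size = (int)wire_size;            /* signed/unsigned mismatch */
    if (size > NFS3_FHSIZE)
        return 0;
    return 1;
}

/* Hardened pattern: keep the length unsigned, so every value above
 * NFS3_FHSIZE, 0xFFFFFFFF included, is rejected before any copy. */
int decode_fh_check_unsigned(uint32_t wire_size) {
    if (wire_size > NFS3_FHSIZE)
        return 0;
    return 1;
}

/* Decode one file handle from an XDR buffer using the hardened check.
 * buf holds a 4-byte big-endian length followed by the handle bytes and
 * buf_len is the number of bytes actually received.  Copies the handle
 * into fh (capacity NFS3_FHSIZE) and returns its length, or -1 if the
 * length is oversize or the packet is truncated. */
int decode_fh_safe(const unsigned char *buf, size_t buf_len, unsigned char *fh) {
    if (buf_len < 4)
        return -1;
    uint32_t size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (!decode_fh_check_unsigned(size))
        return -1;                        /* oversize, 0xFFFFFFFF included */
    if (buf_len - 4 < size)
        return -1;                        /* length exceeds received data */
    memcpy(fh, buf + 4, size);
    return (int)size;
}
```

The second check in decode_fh_safe matters as much as the first: even a length within NFS3_FHSIZE must not exceed the bytes actually present in the packet, or the copy reads past the receive buffer.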

It has been reported that the target host may need an accessible exported
directory, if this vulnerability is to be successfully exploited. It
should be noted that other methods to trigger the vulnerability might also
be possible.

This vulnerability has been reported to affect the Linux 2.4 kernel tree.

NetScreen ScreenOS TCP Window Size Remote Denial Of Service Vulnerability
BugTraq ID: 8302
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8302
Summary:

NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.

NetScreen ScreenOS has been reported prone to a vulnerability that may
allow a remote user to trigger a denial of service condition in an
affected appliance.

It has been reported that by modifying the system configuration values
that control the TCP window size and then connecting to the target
appliance, an attacker may trigger a denial of service in the remote
appliance.

It has been reported that the issue only affects NetScreen appliances that
are configured to use management services such as HTTP, SSH or Telnet.

This issue only affects some ScreenOS 4.0.1rx and 4.0.3rx releases.
NetScreen IDP, NetScreen Firewall/VPN products running ScreenOS 3.x and
earlier, 4.0.0, and 4.0.2 are not vulnerable.  The vendor has supplied
upgrades for affected versions.

[ hardware ]
 
Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
BugTraq ID: 8303
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8303
Summary:

mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

mandb has been reported to be affected by multiple buffer overflow
vulnerabilities.

These issues present themselves in the ult_src(), add_to_dirlist(),
test_for_include() functions and in the PATH/MANPATH argument handler of
mandb.

The issues are due to insufficient bounds checking performed on
user-supplied data before it is copied into reserved buffers in memory. A
local attacker may supply excessive data in a manner sufficient to trigger
these issues and in doing so corrupt arbitrary memory. It has been
conjectured that an attacker may ultimately exploit this issue to execute
arbitrary instructions, with elevated privileges.

Code execution would occur in the context of the mandb utility, typically
user 'man'.

This BID will be split up into unique BIDs as these issues are analyzed in
further detail.
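The mandb overflows in this entry and in BID 8278, the gopherd do_command overflow (BID 8283) and the mod_mylo request string overflow (BID 8287) all share one root cause: user-supplied data copied into a fixed-size buffer without a length check. The following C code is an added example rather than code from any of those projects; the buffer size, the request strings and the PATH-style input are constructed for the example.

```c
#include <string.h>

#define REQSTR_MAX 256   /* fixed buffer size chosen for the example */

/* Vulnerable shape, as a comment only:
 *     char reqstr[REQSTR_MAX];
 *     strcpy(reqstr, request);      // no length check
 * Input longer than REQSTR_MAX-1 bytes writes past reqstr into adjacent
 * stack data, such as the saved instruction pointer the entries above
 * describe. */

/* Hardened copy: measure first, refuse oversize input instead of silently
 * truncating it, and always NUL-terminate.  Returns 0 on success, -1 if
 * the input does not fit. */
int copy_reqstr(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;                        /* would overflow: reject the request */
    memcpy(dst, src, len + 1);            /* includes the terminator */
    return 0;
}

/* Same discipline for a PATH/MANPATH-style colon-separated list: every
 * element is bounds-checked before it is stored.  Returns the number of
 * elements stored in elems, or -1 if an element exceeds REQSTR_MAX-1
 * bytes or there are more than max_elems of them. */
int split_path_checked(const char *path, char elems[][REQSTR_MAX], int max_elems) {
    int n = 0;
    const char *p = path;
    while (*p) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len >= REQSTR_MAX || n >= max_elems)
            return -1;
        memcpy(elems[n], p, len);
        elems[n][len] = '\0';
        n++;
        if (!sep)
            break;
        p = sep + 1;
    }
    return n;
}
```

Rejecting rather than truncating is deliberate: a silently shortened path or request string may still be used by the program in a way the caller did not intend, whereas a refused request is visible in logs and fails closed.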



