[gull-annonces] Résumé SecurityFocus Newsletter # 209

Marc SCHAEFER schaefer at alphanet.ch
Tue Aug 12 23:11:01 CEST 2003


Multiple Atari800 Emulator Local Buffer Overflow Vulnerabili...
BugTraq ID: 8322
Remote: No
Date Published: Jul 31 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8322
Summary:
atari800 is multi platform Atari 800, 800XL, 5200 and 130XE emulator
software developed for Unix, WinCE, MS-DOS, Atari TT/Falcon, SDL and Amiga
platforms.

atari800 emulator has been reported prone to multiple local buffer overflow
vulnerabilities.

The issues are likely due to insufficient bounds checking performed on
user-supplied data before it is copied into reserved buffers in memory. A
local attacker may supply excessive data in a manner sufficient to trigger
these issues and in doing so corrupt arbitrary memory. Because atari800
requires direct access to graphic devices, it has been reported that one of
the affected applications is setuid root. Therefore, it has been reported
that a local attacker may exploit this condition to gain local root access.

It should be noted that although version 1.2.2 and prior have been reported
vulnerable, other versions are also likely to be prone to this issue.

Cisco IOS UDP Echo Service Memory Disclosure Vulnerability
BugTraq ID: 8323
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8323
Summary:
IOS is the router operating system maintained and distributed by Cisco Systems.

Under some circumstances Cisco IOS UDP Echo Service may leak sensitive
memory contents to remote attackers.

It has been reported that, if the udp-small-servers command is enabled, a
Cisco appliance running IOS may answer malicious malformed UDP echo packets
with replies that contain partial contents from the affected router's memory.

It has been reported that a remote attacker may repeat this process to
disclose portions of data stored in the router's memory. This could expose
sensitive information that may be useful in mounting other attacks.

**Update: This issue may be exploited in conjunction with other
vulnerabilities, as is demonstrated in BID 8373. In BID 8373, memory
disclosed through the exploitation of the UDP Echo Service, is used to
assist in the successful exploitation of the IOS HTTP 2GB Buffer Overflow
vulnerability. 

The vendor has reported that the udp-small-servers command is disabled by
default since IOS 11.2(1). Additionally, IOS 12.1, 12.2, and 12.3 based
images are not reported to be affected by this issue.

[ firmware ]

CDRTools RSCSI Debug File Arbitrary Local File Manipulation ...
BugTraq ID: 8328
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8328
Summary:
rscsi is a helper component of the cdrtools package.

It has been reported that a local attacker may invoke the rscsi utility
against an attacker-specified file. The attacker may accomplish this by
supplying an rscsi 'debug file' argument that points to a file that already
exists, to the affected utility. This action will have the effect of
causing the group ownership of the target file to be modified. The changes
will reflect the group of which the individual invoking the rscsi utility
is a member. Additionally, the target file contents will be corrupted with
data that may be influenced by the attacker.

Because the rscsi utility is installed with setuid 'root' permissions by
default, a local attacker may harness this vulnerability to achieve
elevated privileges.

This vulnerability has been reported to affect the version 2.x branch of
cdrtools, and all previous versions.

Linux Netfilter NAT Remote Denial of Service Vulnerability
BugTraq ID: 8330
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8330
Summary:
The Netfilter project maintains the packet filter component of the Linux
kernel.  A fix for a denial of service vulnerability has been reported by
the Netfilter project.  

The vulnerability is present on systems with the ip_nat_ftp or ip_nat_irc
modules loaded or with a kernel built supporting options
CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC.  These optional subcomponents
implement limited stateful inspection of the FTP and IRC application
protocols, allowing for features such as active mode FTP and DCC through NAT.

A remotely exploitable denial of service vulnerability exists when at least
one of these features is enabled and communication to FTP/IRC servers is
permitted.

Version 2.4.20 of the Linux kernel is confirmed vulnerable.  A patch is
available.  According to the Netfilter team, the 2.4.20 kernels shipped
with Red Hat Linux include the patch.


Netfilter Connection Tracking Denial of Service Vulnerabilit...
BugTraq ID: 8331
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8331
Summary:
The Netfilter project maintains the packet filter component of the Linux
kernel.  A fix for a denial of service vulnerability has been reported by
the Netfilter project.  

The vulnerability is present on systems with support for connection
tracking enabled.  Connection tracking allows for the firewall to identify
which packets belong to established connections.  Linux 2.4.20 systems with
kernels built supporting the CONFIG_IP_NF_CONNTRACK option or with the
ip_conntrack module loaded are vulnerable.  Other kernel versions are not
affected.

The vulnerability is due to the introduction into the Linux 2.4.20 kernel
of a new generic linked list implementation.  The reliance on the previous
linked list implementation resulted in a condition which could result in a
denial of service.

A patch has been released that removes dependence on a specific kernel
linked list API.

mindi Temporary File Creation Vulnerabilities
BugTraq ID: 8332
Remote: No
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8332
Summary:
Mindi is a program for creating boot/root disks that is maintained by Hugo
Robson.

Debian has reported that Mindi is affected by several temporary file
creation vulnerabilities that could allow for corruption of local files
and, possibly, elevation of privileges.  Throughout its operation, mindi
creates numerous files in /tmp with predictable filenames.  Because /tmp is
world-writeable, symbolic link attacks are possible.  Some of the temporary
file filenames are static and can be predicted with certainty and others
are based on process IDs.

If malicious local attackers know that another user on the system is going
to run mindi, symbolic links with anticipated filenames can be created in
/tmp.  If the file pointed to by the symbolic link is writeable by the user
running mindi, the file will be overwritten or deleted if the attacker
chose the correct filenames.  If the contents can be controlled by the
attacker, privilege escalation may be possible.  As there are numerous
temporary files, different attack channels may yield different consequences.

Debian has issued fixes.

Multiple Postfix Denial of Service Vulnerabilities
BugTraq ID: 8333
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8333
Summary:
Postfix is a free, open-source mailer that was designed to be an
alternative to Sendmail. It is written and maintained by Wietse Venema. 

Debian has reported two vulnerabilities in the Postfix mail transfer agent.
The first vulnerability, CAN-2003-0468, can allow for an adversary to
"bounce-scan" a private network.  It has also been reported that this
vulnerability can be exploited to use the server as a distributed denial of
service tool.  This is reportedly possible through forcing the server to
connect to an arbitrary port on an arbitrary host.

The second vulnerability, CAN-2003-0540, is another denial of service.  It
can be triggered by a malformed envelope address and can cause the queue
manager to lock up until the message is removed manually from the queue. 
It is also reportedly possible to lock the SMTP listener, also resulting in
a denial of service.

This BID has been divided into BIDs 8361 and 8362 and is being retired.


NetBSD Kernel OSI Packet Handler Remote Denial Of Service Vu...
BugTraq ID: 8340
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8340
Summary:
It has been reported that NetBSD systems that have OSI networking support
compiled into their kernel are prone to a remote denial of service
vulnerability.

The issue exists because the error-reporting functions invoked by a
netiso-enabled kernel do not, under some circumstances, comply with the
requirements of the BSD networking stack.

When the kernel processes an OSI packet that is sufficient to trigger the
generation of an error indication response packet, one of two outcomes may
occur. If the kernel has been compiled with "options DEBUG", a kernel panic
may result and the kernel will report this condition. Otherwise the system
may crash unpredictably.

This is because the function that is responsible for crafting error
indication response packets was not converted to use a "PKTHDR" mbuf, which
is the standard for the BSD networking stack.

It has been reported that this issue does not affect systems that do not
have OSI networking support installed and an OSI network address assigned.


Man-db DEFINE Arbitrary Command Execution Vulnerability
BugTraq ID: 8341
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8341
Summary:
man-db is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

man-db could allow a local user to execute commands with elevated privileges.

This occurs because man-db allows commands to be executed through the
DEFINE directive even if it is running setuid "man".  This would allow a
local user to execute any command with "man" privileges.

It is important to note that man-db is not installed setuid by default. 
This vulnerability is only present if man-db was installed setuid "man".

gURLChecker HTML Parser Denial Of Service Vulnerability
BugTraq ID: 8348
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8348
Summary:
gURLChecker is software that can validate web links.  It is available for
Unix and Linux variants.

gURLChecker is reported to be prone to a denial of service vulnerability. 
This issue is exposed when the HTML parser (html_parser.c) included with
the software encounters specifically malformed HTML tags of excessive
length.  The issue appears to be present in the
uc_html_parser_get_attributes() function.  This could be exploited to cause
gURLChecker to crash if the software is used to access an untrusted web
page that contains code designed to trigger the condition.  

Though unconfirmed, this condition could result in memory corruption.  Due
to the nature of memory corruption issues, it may be possible to exploit
this issue to execute arbitrary code in the context of the software.

Webware WebKit Cookie String Command Execution Vulnerability
BugTraq ID: 8349
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8349
Summary:
Webware is an application suite which provides tools for development of
web-based applications.  It is implemented in Python.

Webware ships with a component entitled WebKit that provides Python classes
for dynamically generating web server content.

The Webware WebKit component is prone to a vulnerability that may allow for
execution of malicious commands.  This issue is due to usage of
SmartCookie, which is provided in the CookieEngine module.  SmartCookie
will attempt to unpickle malicious client-supplied cookie strings.  This
could result in the Python pickle module executing malicious code contained
in cookie-strings.

A remote attacker could potentially exploit this issue to execute malicious
commands with the privileges of the software.
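An added illustration of the class of bug described above, not code from the newsletter or from the Webware project: a server that unpickles a client-supplied cookie lets the pickle stream name any importable callable. The block below shows a restricting unpickler that rejects every global reference (a harmless datetime.date instance stands in for the hostile case), and the safer design of carrying plain JSON under an HMAC tag; the key and cookie values are constructed for the demo.

```python
import hashlib
import hmac
import io
import json
import pickle
from base64 import b64decode, b64encode
from datetime import date


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference.

    A pickle stream may name any importable callable and have the loader
    call it, so a cookie that is unpickled verbatim can run code chosen by
    the client.  Refusing find_class() limits the stream to plain data.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_cookie_restricted(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


# Constructed sample cookies (not taken from the advisory).
PLAIN = pickle.dumps({"user": "alice", "cart": [1, 2, 3]})
# A pickle that references a global: here a harmless datetime.date, but a
# hostile stream names a different callable in exactly the same position.
WITH_GLOBAL = pickle.dumps(date(2003, 8, 1))


def unpickle_is_safe(raw: bytes) -> bool:
    try:
        load_cookie_restricted(raw)
        return True
    except pickle.UnpicklingError:
        return False


# Safer design: plain JSON plus an HMAC tag, so the server only accepts
# cookie values it issued itself.  SECRET is an assumed server-side key.
SECRET = b"constructed-demo-key"


def encode_cookie(data: dict) -> str:
    body = b64encode(json.dumps(data, separators=(",", ":")).encode())
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def decode_cookie(value: str):
    body, _, tag = value.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged cookie
    return json.loads(b64decode(body))
```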

ERoaster Local Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 8350
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8350
Summary:
eroaster is a freely available graphical frontend to cdrecord.  It is
available for the Linux operating system.

A problem has been reported in the secure creation of temporary files by
the eroaster application.  This may allow an attacker to overwrite files
belonging to the eroaster user.

Few details are available about this vulnerability.  However, it is
theorized that this issue results from inadequate checks on the existence
of a predictable temporary file prior to an attempt to create the file
during program execution.  By creating a symbolic link, an attacker could
potentially destroy data at the end of the symbolic link, or perform other
nefarious deeds.

ManDB Compressor Binary Substitution Vulnerability
BugTraq ID: 8352
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8352
Summary:
mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

mandb is prone to a vulnerability that may permit local attackers to gain
elevated privileges.  The source of this issue is that local users are able
to specify an arbitrary program as the location for a compressor utility
for cat files.  In particular, the open_cat_stream() function call will be
made while the program still has privileges.  By specifying a malicious
program, the attacker can cause arbitrary code execution with the
privileges of mandb.  mandb typically executes with the privileges of user
'man'.

D-Link DI-704P Long URL Denial Of Service Vulnerability
BugTraq ID: 8355
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8355
Summary:
The D-Link DI-704P is an Internet Broadband Gateway device. The DI-704P
provides a method to share a single broadband Internet connection and share
a single printer among systems connected to the local network.

D-Link DI-704P has been reported prone to a remote denial of service
vulnerability. 

The issue presents itself when a request of excessive length is sent to the
router. It has been reported that when a URL of excessive length is
requested, the device behaves in an unstable manner. This may result in a
complete denial of service condition requiring a device reboot, or the loss
of the ability to log in to the administration interface.

Although unconfirmed, it should be noted that other D-Link devices that use
related firmware might also be affected.

[ hardware ]

Cisco Content Service Switch ONDM Ping Failure Denial Of Ser...
BugTraq ID: 8358
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8358
Summary:
Cisco Content Service Switch is an appliance designed to provide a
front-end for server farms and cache clusters.

It has been reported that under certain circumstances, it may be possible
for remote attackers to force the System Controller Module (SCM) on Cisco
Content Service Switches to reboot. A component on the device known as the
Online Diagnostics Monitor (ONDM) periodically sends out ping packets to
all SFP cards present on the device to ensure functionality. In the event
that a reply is not received, the SCM will reboot the device. 

Remote attackers may be able to perform a SYN flood attack against the
device by directing a large amount of data to the circuit IP address of the
Content Service Switch. This may prevent delivery of these diagnostic ping
packets, causing the router to believe the component is not functional and
cause the SCM to reboot.

[ hardware ]

Postfix Connection Proxying Vulnerability
BugTraq ID: 8361
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8361
Summary:
Postfix is a free, open-source mailer that was designed to be an
alternative to Sendmail. It is written and maintained by Wietse Venema. 

A vulnerability has been reported in Postfix that may allow an adversary to
"bounce-scan" a private network.  

The problem is in handling an attempt to deliver a message to an address
with the following format:

<[server_ip]:service!@local-host-name>  

This will cause the server to make a connection to the port and IP address
that is specified.  Such an address can be included in the "RCPT TO" or
"MAIL FROM" / Errors-To SMTP header fields.  By designing requests that
create bounces, an adversary can abuse this issue to proxy scans to
networks that the adversary would not normally have direct access to. 

It has been reported that this vulnerability can be exploited to use the
server as a distributed denial of service tool.  This is reportedly
possible through forcing the server to connect repeatedly to an arbitrary
port on an arbitrary host.

This issue was described in BID 8333 and is now being assigned an
individual BID.

Postfix SMTP Malformed E-mail Envelope Address Denial of Ser...
BugTraq ID: 8362
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8362
Summary:
Postfix is a free, open-source mailer that was designed to be an
alternative to Sendmail. It is written and maintained by Wietse Venema. 

Postfix is reported to be prone to a denial of service attack. It can be
triggered by a malformed envelope address and can cause the queue manager
to lock up until the message is removed manually from the queue. It is also
reportedly possible to lock the SMTP listener, also resulting in a denial
of service.  The vulnerability is present in the address parser code.

Evidence of exploitation of this vulnerability can be detected in the mail
server logs.  Deleting the malicious message in the queue that is
associated to the "resolve_clnt_query: null recipient" error message
contained in Postfix logs and restarting the service can restore normal
functionality.

This issue was described in BID 8333 and is now being assigned an
individual BID.
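An added example, not part of the newsletter or of Postfix, of the detection and cleanup step described above: it scans syslog-style Postfix lines for the "resolve_clnt_query: null recipient" message, attributes each hit to the last queue ID logged by the same process, and emits the postsuper/restart commands an operator would run. The log lines, hostnames, PIDs and queue IDs are constructed, and the severity prefix on the error line is an assumption.

```python
import re

# Constructed sample log modelled on Postfix syslog output (not from the
# advisory); the queue IDs and the "fatal:" prefix are made up.
SAMPLE_LOG = """\
Aug  4 10:01:12 mx1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
Aug  4 10:01:13 mx1 postfix/smtpd[2211]: 7F3A2B1C44: client=unknown[192.0.2.10]
Aug  4 10:01:13 mx1 postfix/cleanup[2214]: 7F3A2B1C44: message-id=<x@example.invalid>
Aug  4 10:01:14 mx1 postfix/qmgr[1090]: 7F3A2B1C44: from=<>, size=612, nrcpt=1 (queue active)
Aug  4 10:01:14 mx1 postfix/qmgr[1090]: fatal: resolve_clnt_query: null recipient
Aug  4 10:01:15 mx1 postfix/master[1001]: warning: process /usr/libexec/postfix/qmgr pid 1090 exit status 1
Aug  4 10:02:00 mx1 postfix/smtpd[2216]: 9A8B7C6D55: client=mail.example.net[198.51.100.7]
Aug  4 10:02:01 mx1 postfix/qmgr[1095]: 9A8B7C6D55: from=<a@example.net>, size=1400, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"postfix/(?P<proc>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
QUEUE_ID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}):")
MARKER = "resolve_clnt_query: null recipient"  # string named in the advisory


def find_stuck_messages(log_text: str):
    """Return [(queue_id, line_no)] for every occurrence of MARKER.

    The error line itself carries no queue ID, so each hit is attributed
    to the last queue ID logged by the same process (name + pid); None is
    recorded when that process logged no queue ID beforehand.
    """
    last_qid = {}
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["proc"], m["pid"])
        q = QUEUE_ID_RE.match(m["msg"])
        if q:
            last_qid[key] = q["qid"]
        elif MARKER in m["msg"]:
            hits.append((last_qid.get(key), line_no))
    return hits


def cleanup_commands(hits):
    """Operator actions matching the advisory: delete the offending queue
    file(s) with postsuper, then restart Postfix."""
    cmds = [f"postsuper -d {qid}" for qid, _ in hits if qid]
    if hits:
        cmds.append("postfix stop && postfix start")
    return cmds
```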
