[gull-annonces] Summary of SecurityFocus Newsletter #210

Marc SCHAEFER schaefer at alphanet.ch
Wed Aug 20 22:11:01 CEST 2003


Multiple Vendor OSF Distributed Computing Environment Denial...
BugTraq ID: 8371
Remote: Yes
Date Published: Aug 08 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8371
Summary:
The DCE (Distributed Computing Environment) is a set of distributed
computing standards maintained by the Open Software Foundation.  Numerous
vendors provide DCE client and server implementations.

A vulnerability has been announced that may be exploited to cause a denial
of service in multiple vendor implementations based on the OSF DCE
standards.  A remote attacker may cause a server implementation to hang or
crash, denying DCE services to legitimate clients.

Exact technical details are not known at this time, but the issue is
believed to be caused by a null pointer dereference, which would not be
exploitable to execute arbitrary code.  This BID will be updated
appropriately if further details become available.

This issue can be exposed via RPC services with some implementations.  

It should be noted that some vendors reported that exploitation attempts
for BID 8205 "Microsoft Windows DCOM RPC Interface Buffer Overrun
Vulnerability" may, as a side effect, trigger this issue in affected
implementations.  IBM reported that the issue lies in the RPC runtime of
its DCE implementation and can occur whenever a server receives an RPC
packet with an invalid presentation context ID.  Scanning utilities for
BID 8205 have also been reported to trigger this issue in some
implementations.  It is not known whether this issue can also be triggered
by attempts to exploit BID 8234 "Microsoft Windows 2000 RPC DCOM Interface
Denial of Service Vulnerability".

Red Hat Linux Up2Date GPG Signature Validation Vulnerability
BugTraq ID: 8372
Remote: No
Date Published: Aug 08 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8372
Summary:
up2date is the Red Hat Update Agent, which lets Red Hat Linux users connect
to the Red Hat Network and download official updates and fixes.  up2date is
intended to restrict package installation: it is designed to install only
packages signed with the Red Hat package signing key.

It has been reported that up2date does not sufficiently validate GPG
signatures on RPM packages downloaded from the Red Hat Network.  This may
allow the installation of a package that carries no GPG signature at all.

This vulnerability is not believed to be easily exploited, however.  An
attacker would first need the malicious package to be hosted on the Red Hat
Network, which would require compromising Red Hat Network servers.

Pam-PGSQL Username Logging Remote Format String Vulnerabilit...
BugTraq ID: 8379
Remote: Yes
Date Published: Aug 09 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8379
Summary:
Leon J Breedt's 'pam-pgsql' is a PAM module that authenticates users against
a PostgreSQL database.

pam-pgsql has been reported prone to a remote format string vulnerability.

A remote attacker may supply format string specifiers as the username to
any program that requests PAM authentication (HTTP, SSH, telnet, etc.).
The username is later processed by pam-pgsql's logging code.

When the malicious username is logged, the format specifiers embedded in it
are interpreted by the format function instead of being treated as literal
text.  An attacker may leverage this to corrupt arbitrary memory and
potentially execute arbitrary instructions in the context of the program
that requested PAM authentication.
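The pattern described above, as an added illustration (this is not
pam-pgsql's code): a syslog-style logging helper whose shape is assumed, a
caller that passes a string containing the username as the format, and the
one-line fix.  The username is constructed; "%%" is used because it is the
one specifier whose effect can be shown without undefined behaviour:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the log sink (syslog, file, ...): the last formatted line. */
static char logline[256];

/* A syslog()-style logging helper, as many PAM modules have (assumed shape).
 * Declaring it __attribute__((format(printf, 1, 2))) would let gcc flag the
 * vulnerable call below under -Wformat-security. */
static void log_msg(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(logline, sizeof logline, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the username ends up *inside the format string*.
 * Any %-specifier the client sent is interpreted by vsnprintf(): %x reads
 * stack words, %n writes memory, which is what makes the bug exploitable. */
const char *log_login_vulnerable(const char *user)
{
    char msg[256];

    snprintf(msg, sizeof msg, "authentication failed for user %s", user);
    log_msg(msg);                      /* BUG: user-controlled format */
    return logline;
}

/* Fixed pattern: a constant format; the username is only ever an argument. */
const char *log_login_fixed(const char *user)
{
    log_msg("authentication failed for user %s", user);
    return logline;
}

int main(void)
{
    /* Constructed username.  The vulnerable path collapses "%%" to "%",
     * the fixed path logs it verbatim. */
    const char *user = "mallory%%";

    printf("vulnerable: %s\n", log_login_vulnerable(user));
    printf("fixed:      %s\n", log_login_fixed(user));
    return 0;
}
```

Compile with cc -Wall.  Adding the format attribute to log_msg() makes gcc
report the vulnerable call under -Wformat-security, which is the cheapest
way to audit a code base for this bug class.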

FreeBSD Ptrace/SPIgot Insufficient Signal Verification Denia...
BugTraq ID: 8387
Remote: No
Date Published: Aug 11 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8387
Summary:
The ptrace() system call is a debugging facility that allows a tracing
process (typically the parent) to access the memory image and registers of
a traced child process.  It is used for debugging a process and tracing its
execution.

The spigot device driver is a video capture driver developed for the
FreeBSD operating system.  It is designed to support the Creative Labs
Video Spigot capture card; spigot support is not enabled in the FreeBSD
kernel by default.

A vulnerability has been discovered in the FreeBSD implementation of the
ptrace() system call and in the spigot driver, which could result in a
local denial of service.  Both fail to sufficiently validate signal numbers,
so under some circumstances an out-of-range or negative signal number may be
passed on by one of the affected mechanisms.  This will typically result in
an assertion failure or system panic, crashing the system.

This issue could be exploited by an unprivileged attacker to crash a system
to which they have local access.

The described vulnerability affects all FreeBSD releases up to and including
4.8-RELEASE-p1 and 5.1-RELEASE.

It should be noted that FreeBSD 5.x kernels do not enable the 'INVARIANTS'
option by default; when enabled, it compiles assertion code into the
kernel.  Without it, as in the default FreeBSD 5.x kernels, the invalid
signal number is not caught by an assertion, and it may be possible for an
attacker to control kernel memory and influence execution such that
complete system compromise becomes possible.  This possibility is not
present in FreeBSD 4.x kernels.

Distributed Shell Local HOME Environment Variable Buffer Ove...
BugTraq ID: 8391
Remote: No
Date Published: Aug 11 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8391
Summary:
The Distributed Shell (dsh) is a shell designed to execute single commands
across multiple systems. It was developed for use on clustered systems and
is available for the Linux operating system.

A vulnerability has been discovered in dsh.  The problem is incorrect
buffer sizing within the program's own 'asprintf()' implementation.  The
function is called as follows:

asprintf (&buf, "%s/.dsh/dsh.conf", getenv("HOME"));

The buffer is then sized by the following code snippet:

ssize_t buflen = 50 * strlen(fmt);

At this point of execution the 'fmt' variable passed to 'asprintf()' still
contains "%s/.dsh/dsh.conf".  The sizing code appears to assume that the
'%s' format specifier has already been expanded, which is not the case.

As a result, 'buflen', later used as the size for dynamically allocating the
storage buffer, is only 50 times the length of "%s/.dsh/dsh.conf" (800
bytes), regardless of how long HOME is.  The advisory states that if a HOME
environment variable longer than that is present, the copy of the data into
the dynamically allocated buffer via vsnprintf() will overrun it, corrupting
heap-based memory management structures.

If the dsh utility were installed with the setuid bit enabled, it might be
possible for an attacker to exploit this issue to execute arbitrary
instructions with elevated privileges.

This vulnerability is reported to affect dsh 0.24.


*** New information has been posted to bugtraq which suggests that this
issue is in fact not a legitimate vulnerability. As such, this BID will
subsequently be retired.
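Since the BID above was retired, what is worth keeping from it is how not to
size a buffer.  Note also that a vsnprintf() given the allocated size
truncates rather than overruns.  The following added example (not dsh's
code) puts the advisory's sizing rule next to the standard
measure-then-allocate asprintf() pattern; safe_asprintf, naive_buflen and
demo_long_home are names chosen here, and the long HOME is constructed:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The sizing rule quoted in the advisory: the buffer grows with the length
 * of the *format*, which says nothing about the length of the arguments
 * that %s will expand to. */
size_t naive_buflen(const char *fmt)
{
    return 50 * strlen(fmt);
}

/* Would a HOME of `homelen` bytes need more room than naive_buflen() gives
 * for the dsh.conf path?  (%s is replaced by HOME; +1 for the NUL.) */
int naive_size_too_small(size_t homelen)
{
    const char *fmt = "%s/.dsh/dsh.conf";
    size_t needed = homelen + (strlen(fmt) - 2) + 1;

    return needed > naive_buflen(fmt);
}

/* A correct asprintf(): measure with a zero-length vsnprintf() (C99 returns
 * the full length), then allocate exactly that.  Returns the length or -1;
 * *strp is NULL on failure.  Named to avoid clashing with the libc version. */
int safe_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap, ap2;
    int needed;
    char *buf;

    *strp = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        va_end(ap2);
        return -1;
    }
    buf = malloc((size_t)needed + 1);
    if (buf == NULL) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(buf, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    *strp = buf;
    return needed;
}

/* Format the dsh.conf path for a constructed HOME of `homelen` 'A's and
 * return the resulting length; works for any length, including ones far
 * beyond the 800 bytes the naive rule would have allocated. */
int demo_long_home(size_t homelen)
{
    char *home = malloc(homelen + 1);
    char *path;
    int len;

    if (home == NULL)
        return -1;
    memset(home, 'A', homelen);
    home[homelen] = '\0';
    len = safe_asprintf(&path, "%s/.dsh/dsh.conf", home);
    free(home);
    free(path);
    return len;
}

int main(void)
{
    printf("naive buffer for the format: %zu bytes\n",
           naive_buflen("%s/.dsh/dsh.conf"));
    printf("HOME of 100 bytes too big for it?  %d\n", naive_size_too_small(100));
    printf("HOME of 2000 bytes too big for it? %d\n", naive_size_too_small(2000));
    printf("safe_asprintf with 2000-byte HOME: %d bytes\n", demo_long_home(2000));
    return 0;
}
```

The two-pass form is what glibc's and BSD's asprintf() do internally; the
only input that can make it fail is an allocation failure, which the caller
sees as -1 and a NULL pointer rather than as a corrupted heap.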

FreeBSD IBCS2 System Call Translator Kernel Memory Disclosur...
BugTraq ID: 8392
Remote: No
Date Published: Aug 11 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8392
Summary:
The Intel Binary Compatibility Specification 2 (iBCS2) support in FreeBSD is
a kernel-level compatibility layer that allows the execution of
iBCS2-compliant binaries.

A problem has been reported in the iBCS2 code distributed with FreeBSD that
may result in the disclosure of sensitive kernel memory, giving an attacker
access to sensitive information.

The problem is in the system call translator implemented in the iBCS2 code.
The translator's version of the statfs system call lets a user supply a
length value that is not checked.  By doing so, an attacker can read large
portions of kernel memory, which may contain sensitive information such as
user credentials.

It should be noted that iBCS2 code is not compiled into the kernel by default.
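An added illustration of the bug class described above, not FreeBSD's code:
a simulated statfs translator that copies a caller-supplied number of bytes
out of "kernel" memory, beside one that refuses anything larger than the
structure.  The structure layout is trimmed, copyout() is stood in for by
memcpy(), and the secret that happens to follow the structure in memory is
constructed:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Trimmed stand-in for the iBCS2 statfs structure (assumed layout; the real
 * one has more fields). */
struct ibcs2_statfs {
    long f_type;
    long f_bsize;
    long f_blocks;
    long f_bfree;
};

/* Simulated kernel memory: the statfs result followed by something that
 * must not leave the kernel (constructed; stands in for whatever happens to
 * sit after the structure on the kernel stack). */
static struct {
    struct ibcs2_statfs sb;
    char secret[48];
} kmem = { { 1, 4096, 1000, 500 }, "root:$1$constructed.hash.for.demo" };

/* Vulnerable translator: copy out as many bytes as the caller asked for. */
int statfs_vulnerable(void *ubuf, size_t len)
{
    memcpy(ubuf, &kmem, len);          /* len is whatever userland passed */
    return 0;
}

/* Fixed translator: never hand out more than the structure itself. */
int statfs_fixed(void *ubuf, size_t len)
{
    if (len > sizeof kmem.sb)
        return EINVAL;
    memcpy(ubuf, &kmem.sb, len);
    return 0;
}

/* Do the first `len` bytes of buf contain the marker string? */
static int contains(const unsigned char *buf, size_t len, const char *marker)
{
    size_t mlen = strlen(marker), i;

    for (i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, marker, mlen) == 0)
            return 1;
    return 0;
}

/* Run one translator as an unprivileged caller asking for `len` bytes.
 * Returns -errno if the call was refused, 1 if the secret leaked, else 0. */
int demo(int (*handler)(void *, size_t), size_t len)
{
    unsigned char ubuf[256];
    int rv;

    if (len > sizeof ubuf)
        return -ERANGE;
    memset(ubuf, 0, sizeof ubuf);
    rv = handler(ubuf, len);
    if (rv != 0)
        return -rv;
    return contains(ubuf, len, "root:");
}

int main(void)
{
    printf("vulnerable, len = whole region: leak=%d\n",
           demo(statfs_vulnerable, sizeof kmem));
    printf("fixed, len = whole region:      rv=%d (negative errno)\n",
           demo(statfs_fixed, sizeof kmem));
    printf("fixed, len = sizeof struct:     leak=%d\n",
           demo(statfs_fixed, sizeof(struct ibcs2_statfs)));
    return 0;
}
```

The general rule for any copyout() whose length comes from userland: clamp
or reject it against the size of the object actually being returned, and
zero-fill padding in that object, since struct padding is another way kernel
stack contents leak.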

Cisco 7900 Series VoIP Phone ARP Spoofing Denial Of Service ...
BugTraq ID: 8398
Remote: Yes
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8398
Summary:
The 7900 series VoIP Phones are a Voice-Over-IP solution distributed by
Cisco Systems.

The Cisco 7900 Series of Voice-Over-IP phones have been reported prone to a
vulnerability where a spoofed ARP message may crash the phone.

It has been reported that an attacker connected to the same network segment
as the affected phones may send spoofed ARP messages to a phone, causing
the target phone to lose its connection to the switch.  The phone then
becomes unstable and crashes, and must be power cycled to regain normal
functionality.  It has also been reported that such an attack against a
switchboard phone may deny all incoming calls.

Other attacks, including man-in-the-middle attacks such as packet injection
and data interception, have also been reported to be possible.
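As an added example (not Cisco's code, nor part of the advisory), the check
a monitor on the voice segment would apply to spot the attack above: record
the MAC each sender IP claims and flag any ARP packet in which an
already-known IP turns up with a different MAC, arpwatch-style.  The two ARP
replies are constructed, with made-up addresses:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_LEN      28     /* Ethernet/IPv4 ARP body (RFC 826) */
#define MAX_BINDINGS 64

/* Verdicts returned by arp_inspect() */
enum { ARP_MALFORMED = -1, ARP_CONSISTENT = 0, ARP_LEARNT = 1, ARP_CONFLICT = 2 };

struct binding {
    int     used;
    uint8_t ip[4];
    uint8_t mac[6];
};

static struct binding table[MAX_BINDINGS];

/* Forget all learnt bindings; returns 0. */
int table_reset(void)
{
    memset(table, 0, sizeof table);
    return 0;
}

/* Parse the fixed-size ARP body.  Returns 0 and points sha/spa into the
 * packet, or -1 if the packet is too short or not Ethernet/IPv4 ARP. */
int arp_parse(const uint8_t *p, size_t len, uint16_t *oper,
              const uint8_t **sha, const uint8_t **spa)
{
    if (len < ARP_LEN)
        return -1;
    if (p[0] != 0x00 || p[1] != 0x01 ||   /* htype: Ethernet */
        p[2] != 0x08 || p[3] != 0x00 ||   /* ptype: IPv4 */
        p[4] != 6 || p[5] != 4)           /* hlen, plen */
        return -1;
    *oper = (uint16_t)((p[6] << 8) | p[7]);
    if (*oper != 1 && *oper != 2)         /* request or reply only */
        return -1;
    *sha = p + 8;                         /* sender hardware address */
    *spa = p + 14;                        /* sender protocol address */
    return 0;
}

/* Remember which MAC each IP claims; flag a packet whose sender IP is
 * already bound to a different MAC. */
int arp_inspect(const uint8_t *pkt, size_t len)
{
    uint16_t oper;
    const uint8_t *sha, *spa;
    int i;

    if (arp_parse(pkt, len, &oper, &sha, &spa) != 0)
        return ARP_MALFORMED;
    for (i = 0; i < MAX_BINDINGS; i++) {
        if (!table[i].used || memcmp(table[i].ip, spa, 4) != 0)
            continue;
        return memcmp(table[i].mac, sha, 6) == 0 ? ARP_CONSISTENT : ARP_CONFLICT;
    }
    for (i = 0; i < MAX_BINDINGS; i++) {
        if (table[i].used)
            continue;
        table[i].used = 1;
        memcpy(table[i].ip, spa, 4);
        memcpy(table[i].mac, sha, 6);
        return ARP_LEARNT;
    }
    return ARP_MALFORMED;   /* table full: cannot verify, report as such */
}

/* Constructed packets (not captures); all addresses are made up. */
/* Gateway 10.0.0.1 replying from 00:50:56:44:55:66 to the phone 10.0.0.20 */
const uint8_t GATEWAY_REPLY[ARP_LEN] = {
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x00,0x50,0x56,0x44,0x55,0x66, 10,0,0,1,
    0x00,0x0b,0xbe,0x11,0x22,0x33, 10,0,0,20
};
/* Attacker claiming 10.0.0.1 from 00:de:ad:be:ef:01, aimed at the phone */
const uint8_t SPOOFED_REPLY[ARP_LEN] = {
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x00,0xde,0xad,0xbe,0xef,0x01, 10,0,0,1,
    0x00,0x0b,0xbe,0x11,0x22,0x33, 10,0,0,20
};

int main(void)
{
    table_reset();
    printf("gateway reply: %d (1 = learnt)\n", arp_inspect(GATEWAY_REPLY, ARP_LEN));
    printf("gateway again: %d (0 = consistent)\n", arp_inspect(GATEWAY_REPLY, ARP_LEN));
    printf("spoofed reply: %d (2 = conflict)\n", arp_inspect(SPOOFED_REPLY, ARP_LEN));
    return 0;
}
```

On live traffic, feed arp_inspect() the ARP payload of every frame seen on
the voice segment; an ARP_CONFLICT verdict on a phone's or gateway's address
is the signature of the spoofing described above.  Detection only tells you
it happened; the preventive control is to have the switch validate ARP
(Dynamic ARP Inspection backed by DHCP snooping, or static bindings) so that
spoofed replies never reach the phone.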

[ hardware ]

DistCC Insecure Temporary File Vulnerability
BugTraq ID: 8402
Remote: No
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8402
Summary:
distcc is a distributed compiler application for Linux/Unix variants. 
distcc acts as a compiler front-end that can distribute software builds
across multiple hosts.

distcc is reported to handle temporary files insecurely.  A local user may
be able to exploit this by creating malicious symbolic links, causing
sensitive files to be corrupted.

Exploitation could result in the destruction of critical files, causing a
denial of service.  Though unconfirmed, if a local attacker can corrupt
files with data of their choosing, they may be able to gain elevated
privileges.
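An added example of the bug class above, not distcc's code: it plays both
roles in a scratch directory, planting a symlink at a predictable temp-file
name and then opening that name first with the unsafe flags, which follow
the link and truncate the target, and then with O_EXCL, which refuses it.
The directory name, the temp-file name and the victim's contents are
constructed:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum { OUTCOME_ERROR = -1, OUTCOME_CLOBBERED = 1, OUTCOME_REFUSED = 2 };

/* Unsafe: predictable name, and O_CREAT without O_EXCL follows a symlink
 * that somebody else planted there first. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe: O_EXCL makes open() fail with EEXIST if anything (a symlink
 * included) already exists at that path, so the link is never followed. */
int open_temp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Attacker plants <dir>/build.tmp -> <dir>/victim; the program then opens
 * the predictable temp name with the given strategy.  Returns what
 * happened to the victim. */
int simulate(int (*opener)(const char *))
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char victim[128], tmpname[128];
    struct stat st;
    int fd, outcome = OUTCOME_ERROR;

    if (mkdtemp(dir) == NULL)
        return OUTCOME_ERROR;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/build.tmp", dir);

    /* The file the attacker wants destroyed (constructed content). */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, "important data\n", 15) != 15) {
        close(fd);
        goto out;
    }
    close(fd);

    /* Attacker's move: plant the link before the program runs. */
    if (symlink(victim, tmpname) != 0)
        goto out;

    /* Program's move. */
    fd = opener(tmpname);
    if (fd < 0) {
        outcome = (errno == EEXIST) ? OUTCOME_REFUSED : OUTCOME_ERROR;
    } else {
        close(fd);
        if (stat(victim, &st) == 0)
            outcome = (st.st_size == 0) ? OUTCOME_CLOBBERED : OUTCOME_ERROR;
    }
out:
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return outcome;
}

int main(void)
{
    printf("O_CREAT|O_TRUNC through planted link: %d (1 = victim truncated)\n",
           simulate(open_temp_unsafe));
    printf("O_CREAT|O_EXCL on planted link:       %d (2 = refused, EEXIST)\n",
           simulate(open_temp_safe));
    return 0;
}
```

In practice the complete fix is mkstemp(), which combines an unpredictable
name with O_EXCL; a predictable name with O_EXCL alone still lets an
attacker pre-create a regular file at that name and turn the open() into a
denial of service.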

ECartis LIScript Arbitrary Variable Viewing Vulnerability
BugTraq ID: 8420
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8420
Summary:
ECartis is a freely available, open source mailing list manager.  It is
available for the Unix and Linux platforms.

A problem in the handling of user-supplied input has been reported in
ECartis.  Because of this, an attacker may be able to gain access to
unauthorized and potentially sensitive information.

The problem is in the handling of requests sent via e-mail for specific
functions and variables.  By supplying specially crafted requests, it is
possible to make ECartis disclose data or perform actions that should be
restricted.  Multiple instances of this type of issue were reported to
exist in the software.

Ecartis Multiple Buffer Overrun Vulnerabilities
BugTraq ID: 8421
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8421
Summary:
ECartis is a freely available, open source mailing list manager.  It is
available for the Unix and Linux platforms.

Multiple buffer overrun vulnerabilities have been reported for Ecartis 1.0.
Each appears to be a result of insufficient bounds checking when copying
the contents of e-mail into internal memory buffers.

One such problem occurs within the smtp_body_822bis() function, located in
the smtp.c source file, which copies data from a source buffer into a
destination buffer.  The function takes no size parameter, so the
destination can be overrun; every use of this function is therefore a
potential, and possibly exploitable, buffer overrun.

Other issues have been reported within the unhtml.c and unmime.c source
files.  All issues located in these files appear to occur due to
insufficient bounds checking before transferring data between pointers.

Successful exploitation of these vulnerabilities may result in a remote
denial of service.  Although it has not yet been confirmed, due to the
nature of these vulnerabilities it is theoretically possible that an
attacker may be able to exploit the overruns to execute arbitrary
instructions.  It should be noted that, due to the nature of e-mail
protocols, successfully exploiting this issue may be difficult because of
the restricted character set available to the attacker.



