[gull-annonces] Summary of SecurityFocus Newsletter #211

Marc SCHAEFER schaefer at alphanet.ch
Tue Aug 26 07:21:00 CEST 2003


Cisco 7900 Series VoIP Phone ARP Spoofing Denial Of Service ...
BugTraq ID: 8398
Remote: Yes
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8398
Summary:

The 7900 series VoIP Phones are a Voice-Over-IP solution distributed by
Cisco Systems.

The Cisco 7900 Series of Voice-Over-IP phones have been reported prone to
a vulnerability where a spoofed ARP message may crash the phone.

It has been reported that an attacker that is connected to the same
segment as the affected phones may send spoofed ARP messages to a phone,
causing the target phone to be disconnected from the switch.  This will
result in the phone becoming unstable and crashing. Power cycling the
phone to regain normal functionality is required.  It has also been
reported that such an attack performed on a switchboard phone may deny all
incoming calls.

Other attacks including man in the middle style attacks, for example
packet injection and data interception, have also been reported possible.

[ hardware ]

HostAdmin Path Disclosure Vulnerability
BugTraq ID: 8401
Remote: Yes
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8401
Summary:

HostAdmin is a web-based tool designed to automate web-hosting operations.

HostAdmin is prone to a path disclosure vulnerability. Passing invalid
data to the HostAdmin site will cause an error message to be displayed,
which contains installation path information.

Exploitation may be dependent on web server and PHP configuration.

This type of information may aid an attacker in mapping out the file
system for further attacks against the host.

[ licence + language unclear ]

DistCC Insecure Temporary File Vulnerability
BugTraq ID: 8402
Remote: No
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8402
Summary:

distcc is a distributed compiler application for Linux/Unix variants.
distcc acts as a compiler front-end that can distribute software builds
across multiple hosts.

distcc is reported to handle temporary files insecurely.  This could
permit attacks which cause sensitive files to be corrupted.  A local user
may be able to exploit this issue by creating malicious symbolic links.

Exploitation could result in destruction of critical files, causing a
denial of service.  Though unconfirmed, if a local attacker can corrupt
files with custom data, they may be able to gain elevated privileges.

SurgeLDAP Path Disclosure Vulnerability
BugTraq ID: 8406
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8406
Summary:

SurgeLDAP is an LDAP server implementation.  It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.

SurgeLDAP is prone to a path disclosure vulnerability.  It is possible to
gain access to sensitive path information by issuing an HTTP GET request
for an invalid resource.  This could help a remote attacker enumerate the
layout of the file system of the host running the vulnerable software,
which may be useful in further attacks against the host.

This issue exists in the web server component of SurgeLDAP.

[ licence ? ]

SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 8407
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8407
Summary:

SurgeLDAP is an LDAP server implementation.  It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.

SurgeLDAP is prone to cross-site scripting attacks.  The issue exists in
the user.cgi script and is due to insufficient sanitization of data
supplied via URI parameters, which will be echoed back to users.  Remote
attackers may exploit this issue by enticing a user to visit a malicious
link that specifies hostile HTML and script code as a value for the 'cmd'
parameter of the vulnerable script.  This code may be rendered in the
user's browser when the link is visited.  This would occur in the context
of the server.

Successful exploitation may allow theft of cookie-based authentication
credentials or other attacks.

This issue exists in the web server component of SurgeLDAP.

[ licence ? ]

ECartis LIScript Arbitrary Variable Viewing Vulnerability
BugTraq ID: 8420
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8420
Summary:

ECartis is a freely available, open source mailing list manager.  It is
available for the Unix and Linux platforms.

A problem in the handling of user-supplied input has been reported in
ECartis.  Because of this, an attacker may be able to gain access to
unauthorized and potentially sensitive information.

The problem is in the handling of requests sent via e-mail for specific
functions and variables.  By supplying specially malformed requests, it is
possible to make ECartis disclose data or perform actions that may be
restricted and sensitive in nature.  Multiple instances of this type of
issue were reported to exist in the software.

Ecartis Multiple Buffer Overrun Vulnerabilities
BugTraq ID: 8421
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8421
Summary:

ECartis is a freely available, open source mailing list manager.  It is
available for the Unix and Linux platforms.

Multiple buffer overrun vulnerabilities have been reported for Ecartis
1.0. The problems occur due to a variety of problems within the code, and
each appears to be a result of insufficient bounds checking when copying
the contents of e-mail into internal memory buffers.

One such problem occurs within the smtp_body_822bis() function, located in
the stmp.c source file, which is designed to copy data from a src buffer
into a destination buffer. However, the function does not include a size
parameter, which may allow for the destination to be overrun. As a result
of this issue, any later implementation of this function may result in a,
potentially exploitable, buffer overrun.

Other issues have been reported within the unhtml.c and unmime.c source
files. All issues located in these files appear to occur due to insufficient
bounds checking before transferring data between pointers.

Successful exploitation of these vulnerabilities may result in a remote
denial of service. Also, although it has not yet been confirmed, due to
the nature of these vulnerabilities, it is theoretically possible that an
attacker may be capable of exploiting the overruns to execute arbitrary
instructions. It should be noted that due to the nature of e-mail
protocols, successfully exploiting this issue may be difficult due to a
restricted character set.

Skunkweb Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 8422
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8422
Summary:

Skunkweb is a web application server written in Python.

Skunkweb has been reported to be prone to a cross-site scripting
vulnerability.  The problem exists in the Handler module of the software.
This module handles error output for the server.  HTML and script code is
not filtered before being displayed to the user in 404 error pages.
Therefore an attacker may create a malicious link containing HTML and
script code, which could be rendered in a legitimate user's browser when
the link is visited.  This would occur in the context of the vulnerable
server and could permit the attacker-supplied code to access properties of
pages hosted by the server.

This issue exposes users to attacks such as cookie-based credential theft.
Other attacks may be possible as well.
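Both the SurgeLDAP user.cgi issue and the Skunkweb 404 handler share one root cause: request data is echoed into an HTML response without being escaped. The following C example is added here and is not code from SecurityFocus, SurgeLDAP or Skunkweb; the page layout and the request path it uses are constructed for illustration. It shows a raw-echo error page beside a hardened one that escapes the five HTML-significant characters before the path reaches text context.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escapes the characters that let request data break out of HTML text or
 * attribute context. Writes at most outsz-1 bytes plus a NUL into out (out
 * may be NULL when outsz is 0). Returns the length the fully escaped string
 * needs, excluding the NUL, so a return value >= outsz signals truncation. */
size_t html_escape(const char *in, char *out, size_t outsz) {
    size_t need = 0, pos = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        need += rl;
        if (outsz != 0 && pos + rl < outsz) {
            memcpy(out + pos, rep, rl);
            pos += rl;
        }
    }
    if (outsz != 0) out[pos] = '\0';
    return need;
}

/* The shape of the vulnerable handlers (hypothetical reconstruction): the
 * requested resource is echoed into the error page as-is, so markup in the
 * URI is rendered by the visitor's browser in the server's origin. Kept only
 * for contrast with render_not_found() below. */
const char *render_not_found_raw(const char *request_path) {
    static char body[1024];
    snprintf(body, sizeof body,
             "<html><body><h1>404 Not Found</h1>"
             "<p>No such resource: %s</p></body></html>", request_path);
    return body;
}

/* Hardened handler: same page, but the path is escaped before it is placed
 * in text context. Returns a pointer to a static buffer. */
const char *render_not_found(const char *request_path) {
    static char body[1024];
    char esc[512];
    html_escape(request_path, esc, sizeof esc);
    snprintf(body, sizeof body,
             "<html><body><h1>404 Not Found</h1>"
             "<p>No such resource: %s</p></body></html>", esc);
    return body;
}
```

The escape must be applied at the point of output, once per context: data that later goes into a JavaScript block or a URL attribute needs a different encoder, and escaping on input instead of output is what leads to double-encoding bugs.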

Skunkweb Cache Module File Disclosure Vulnerability
BugTraq ID: 8424
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8424
Summary:

Skunkweb is a web application server written in Python.

Skunkweb has been reported by the vendor to be prone to a vulnerability
that may allow remote users to access restricted data from the server.
The problem exists in the Cache module of the server that is responsible
for caching spread mailboxes.  The vulnerability allows clients to
traverse outside of the document root for the web server using various
character sequences.

This may allow the attacker to access system resources on the server.
Through successful exploitation of this issue sensitive information could
be disclosed to an attacker leading to further attacks.

Unix/Linux Keystroke Information Disclosure Weakness
BugTraq ID: 8425
Remote: Yes
Date Published: Aug 15 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8425
Summary:

Various Unix-derived operating systems implement the /dev/random device
which acts as a source of entropy when generating pseudo-random numbers.
This device contains an entropy pool, containing pseudo-random data from a
variety of sources. One such source is keyscan codes, triggered by a user
using the keyboard.

A weakness has been discovered in the /dev/random mechanism that could
theoretically allow an attacker to deduce keystrokes made by a user who is
physically at the system's console keyboard.

The problem appears to lie in the differing intervals between entropy pool
seeding events. Specifically, when a typical keystroke is made, a keypress-in
and a keypress-out scancode are generated. These events typically have
different timing delays, due to the way a keyboard is used. For instance, as
Michal Zalewski described, a keypress scancode in will generate 1-2 byte(s)
of data with a 50-150 millisecond delay, whereas a key release scancode in,
which also generates 1-2 byte(s), will have a 50 millisecond or more delay.
Other forms of seeding the entropy pool have other patterns, making them
easy to distinguish from keystrokes.

As a result of these timing differences, it may be possible for an
attacker to reliably time keystrokes made at the system's physical console.
This timing data may then be compared to statistics regarding keypress
times versus words typed, potentially allowing the attacker to deduce a
user's keystrokes.

A conclusive list of affected systems is not available at this time.  It
is also not known at this point if any specific implementation is not
affected.  This BID will be updated and the affected systems modified as
more information becomes available.

Autorespond Buffer Overrun Vulnerability
BugTraq ID: 8436
Remote: Yes
Date Published: Aug 16 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8436
Summary:

autorespond is a program that is used with qmail to generate automated
responses to e-mail.  It is available for Unix and Linux variants.

autorespond is prone to a buffer overrun.  This issue may potentially be
exploited by remote attackers to execute arbitrary code in the context of
the software. Debian has reported that this issue may not be exploitable
due to "incidental" limits on the length of user-supplied input that could
potentially trigger this issue.  Exploitation should not be ruled out
though, since it is possible that there may be situations where these
limits do not apply.

If this issue were successfully exploited, it would be possible to execute
malicious instructions in the context of the user who has configured qmail
to forward messages to autorespond.

Dropbear SSH Server Username Format String Vulnerability
BugTraq ID: 8439
Remote: Yes
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8439
Summary:

Dropbear SSH Server is a secure shell server designed to be usable with
low-end systems. Dropbear implements the use of various SSH 2 protocol
features as well as X and authentication-agent forwarding, and is
available for the Linux, Tru64, Solaris, and FreeBSD operating systems.

A remotely exploitable format string vulnerability has been discovered in
Dropbear SSH Server. The problem occurs due to an incorrectly formatted
call to the syslog() system call, occurring within the 'util.c' source
file. This syslog() call can be triggered by invoking the dropbear_log()
function, which amongst other locations is called during the
authentication stage.

The specific code which makes this vulnerability remotely exploitable
occurs within the 'auth.c' source file, and is invoked after the server
places the user-supplied 'username' variable within an internal memory
buffer. This buffer is then passed to the syslog() system call as a format
string, called via the dropbear_log() function, and is subsequently
interpreted as such.

As a result of this format string, an attacker may be capable of
influencing the flow of program execution by placing specially calculated
format specifiers within the 'username'. When this data is logged, it may
be possible for the attacker to execute arbitrary code with the privileges
of Dropbear, typically root.

This vulnerability affects Dropbear SSH Server v0.34 and earlier.

eMule Client OP_SERVERIDENT Heap Overflow Vulnerability
BugTraq ID: 8440
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8440
Summary:

eMule is a freely available open source peer-to-peer file sharing
application. eMule uses the eDonkey file sharing protocol. EMule+, xMule
and lmule are similar peer-to-peer file sharing applications that are
derived from the eMule code base and so are affected by this
vulnerability.

eMule client has been reported prone to a heap overflow vulnerability. The
issue presents itself when the client parses OP_SERVERIDENT data received
from a server. An attacker may exploit this issue by transmitting
malicious data to an affected client using a malicious server. Excessive
data greater than the size of an allocated buffer in heap memory, will
corrupt data adjacent to that buffer. In this case corrupting heap memory
management structures. Ultimately an attacker may exploit this condition
to execute arbitrary supplied instructions in the context of the
vulnerable eMule application. Failed exploitation attempts will result in
a denial of service of the affected client.

It should be noted that this vulnerability has been reported to affect
eMule <= 0.29a, lmule <= 1.3.1, xMule <= 1.4.3, <= 1.5.4 and EMule+ 1.0.
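The Ecartis overruns (a copy routine with no destination size parameter) and the eMule OP_SERVERIDENT heap overflow (a peer-supplied length trusted before a copy into a fixed heap buffer) are the same defect seen from two sides. The C example below is added here and is not code from SecurityFocus, Ecartis or eMule; the wire layout it parses (`OP_IDENT_DEMO`, a 16-bit length, then the name) is a hypothetical stand-in and not the real eDonkey encoding. It shows a bounded copy that takes the destination capacity as an argument, and a parser that checks every length against both the bytes actually received and the protocol maximum before allocating or copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unbounded copy in the shape the Ecartis advisory describes, as a comment:
 *     void body_copy(char *dst, const char *src) {   // no dst size!
 *         while (*src) *dst++ = *src++;
 *         *dst = '\0';
 *     }
 * The callee cannot know where dst ends, so an over-long e-mail line
 * overruns it. */

/* Bounded replacement: the destination capacity is a parameter, the result
 * is always NUL-terminated when dstsz > 0, and the caller learns whether
 * the source was cut. Returns the bytes stored, excluding the NUL. */
size_t body_copy_bounded(char *dst, size_t dstsz, const char *src, int *truncated) {
    if (dstsz == 0) { if (truncated) *truncated = 1; return 0; }
    size_t n = strlen(src);
    size_t keep = n < dstsz ? n : dstsz - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    if (truncated) *truncated = (keep < n);
    return keep;
}

/* Hypothetical record used to illustrate the eMule-style heap issue (NOT the
 * real eDonkey OP_SERVERIDENT layout): one opcode byte, a 16-bit
 * little-endian name length, then that many bytes of name. */
#define OP_IDENT_DEMO  0x41
#define IDENT_NAME_MAX 64

typedef struct { char *name; size_t name_len; } ident_t;

/* Unsafe shape, as a comment:
 *     char *name = malloc(IDENT_NAME_MAX);
 *     memcpy(name, pkt + 3, declared_len);   // trusts the peer's length
 */

/* Safe parser: a length read from the wire is checked against the protocol
 * maximum AND the bytes actually received before any allocation or copy.
 * Returns 0 on success (caller frees out->name) or -1 on malformed input. */
int parse_ident(const uint8_t *pkt, size_t len, ident_t *out) {
    if (pkt == NULL || out == NULL || len < 3) return -1;
    if (pkt[0] != OP_IDENT_DEMO) return -1;
    size_t declared = (size_t)pkt[1] | ((size_t)pkt[2] << 8);
    if (declared > IDENT_NAME_MAX) return -1;   /* beyond protocol limit */
    if (declared > len - 3) return -1;          /* claims more than received */
    char *name = malloc(declared + 1);
    if (name == NULL) return -1;
    memcpy(name, pkt + 3, declared);
    name[declared] = '\0';
    out->name = name;
    out->name_len = declared;
    return 0;
}

/* Constructed inputs for a self-check. Returns 1 when the parser accepts the
 * well-formed record and rejects both malformed ones. */
int demo_parse_ident(void) {
    uint8_t good[] = { OP_IDENT_DEMO, 5, 0, 'h', 'e', 'l', 'l', 'o' };
    uint8_t over[] = { OP_IDENT_DEMO, 0xFF, 0xFF, 'x' };   /* claims 65535, has 1 */
    uint8_t toobig[IDENT_NAME_MAX + 3 + 1];                  /* 65 name bytes present */
    ident_t id;
    memset(toobig, 'A', sizeof toobig);
    toobig[0] = OP_IDENT_DEMO; toobig[1] = IDENT_NAME_MAX + 1; toobig[2] = 0;

    if (parse_ident(good, sizeof good, &id) != 0) return 0;
    int ok = (id.name_len == 5 && strcmp(id.name, "hello") == 0);
    free(id.name);
    if (!ok) return 0;
    if (parse_ident(over, sizeof over, &id) != -1) return 0;
    if (parse_ident(toobig, sizeof toobig, &id) != -1) return 0;
    return 1;
}

/* Self-check for the bounded copy: 63 'A's into 16 bytes is cut to 15 and
 * flagged; a short line fits unflagged. Returns 1 on expected behaviour. */
int demo_body_copy(void) {
    char dst[16], src[64];
    int trunc = -1;
    memset(src, 'A', sizeof src - 1); src[sizeof src - 1] = '\0';
    if (body_copy_bounded(dst, sizeof dst, src, &trunc) != 15 || trunc != 1) return 0;
    if (strlen(dst) != 15) return 0;
    if (body_copy_bounded(dst, sizeof dst, "Subject: hi", &trunc) != 11 || trunc != 0) return 0;
    return strcmp(dst, "Subject: hi") == 0;
}
```

The two length checks in `parse_ident` are deliberately separate: the protocol limit bounds the allocation, and the received-length check stops the copy from reading past the packet even when the declared size is within the limit. Silent truncation in `body_copy_bounded` is acceptable for display text but not for headers whose meaning changes when cut, which is why the caller gets the `truncated` flag.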

ManDB Utility Hard Link Buffer Overrun Vulnerability
BugTraq ID: 8442
Remote: No
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8442
Summary:

mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

Debian released updates for previous mandb vulnerabilities (described in
BID 8303) that introduced a buffer overrun.  This vulnerability exists in
a routine that is responsible for resolving hard links.  The issue could
potentially be triggered by a malformed filename for a hard linked man
page.  This could permit local attackers to execute arbitrary code in the
context of the mandb utility, which is typically user 'man'.  Debian
addressed this by releasing revised updates that also fix this issue.

It is not known if the utility is prone to this issue on other
distributions.

eMule Client OP_SERVERMESSAGE Format String Vulnerability
BugTraq ID: 8443
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8443
Summary:

eMule is a freely available, open source peer-to-peer file sharing
application. eMule uses the eDonkey file sharing protocol. EMule+, xMule
and lmule are similar peer-to-peer file sharing applications that are
derived from the eMule code base and so are affected by this
vulnerability.

eMule client has been reported prone to a format string vulnerability. The
issue presents itself when the client processes OP_SERVERMESSAGE data
received from a server. An attacker may exploit this issue by transmitting
malicious data, containing embedded format string specifiers to an
affected client using a malicious server. The format specifiers will be
interpreted literally and may result in attacker controlled arbitrary
memory being corrupted. Ultimately a remote attacker may exploit this
condition to execute supplied instructions in the context of the
vulnerable eMule application. Failed exploitation attempts will result in
a denial of service of the affected client.

It should be noted that this vulnerability has been reported to affect
eMule 0.29a and earlier, lmule 1.3.1 and earlier, xMule 1.4.3 and earlier
as well as 1.5.4 and earlier, and EMule+ 1.0.

eMule AttachToAlreadyKnown Double Free Vulnerability
BugTraq ID: 8444
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8444
Summary:

eMule is a freely available open source peer-to-peer file sharing
application. eMule uses the eDonkey file sharing protocol. xMule and lmule
are similar peer-to-peer file sharing applications that are derived from
the eMule code base and so are affected by this vulnerability.

eMule client has been reported prone to a double free vulnerability. It
has been reported that when the eMule client receives a specific sequence
of packets from a malicious server, the AttachToAlreadyKnown client object
that is currently used is freed from reserved memory. The program may fail
to sufficiently format the pointer to the object after it has been freed.
As a result an attacker may be capable of freeing the object a second
time, potentially resulting in attacker-controlled data being referenced.
Ultimately an attacker may exploit this condition to execute arbitrary
supplied instructions in the context of the vulnerable eMule application.
Failed exploitation attempts will result in a denial of service of the
affected client.

It has been reported that this issue may be exploited with packets that
conform to the eDonkey protocol. This may make exploitation attempts
difficult to detect.

It should be noted that this vulnerability has been reported to affect
eMule <= 0.29c, lmule <= 1.3.1 and xMule <= 1.4.2, <= 1.5.6a.
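The AttachToAlreadyKnown issue is the classic double free: an object is released but the pointer that owned it is left dangling, so a later packet can release it again. The C example below is added here and is not code from SecurityFocus or eMule; `client_t` and the detach routine are hypothetical stand-ins for the client object. It shows the one-line discipline that prevents the second free, freeing through the owning slot and clearing it, with an instrumented free counter to prove only one release happens.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical client record standing in for eMule's client object. */
typedef struct {
    char id[16];
    int  attached;
} client_t;

/* Instrumentation for the demo: counts how many times free() ran. */
static int frees_seen = 0;

static void client_destroy(client_t *c) {
    frees_seen++;
    free(c);
}

/* The fragile shape the advisory describes, as a comment only:
 *     free(known->client);         // owning pointer left dangling
 *     ...later, on another packet...
 *     free(known->client);         // same block released twice
 */

/* Hardened detach: takes the ADDRESS of the owning slot, frees through it,
 * and clears the slot so a second call on the same slot is a no-op.
 * Returns 1 if something was freed, 0 if the slot was already empty. */
int client_detach(client_t **slot) {
    if (slot == NULL || *slot == NULL) return 0;
    client_destroy(*slot);
    *slot = NULL;           /* the only reference to the block is now gone */
    return 1;
}

/* Simulates the "specific sequence of packets": two detach requests arrive
 * for the same known-client slot. Returns the number of free() calls
 * observed, or -1 if the detach logic misbehaved. */
int demo_two_detaches_one_free(void) {
    frees_seen = 0;
    client_t *known = calloc(1, sizeof *known);
    if (known == NULL) return -1;
    strcpy(known->id, "peer-0001");   /* constructed identifier */
    known->attached = 1;
    int first  = client_detach(&known);   /* frees, slot becomes NULL */
    int second = client_detach(&known);   /* no-op on the cleared slot */
    if (first != 1 || second != 0 || known != NULL) return -1;
    return frees_seen;
}
```

Clearing the slot only works when that slot is the sole owner; if the same object is also referenced from a list or a pending-request table, those references need to be removed in the same step, or the object needs a reference count so that the last holder frees it.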

eMule Client Servername Format String Vulnerability
BugTraq ID: 8445
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8445
Summary:

eMule is a freely available, open source peer-to-peer file sharing
application. eMule uses the eDonkey file sharing protocol. EMule+, xMule
and lmule are similar peer-to-peer file sharing applications that are
derived from the eMule code base and so are affected by this
vulnerability.

eMule client has been reported prone to a format string vulnerability. The
issue presents itself when the client processes a malicious server name.

An attacker may exploit this issue by passing a server name containing
embedded format string specifiers to an affected client in a sufficient
manner. The format specifiers will be interpreted literally and may result
in attacker controlled arbitrary memory being corrupted or revealed.
Ultimately, a remote attacker may exploit this condition to trigger a
denial of service condition in the affected client. Although unconfirmed
it has been conjectured that this issue may also be exploited to reveal
contents in arbitrary locations of memory. Remote code execution is not
believed to be possible.

It should be noted that this vulnerability has been reported to affect
eMule 0.29c and earlier, lmule 1.3.1 and earlier, xMule 1.4.2 and earlier
as well as 1.5.5 and earlier and EMule+ 1.0.
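Three entries in this digest are format string bugs of the same shape: Dropbear passes a buffer holding the username to syslog() as the format, and eMule does the equivalent with OP_SERVERMESSAGE data and with the server name. The C example below is added here and is not code from SecurityFocus, Dropbear or eMule; `log_msg` and `format_auth_line` are hypothetical stand-ins for a dropbear_log()-style helper. It shows the vulnerable call shape as a comment (so the file compiles cleanly under -Wformat-security), a logging wrapper whose format is always a literal and is type-checked by the compiler, and a small heuristic a defender can run over incoming usernames.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * The pattern the advisories describe, reproduced only as a comment:
 *
 *     char buf[256];
 *     snprintf(buf, sizeof buf, "login attempt for user %s", username);
 *     syslog(LOG_INFO, buf);          // buf is now the FORMAT STRING
 *
 * Every '%' in username reaches the formatter as a directive. gcc and clang
 * report this line under -Wformat-security as "format not a string literal
 * and no format arguments".
 */

/* Hardened logging helper in the style of a dropbear_log() wrapper. The
 * format attribute makes the compiler check each caller's format string
 * against its arguments, so user data cannot silently take the format's
 * place. The data is handed to syslog() behind a constant "%s". */
__attribute__((format(printf, 2, 0)))
static void vlog_msg(int priority, const char *fmt, va_list ap) {
    char line[512];
    vsnprintf(line, sizeof line, fmt, ap);
    syslog(priority, "%s", line);
}

__attribute__((format(printf, 2, 3)))
void log_msg(int priority, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vlog_msg(priority, fmt, ap);
    va_end(ap);
}

/* Pure helper for the self-check: formats the auth line with the username as
 * a %s ARGUMENT, so "%n%n" in the name is copied as literal characters.
 * Returns a pointer to a static buffer. */
const char *format_auth_line(const char *username) {
    static char line[512];
    snprintf(line, sizeof line, "auth attempt for user '%s'", username);
    return line;
}

/* What the authentication path should call. */
void log_auth_attempt(const char *username) {
    log_msg(LOG_AUTH | LOG_INFO, "auth attempt for user '%s'", username);
}

/* Detection heuristic for the defender's side: a username carrying '%' is
 * not a normal login name and is worth an alert in the auth log pipeline.
 * Returns 1 if suspicious, 0 otherwise. This is monitoring, not the fix;
 * the fix is the constant format above. */
int username_is_suspicious(const char *username) {
    return strchr(username, '%') != NULL;
}
```

Compile with `-Wformat -Wformat-security` (or `-Werror=format-security` in a build that can afford it) and the commented-out shape becomes a build-time finding rather than a field report; the `format(printf, ...)` attribute extends that check to every project-local wrapper, which is where such calls usually hide.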

OpenSLP Initialization Script Insecure Temporary File Vulner...
BugTraq ID: 8446
Remote: No
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8446
Summary:

OpenSLP is a freely available, open source implementation of the Service
Location Protocol.  It is available for the Unix and Linux platforms.

A problem exists in the creation of temporary files by OpenSLP.  Because
of this, an attacker may be able to destroy data, resulting in a denial of
service.

The problem is in the initialization script used by OpenSLP.  The default
script, slpd.all_init, does not properly check for the existence of the
/tmp/route.check file prior to attempting to create it.  Because of this,
a symbolic link to a file can result in the destruction of the file at the
end of the symbolic link, depending upon the privileges of the user
executing the initialization script.

It should be noted that the initialization script is typically executed by
a privileged user.
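The distcc and OpenSLP entries are both the predictable-temporary-file problem: a fixed name such as /tmp/route.check is created without checking whether something (a symbolic link planted by a local user) is already there, so the privileged writer follows the link and truncates its target. The C example below is added here and is not code from SecurityFocus, distcc or OpenSLP; the scratch directory, the "victim" file and the link name are constructed for the demonstration, which runs entirely inside a private mkdtemp() directory. It places the weak open() beside the hardened one (O_EXCL plus O_NOFOLLOW) and the preferred mkstemp() route, and checks which of them leaves the linked-to file intact.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creator in the shape the advisories describe: a predictable name opened
 * with O_CREAT|O_TRUNC and nothing else. A symlink already at that name is
 * followed and its target truncated. Kept only for contrast. */
int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened creator: O_EXCL makes open() fail if anything already exists at
 * the path (a symlink included, wherever it points), and O_NOFOLLOW refuses
 * to traverse a symlink at the final component. Returns -1 on refusal. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred when the name need not be fixed: mkstemp() chooses an
 * unpredictable name and opens it with O_EXCL. template must end in XXXXXX
 * and is rewritten in place with the chosen name. */
int safe_create_unpredictable(char *template) {
    return mkstemp(template);
}

/* Harness: in a private mkdtemp() directory, write a "victim" file, point a
 * symlink named route.check at it, run the creator on the symlink path, and
 * report whether the victim's contents survived. Returns 1 if intact, 0 if
 * the victim was truncated through the link, -1 on setup failure. */
int victim_survives(int (*creator)(const char *)) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[256], link[256];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(link, sizeof link, "%s/route.check", dir);

    const char payload[] = "keep me\n";   /* constructed contents */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) {
        close(fd); unlink(victim); rmdir(dir); return -1;
    }
    close(fd);
    if (symlink(victim, link) != 0) { unlink(victim); rmdir(dir); return -1; }

    fd = creator(link);                   /* the step the init script performs */
    if (fd >= 0) close(fd);

    struct stat st;
    int rc = (stat(victim, &st) == 0 && st.st_size == (off_t)(sizeof payload - 1)) ? 1 : 0;

    unlink(link); unlink(victim); rmdir(dir);
    return rc;
}

/* Self-check for the mkstemp() route. Returns 1 if a fresh file was created
 * and removed again, 0 otherwise. */
int mkstemp_works(void) {
    char tmpl[] = "/tmp/tmpfile-demo-XXXXXX";
    int fd = safe_create_unpredictable(tmpl);
    if (fd < 0) return 0;
    close(fd);
    unlink(tmpl);
    return 1;
}
```

Shell init scripts such as slpd.all_init cannot pass open() flags directly, so the same discipline there is `mktemp` for the file name (never a fixed path in /tmp) and, where a fixed name is unavoidable, a private directory owned by the service rather than a world-writable one.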


