[gull-annonces] Summary of SecurityFocus Newsletter #227

Marc SCHAEFER schaefer at alphanet.ch
Tue Dec 16 14:11:01 CET 2003


PLD Software Ebola Buffer Overflow Vulnerability
BugTraq ID: 9156
Remote: Yes
Date Published: Dec 05 2003
Relevant URL: http://www.securityfocus.com/bid/9156
Summary:
Ebola is a utility for making virus-scanning on Unix-based systems more
efficient.

It has been reported that a buffer overflow condition is present in the
authentication mechanism implemented in Ebola.  The condition is due to
the use of the C library function "sprintf()" to construct an error string
insecurely when authentication is not successful.  The flaw exists in the
"handle_PASS()" procedure, implemented in source file "ebola.c":

char outstr[100];
...
if (passwd) {
    if (PASS_authenticate(username, passwd) == _PASS_OK) {
        sprintf(outstr,"PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",username,passwd);

If the procedure "PASS_authenticate" returns the value defined as
"_PASS_OK", presumably an error result due to an unacceptable password, an
error string is constructed from the user-supplied username and password
and stored in the buffer "outstr".  The "sprintf()" function does not
check whether the resulting string is larger than the space allocated to
store it (100 bytes in this case).

It is possible for an attacker to cause the string to exceed 100 bytes by
supplying a username, password, or both, of adequate length.  As the error
message states that the password was not accepted, it is assumed that
valid credentials are not required by attackers before this vulnerability
can be exploited.

According to the discoverer of this flaw, the vulnerability is remotely
exploitable.
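
Added here as an illustration, not code from Ebola or from the advisory: the same error string built with a bounded snprintf(), plus a helper showing how few input bytes the original sprintf() call needs before it exceeds outstr. OUTSTR_LEN, PASS_FMT and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Ebola's code: the error string handle_PASS() builds
 * with sprintf(), but bounded. needed_bytes() shows how little input the
 * original needs to overflow 100 bytes; safe_pass_rejected() is the
 * snprintf() replacement, which reports truncation instead of overflowing. */

#define OUTSTR_LEN 100      /* same size as outstr in ebola.c */
#define PASS_FMT "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n"

static char outstr[OUTSTR_LEN];

/* Bytes sprintf() would write, terminating NUL included. The format alone
 * contributes 40 of them, so a username plus password totalling 60 bytes
 * already overflows outstr; no valid credentials are involved at all. */
size_t needed_bytes(const char *username, const char *passwd)
{
    int n = snprintf(NULL, 0, PASS_FMT, username, passwd);
    return n < 0 ? 0 : (size_t)n + 1;
}

int would_overflow(const char *username, const char *passwd)
{
    return needed_bytes(username, passwd) > OUTSTR_LEN;
}

/* Bounded replacement: never writes more than OUTSTR_LEN bytes.
 * Returns 0 if the message fit, 1 if it was cut short, -1 on encoding error.
 * (The password is kept only to mirror ebola.c; an error string that ends
 * up in logs should not echo a rejected password at all.) */
int safe_pass_rejected(const char *username, const char *passwd)
{
    int n = snprintf(outstr, sizeof outstr, PASS_FMT, username, passwd);
    if (n < 0) { outstr[0] = '\0'; return -1; }
    return (size_t)n >= sizeof outstr;
}

const char *last_message(void) { return outstr; }

int main(void)
{
    const char *user = "alice", *pass = "secret";
    printf("needs %zu bytes, would overflow: %d\n",
           needed_bytes(user, pass), would_overflow(user, pass));
    safe_pass_rejected(user, pass);
    fputs(last_message(), stdout);
    return 0;
}
```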

NetScreen ScreenOS Session Timeout Unauthorized Access Vulne...
BugTraq ID: 9160
Remote: Yes
Date Published: Dec 05 2003
Relevant URL: http://www.securityfocus.com/bid/9160
Summary:
ScreenOS is the security appliance operating system used on NetScreen
devices.  It is distributed and maintained by NetScreen.

It has been reported that NetScreen ScreenOS does not properly handle
timed-out sessions.  Because of this, it may be possible for a user to
regain access to a previous session.

Reportedly, upon crossing the threshold of the idle timeout limit, the
NetScreen web management interface attempts to close the browser window
open to the interface.  However, if one chooses not to allow the interface
to close the window, and returns to the management interface login
address, the user regains access to the device management tools.  This
could potentially expose sessions, especially in situations where other
vulnerabilities facilitate session hijacking.

[ firmware ]

FVWM fvwm-menu-directory Command Execution Vulnerability
BugTraq ID: 9161
Remote: No
Date Published: Dec 05 2003
Relevant URL: http://www.securityfocus.com/bid/9161
Summary:
FVWM is a virtual desktop window manager for the X Window system.

A vulnerability has been reported to exist in the software that may allow
an attacker to execute malicious commands on a vulnerable system.  The
problem is reported to exist in the fvwm-menu-directory component of the
software, which allows users to browse directories from FVWM menus.  It has
been reported that fvwm-menu-directory does not properly sanitize user
input and allows a user with write permissions to a directory to execute
arbitrary commands.

A local attacker could potentially exploit this issue to execute malicious
commands with the privileges of the software.  A successful attack may
allow an attacker to modify FVWM configuration files that could lead to a
denial of service.  Root compromise is possible if the vulnerable
application is installed with setuid root.

FVWM versions 2.14.17 and 2.5.8 have been reported to be vulnerable to
this issue, however other versions may be affected as well.

Cdwrite Insecure Temporary File Vulnerability
BugTraq ID: 9165
Remote: No
Date Published: Dec 06 2003
Relevant URL: http://www.securityfocus.com/bid/9165
Summary:
Cdwrite is a CD writing application for Unix/Linux variants.

Cdwrite creates files in the temporary directory in an insecure manner.
As a result, a local attacker may launch symlink attacks that could cause
system files to be corrupted.  In particular, the program creates
'/tmp/.tempfile' when it is run.  An attacker could take advantage of this
by creating a symbolic link in the same location as where the temporary
file will be created.  When the program is run, any operations that are
intended to be performed on the temporary file will instead be performed
on the file pointed to by the symbolic link (provided the file is
writeable by the user invoking Cdwrite).

This will most likely result in a denial of service or loss of data.  This
type of vulnerability could also result in privilege escalation if the
attacker can influence what is written during the symbolic link attack.
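
Added example, not Cdwrite's code: the fixed-name open described above beside an O_EXCL|O_NOFOLLOW open that refuses a planted link, both run against a symlink staged inside a private mkdtemp() directory so the effect on the target file can be compared. File names and function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not Cdwrite's code. open_fixed_tmp() is the pattern the
 * advisory describes: a predictable name opened with O_CREAT|O_TRUNC, so a
 * symlink planted there is followed and its target truncated. open_excl_tmp()
 * adds O_EXCL|O_NOFOLLOW and fails with EEXIST when anything, a link included,
 * already sits at the path; the complete fix is an unpredictable name from
 * mkstemp(), which creates with O_EXCL. symlink_demo() stages both opens. */

int open_fixed_tmp(const char *path)                /* vulnerable */
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

int open_excl_tmp(const char *path)                 /* refuses a planted link */
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 1 if the exclusive open refused the link with the victim intact and
 * the fixed-name open then truncated the victim through it; -1 on setup
 * failure. Uses $TMPDIR or /tmp and removes everything it created. */
int symlink_demo(void)
{
    const char *base = getenv("TMPDIR");
    char dir[300], victim[400], link[400];
    struct stat st;
    snprintf(dir, sizeof dir, "%s/cdwdemo.XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.tempfile", dir);     /* predictable name */
    FILE *f = fopen(victim, "w");                         /* data worth keeping */
    if (!f || fputs("important data\n", f) < 0 || fclose(f)) return -1;
    if (symlink(victim, link) != 0) return -1;            /* planted in advance */
    int fd = open_excl_tmp(link);
    int refused = fd < 0 && errno == EEXIST && stat(victim, &st) == 0 && st.st_size == 15;
    if (fd >= 0) close(fd);
    fd = open_fixed_tmp(link);                            /* follows the link */
    if (fd >= 0) close(fd);
    int clobbered = stat(victim, &st) == 0 && st.st_size == 0;
    unlink(link); unlink(victim); rmdir(dir);
    return refused && clobbered;
}
```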

HSFTP Username Command Line Argument Buffer Overrun Vulnerab...
BugTraq ID: 9174
Remote: No
Date Published: Dec 07 2003
Relevant URL: http://www.securityfocus.com/bid/9174
Summary:
hsftp is an FTP emulation program that is available for Unix/Linux
variants.

hsftp is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds checking of username arguments supplied as command
line input.  By supplying an overly long argument as a username argument
when invoking the program, it will be possible to corrupt adjacent regions
of memory with superfluous user-supplied data.  In this manner, it may be
possible to corrupt sensitive variables in memory and control execution
flow, resulting in execution of arbitrary code.

In situations where hsftp is installed setuid root and not configured to
drop privileges, this could be exploited to execute arbitrary code with
elevated privileges.

HSFTP Hostname Command Line Argument Buffer Overrun Vulnerab...
BugTraq ID: 9175
Remote: No
Date Published: Dec 07 2003
Relevant URL: http://www.securityfocus.com/bid/9175
Summary:
hsftp is an FTP emulation program that is available for Unix/Linux
variants.

hsftp is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds checking of hostname arguments supplied as command
line input.  By supplying an overly long argument as a host argument when
invoking the program, it will be possible to corrupt adjacent regions of
memory with superfluous user-supplied data.  In this manner, it may be
possible to corrupt sensitive variables in memory and control execution
flow, resulting in execution of arbitrary code.

In situations where hsftp is installed setuid root and not configured to
drop privileges, this could be exploited to execute arbitrary code with
elevated privileges.

CVS Malformed Request System Root File Creation Vulnerabilit...
BugTraq ID: 9178
Remote: Yes
Date Published: Dec 09 2003
Relevant URL: http://www.securityfocus.com/bid/9178
Summary:
CVS is the Concurrent Versions System, which is a freely available
open-source version management package.  It is available for the Unix and
Linux operating systems.

A vulnerability has been discovered in the handling of some types of
requests by CVS.  Because of this, it may be possible for an attacker to
create files in the root directory of a system hosting the vulnerable
server.

The problem involves the handling of malformed requests by modules.  An
attacker supplying a maliciously crafted request to the server could,
depending upon the permissions of the CVS server, create files and/or
directories in the system root directory.  However, this problem is
limited by the write permissions of the root directory, and the privileges
with which the CVS server executes.

BNCweb BNCquery.pl File Disclosure Vulnerability
BugTraq ID: 9181
Remote: Yes
Date Published: Dec 09 2003
Relevant URL: http://www.securityfocus.com/bid/9181
Summary:
BNCweb is a web-based CGI program for searching and retrieving lexical,
grammatical and textual data from the 100 million word collection of
English texts in the British National Corpus.

BNCweb has been reported to be prone to a file disclosure vulnerability
due to a flaw in the BNCquery.pl script.  This could potentially permit
remote attackers to gain unauthorized access to sensitive files hosted on
the system running the software.  Files that are readable to the web
server, and system password files, will be accessible to an attacker if
this vulnerability is successfully exploited.  It has been reported that
the scripts are protected by the web server's access control mechanism;
therefore an attacker needs to have a user account to carry out a
successful attack.

Multiple Browser URI Display Obfuscation Weakness
BugTraq ID: 9182
Remote: Yes
Date Published: Dec 09 2003
Relevant URL: http://www.securityfocus.com/bid/9182
Summary:
A weakness has been reported in multiple browsers that may allow attackers
to obfuscate the URI for a visited page.  The problem is said to occur when
a URI designed to access a specific location with a supplied username
contains a non-printable hexadecimal value before the @ symbol.

Specifically, the malicious URI must be formatted as follows, where %00
may be any non-displayable hexadecimal value:
http://www.trusted.com%00@www.malicious.com
Upon clicking the link, the URI field would contain www.trusted.com
although the site actually accessed is www.malicious.com.  It should be
noted that manually placing such a URI into the location bar may not work,
as the hexadecimal value must not be escaped.

An attacker could exploit this issue by supplying a malicious URI pointing
to a page designed to mimic that of a trusted site.  If an unsuspecting
victim were to follow the link and attempt to verify the authenticity of
the current location by checking the current URI, they may be deceived
into believing they are at the actual trusted site.  This could potentially
cause a false sense of security for the victim.

There are currently conflicting reports regarding which versions of Internet
Explorer this weakness affects, including versions for Mac OS X.  As more
information becomes available, the necessary clarifications will be
made.

Symantec has confirmed however, that this issue does affect the latest
Internet Explorer with all service packs and patches applied.

Reports indicate that Microsoft Outlook Express 6 is affected by this
issue as well. As such, it is believed that all releases of Outlook
Express and possibly Outlook are affected.

Mozilla and Mozilla Firebird browsers are also vulnerable to this issue.
This has not yet been confirmed.

[ the old \0-injection exploit (C language) ]
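
Added example, not code from any browser or from the advisory: a C-string based host display stops at the injected NUL and shows www.trusted.com, while a length-aware parser finds www.malicious.com after the last '@'; suspicious_userinfo() is the check a proxy or mail filter could apply to flag such links. The sample URIs and all function names are constructed for this example.

```c
#include <string.h>
/* Added example (not browser or advisory code): once percent-decoded,
 * http://www.trusted.com%00@www.malicious.com holds a literal NUL before '@'.
 * Code treating the bytes as a C string stops there and shows the decoy host;
 * a length-aware parser takes what follows the last '@'. Samples are constructed. */
static const unsigned char SAMPLE_URI[] = "http://www.trusted.com\0@www.malicious.com/login";
static const unsigned char BENIGN_URI[] = "http://bob@example.com:8080/home";
static char host_buf[256];

/* Authority bounds: after "://" up to the next '/'. Returns 0 if absent. */
static int authority(const unsigned char *u, size_t len, size_t *s, size_t *e) {
    size_t i;
    for (i = 0; i + 2 < len; i++)
        if (u[i] == ':' && u[i + 1] == '/' && u[i + 2] == '/') break;
    if (i + 2 >= len) return 0;
    for (*s = i + 3, i = *s; i < len && u[i] != '/'; i++) {}
    *e = i;
    return 1;
}
static const char *copy_host(const unsigned char *p, size_t n) {
    if (n >= sizeof host_buf) n = sizeof host_buf - 1;
    memcpy(host_buf, p, n); host_buf[n] = '\0';
    return host_buf;
}

/* What a C-string based display shows: the string ends at the embedded NUL. */
const char *naive_display_host(const unsigned char *u, size_t len) {
    size_t s, e;
    if (!authority(u, len, &s, &e)) return copy_host(u, 0);
    const unsigned char *z = memchr(u + s, '\0', e - s);
    return copy_host(u + s, z ? (size_t)(z - (u + s)) : e - s);
}

/* Length-aware: the host follows the last '@' of the authority, up to ':'. */
const char *real_host(const unsigned char *u, size_t len) {
    size_t s, e, i, h;
    if (!authority(u, len, &s, &e)) return copy_host(u, 0);
    for (h = s, i = s; i < e; i++) if (u[i] == '@') h = i + 1;
    for (i = h; i < e && u[i] != ':'; i++) {}
    return copy_host(u + h, i - h);
}

/* Detection: userinfo (bytes before the last '@') holding control bytes. */
int suspicious_userinfo(const unsigned char *u, size_t len) {
    size_t s, e, i, at = 0;
    if (!authority(u, len, &s, &e)) return 0;
    for (i = s; i < e; i++) if (u[i] == '@') at = i;
    for (i = s; i < at; i++) if (u[i] < 0x20 || u[i] == 0x7f) return 1;
    return 0;
}
```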

Cisco ACNS Authentication Library Remote Buffer Overrun Vuln...
BugTraq ID: 9187
Remote: Yes
Date Published: Dec 10 2003
Relevant URL: http://www.securityfocus.com/bid/9187
Summary:
Cisco has reported a remotely exploitable buffer overrun in ACNS
authentication libraries, which are typically deployed on various Content
devices.  In particular, there is insufficient bounds checking of
passwords.  If an overly long password is supplied, it may be possible to
corrupt sensitive regions of memory in such a way as to control execution
flow and execute malicious instructions.  The issue is exposed via the CE
GUI server, which uses the vulnerable authentication libraries.

The following devices running ACNS software versions prior to 4.2.11 or
5.0.5 are affected:
Content Routers 4400 series
Content Distribution Manager 4600 series
Content Engine 500 and 7300 series
Content Engine Module for Cisco Routers 2600, 3600 and 3700 series

This issue could potentially be exploited to execute arbitrary code on a
vulnerable device, resulting in full compromise.  Denial of service is
another possible consequence of exploitation.

[ firmware ]

Cisco Unity Default User Accounts and IP Addresses Multiple ...
BugTraq ID: 9189
Remote: Yes
Date Published: Dec 10 2003
Relevant URL: http://www.securityfocus.com/bid/9189
Summary:
Unity is a Cisco software product designed to unify voice message, fax,
and e-mail into a user's inbox.

Multiple vulnerabilities have been identified in Cisco Unity running on
IBM servers.  It has been reported that vulnerable systems contain default
user accounts and default IP addresses that could be used by an attacker
to gain unauthorized access.

The following specific issues have been identified:

A local user account with 'log on locally' rights named "bubba" may be
present on the system.  Remote attackers who are aware of the default
account may use it to gain unauthorized access to the vulnerable system.

It has been reported that upon installation, the RAID Management service
attempts to establish a TCP session with a RAID server address embedded in
the RaidNLst.ser file.  The RaidNLst.ser file is stored in the C:\Program
Files\RaidMan directory.  This specific address was used during the
testing of the application.  The issue results in opening TCP port 34571
and listening for remote contact.  This vulnerability may allow a remote
attacker to gain access to a vulnerable system via this open port.

The Cisco Unity Server is configured to get an IP Address from a DHCP
server upon installation.  If a local DHCP server does not exist, the
vulnerable system will repeatedly send packets to a DHCP server specified
by the manufacturer during testing.  This server only stops contacting the
default network once a local DHCP server is identified or a static entry
is made for a local DHCP server.

These issues are only present on Unity installation disks with specific
part numbers.  Part numbers on disks containing these issues are as
follows:

80-7111-01 for the UNITY-SVRX255-1A
80-7112-01 for the UNITY-SVRX255-2A

[ firmware ]


NetGear WAB102 Wireless Access Point Password Management Vul...
BugTraq ID: 9194
Remote: Yes
Date Published: Dec 10 2003
Relevant URL: http://www.securityfocus.com/bid/9194
Summary:
NetGear WAB102 is a dual band Wireless Access point.

A vulnerability has been reported in the software that may allow a remote
attacker to access a vulnerable unit by using a default password or any
password containing a space ' '.  Furthermore, if the unit loses power and
is restarted or reset, the password is changed back to the default
password.  The access point is shipped with a default account of 'admin'
and a password of '1234'.

Successful exploitation of this issue may allow an attacker to gain access
to the access point and launch further attacks against a system.

NetGear WAB102 running firmware version 1.2.3 has been reported to be
prone to this issue.

[ firmware ]

SX Design sipd Remote Denial of Service Vulnerability
BugTraq ID: 9198
Remote: Yes
Date Published: Dec 11 2003
Relevant URL: http://www.securityfocus.com/bid/9198
Summary:
sipd is a SIP (Session Initiation Protocol) proxy and location server.

A vulnerability has been identified in sipd that may allow a remote
attacker to cause a denial of service condition in the software.  The
problem is reported to exist in the gethostbyname_r function of the
software.  It has been reported that the vulnerable function returns a
value of 1 when faced with an erroneous situation; however, it may be
possible to cause it to return 0.  This situation can arise when trying to
resolve a non-existent hostname.  An attacker may be able to cause the
server to crash by sending a malformed SIP request.

Successful exploitation of this issue may allow a remote attacker to crash
an affected sipd daemon, effectively denying service to other legitimate
users.

sipd version 0.1.2 has been reported to be prone to this issue, however
other versions could be affected as well.

Multiple Vendor XML DTD Parameter Entity SOAP Server Denial ...
BugTraq ID: 9204
Remote: Yes
Date Published: Dec 11 2003
Relevant URL: http://www.securityfocus.com/bid/9204
Summary:
SOAP is the Simple Object Access Protocol, which is implemented in
numerous web service software packages by various vendors. SOAP servers
are available for the Unix, Linux, and Microsoft Windows platforms.

XML DTD (Document Type Definition) defines how XML markup tags should be
interpreted by the application handling the XML document.

A problem has been identified in several different SOAP servers when
handling certain types of SOAP requests. Because of this, it is possible
for an attacker to force a denial of service on systems using a vulnerable
implementation.

The problem is in the handling of SOAP requests that contain references to
DTD parameter entities. By making a SOAP request with maliciously crafted
DTD data, it is possible to cause the SOAP server to consume excessive
amounts of system resources. This issue can be used to make the server
unavailable while it handles the requests, and could be continuously used
to create a prolonged denial of web services.
