[gull-annonces] Summary of SecurityFocus Newsletter #228

Marc SCHAEFER schaefer at alphanet.ch
Sat Dec 27 13:11:01 CET 2003


Multiple Vendor IKE Implementation Certificate Authenticity ...
BugTraq ID: 9208
Remote: Yes
Date Published: Dec 12 2003
Relevant URL: http://www.securityfocus.com/bid/9208
Summary:
IKE is the Internet Key Exchange protocol. It is used for the negotiation
of authentication and encryption methods and keys during VPN session
initiation.

It has been reported that some default IKE implementations may carry out
insufficient certificate authenticity verification.

The vulnerability lies in the fact that some implementations fail to
thoroughly verify the authenticity of client/server certificates.
Specifically, a client or server will verify the authenticity of a
certificate by ensuring that the Certificate Authority (CA) that signed
it is the same CA that signed their own certificate. No attempt is made
to verify that the owner of the certificate is trusted.

Exploitation of this issue may be carried out in a number of ways,
depending on the specific IKE implementation. An attacker may impersonate
a client and transmit a certificate after an IKE authentication session
has been established between the legitimate client and server. If this
were to occur, the impersonating client's certificate would be erroneously
trusted, and IKE would be renegotiated with the attacker, potentially
granting the attacker access to the entire session. The attacker may also
carry out a man-in-the-middle attack by impersonating a server and
initiating an IKE session with a client. Other attacks are also possible.

It should be noted that the researcher specifically mentioned certain
vendor VPN clients as being vulnerable; however, it was also mentioned
that only some devices/products are vulnerable under some configurations.
At the time of writing, no confirmation has been made by Symantec
regarding which products/devices are directly affected. At this time all
vendor VPN clients have been added as potentially vulnerable. These
details will be modified and/or clarified as further information is made
available.

The researcher has explicitly stated that Windows 2000 SP2 and later, as
well as Windows XP are vulnerable to such an implementation. Moreover, it
is said that this implementation may not be modified to allow a differing
CA to sign server and client certificates, potentially making attacks
unavoidable.

The researcher has indirectly stated that the following other vendors may
be affected: Cisco, Nortel, FreeS/WAN and Certicom. It should be noted
that other vendors/products may be affected as well, and that specific
products listed as vulnerable may not be explicitly affected.
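
The check described in this summary, as an added example that is not code
from the advisory or from any of the vendors named: certificates are
modelled as plain structs (a real implementation would first verify the
X.509 signature chain), and the names weak_peer_check, strict_peer_check,
trusted_ca and expected_peer_id are assumptions made for illustration. The
point is that chaining to the right CA proves only that the CA issued the
certificate; the peer's identity still has to match the one the tunnel
was configured for.

```c
/* Added example, not from the advisory or any vendor's code: a model of
 * the IKE certificate acceptance policy discussed above. Certificates
 * are plain structs; signature verification is assumed to have happened
 * already. All names and sample values are constructed. */
#include <string.h>

struct cert {
    const char *issuer;   /* CA that signed this certificate */
    const char *subject;  /* identity the CA bound into the certificate */
};

/* The flawed policy: accept any certificate issued by "our" CA. */
int weak_peer_check(const struct cert *peer_cert, const char *trusted_ca)
{
    return strcmp(peer_cert->issuer, trusted_ca) == 0;
}

/* The corrected policy: the certificate must chain to the trusted CA AND
 * its subject must be the identity this tunnel is configured to talk to. */
int strict_peer_check(const struct cert *peer_cert, const char *trusted_ca,
                      const char *expected_peer_id)
{
    if (strcmp(peer_cert->issuer, trusted_ca) != 0)
        return 0;                       /* not issued by our CA */
    if (strcmp(peer_cert->subject, expected_peer_id) != 0)
        return 0;                       /* genuine cert, wrong owner */
    return 1;
}

/* Constructed scenario: two certificates from the same CA, only one of
 * which belongs to the gateway the client expects. Returns 1 when the
 * weak policy would accept the other certificate and the strict policy
 * rejects it while still accepting the real gateway. */
int demo_impersonation_rejected(void)
{
    const char *ca = "CN=Example Corp VPN CA";              /* constructed */
    struct cert gateway      = { ca, "CN=vpn-gw.example.com" };
    struct cert other_client = { ca, "CN=laptop-42.example.com" };
    const char *expected = "CN=vpn-gw.example.com";

    int weak_accepts_other    = weak_peer_check(&other_client, ca);
    int strict_rejects_other  = !strict_peer_check(&other_client, ca, expected);
    int strict_accepts_gateway = strict_peer_check(&gateway, ca, expected);
    return weak_accepts_other && strict_rejects_other && strict_accepts_gateway;
}
```

In a real IKE stack the "expected identity" is the peer ID configured for
the tunnel (or a policy over subject/SAN fields), and the comparison runs
after the full chain and validity-period checks, not instead of them.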

Multiple Vendor IKE Insecure XAUTH Implementation Vulnerabil...
BugTraq ID: 9209
Remote: Yes
Date Published: Dec 11 2003
Relevant URL: http://www.securityfocus.com/bid/9209
Summary:
IKE is the Internet Key Exchange protocol. It is used for the negotiation
of authentication and encryption methods and keys during VPN session
initiation.

IKE, when implemented with 'XAUTH' extensions, has been reported prone to
sensitive information disclosure.

The vulnerability has been reported to result from a weakness in XAUTH
when used as an extension of IKE, for example when IKE is configured to
use a 'group-password' and then transmits a second authenticator employing
XAUTH. Specifically, the server does not have to be authorized to the
client in an XAUTH based IKE negotiation. This creates a situation in
which an attacker operating a malicious IKE server that implements XAUTH
may be authorized by a client, and the client may pass sensitive data to
the malicious server without suspecting that it is not in fact a
legitimate server for this transaction.

This could potentially be exploited by an attacker to establish a session
with a legitimate server, posing as the client that leaked the sensitive
information. Other attacks would also be possible.

IETF has not recommended the use of XAUTH as an extension of IKE.

It should be noted that the researcher specifically mentioned certain
vendor VPN clients as being vulnerable; however, it was also mentioned
that only some devices/products are vulnerable under specific
configurations.

At the time of writing, no confirmation has been made by Symantec
regarding which products/devices are directly affected. At this time all
vendor VPN clients have been added as potentially vulnerable. These
details will be modified and/or clarified, as further information is made
available.

Although specific vendor product versions affected by this issue are not
currently known, the researcher has stated that the following vendors are
or may be affected: Cisco, Nortel, MovianVPN, SafeNet, Certicom, and Funk
AdmitOne. It should be noted that other vendors/products may be affected
as well.

lftp Try_Netscape_Proxy Buffer Overflow Vulnerability
BugTraq ID: 9210
Remote: Yes
Date Published: Dec 12 2003
Relevant URL: http://www.securityfocus.com/bid/9210
Summary:
lftp is a command-line file transfer client supporting FTP and HTTP.

It has been reported that the lftp file transfer client is vulnerable to a
remotely exploitable buffer overflow condition.  The vulnerability is
present when lftp is used to retrieve content from a remote HTTP server.
According to the report, the client does not properly handle special
directories that exist on the server.

The error that causes this condition is in the function
"try_netscape_proxy()" of the file "src/HttpDir.cc".  The vulnerability is
reportedly due to an unbounded memory copy of data from the server into an
internal buffer of predefined length. It has been conjectured that the
issue is isolated to an erroneous sscanf() call in which a structure
member (size_str) is copied into a buffer without sufficient limitation of
the string length by its associated format specifier. This however has not
yet been confirmed.

The flaw is triggered when the user issues the "ls" and "rels" commands.

This vulnerability can be exploited by operators of web servers to execute
arbitrary instructions on the host running lftp.  Any such code executed
would run with the privileges of the user who invoked lftp.

This issue is reported to affect all versions of lftp prior to version
2.6.10.

** This BID, originally entitled "LFTP Undisclosed HTML Parsing
Vulnerability" described an issue that was also covered in BID 9212 "lftp
Buffer Overflow Vulnerabilities".  This BID has been revised with
information from one of the vulnerabilities originally described in BID
9212.  BID 9212 has also been revised to describe the other issue.

lftp Try_Squid_Eplf Buffer Overflow Vulnerability
BugTraq ID: 9212
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9212
Summary:
lftp is a command-line file transfer client supporting FTP and HTTP.

It has been reported that the lftp file transfer client is vulnerable to a
remotely exploitable buffer overflow condition.  The vulnerability is
present when lftp is used to retrieve content from a remote HTTP server.
According to the report, the client does not properly handle special
directories that exist on the server.

The error that causes this condition is in the function "try_squid_eplf()"
of the file "src/HttpDir.cc".  The vulnerability is reportedly due to an
unbounded memory copy of data from the server into an internal buffer of
predefined length. It has been conjectured that the issue is isolated to
an erroneous sscanf() call in which a structure member (size_str) is
copied into a buffer without sufficient limitation of the string length by
its associated format specifier. This however has not yet been confirmed.

The flaw is triggered when the user issues the "ls" and "rels" commands.

This vulnerability can be exploited by operators of web servers to execute
arbitrary instructions on the host running lftp.  Any such code executed
would run with the privileges of the user who invoked lftp.

This issue is reported to affect all versions of lftp prior to version
2.6.10.

** This BID, originally entitled "lftp Buffer Overflow Vulnerabilities"
has been divided into two distinct issues.  BID 9210 has also been revised
to cover one of the issues described in the initial version of this BID.

Multiple Cisco PIX Remote Denial Of Service Vulnerabilities
BugTraq ID: 9221
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9221
Summary:
Cisco PIX is a firewall hardware appliance constructed and distributed by
Cisco Systems.

Cisco PIX has been reported prone to multiple remote denial of service
vulnerabilities.

The first issue has been reported to present itself when the affected PIX
firewall processes an SNMPv3 message, in certain circumstances.
Specifically, if the Cisco PIX is configured as an SNMP server
(snmp-server host [ip address]) and the device receives and processes an
SNMPv3 message, the PIX firewall will crash and reload, effectively
denying service while the appliance is cycling. It should be noted that
this issue occurs even though the Cisco PIX firewall does not support
SNMPv3.

The second issue that was reported by the vendor is that a remote attacker
may close established VPN sessions between a Cisco PIX appliance that is
configured as a VPN Client and a remote VPN server. This vulnerability
presents itself if an attacker uses an IPSec client to negotiate an IKE
Phase 1 connection to the outside interface of the Cisco PIX firewall that
is configured as a VPN Client.

[ hardware ]

Multiple Cisco FWSM Vulnerabilities
BugTraq ID: 9222
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9222
Summary:
Cisco has reported the following vulnerabilities in Cisco Firewall
Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600
Series:

Cisco FWSM is prone to a buffer overrun vulnerability when handling HTTP
Auth data.  The request is reportedly initiated when a user connects via
the telnet, FTP or HTTP protocols.  This information will then be verified
by a TACACS+ or RADIUS server.  At some point during this transaction,
malformed or excessive HTTP Auth data may trigger an overrun.  This would
most likely result in a denial of service but could also potentially allow
for arbitrary code execution (though this has not been confirmed).

Cisco FWSM has also been reported to be prone to denial of service attacks
via SNMPv3 messages.  This may occur when snmp-server host <ip_addr> is
configured on the FWSM.  This will cause a vulnerable device to reboot.

Both of these issues have been addressed in FWSM 1.1.3 and later for
affected devices.

[ hardware ]

SEH InterCon Smart PrintServer Access Validation Vulnerabili...
BugTraq ID: 9224
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9224
Summary:
SEH InterCon Smart PrintServer is a high speed print server compliant with
IEEE 1284.

A vulnerability has been reported to exist in the software that may allow
an attacker to gain administrative access to a vulnerable system.  It has
been reported that an attacker may be able to access and modify
configuration files reserved for administration without supplying proper
authentication credentials.  It has been reported that the path of the
server configuration files can be obtained from the server; by supplying
the IP address of the vulnerable server in a link to the configuration
files, an attacker may access the sensitive resources.

Successful exploitation of this issue may allow an attacker to gain access
to configuration files, which can then be modified to gain administrative
access to a vulnerable server.  Other attacks may be possible as well.

Specific version information was not provided in the report.  All versions
are assumed to be vulnerable until further information is made public.

[ hardware ]

Cyrus IMSP Daemon Remote Buffer Overflow Vulnerability
BugTraq ID: 9227
Remote: Yes
Date Published: Dec 15 2003
Relevant URL: http://www.securityfocus.com/bid/9227
Summary:
The IMSP Daemon is an implementation of the Internet Message Support
Protocol by the Cyrus project.  It is available for the Unix and Linux
operating systems.

A vulnerability has been identified in the Cyrus IMSP Daemon
implementation when handling certain types of requests.  Because of this,
it may be possible for a remote attacker to gain unauthorized access to a
system using the vulnerable software.

The problem is an exploitable buffer overflow in the IMSP daemon.  The
source of this issue is that an sprintf() operation is performed using
externally supplied data without sufficient bounds checking.  This data
may be supplied remotely via several IMSP protocol messages.  By sending a
maliciously crafted packet to a vulnerable daemon, it is possible to
overwrite sensitive process memory, potentially executing arbitrary code
with the privileges of the IMSP daemon process.  This process is usually
run as root.

It should be noted that this issue permits attacks in the
pre-authentication phase, which could potentially result in anonymous
attacks.

X Design sipd Remote Format String Vulnerability
BugTraq ID: 9236
Remote: Yes
Date Published: Dec 16 2003
Relevant URL: http://www.securityfocus.com/bid/9236
Summary:
sipd is a SIP (Session Initiation Protocol) proxy and location server.

sipd has been reported prone to a format string vulnerability that may be
triggered remotely. It has been reported that SIP URI arguments passed to
the affected server as REGISTER data are not sufficiently handled. An
attacker may place format specifiers in the URI, and they will be
processed as format directives, potentially allowing the attacker to read
from and write to arbitrary memory.

Although unconfirmed, it has been conjectured that a remote attacker may
exploit this condition to execute arbitrary instructions in the context of
the affected sip daemon.

It should be noted that this issue has been reported to affect sipd
versions 0.1.4 and prior.
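
The three C string-handling defects named in the lftp (BID 9210/9212),
Cyrus IMSP (BID 9227) and sipd (BID 9236) summaries above, each beside its
bounded form, as an added example that is not code from any of those
projects. The function names, buffer sizes, the listing format and the
sample inputs are all constructed for illustration; the only thing taken
from the summaries is the shape of each defect (sscanf "%s" without a
width, sprintf into a fixed buffer, untrusted text used as a format
string).

```c
/* Added example, not code from lftp, Cyrus IMSP or sipd: the three
 * string-handling defects described in those summaries, each next to a
 * bounded version. Names, sizes and sample inputs are constructed. */
#include <stdio.h>
#include <string.h>

/* 1. lftp-style defect: sscanf("%s") into a fixed buffer. A width one
 *    less than the buffer size ("%15s" for 16-byte buffers) bounds the
 *    copy, and %n lets us notice that a field was longer than we accept
 *    instead of silently truncating it. Parses "<size> <name>" into two
 *    16-byte buffers; returns 1 on success, 0 on malformed/oversized input. */
int parse_listing_entry(const char *line, char size_str[16], char name[16])
{
    int consumed = 0;
    if (sscanf(line, "%15s %15s%n", size_str, name, &consumed) != 2)
        return 0;                                   /* malformed line */
    for (const char *p = line + consumed; *p; p++)  /* leftover text: a field was too long */
        if (!strchr(" \t\r\n", *p))
            return 0;
    return 1;
}

/* 2. Cyrus IMSP-style defect: sprintf() into a fixed buffer. snprintf()
 *    never writes past outlen, and its return value says whether the
 *    reply was cut; a truncated reply is an error, not something to send. */
int format_reply(char *out, size_t outlen, const char *tag, const char *mailbox)
{
    int n = snprintf(out, outlen, "%s OK %s selected\r\n", tag, mailbox);
    return n >= 0 && (size_t)n < outlen;
}

/* 3. sipd-style defect: attacker-controlled text used as the format
 *    string. Here the URI is only ever a "%s" argument, so "%x" or "%n"
 *    inside it are copied as plain characters rather than interpreted.
 *    Returns 1 when the whole line fit. */
int log_register_line(char *out, size_t outlen, const char *sip_uri)
{
    int n = snprintf(out, outlen, "REGISTER from %s", sip_uri);
    return n >= 0 && (size_t)n < outlen;
}

/* Constructed checks exercising all three. Returns 1 when every bounded
 * version behaves as intended: normal input accepted, oversized input
 * rejected, hostile format specifiers kept literal. */
int demo_bounded_handling(void)
{
    char size_str[16], name[16], buf[64];
    int ok = 1;
    ok &= parse_listing_entry("1024 index.html\n", size_str, name)
          && strcmp(size_str, "1024") == 0 && strcmp(name, "index.html") == 0;
    ok &= !parse_listing_entry("1024 a-name-much-longer-than-fifteen-bytes\n", size_str, name);
    ok &= format_reply(buf, sizeof buf, "A001", "INBOX")
          && strcmp(buf, "A001 OK INBOX selected\r\n") == 0;
    ok &= !format_reply(buf, 16, "A001", "INBOX");   /* 24 bytes do not fit in 16 */
    ok &= log_register_line(buf, sizeof buf, "sip:alice@example.com;%x%x%n")
          && strcmp(buf, "REGISTER from sip:alice@example.com;%x%x%n") == 0;
    return ok;
}
```

The width in "%15s" and the 16-byte buffers must agree; keeping them
together in one place (or generating the format string from the buffer
size) is what prevents the two from drifting apart as code is edited.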

Dizzy unix2tcp Unspecified Buffer Overflow Vulnerability
BugTraq ID: 9240
Remote: No
Date Published: Dec 17 2003
Relevant URL: http://www.securityfocus.com/bid/9240
Summary:
Dizzy unix2tcp is a connection forwarding application that listens on
local Unix sockets and forwards traffic to a remote IP address or port.

A vulnerability has been reported to exist in the 'unix2tcp.c' module of
the software that may allow a local attacker to execute arbitrary code on
a vulnerable system in order to gain unauthorized access. The condition is
present due to insufficient boundary checking.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice.  Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access.

unix2tcp versions 0.7.2 and prior may be vulnerable to this issue. This
BID will be updated as more information becomes available.

Advanced Research Security Auditor Research Assistant Servic...
BugTraq ID: 9241
Remote: Yes
Date Published: Dec 17 2003
Relevant URL: http://www.securityfocus.com/bid/9241
Summary:
Advanced Research Security Auditor Research Assistant (SARA) is the third
generation of security auditing software based on the original SATAN
scanner. SARA employs an HTTP server to allow the end user to interact with
the software using a web browser. SARA is used to scan remote systems for
security vulnerabilities, and a dynamic report is generated from the
findings.

SARA has been reported prone to an HTML injection vulnerability. The issue
has been reported to exist due to a lack of sufficient sanitization
performed on banner data enumerated from remote services. It has been
reported that in interactive mode, HTML code received as a banner from a
server responding to a SARA scan will be incorporated into dynamic content
and rendered in the browser of the user who is monitoring the SARA scan.

Successful exploitation of this issue may allow a remote attacker to steal
cookie-based authentication credentials. Other attacks are possible as
well. The impact of this issue may be aggravated because the affected
software invokes the web browser, and the software must be run as the root
user. HTML form variables are also assigned to global variables in Perl
scripts.

It should be noted that this vulnerability has been reported to affect
SARA version 4.2.7 and all prior versions.

**Additional reports indicate that this issue may also affect SATAN
version 1.1.1 and previous versions, as SARA is derived from the SATAN
engine. It has been reported that SATAN does not strip "<" and ">"
characters from HTML code.
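
The mitigation the SARA/SATAN summary implies (neutralising banner text
before it is embedded in the report page), as an added example that is
not code from SARA or SATAN (which are written in Perl). The function
html_escape and the sample banner are constructed for illustration. It
goes slightly beyond the note above: stripping only "<" and ">" is not
sufficient when the text lands inside an attribute value, so "&", the
double quote and the single quote are escaped as well.

```c
/* Added example, not SARA's or SATAN's code: escape untrusted service
 * banner text before embedding it in an HTML report. Escaping rather
 * than stripping keeps the banner readable while making it inert in
 * both element content and attribute values. Names are constructed. */
#include <stddef.h>
#include <string.h>

/* Write an HTML-escaped copy of 'banner' into 'out' (outlen bytes).
 * Returns the length of the escaped text, or -1 if it would not fit;
 * 'out' is always NUL-terminated when outlen > 0. */
int html_escape(const char *banner, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    for (const char *p = banner; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;   /* everything else is copied as-is */
        }
        size_t rl = strlen(rep);
        if (used + rl + 1 > outlen) {       /* keep room for the terminator */
            out[used] = '\0';
            return -1;
        }
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed banner of the kind a hostile service could return to a
 * scanner; returns 1 when the escaped form contains no raw '<' or '>'. */
int demo_banner_is_inert(void)
{
    char page[128];
    const char *banner = "220 <script>alert(document.cookie)</script>";  /* constructed */
    if (html_escape(banner, page, sizeof page) < 0)
        return 0;
    return strchr(page, '<') == NULL && strchr(page, '>') == NULL;
}
```

Escaping belongs at the point where the banner is written into the page,
not where it is received, so that the raw value is still available for
logging and fingerprinting.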

Botan Es_Unix Privilege Escalation Vulnerability
BugTraq ID: 9242
Remote: No
Date Published: Dec 12 2003
Relevant URL: http://www.securityfocus.com/bid/9242
Summary:
Botan is a library of cryptographic algorithms for various Linux/Unix
derivatives.

Botan is prone to a privilege escalation vulnerability in the es_unix
module on Unix systems that do not support /dev/random.  This module
provides a generic entropy source and works by gathering entropy from
external programs.  The source of this vulnerability is that external
programs may be called using popen() without fully qualifying the path to
the file.  A local user could effectively change their PATH environment
variable so that a malicious program is called instead of the intended
program.  In some situations, this could be leveraged to elevate
privileges.

This issue was reported by the vendor to exist in the 1.3.x development
series of the software.
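
The fix pattern for the issue described above (an external helper started
through popen() without a fully qualified path, so that the caller's PATH
decides which program runs), as an added example that is not Botan's code.
The function run_trusted and its arguments are constructed; it assumes a
POSIX system where /bin/echo exists. Instead of handing a bare program
name to the shell, the helper must be given as an absolute path, is
started with execve() under a fixed environment, and its output is read
back over a pipe.

```c
/* Added example, not Botan's code: run an external entropy-gathering
 * helper without trusting the caller's PATH. Requires POSIX; names are
 * constructed and /bin/echo is assumed to exist for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run 'abs_path' with one optional argument, capturing up to outlen-1
 * bytes of its stdout into 'out'. Returns the number of bytes read, or
 * -1 if the path is not absolute, the process cannot be started, or it
 * exits unsuccessfully. No shell is involved, so PATH lookup never happens. */
int run_trusted(const char *abs_path, const char *arg, char *out, size_t outlen)
{
    if (abs_path == NULL || abs_path[0] != '/' || outlen == 0)
        return -1;                      /* refuse anything PATH could redirect */

    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: fixed, minimal environment; the caller's PATH is not inherited. */
        char *const argv[] = { (char *)abs_path, (char *)arg, NULL };
        char *const envp[] = { (char *)"PATH=/usr/bin:/bin", NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(abs_path, argv, envp);
        _exit(127);                     /* only reached if execve() failed */
    }

    /* Parent: collect output, then reap the child and check its status. */
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (int)used;
}

/* Constructed check: an absolute path runs, a bare name is refused. */
int demo_path_policy(void)
{
    char buf[64];
    int ran = run_trusted("/bin/echo", "entropy-helper", buf, sizeof buf);
    int refused = run_trusted("echo", "entropy-helper", buf, sizeof buf);
    return ran == 15 && strcmp(buf, "entropy-helper\n") == 0 && refused == -1;
}
```

Beyond the absolute path, a setuid or otherwise privileged caller should
also ignore other environment variables that influence dynamic loading
(the fixed envp above drops them), and should treat helper output as
untrusted input rather than as a trusted entropy source on its own.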

Ethereal SMB Protocol Dissector Denial of Service Vulnerabil...
BugTraq ID: 9248
Remote: Yes
Date Published: Dec 18 2003
Relevant URL: http://www.securityfocus.com/bid/9248
Summary:
The Ethereal SMB protocol dissector is prone to a remotely exploitable
denial of service vulnerability.  This issue has been addressed with the
release of Ethereal 0.10.0.

It has been reported that a malformed SMB packet could cause a
segmentation fault in Ethereal.  This occurs when "Match->Selected" or
"Prepare->Selected" is selected for the packet.

This issue may be exploited by causing Ethereal to process a malformed
packet.  Successful exploitation will cause a denial of service condition
in the Ethereal application.  Although unconfirmed, this issue may allow
an attacker to cause a buffer overflow in the application leading to
arbitrary code execution.

Ethereal versions 0.9.16 and prior have been reported to be prone to this
issue.

Ethereal Q.931 Protocol Dissector Denial of Service Vulnerab...
BugTraq ID: 9249
Remote: Yes
Date Published: Dec 18 2003
Relevant URL: http://www.securityfocus.com/bid/9249
Summary:
The Ethereal Q.931 protocol dissector is prone to a remotely exploitable
denial of service vulnerability.  This issue has been addressed with the
release of Ethereal 0.10.0.

It has been reported that when reading a malformed packet the Q.931
dissector dereferences a null pointer.

The issue may be exploited by causing Ethereal to process a malformed
packet.  Successful exploitation will cause a denial of service condition
in the Ethereal application.  Although unconfirmed, this issue may allow
an attacker to cause a buffer overflow in the application leading to
arbitrary code execution.

Ethereal versions 0.9.16 and prior have been reported to be prone to this
issue.  This issue has been reported to affect Tethereal as well.

laitcg Pop 3 Scan Renattach Malicious Attachment Scanning By...
BugTraq ID: 9252
Remote: Yes
Date Published: Dec 18 2003
Relevant URL: http://www.securityfocus.com/bid/9252
Summary:
laitcg Pop 3 Scan is a proxy server used by POP3 clients.  Pop 3 Scan
scans incoming email messages for viruses, worms, trojans, spam, and
harmful attachments.

A vulnerability has been identified in the software.  It has been reported
that when Pop 3 Scan is used with renattach, the software may not identify
malicious attachments and therefore allow malicious code to pass through
undetected.  This issue is reported to present itself when a Pop 3 Scan
user has also enabled renattach.  renattach is an open source Unix stream
filter used to rename or delete potentially malicious e-mail attachments.

This vulnerability could allow malicious attachments to pass through the
proxy. This could also cause users to assume that the attachment is safe,
which would create a false sense of security.

laitcg Pop 3 Scan version 1.0-rc5 has been reported to be vulnerable to
this issue.
