[gull-annonces] Summary of SecurityFocus Newsletter #203

Marc SCHAEFER schaefer at alphanet.ch
Fri Jul 4 11:10:33 CEST 2003


WebFS Request-URI Buffer Overflow Vulnerability
BugTraq ID: 7990
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7990
Summary:

WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

A buffer overflow vulnerability has been reported for WebFS that may
result in the execution of attacker-supplied code. The vulnerability
exists in the parse_request() function of the request.c source file and is
due to insufficient bounds checking of an overly long Request-URI in an
HTTP request.

Successful exploitation of this vulnerability will result in the
corruption of sensitive memory with attacker-supplied values and the
execution of code.

This vulnerability affects WebFS 1.1.8 and earlier.

osh Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7992
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7992
Summary:

osh Operator Shell is a security enhanced, restricted shell. It allows a
system administrator to restrict access to special commands and files to
certain users. The osh shell is a setuid root shell.

A buffer overflow vulnerability has been reported for osh when processing
environment variables. The problem likely occurs due to insufficient
bounds checking when copying environment data into an internal memory
buffer. As a result, it may be possible for a malicious local user to
corrupt osh process memory in such a way as to redirect execution flow.

Although unconfirmed, this buffer overflow may be exploited to execute
arbitrary code with superuser privileges.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

This vulnerability was reported to affect osh 1.7.

osh File Redirection Buffer Overflow Vulnerability
BugTraq ID: 7993
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7993
Summary:

osh Operator Shell is a security enhanced, restricted shell. It allows a
system administrator to restrict access to special commands and files to
certain users. The osh shell is a setuid root shell.

A buffer overflow vulnerability has been reported for osh when processing
file redirection commands. The problem likely occurs due to insufficient
bounds checking when copying user-supplied redirection data into an
internal memory buffer. As a result, it may be possible for a malicious
local user to corrupt osh process memory in such a way as to redirect
execution flow.

Although unconfirmed, this buffer overflow may be exploited to execute
arbitrary code with superuser privileges.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

This vulnerability was reported to affect osh 1.7.

Traceroute-Nanog Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7994
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7994
Summary:

Traceroute is a tool used to discover the path that packets take across
an IP network. Traceroute-Nanog is installed setuid root on most systems,
as it requires the use of raw sockets.

An integer overflow vulnerability has been reported for Traceroute-Nanog.
It has been reported that when processing certain user-supplied max_ttl
and nprobes values from a traceroute invocation, some functions or
utilities may fail to sufficiently handle integer wrapping.

Specifically, the issue presents itself when large values are passed to
the affected application via the '-q' (nprobes) and '-m' (max_ttl) command
line arguments. If the values are large enough, their product, which is
used in subsequent boundary calculations (nprobes (-q) * max_ttl (-m)),
may wrap and be interpreted as a negative value, thus bypassing boundary
checks. This may result in excessive data being copied into an
insufficient memory space, effectively corrupting adjacent heap based
memory management structures.

Because the attacker can control arbitrary memory corruption, although
conjectured and unconfirmed, the attacker might exploit this condition to
execute arbitrary instructions with elevated privileges.

It should be noted that this vulnerability might only affect the Debian
implementation of Traceroute-Nanog.
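The wrap described above, as an added example written for this summary
(it is not traceroute-nanog's source; the slot limit, the probe record
and the function names are assumptions): a vulnerable bounds check that
only tests the upper bound of nprobes * max_ttl, next to a hardened one
that validates the operands and detects the overflow itself.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed upper bound on probe slots; the real tool's limit is not on the page. */
#define MAX_PROBE_SLOTS 4096

/* Assumed per-probe record, standing in for whatever the real tool stores. */
struct probe_slot {
    int ttl;
    int rtt_usec;
};

struct check_result {
    bool accepted;   /* did the bounds check let the request through? */
    int  slots;      /* slot count the program would go on to allocate */
};

/*
 * Vulnerable pattern: nprobes (-q) and max_ttl (-m) come straight from the
 * command line, the product is formed in a signed int, and the only guard
 * is an upper-bound comparison.  The multiplication is done in unsigned
 * arithmetic and converted back so the wrap is well defined here; on a
 * two's-complement machine it is the value a program doing plain signed
 * multiplication would end up using.
 */
static struct check_result vulnerable_check(int nprobes, int max_ttl)
{
    struct check_result r = { false, 0 };
    int total = (int)((unsigned int)nprobes * (unsigned int)max_ttl);
    if (total > MAX_PROBE_SLOTS)
        return r;                   /* rejected: only the upper bound is tested */
    r.accepted = true;
    r.slots = total;                /* 0 or a negative value slips through */
    return r;
}

/*
 * Hardened version: validate each operand's range, detect overflow on the
 * multiplication itself (GCC/Clang builtin), and only then apply the limit.
 */
static struct check_result safe_check(int nprobes, int max_ttl)
{
    struct check_result r = { false, 0 };
    int total;
    if (nprobes < 1 || max_ttl < 1 || max_ttl > 255)   /* TTL is an 8-bit field */
        return r;
    if (__builtin_mul_overflow(nprobes, max_ttl, &total))
        return r;
    if (total > MAX_PROBE_SLOTS)
        return r;
    r.accepted = true;
    r.slots = total;
    return r;
}

/* Size the program would hand to malloc(): a wrapped count of 0 yields a
   zero-length buffer that the first probe write already overruns. */
static size_t slot_bytes(int slots)
{
    return (size_t)slots * sizeof(struct probe_slot);
}

int main(void)
{
    const struct { int q, m; } cases[] = {
        { 3, 30 }, { 100, 100 }, { 65536, 65536 }, { 65536, 32768 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct check_result v = vulnerable_check(cases[i].q, cases[i].m);
        struct check_result s = safe_check(cases[i].q, cases[i].m);
        printf("-q %d -m %d: vulnerable check %s (slots=%d, malloc=%zu bytes); "
               "hardened check %s\n",
               cases[i].q, cases[i].m,
               v.accepted ? "ACCEPTS" : "rejects", v.slots,
               v.accepted ? slot_bytes(v.slots) : (size_t)0,
               s.accepted ? "accepts" : "rejects");
    }
    return 0;
}
```

Compile with gcc or clang (the hardened check relies on
__builtin_mul_overflow). With -q 65536 -m 65536 the product wraps to 0
and with -q 65536 -m 32768 to INT_MIN; both pass the upper-bound test,
and the first makes the program allocate a zero-length buffer that the
first probe record written into it overruns.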

Zope Empty Upload Information Disclosure Vulnerability
BugTraq ID: 7998
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7998
Summary:

Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

Reportedly, Zope will disclose path information if a user invokes an
upload operation via the 'addFile' script without supplying a valid target
file as a URI parameter. An error will be triggered and traceback
information, which may contain sensitive path information, will be
returned to the browser of the attacker.

If an attacker can gain information about the details of the filesystem,
this information may be useful in further attacks against the host.

Zope addItems Script Information Disclosure Vulnerability
BugTraq ID: 7999
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7999
Summary:

Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

A vulnerability has been discovered in Zope which may result in the
disclosure of sensitive information to a remote attacker. The problem
occurs when a value greater than 11 is passed as the 'records' URI
parameter to the addItems script. When this occurs, an exception will be
triggered, causing the server to return an error page containing sensitive
system information.

Information disclosed may include session identification, the script
installation paths, the application installation path, etc.

Access to this information could potentially aid an attacker in launching
further attacks against the system.

Zope Invalid Query Information Disclosure Vulnerability
BugTraq ID: 8000
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8000
Summary:

Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

Reportedly, Zope will disclose path information if a user invokes an
invalid query operation using Shopping cart example scripts. An error will
be triggered and traceback information containing possible sensitive path
information will be returned to the browser of the attacker.

If an attacker can gain information about the details of the filesystem,
this information may be useful in further attacks against the host.

Zope ExampledbBrowseReport Description Field HTML Injection Vulnerability
BugTraq ID: 8001
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8001
Summary:

Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

It has been reported that the Zope ExampledbBrowseReport example script
suffers from an HTML injection vulnerability. The problem is said to occur
due to insufficient input validation of user-supplied form data.

Specifically, it is possible to embed HTML code within the 'Description'
field of the Zope ExampledbBrowseReport example script.

Any script code injected this way will be interpreted by the browsers of
other Zope users who view the affected page, within the context of the
site hosting the affected script.

The successful exploitation of this issue could ultimately result in the
attacker obtaining cookie-based authentication credentials or other
sensitive information, which, could be used to impersonate the other user.

Linux /proc Filesystem Potential Information Disclosure Vulnerability
BugTraq ID: 8002
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8002
Summary:

A potential information disclosure vulnerability has been reported for the
Linux /proc filesystem. The problem occurs specifically when invoking a
setuid application.

The problem lies in the permissions of the /proc/PID/environ file when the
file has been accessed prior to privilege elevation. It has been reported
that, if the environ file has been opened by a user application, forking
and invoking a setuid application will not in fact modify the ownership of
the open file. As a result, an attacker may be capable of reading the
environment data of a privileged process.

This may pose a security risk as the application may place sensitive or
privileged information within its environment. Access to this information
could theoretically aid an attacker in launching further attacks against a
target system.

It has been conjectured that this issue affects the 2.2 and 2.4 Linux
kernel trees. This, however, has not been confirmed by Symantec. This
information will be updated as further information becomes available.

GNU GNATS PR-Edit Command Line Option Heap Corruption Vulnerability
BugTraq ID: 8003
Remote: No
Date Published: Jun 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8003
Summary:

GNU GNATS is a freely available bug tracking system. It is available for a
variety of Linux and Unix variant operating environments.

The pr-edit utility is shipped as part of GNATS and is intended as an
editor for problem reports. The pr-edit utility is a setuid utility
typically with UID 'gnats' privileges.

A heap overflow vulnerability has been reported for the pr-edit utility.
The vulnerability occurs due to insufficient checks performed on the
arguments to the '-d' commandline option.

The vulnerability exists due to the improper use of the sprintf()
function. Due to this a determined attacker can invoke pr-edit with a
malicious '-d' commandline argument to trigger the heap corruption
vulnerability.

Successful exploitation may result in the execution of attacker-supplied
code with potentially elevated privileges.

It should be noted that on some systems, the pr-edit utility may be
installed with setuid 'root' privileges.

This vulnerability was reported to affect GNATS 3.002.

GNU GNATS PR-Edit Lock File Buffer Overflow Vulnerability
BugTraq ID: 8004
Remote: No
Date Published: Jun 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8004
Summary:

GNU GNATS is a freely available bug tracking system. It is available for a
variety of Linux and Unix variant operating environments.

The pr-edit utility is shipped as part of GNATS and is intended as an
editor for problem reports. The pr-edit utility is a setuid utility
typically with UID 'gnats' privileges.

A stack overflow vulnerability has been reported for the pr-edit utility.
The vulnerability occurs when pr-edit attempts to lock a file. If the file
is already locked, pr-edit reads the lock file to output a message naming
the user that locked it. Due to the improper use of fscanf(), no bounds
check is performed on the length of the user name read from the lock file.

An attacker can exploit this vulnerability by creating a lock file
containing over 2000 bytes. This will trigger the buffer overflow
condition when pr-edit attempts to read the file.

Successful exploitation may result in the execution of attacker-supplied
code with potentially elevated privileges.

It should be noted that on some systems, the pr-edit utility may be
installed with setuid 'root' privileges.

This vulnerability was reported to affect GNATS 3.002.

GNU GNATS Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 8005
Remote: No
Date Published: Jun 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8005
Summary:

GNU GNATS is a freely available bug tracking system. It is available for a
variety of Linux and Unix variant operating environments.

It has been reported that GNATS is prone to a buffer overflow condition
when parsing certain environment variables. Specifically, the configure()
function of the config.c source file does not perform proper bounds checks
on the GNATS_ROOT environment variable.

An attacker can exploit this vulnerability by setting an overly long
GNATS_ROOT environment variable, consisting of at least 5000 characters,
and invoking one of several GNATS utilities. This will trigger the
overflow condition and will result in the corruption of sensitive memory.

The following utilities have been reported to be affected: pr-edit,
queue-pr, gen-index

The affected utilities are typically installed with setuid 'gnats'
privileges however, on some systems, they may be installed with setuid
'root' privileges.

Successful exploitation may result in the execution of attacker-supplied
code with elevated privileges.

This vulnerability was reported to affect GNU GNATS 3.113.1 and 3.113.

tcptraceroute Failure To Relinquish Root Privileges Weakness
BugTraq ID: 8020
Remote: No
Date Published: Jun 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8020
Summary:

tcptraceroute is a traceroute implementation that uses TCP packets.  It is
a setuid-root program.

It has been reported that tcptraceroute does not properly drop root
privileges after obtaining a file descriptor for raw packet capture.
There are not currently any known exploitable conditions that exist for
tcptraceroute.  However, if an exploitable condition were discovered
within the program, this weakness could allow local privilege escalation.
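The privilege drop tcptraceroute is reported to skip, as an added example
that is not tcptraceroute's own code (the function names are assumptions,
and the sequence uses the Linux/glibc setresuid() family): take the raw
socket while still root, then give up root irreversibly before any
untrusted input is handled, and verify that root really cannot be
regained.

```c
#define _GNU_SOURCE                 /* setresuid(), setresgid() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* True if the process can still become root; must be false after a drop. */
static bool can_regain_root(void)
{
    return setuid(0) == 0 || seteuid(0) == 0;
}

/*
 * Drop to `uid`/`gid` with no way back.  Order matters: supplementary
 * groups and the primary group go first, because once the effective uid
 * is no longer 0 those calls are refused.  setres*id() sets the real,
 * effective and saved ids together, so no saved root id is left for a
 * later setuid(0) to reclaim; the function then verifies exactly that.
 */
static bool drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return false;
    if (setresgid(gid, gid, gid) != 0)
        return false;
    if (setresuid(uid, uid, uid) != 0)
        return false;
    if (uid != 0 && can_regain_root())
        return false;                   /* the drop was not permanent */
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/*
 * tcptraceroute-style start-up: acquire the only thing that needs root,
 * the raw socket, then drop privileges before any option or packet is
 * parsed, so a later bug in that code runs as the invoking user.
 * *raw_fd is -1 when the process lacks root/CAP_NET_RAW; the drop is
 * attempted regardless.
 */
static bool privileged_setup(int *raw_fd)
{
    *raw_fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    return drop_privileges(getuid(), getgid());
}

int main(void)
{
    int fd;
    if (!privileged_setup(&fd)) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("raw socket fd=%d, now running as uid %u (euid %u)\n",
           fd, (unsigned)getuid(), (unsigned)geteuid());
    /* ... parse options and send probes here, without root ... */
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run it setuid root (or as root) to see the socket opened and the ids
dropped; run it unprivileged and the socket call fails while the drop is
a harmless no-op. Refusing to continue when the drop fails is the point:
a program that carries on with root after a failed setuid() has the same
weakness as one that never calls it.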

Gkrellmd Remote Buffer Overflow Vulnerability
BugTraq ID: 8022
Remote: Yes
Date Published: Jun 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8022
Summary:

GKrellM is a suite of system monitors, designed to display a graphic
representation of system performance statistics. GKrellMd is a daemon that
is shipped as a part of the GKrellM software.

GKrellMd has been reported prone to a remote buffer overflow
vulnerability that makes arbitrary code execution possible.

The issue presents itself due to a lack of sufficient bounds checking
performed on network-based data. If data exceeding the maximum reserved
memory buffer size (128 bytes) is received and processed by the affected
daemon, excessive data is copied beyond the boundary of the assigned
buffer and will corrupt adjacent memory. It has been confirmed that a
saved instruction pointer may be corrupted in this manner; a remote
attacker may ultimately exploit this issue remotely to seize control of
the affected daemon and execute arbitrary code in the context of the user
who is running the daemon.

This vulnerability has been reported to affect Gkrellm 2.1.13.

Sharp Zaurus Samba Server Unauthorized Remote Filesystem Access Vulnerability
BugTraq ID: 8026
Remote: Yes
Date Published: Jun 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8026
Summary:

Zaurus is a handheld device distributed by Sharp Electronics. Zaurus runs
an embedded Linux-based operating system called Embedix.

When the device is placed in its docking station, the station's USB cable
and the corresponding connection appear as a network interface to the
attached PC. As a result, a user on the attached PC may connect to the
Zaurus over the network. It may also be possible to connect to a Zaurus
via an 802.11b connection.

A vulnerability has been reported for the Samba server when run on the
Sharp Zaurus Embedix operating system. The problem occurs when the device
is placed in the docking station: a Samba server is immediately started,
and it accepts connections on any external interface.

It has been discovered that by default the Samba server is configured to
allow unauthorized users unrestricted read/write access to the local file
system.

This could potentially result in the disclosure of sensitive information
or the corruption of system resources. It may also allow an attacker to
potentially execute arbitrary code on the target device.

[ hardware? firmware ? OSS ? libre ? ]

Tripbit Secure Code Analizer Local fgets() Buffer Overrun
BugTraq ID: 8028
Remote: No
Date Published: Jun 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8028
Summary:

Tripbit Secure Code Analizer is a source code auditing utility designed
to parse through source files and identify the use of potentially insecure
functions, such as strcpy(), gets(), fgets(), etc.

A buffer overrun vulnerability has been discovered in Secure Code Analizer
v1.0. The problem occurs when reading in data from a target source file.
The vulnerability occurs within the single_source() function during a call
to fgets().

The fgets() call is used to copy data from the target source file into an
internal memory buffer: puffer[256]. However, the 'size' argument of the
fgets() function is incorrectly set to 1024 bytes, potentially allowing
for 768 bytes of stack memory to be overwritten. An attacker could exploit
this vulnerability by creating a file containing approximately 257 or more
bytes of data.

It should be noted that 'puffer' is the first variable declared within the
single_source() function, typically placing it adjacent to the saved frame
pointer and return address. As a result, an attacker could potentially
exploit this vulnerability by writing only 8 bytes past the end of the
buffer. This would effectively overwrite the return address of the
function, allowing for the execution of attacker-supplied code. This
memory layout may differ between compilers.
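The unbounded-read patterns in BIDs 8004 (fscanf() with a bare %s), 8005
and 7992 (unchecked copies of environment data) and 8028 (fgets() given a
size larger than its buffer) are the same mistake. The example below is
added here and is not code from Tripbit, GNATS or any other project on
this page; it shows two of the patterns beside their fixes. The 256-byte
buffer, the 300-byte source line, the 2048-byte lock-file user name and
the heap "landing zone" used to count bytes written past the buffer are
all constructed for the demonstration, and the function names are
assumptions.

```c
#define _GNU_SOURCE                 /* fmemopen() */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed inputs (not real Tripbit or GNATS data). */
#define LONG_LINE_LEN 300           /* a source line longer than puffer[256] */
#define LONG_USER_LEN 2048          /* a lock-file user name over 2000 bytes */

/*
 * Observation harness: the 256-byte buffer is followed by a zero-filled
 * landing zone, and the whole thing lives on the heap so no stack canary
 * aborts the demo.  Every non-zero byte that ends up in `spill` is a byte
 * that, in the real programs, lands on the saved frame pointer, return
 * address or other stack data.  (The overruns below are deliberate
 * out-of-bounds writes; they behave deterministically with glibc.)
 */
struct region {
    char buf[256];
    char spill[4096];
};

typedef void (*reader_fn)(struct region *r, FILE *fp);

/* BID 8028 pattern: fgets() told the buffer is 1024 bytes when it is 256. */
static void fgets_wrong_size(struct region *r, FILE *fp)
{
    fgets(r->buf, 1024, fp);
}

/* Fix: derive the size from the buffer itself. */
static void fgets_right_size(struct region *r, FILE *fp)
{
    fgets(r->buf, sizeof r->buf, fp);
}

/* BID 8004 pattern: %s with no field width copies until whitespace. */
static void fscanf_unbounded(struct region *r, FILE *fp)
{
    fscanf(fp, "%s", r->buf);
}

/* Fix: a field width one less than the buffer size leaves room for NUL.
   The rest of an over-long token stays unread, so a real fix should also
   detect and reject the truncation rather than silently use the prefix. */
static void fscanf_bounded(struct region *r, FILE *fp)
{
    fscanf(fp, "%255s", r->buf);
}

/* One line of `len` 'A' characters plus a newline, as an in-memory file. */
static FILE *constructed_file(size_t len)
{
    static char text[LONG_USER_LEN + 2];
    memset(text, 'A', len);
    text[len] = '\n';
    text[len + 1] = '\0';
    return fmemopen(text, len + 1, "r");
}

/* Run one reader over one constructed input; return how many bytes spilled. */
static size_t run_case(reader_fn fn, size_t input_len)
{
    struct region *r = calloc(1, sizeof *r);
    FILE *fp = constructed_file(input_len);
    if (!r || !fp)
        abort();
    fn(r, fp);
    size_t n = 0;
    while (n < sizeof r->spill && r->spill[n] != '\0')
        n++;
    fclose(fp);
    free(r);
    return n;
}

static size_t tripbit_vulnerable_spill(void) { return run_case(fgets_wrong_size, LONG_LINE_LEN); }
static size_t tripbit_fixed_spill(void)      { return run_case(fgets_right_size, LONG_LINE_LEN); }
static size_t gnats_vulnerable_spill(void)   { return run_case(fscanf_unbounded, LONG_USER_LEN); }
static size_t gnats_fixed_spill(void)        { return run_case(fscanf_bounded, LONG_USER_LEN); }

int main(void)
{
    printf("fgets(puffer, 1024) on a %d-byte line: %zu bytes past the buffer\n",
           LONG_LINE_LEN, tripbit_vulnerable_spill());
    printf("fgets(puffer, sizeof puffer):          %zu bytes past the buffer\n",
           tripbit_fixed_spill());
    printf("fscanf(\"%%s\") on a %d-byte user name: %zu bytes past the buffer\n",
           LONG_USER_LEN, gnats_vulnerable_spill());
    printf("fscanf(\"%%255s\"):                     %zu bytes past the buffer\n",
           gnats_fixed_spill());
    return 0;
}
```

The 300-byte line spills 45 bytes (300 characters, the newline, then the
terminator, minus the 256 the buffer holds), which is already more than
the 8 bytes the text says suffice to reach the saved return address; the
2048-byte user name spills 1792. Both fixed readers spill nothing.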


