[gull-annonces] Summary of SecurityFocus Newsletter #204

Marc SCHAEFER schaefer at alphanet.ch
Wed Jul 9 08:37:08 CEST 2003


WZDFTPD Incomplete Port Command Denial Of Service Vulnerability
BugTraq ID: 8055
Remote: Yes
Date Published: Jun 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8055
Summary:

wzdftpd is an FTP server implementation that is available for a number of
operating systems, including Unix/BSD/Linux variants.

wzdftpd is reported to be prone to a denial of service when receiving an
incomplete or malformed FTP PORT command.  Sending such a command to the
FTP server will allegedly cause the server to crash.  This could be
exploited by authenticated FTP users to deny availability of FTP services
to legitimate users.

ImageMagick Temporary File Creation Vulnerability
BugTraq ID: 8057
Remote: No
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8057
Summary:

ImageMagick is an image manipulation program. It is available for a
variety of platforms including Microsoft Windows and Unix and Linux
variant operating systems.

ImageMagick has been reported prone to an insecure temporary file creation
vulnerability. As a result, it may be possible for local attackers to
corrupt files owned by the user who is invoking the ImageMagick
application.

An attacker could potentially exploit this issue by creating a symbolic
link in place of the temporary file that is to be created. Any actions
performed by ImageMagick when it is executed will be performed on the
linked file.

GTKSee PNG Image Loading Heap Corruption Vulnerability
BugTraq ID: 8061
Remote: No
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8061
Summary:

GTKSee is an image viewer developed for Linux and Unix variant operating
systems.

A vulnerability has been reported for GTKSee that may result in the
corruption of heap memory. The vulnerability occurs when GTKSee attempts
to load PNG files with a certain colour depth.

An attacker may be able to exploit this vulnerability by creating a PNG
image file with a certain colour depth. When GTKSee is used to view the
image, the overflow issue will be triggered and will result in the
corruption of heap memory with attacker-supplied values.

Successful exploitation will result in the execution of attacker-supplied
code.

The precise technical details of this vulnerability are unknown. This BID
will be updated as further information becomes available.

Pam_Timestamp_Check Privilege Escalation Weakness
BugTraq ID: 8072
Remote: No
Date Published: Jul 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8072
Summary:

A weakness has been reported in the pam_timestamp_check implementation for
Red Hat 9.0 and other distributions that may be derived from this version
or include this functionality.

pam_timestamp_check is a tty ticketing implementation that is designed to
cache credentials so that users are not constantly required to use a
facility such as sudo or su to perform actions as another user.
pam_timestamp_check is implemented through the pam_timestamp_check.so
module and with the pam_timestamp_check setuid helper.  The implementation
works by fetching the pseudo-terminal name (A), current user name (B), and
the user whose credentials are cached (C).  The implementation then checks
to see if the timestamp of /var/run/sudo/B/A:C is recent to determine
whether access should be granted.  The ticket contents are not
sufficiently verified, allowing for ticket spoofing.

If the attacker can cause the timestamp of the file to change, it will be
possible to gain elevated privileges through exploitation of this
weakness.  This scenario will be possible in combination with file
corruption issues such as those that are the result of insecure temporary
file handling and allow files in privileged directories to be corrupted.

[ + Acrobat reader, Opera, etc ]
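
For the wzdftpd item above (BID 8055): the summary gives no details of the server's parsing code, so the following is an added example, not wzdftpd code, of a PORT argument parser that rejects incomplete or malformed input instead of assuming all fields are present. It follows the RFC 959 argument format (h1,h2,h3,h4,p1,p2); the function and parameter names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: strict parser for the argument of an FTP PORT command
 * (RFC 959: h1,h2,h3,h4,p1,p2, each a decimal number in 0..255).
 * Returns 0 and fills ip/port on success, -1 on any incomplete or
 * malformed input. Names are hypothetical, not taken from wzdftpd. */
int parse_port_arg(const char *arg, uint8_t ip[4], uint16_t *port)
{
    unsigned field[6];
    size_t i;

    if (arg == NULL || ip == NULL || port == NULL)
        return -1;                  /* "PORT" sent with no argument */

    for (i = 0; i < 6; i++) {
        unsigned value = 0;
        int digits = 0;

        while (*arg >= '0' && *arg <= '9') {
            value = value * 10 + (unsigned)(*arg - '0');
            if (++digits > 3 || value > 255)
                return -1;          /* field too long or out of range */
            arg++;
        }
        if (digits == 0)
            return -1;              /* empty field, e.g. "1,2,,4" or "1,2," */
        field[i] = value;

        if (i < 5) {
            if (*arg != ',')
                return -1;          /* fewer than six fields supplied */
            arg++;
        }
    }

    /* Only the line terminator may follow the sixth field. */
    if (*arg == '\r') arg++;
    if (*arg == '\n') arg++;
    if (*arg != '\0')
        return -1;                  /* trailing data after the port */

    for (i = 0; i < 4; i++)
        ip[i] = (uint8_t)field[i];
    *port = (uint16_t)(field[4] * 256 + field[5]);
    return 0;
}
```

The caller is expected to answer a -1 result with an FTP syntax-error reply and keep the session state unchanged.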


