[gull-annonces] Summary of SecurityFocus Newsletter #206

Marc SCHAEFER schaefer at alphanet.ch
Thu Jul 24 10:11:01 CEST 2003


University of Minnesota Gopherd FTP Gateway Buffer Overflow Vulnerability
BugTraq ID: 8167
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8167
Summary:

Gopherd is a daemon written by the University of Minnesota that provides
support for the gopher protocol. By default, gopherd ships with the "FTP
gateway" component enabled. The purpose of this component is to serve as
an FTP proxy for clients.

It is reported that the routine used by this component to process FTP LIST
commands may be subject to a buffer overflow vulnerability due to a
failure to perform bounds checking on filenames returned by the FTP
server. Reportedly, the filenames returned are stored in a buffer residing
on the stack capable of holding 256 bytes. It is possible to cause the
gopherd server to read filenames up to 8 kilobytes in size, which will
overrun the buffer by approximately 7500 bytes.

Attackers may be able to corrupt adjacent data stored on the stack, such
as saved instruction pointers. This could result in execution of malicious
attacker-supplied instructions. It should be noted that by default,
gopherd restricts the process environment using a chroot() call, and as a
result, the impact of successful exploitation may confine the attackers to
a chroot jail.
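The defect described above is a copy of a server-supplied filename into a fixed 256-byte stack buffer with no length check. The following C program is an added illustration, not gopherd's code: it assumes a hypothetical "ls -l" style LIST line whose filename is the text after the last space, and shows the vulnerable pattern in a comment beside a bounded copy that rejects oversize names instead of overrunning the buffer. The sample LIST lines are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes matching the advisory: a 256-byte stack buffer for the
 * filename, while the FTP server may return names of up to 8 KB. */
#define NAME_BUF_SIZE 256
#define MAX_LIST_LINE 8192

/* Vulnerable pattern, shown for contrast and never executed here:
 *
 *     char name[NAME_BUF_SIZE];
 *     strcpy(name, filename);   // nothing checks that filename fits in 256 bytes
 *
 * A name longer than 255 bytes runs past the buffer into whatever the stack
 * holds above it, including the saved return address. */

/* Hardened copy: succeeds only if the whole name plus its NUL terminator fits.
 * Rejecting beats silent truncation, because a truncated name would refer to
 * a different file than the one the server listed. */
static bool copy_filename(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0 || srclen >= dstsz)
        return false;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return true;
}

/* Pull the filename out of one LIST line. This assumes "ls -l" style output
 * where the name is everything after the last space; a trailing CRLF may or
 * may not be present. Returns false if the line is longer than the gateway
 * will accept or the name does not fit in dst. */
static bool filename_from_list_line(const char *line, char *dst, size_t dstsz)
{
    size_t len = 0;
    while (len <= MAX_LIST_LINE && line[len] != '\0')
        len++;
    if (len > MAX_LIST_LINE)
        return false;                       /* oversize line: drop it */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                              /* strip CRLF */
    const char *name = line;
    for (size_t i = 0; i < len; i++)
        if (line[i] == ' ')
            name = line + i + 1;            /* name starts after the last space */
    size_t namelen = (size_t)((line + len) - name);
    if (namelen == 0)
        return false;
    return copy_filename(dst, dstsz, name, namelen);
}

/* Constructed sample lines: an ordinary entry, and one whose name is far
 * larger than the 256-byte buffer. */
static bool demo_ordinary(void)
{
    char name[NAME_BUF_SIZE];
    const char *line =
        "-rw-r--r--   1 ftp      ftp          1024 Jul 11 12:00 README.txt\r\n";
    return filename_from_list_line(line, name, sizeof name)
        && strcmp(name, "README.txt") == 0;
}

static bool demo_oversize(void)
{
    char line[MAX_LIST_LINE];
    char name[NAME_BUF_SIZE];
    const char *prefix = "-rw-r--r--   1 ftp      ftp          1024 Jul 11 12:00 ";
    size_t p = strlen(prefix);
    memcpy(line, prefix, p);
    memset(line + p, 'A', 4000);            /* a 4000-byte filename */
    line[p + 4000] = '\0';
    return !filename_from_list_line(line, name, sizeof name); /* must be rejected */
}

int main(void)
{
    printf("ordinary LIST line accepted: %s\n", demo_ordinary() ? "yes" : "no");
    printf("4000-byte filename rejected: %s\n", demo_oversize() ? "yes" : "no");
    return 0;
}
```

The length check runs before any byte is written, and the caller chooses the buffer size, so the same routine works for the 64-byte view-type buffer of the next advisory.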

University of Minnesota Gopherd GSisText Buffer Overflow Vulnerability
BugTraq ID: 8168
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8168
Summary:

Gopherd is a daemon written by the University of Minnesota that provides
support for the gopher protocol.

It is reported that the function used by gopherd to determine view-types
associated with a given gopher object fails to perform bounds checking on
user-submitted requests. The user-supplied string passed to this function
is stored in a temporary buffer residing on the stack, capable of holding
64 bytes of data. It is possible to cause the gopherd server to read
excessive data, potentially overflowing the buffer. This may allow an
attacker to corrupt adjacent data stored on the stack, such as saved
instruction pointers. It should be noted that by default, gopherd
restricts the process environment using a chroot() call, and as a result,
the impact of successful exploitation may confine the attackers to a
chroot jail.

In order to successfully exploit this vulnerability, the request must
begin with one of the following characters, followed by a tab character
and a string of sufficient size to overrun the buffer:

h, 0, 4, 5, 9, s, I, or g.

ImageMagick Display Filename Format String Vulnerability
BugTraq ID: 8177
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8177
Summary:

ImageMagick is an image manipulation program.  It is available for a
variety of platforms including Microsoft Windows and Unix and Linux
variant operating systems.

The ImageMagick display program is alleged to be prone to a format string
vulnerability.  Exploitation may occur when the program is invoked with a
filename that includes malicious format specifiers.  This issue could be
exploited to corrupt arbitrary regions of memory with attacker-supplied
data, potentially resulting in execution of arbitrary code in the context
of the user running the program.

For this issue to be exploited, the program would need to be invoked with
an untrusted filename.  This could occur automatically if the program was
specified as the default image viewer for an e-mail client or some other
program.

This issue was reported for Unix/Linux platforms.  It is not known if
other platforms are similarly affected.

NFS-Utils Xlog Remote Buffer Overrun Vulnerability
BugTraq ID: 8179
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8179
Summary:

nfs-utils provides various NFS tools, including a daemon for handling RPC
requests. It is available for Unix and Linux variants.

A remote buffer overrun vulnerability has been reported in xlog, which is
a logging facility for nfs-utils.  It is possible to exploit this issue
via mountd.  It has been reported that exploitation of this issue will
most likely result in a denial of service.  There is a likelihood that
this issue could be exploited to run arbitrary code in the context of
mountd, which runs as root.

This vulnerability is an off-by-one boundary condition error in the xlog.c
source file, which contains code for handling logging of RPC requests.
In particular, the xlog() function is prone to this issue when a buffer
equal to or longer than 1023 bytes is supplied, causing one byte of memory
to be overrun with attacker-supplied data.

The issue could also occur in other nfs-utils components that call xlog
with externally-supplied data.
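The advisory describes an off-by-one in terminator handling: a message of 1023 bytes or more fills a buffer whose last valid index is 1023, and the byte appended after it lands outside the buffer. The C program below is an added illustration, not nfs-utils' xlog.c: it assumes a 1024-byte buffer and a routine that appends a newline after formatting, shows the faulty sequence in a comment, and implements a version that reserves room for the newline and terminator before formatting. A helper reports, by arithmetic only, which message lengths the faulty sequence would overrun.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size: 1024 bytes, so the last valid index is 1023. */
#define LOG_BUF_SIZE 1024

/* Off-by-one pattern the advisory describes, shown for contrast and never
 * executed here (illustration, not nfs-utils' code):
 *
 *     char buf[LOG_BUF_SIZE];
 *     int len = vsnprintf(buf, LOG_BUF_SIZE, fmt, args); // at most 1023 chars + NUL
 *     buf[len] = '\n';       // len == 1023 is still inside the buffer ...
 *     buf[len + 1] = '\0';   // ... but this writes buf[1024], one byte past the end
 *
 * With a message of 1023 bytes or more, vsnprintf fills the buffer completely
 * and the appended terminator lands one byte beyond it. */

/* Hardened version: reserve room for the newline and terminator up front,
 * clamp the reported length (snprintf returns the untruncated size), and
 * only then write the two trailing bytes. Returns the final length or -1. */
static int format_log_line(char *buf, size_t bufsz, const char *msg)
{
    if (bufsz < 3)
        return -1;
    size_t room = bufsz - 2;                 /* leave space for '\n' and '\0' */
    int n = snprintf(buf, room, "%s", msg);
    if (n < 0)
        return -1;
    size_t len = (size_t)n;
    if (len > room - 1)
        len = room - 1;                      /* message was truncated to fit */
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return (int)(len + 1);
}

/* Pure bookkeeping: would the faulty sequence above write out of bounds for
 * a message of the given length? Matches the advisory's ">= 1023" threshold. */
static bool unsafe_pattern_overruns(size_t msglen)
{
    size_t produced = msglen < (LOG_BUF_SIZE - 1) ? msglen : (LOG_BUF_SIZE - 1);
    return produced + 1 >= LOG_BUF_SIZE;     /* buf[produced + 1] is past index 1023 */
}

/* Constructed oversized message: 1999 bytes of 'A'. */
static bool demo_long_message(void)
{
    char buf[LOG_BUF_SIZE];
    char msg[2000];
    memset(msg, 'A', sizeof msg - 1);
    msg[sizeof msg - 1] = '\0';
    int n = format_log_line(buf, sizeof buf, msg);
    /* 1021 message bytes + '\n' at index 1021, terminator at index 1022 */
    return n == LOG_BUF_SIZE - 2 && buf[n - 1] == '\n' && buf[n] == '\0';
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    int n = format_log_line(buf, sizeof buf, "mountd: request from client");
    printf("short message -> %d bytes: %s", n, buf);
    printf("1999-byte message stays in bounds: %s\n", demo_long_message() ? "yes" : "no");
    printf("faulty sequence overruns at 1022: %s, at 1023: %s\n",
           unsafe_pattern_overruns(1022) ? "yes" : "no",
           unsafe_pattern_overruns(1023) ? "yes" : "no");
    return 0;
}
```

The point of reserving the two trailing bytes before calling snprintf is that the bound passed to the formatter and the bytes written afterwards are accounted for in one place; the original pattern splits that accounting across two statements, which is where the off-by-one hides.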

xfstt Denial Of Service Vulnerability
BugTraq ID: 8182
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8182
Summary:

xfstt is an X font server designed to provide support for TrueType fonts.

It has been reported that attackers may be able to crash an xfstt server
by sending it a specially malformed packet. Remote execution may also be
possible.

Within the xfstt.cc source file, there exists a function called working().
In certain cases, this function may not properly perform bounds checking
on incoming packets prior to parsing headers and storing information in
internal buffers. Specifically, it is reported that it is possible to
overflow the 'req->num_ranges' variable, causing a subsequent for loop to
be miscalculated. This may allow arbitrary data to be written to adjacent
memory locations, possibly resulting in a denial of service condition
against the server.

It is not known whether or not this can be exploited to execute arbitrary
code at this time.
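The failure mode above is a count field in a packet header that drives a loop without being checked against the bytes actually received. The C program below is an added example, not xfstt's code: it assumes a hypothetical four-byte header carrying a 16-bit num_ranges, followed by four-byte range entries, and validates the count against both the packet length and the internal table before the loop runs. The packets are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format, assumed for this illustration (not xfstt's):
 *   bytes 0..1 : request type (ignored here)
 *   bytes 2..3 : num_ranges, little-endian 16-bit
 *   then num_ranges entries of 4 bytes each (16-bit first and last code) */
#define HDR_SIZE   4
#define RANGE_SIZE 4
#define MAX_RANGES 256          /* capacity of the internal table */

struct range { uint16_t first, last; };

/* Vulnerable pattern, shown for contrast and never executed here: trust the
 * count and loop over it.
 *
 *     for (unsigned i = 0; i < req->num_ranges; i++)
 *         table[i] = read_range(pkt + HDR_SIZE + i * RANGE_SIZE);
 *
 * A count larger than the packet, or larger than the table, walks the loop
 * past both. */

/* Hardened: check the count against the bytes received and the table
 * capacity before touching any entry. Returns the number of ranges parsed,
 * or -1 for a malformed packet. */
static int parse_ranges(const uint8_t *pkt, size_t pktlen,
                        struct range *table, size_t cap)
{
    if (pktlen < HDR_SIZE)
        return -1;
    unsigned num_ranges = pkt[2] | (pkt[3] << 8);
    size_t body = pktlen - HDR_SIZE;
    /* divide rather than multiply so the check itself cannot overflow */
    if (num_ranges > body / RANGE_SIZE)
        return -1;                          /* claims more entries than were sent */
    if (num_ranges > cap)
        return -1;                          /* more than the table can hold */
    for (unsigned i = 0; i < num_ranges; i++) {
        const uint8_t *e = pkt + HDR_SIZE + (size_t)i * RANGE_SIZE;
        table[i].first = (uint16_t)(e[0] | (e[1] << 8));
        table[i].last  = (uint16_t)(e[2] | (e[3] << 8));
        if (table[i].first > table[i].last)
            return -1;                      /* inverted range: reject */
    }
    return (int)num_ranges;
}

/* Constructed packets. */
static const uint8_t good_pkt[] = {
    0x01, 0x00, 0x02, 0x00,                 /* type 1, num_ranges = 2 */
    0x20, 0x00, 0x7e, 0x00,                 /* 0x0020..0x007e */
    0xa0, 0x00, 0xff, 0x00                  /* 0x00a0..0x00ff */
};
static const uint8_t short_pkt[] = {
    0x01, 0x00, 0xff, 0xff,                 /* num_ranges = 65535 ... */
    0x20, 0x00, 0x7e, 0x00                  /* ... but only one entry follows */
};

static int demo_good(void)
{
    struct range t[MAX_RANGES];
    return parse_ranges(good_pkt, sizeof good_pkt, t, MAX_RANGES);
}

static int demo_short(void)
{
    struct range t[MAX_RANGES];
    return parse_ranges(short_pkt, sizeof short_pkt, t, MAX_RANGES);
}

int main(void)
{
    printf("well-formed packet: %d ranges\n", demo_good());
    printf("count larger than packet: %d (rejected)\n", demo_short());
    return 0;
}
```

Checking the count before the loop, against the data that was actually received rather than against the header's own claim, is what keeps a malformed header from turning into writes beyond the table.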

Asus ADSL Router Information Disclosure Vulnerability
BugTraq ID: 8183
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8183
Summary:

It has been reported that certain Asus ADSL routers make sensitive files
available via a Web interface. No access control is enforced on these
files, and as a result, remote users may view them without supplying any
credentials. It may be possible to retrieve information such as usernames,
unencrypted passwords, SNMP information and other configuration details.
To exploit this ability, attackers may request the sensitive files from
the root path of the web interface.

[ hardware ]

Citadel/UX Configuration Buffer Overrun Vulnerability
BugTraq ID: 8191
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8191
Summary:

Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other
Unix systems.

Citadel/UX provides a means for clients to execute commands as an internal
program and access IPC (Inter-process Communications).  To use this
feature, clients must supply an internal program password via the IPGM
command.

Citadel/UX is prone to a buffer overrun when importing configuration data
supplied by IPGM authenticated users.  If excessive data is supplied
during an import, it is possible to corrupt sensitive regions of stack
memory with specific values.  This may be exploited to execute arbitrary
code in the context of the server.

Citadel/UX Unlimited Biography Data Denial Of Service Vulnerability
BugTraq ID: 8192
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8192
Summary:

Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other
Unix systems.

Citadel/UX allows users to add biographical data to their profile.  This
is facilitated via the EBIO command.

Citadel/UX does not limit the amount of Biography data that clients can
supply.  This data is written to a file on the system hosting the BBS.  A
malicious user of the BBS could exploit this to cause a denial of service
by supplying excessive data, potentially using up disk space available to
the system user that the BBS is running as.

Citadel/UX Weak Internal Program Authentication Key Vulnerability
BugTraq ID: 8193
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8193
Summary:

Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other
Unix systems.

Citadel/UX uses an authentication key exchange process, normally used to
authenticate to the Citadel/UX as an internal trusted program (IPGM).

A vulnerability has been reported for Citadel/UX. The issue lies in the
procedure used by Citadel/UX to generate the internal program
authentication key: the affected server derives the key using an srand()
call seeded with the current process ID. This method results in a
low-entropy key that can be replicated if the current PID of the affected
Citadel/UX server is known.

A remote attacker may exploit this vulnerability by iterating through
possible process IDs in a sequential manner. If successful, the attacker
may authenticate with the affected server as a trusted program, and
consequently attain elevated privileges.
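The weakness above is a key whose only entropy is a process ID, so anyone who knows the seed regenerates the same key. The C program below is an added example, not Citadel/UX's code: it shows the srand(pid)/rand() pattern as a function whose output is fully determined by the PID, beside a key drawn from the kernel CSPRNG via /dev/urandom (assumed to exist, as on Linux and BSD) and compared in constant time.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_BYTES 32

/* Weak pattern the advisory describes: seed libc's PRNG with the process ID
 * and take the key from rand(). Any party that knows the PID regenerates the
 * identical key. Illustration only, not Citadel/UX's code. */
static unsigned weak_key_from_pid(unsigned pid)
{
    srand(pid);
    return (unsigned)rand();
}

/* Hardened: draw the key from the kernel CSPRNG. Writes 2*KEY_BYTES hex
 * characters plus a NUL into out; returns false on any error rather than
 * falling back to a weaker source. */
static bool strong_key_hex(char *out, size_t outsz)
{
    unsigned char raw[KEY_BYTES];
    if (outsz < 2 * KEY_BYTES + 1)
        return false;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return false;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return false;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return true;
}

/* Compare a presented key with the stored one without revealing, through
 * timing, how many leading bytes matched. */
static bool keys_match(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Two servers that happen to start with the same PID get the same weak key;
 * two strong keys practically never collide. */
static bool demo_weak_is_replicable(void)
{
    return weak_key_from_pid(4242) == weak_key_from_pid(4242);
}

static bool demo_strong_differs(void)
{
    char k1[2 * KEY_BYTES + 1], k2[2 * KEY_BYTES + 1];
    if (!strong_key_hex(k1, sizeof k1) || !strong_key_hex(k2, sizeof k2))
        return false;
    return strlen(k1) == 2 * KEY_BYTES && !keys_match(k1, k2, 2 * KEY_BYTES);
}

int main(void)
{
    char key[2 * KEY_BYTES + 1];
    printf("same PID gives same weak key: %s\n", demo_weak_is_replicable() ? "yes" : "no");
    printf("two strong keys differ:       %s\n", demo_strong_differs() ? "yes" : "no");
    if (strong_key_hex(key, sizeof key))
        printf("example strong key: %s\n", key);
    return 0;
}
```

The PID-seeded key has at most as many possible values as there are process IDs, which is the whole reason the advisory's sequential search works; a 256-bit key from the kernel's generator removes that search entirely, and the constant-time compare keeps the server from leaking partial matches to whoever is submitting guesses.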

QMail-SMTPD-Auth True Program Remote E-Mail Vulnerability
BugTraq ID: 8196
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8196
Summary:

qmail-smtpd-auth is a freely available, open source program to add support
for the AUTH extension to QMail.  It is available for the Unix and Linux
platforms.

A vulnerability in qmail-smtpd-auth has been reported when malformed
authentication requests are received.  This may result in an attacker
circumventing authentication to send e-mail.

The problem is in the handling of requests that do not contain all the
correct parameters.  By submitting a request for authentication to a qmail
daemon patched with the vulnerable code, and omitting the hostname
component of a request to authenticate against the server when attempting
to relay e-mail through a specific server, an attacker may bypass
authentication.

This problem requires the site be configured to use /bin/true as the dummy
program.  It should be noted that this is the default configuration.
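The bypass described above comes from a request that lacks a required parameter being routed to a path whose outcome is taken as success. The C program below is an added, hypothetical model of that decision path, not qmail-smtpd-auth's code: it assumes the server trusts the exit status of an external checker (0 meaning authenticated), that an incomplete request is handed to the configured dummy program, and that /bin/true is that program. The hardened variant denies any request missing a parameter before anything else runs. The credential store and requests are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the decision path; not qmail-smtpd-auth's code.
 * The server trusts the exit status of an external checker: 0 = authenticated. */
struct auth_req {
    const char *hostname;   /* NULL when the client omitted it */
    const char *user;
    const char *pass;
};

/* Constructed credential store consulted by the real checker. */
static const char *VALID_USER = "alice";
static const char *VALID_PASS = "constructed-secret";

/* Exit status the real checker would return for a complete request. */
static int run_real_checker(const struct auth_req *r)
{
    return (strcmp(r->user, VALID_USER) == 0 &&
            strcmp(r->pass, VALID_PASS) == 0) ? 0 : 1;
}

/* Exit status of /bin/true, the configured dummy program: always success. */
static int run_dummy_program(void)
{
    return 0;
}

static bool request_complete(const struct auth_req *r)
{
    return r->hostname != NULL && r->user != NULL && r->pass != NULL;
}

/* Vulnerable flow: an incomplete request goes to the dummy program, and its
 * exit status 0 is read as a successful authentication (fail open). */
static bool authenticate_vulnerable(const struct auth_req *r)
{
    if (!request_complete(r))
        return run_dummy_program() == 0;
    return run_real_checker(r) == 0;
}

/* Hardened flow: a request missing any parameter is denied outright, before
 * any external program runs; the dummy program's exit status is never
 * treated as an authentication verdict (fail closed). */
static bool authenticate_hardened(const struct auth_req *r)
{
    if (!request_complete(r))
        return false;
    return run_real_checker(r) == 0;
}

/* Constructed requests: one complete and valid, one with the hostname missing. */
static const struct auth_req good_req    = { "mail.example.org", "alice", "constructed-secret" };
static const struct auth_req no_host_req = { NULL, "alice", "wrong" };

int main(void)
{
    printf("complete valid request, hardened:  %s\n",
           authenticate_hardened(&good_req) ? "accepted" : "denied");
    printf("missing hostname, vulnerable flow: %s\n",
           authenticate_vulnerable(&no_host_req) ? "accepted" : "denied");
    printf("missing hostname, hardened flow:   %s\n",
           authenticate_hardened(&no_host_req) ? "accepted" : "denied");
    return 0;
}
```

The configuration detail the advisory calls out matters because the dummy program's exit status is what fills the gap left by the missing parameter: a program that always succeeds turns a parsing gap into an authentication bypass, whereas rejecting incomplete requests up front makes the dummy program's behaviour irrelevant.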

Deutsche Telekom Teledat DSL Router Portscan Remote Denial Of Service Vulnerability
BugTraq ID: 8199
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8199
Summary:

Teledat is the DSL router solution distributed and maintained by Deutsche
Telekom.

A problem has been reported in the handling of portscans by Deutsche
Telekom Teledat DSL routers.  Because of this, an attacker may be able to
deny service to legitimate users.

It has been reported that Teledat routers become unstable when
portscanned.  This vulnerability was originally reported as the result of
running the Symantec Security Check tools against a system behind the
router.  It is likely that a remote attacker could reproduce this issue
through one of several free, publicly available utilities.

The problem has been reported in the 530 series router, and may exist in
other models.

[ hardware ]
