[gull-annonces] Summary of SecurityFocus Newsletter #199

Marc SCHAEFER schaefer at alphanet.ch
Thu Jun 5 12:03:52 CEST 2003


UML_NET Integer Mismanagement Code Execution Vulnerability
BugTraq ID: 7676
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7676
Summary:

uml_utilities is a collection of packages designed to be used in
conjunction with the User Mode Linux (UML) kernel patch. The uml_net
program can be used by an administrator to configure various network
devices and system networking parameters.

A vulnerability has been discovered in uml_net. The problem lies in the
uml_net.c source file and occurs while handling user-supplied version
information.

The 'v' variable is declared as a signed integer, but it is used to store
the unsigned long value returned by a call to the 'strtoul()' function. A
sufficiently large value is therefore interpreted as a negative number once
stored in 'v'. As 'v' is later used in bounds checking, specifically
'if (v > CURRENT_VERSION)', a negative value satisfies the comparison and
bypasses the check, which tests only the upper bound.

If the check is passed, an attacker may be able to index outside the
bounds of an array of function pointers. Specifically, 'v' is used as an
index into the '(*handlers[])()' array, and the negative value stored in
'v' causes the program to fetch a function pointer from a location below
the array in process memory, where an attacker may have placed an address
of their choosing.

Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary commands with the privileges of uml_net, possibly root.
It has been confirmed that uml_net is installed suid root on at least one
Linux distribution.
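
The signed/unsigned mismatch described above, as an added example that is not uml_net's code: a version string is parsed with strtoul(), stored in a signed int, and checked only against an upper bound, so "4294967295" or "-1" becomes -1 and passes, beside a hardened check that keeps the value unsigned and tests both ends of the range before using it as an index. CURRENT_VERSION, the handler table and the inputs are assumptions for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define CURRENT_VERSION 3   /* assumed for illustration; not uml_net's constant */

typedef int (*handler_fn)(void);

static int handler_v0(void) { return 0; }
static int handler_v1(void) { return 1; }
static int handler_v2(void) { return 2; }
static int handler_v3(void) { return 3; }

/* One handler per protocol version, indexed by version number. */
static handler_fn handlers[CURRENT_VERSION + 1] = {
    handler_v0, handler_v1, handler_v2, handler_v3
};

/* Vulnerable pattern: strtoul() returns unsigned long, but the result is
 * stored in a signed int. With the usual 32-bit int, "4294967295" (and
 * "-1", which strtoul() also accepts) becomes -1; the check below tests
 * only the upper bound, so the negative value passes and would then be
 * used as an index below handlers[]. Returns 1 if the check accepts the
 * input and stores the index that would be used in *idx. It deliberately
 * never dereferences handlers[] with that index: that would be undefined
 * behaviour, which is exactly the bug. */
int vulnerable_version_check(const char *arg, int *idx)
{
    int v = strtoul(arg, NULL, 0);   /* unsigned long -> int: sign flips */

    if (v > CURRENT_VERSION)
        return 0;
    *idx = v;
    return 1;
}

/* Hardened pattern: keep the value unsigned, accept only a plain decimal
 * number, detect overflow via errno, and check the whole range before the
 * value is ever used as an index. Returns 1 on accept. */
int safe_version_check(const char *arg, unsigned *idx)
{
    char *end;
    unsigned long v;

    if (arg == NULL || !isdigit((unsigned char)*arg))
        return 0;                    /* rejects "", "-1", "+2", " 2" */
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;                    /* overflow or trailing garbage */
    if (v > CURRENT_VERSION)
        return 0;                    /* unsigned compare: no wraparound */
    *idx = (unsigned)v;
    return 1;
}

/* Dispatches through the hardened check only. Returns the handler's
 * result, or -1 if the version string was rejected. */
int dispatch(const char *arg)
{
    unsigned idx;

    if (!safe_version_check(arg, &idx))
        return -1;
    return handlers[idx]();
}

int main(void)
{
    const char *inputs[] = { "2", "4294967295", "-1", "99", "2x" }; /* constructed */
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int vidx = 0;
        unsigned sidx = 0;
        int vok = vulnerable_version_check(inputs[i], &vidx);
        int sok = safe_version_check(inputs[i], &sidx);

        printf("%-11s vulnerable check: %s", inputs[i], vok ? "accept" : "reject");
        if (vok)
            printf(" (index %d)", vidx);
        printf("  hardened check: %s\n", sok ? "accept" : "reject");
    }
    return 0;
}
```

The conversion of an out-of-range unsigned long to int is implementation-defined rather than undefined, and wraps on gcc and clang, which is why the value reliably becomes -1; the index that results is what makes the later array access undefined.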

Encrypted Virtual Filesystem Local Heap Overrun Vulnerability
BugTraq ID: 7679
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7679
Summary:

Encrypted Virtual Filesystem (EVFS) is a virtual filesystem that runs on
top of the Linux VFS. It allows multiple users to each mount their own
encrypted filesystems using individual keys. It is available for the Linux
operating system.

A vulnerability has been discovered in the 'efs' utility used by EVFS. The
problem occurs in the 'do_mount()' function within the efs.c source file.
During a call to salloc(), the size calculation fails to take the length of
the 'to' argument into account, so more data than was allocated may
subsequently be written into the buffer. As a result, it may be possible
for an attacker to corrupt sensitive memory management information on the
heap.

Successful exploitation of this vulnerability could allow a legitimate
EVFS user to execute arbitrary commands with root privileges.

This vulnerability affects EVFS v0.2, however earlier versions may also be
affected.
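
The allocation-size mistake described above, as an added example that is not EVFS's efs.c: a buffer for a "<dev>:<to>" string is sized without the 'to' string, so the unchecked write overruns the allocation by exactly strlen(to) bytes. A simulated heap (one real allocation holding the under-sized chunk followed by a word standing in for the next chunk's malloc header) lets the clobbering be observed without undefined behaviour, and a hardened builder sizes and bounds the write correctly. The string format, salloc() as a thin malloc() wrapper, and the inputs are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a checked allocator such as the salloc() named above. */
static void *salloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        abort();
    return p;
}

/* Size the buggy code reserves for "<dev>:<to>": it accounts for dev,
 * the ':' and the NUL, but forgets strlen(to) entirely. */
size_t buggy_alloc_size(const char *dev, const char *to)
{
    (void)to;
    return strlen(dev) + 2;
}

/* Bytes that sprintf("%s:%s") actually writes, NUL included. */
size_t bytes_written(const char *dev, const char *to)
{
    return strlen(dev) + 1 + strlen(to) + 1;
}

/* Bytes written past the buggy allocation (0 if it fits): the overrun
 * is as long as the user-controlled 'to' string. */
size_t heap_overrun(const char *dev, const char *to)
{
    size_t need = bytes_written(dev, to);
    size_t have = buggy_alloc_size(dev, to);
    return need > have ? need - have : 0;
}

/* Simulated heap: a chunk of the buggy size followed by a marker word
 * that plays the role of the next chunk's header, all inside one real
 * allocation large enough for the whole write. Returns 1 if the
 * unchecked sprintf() changed the marker. */
int simulate_overrun(const char *dev, const char *to)
{
    const unsigned long hdr = 0xA5A5A5A5UL;
    size_t chunk = buggy_alloc_size(dev, to);
    size_t total = chunk + sizeof hdr;
    unsigned char *region;
    unsigned long after;

    if (bytes_written(dev, to) > total)
        total = bytes_written(dev, to);
    region = salloc(total);
    memset(region, 0, total);
    memcpy(region + chunk, &hdr, sizeof hdr);      /* fake next-chunk header */
    sprintf((char *)region, "%s:%s", dev, to);     /* the unchecked write */
    memcpy(&after, region + chunk, sizeof after);
    free(region);
    return after != hdr;
}

/* Hardened: size the buffer from every string that goes into it, guard
 * the size arithmetic, and let snprintf() enforce the bound. Returns a
 * malloc()ed string the caller frees, or NULL on failure. */
char *build_mount_spec(const char *dev, const char *to)
{
    size_t ldev = strlen(dev), lto = strlen(to), n;
    char *buf;

    if (ldev > SIZE_MAX - 2 || lto > SIZE_MAX - 2 - ldev)
        return NULL;                               /* size_t overflow */
    n = ldev + 1 + lto + 1;
    buf = salloc(n);
    if (snprintf(buf, n, "%s:%s", dev, to) != (int)(n - 1)) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    const char *dev = "/dev/sda1";                 /* constructed inputs */
    const char *to = "/mnt/secret";
    char *spec = build_mount_spec(dev, to);

    printf("buggy size %zu, bytes written %zu, overrun %zu, header clobbered: %s\n",
           buggy_alloc_size(dev, to), bytes_written(dev, to),
           heap_overrun(dev, to), simulate_overrun(dev, to) ? "yes" : "no");
    printf("hardened result: %s\n", spec ? spec : "(null)");
    free(spec);
    return 0;
}
```

On a real allocator the clobbered word would be the next chunk's size field or free-list links, which is what the summary means by "sensitive memory management information"; the hardened version also checks snprintf()'s return value so a truncated write is treated as an error rather than silently accepted.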

D-Link DI-704P Syslog.HTM Denial Of Service Vulnerability
BugTraq ID: 7686
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7686
Summary:

The D-Link DI-704P is an Internet Broadband Gateway device. The DI-704P
provides a method to share a single broadband Internet connection and
share a single printer among systems connected to the local network.

D-Link DI-704P has been reported prone to a remote denial of service
vulnerability.

The issue presents itself in the 'Syslog.htm' page, a part of the router's
web management interface. It has been reported that when excessive data is
passed in a URI parameter of a request for the vulnerable page, the device
behaves in an unstable manner. Although unconfirmed, this may be due to an
attempted name resolution of the malicious data. Subsequent malicious
requests may result in corruption of device logs or in a complete denial of
service condition requiring a device reboot.

Although unconfirmed, it should be noted that other D-Link devices that
use related firmware might also be affected.

[ hardware ]

ifenslave Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7682
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7682
Summary:

ifenslave is a tool designed to attach and detach slave network interfaces
to a bonding device. The bonding device will act like an Ethernet network
device to the Linux kernel, but will send out packets using the bound
slave devices using a scheduler.

ifenslave for Linux has been reported prone to a buffer overflow
vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking
performed on user-supplied data before it is copied into an internal
memory space.

Specifically, excessive data passed as the first command line argument to
the vulnerable ifenslave executable, when copied into internal memory, may
overrun the boundary of the assigned buffer and corrupt adjacent memory.
Memory adjacent to this buffer has been confirmed to contain values that
are crucial to controlling program execution flow. It is therefore
possible for a local attacker to seize control of the vulnerable
application and have malicious arbitrary code executed in the context of
ifenslave. ifenslave is not installed setUID or setGID by default.

It should be noted that although this vulnerability has been reported to
affect ifenslave version 0.07, previous versions might also be affected.

PalmVNC Insecure Password Storage Vulnerability
BugTraq ID: 7696
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7696
Summary:

PalmVNC is a VNC implementation for PalmOS.  It can be used to establish
VNC sessions with Windows or Unix/Linux systems.

PalmVNC stores password credentials in plaintext.  By default, the
database file (PalmVNCDB) that contains VNC passwords has the backup bit
set.  As a result, these credentials may be stored on a desktop system
when the Palm is "Hotsynced".  This could expose credentials to other
users of the system that the backup is stored on.

This issue was reported in PalmVNC 1.40.  Other versions are also likely
affected.

[ unclear licence ]

BNC IRC Proxy Multiple Session Denial of Service Vulnerability
BugTraq ID: 7701
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7701
Summary:

BNC IRC Proxy is an open source IRC proxying server that allows a system
without direct Internet access to relay through the BNC server.

It has been reported that the BNC IRC Proxy is prone to a denial of
service vulnerability.

This vulnerability appears to occur when two legitimate users of the
service connect from the same IP address.  If the second connected user
disconnects before the first connected user, the service reportedly fails
when the first user disconnects.

Precise technical details of this vulnerability are not currently known.
This record will be updated when further details become available.

This vulnerability was reported to affect BNC IRC Proxy version 2.6.2 and
prior.

upclient Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 7703
Remote: No
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7703
Summary:

upclient is a multi-platform utility that is designed to extract and
publish system uptime statistics.

upclient has been reported prone to a buffer overflow vulnerability when
handling command line arguments of excessive length. Specifically, when the
vulnerable upclient handles a '-p' command line argument of more than
1022 bytes, the bounds of an internal buffer in memory are overrun and
memory adjacent to the buffer is corrupted with attacker-supplied data.

Memory adjacent to this buffer has been reported to contain values that
are crucial to controlling program execution flow. It is therefore
possible for a local attacker to seize control of the vulnerable
application and have malicious arbitrary code executed in the context of
upclient. It has been reported that upclient is installed on FreeBSD
systems as setuid kmem.

An attacker may harness elevated privileges obtained in this way to
manipulate arbitrary areas in system memory through /dev/mem or /dev/kmem
devices.
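
The bug class shared by the ifenslave and upclient entries above (a command line argument copied into a fixed-size buffer with no length check), as an added example that is code from neither project: the unchecked strcpy() shape beside a checked copy that refuses any argument that would not fit together with its terminator, and a small option parser built on it that reports which argument was rejected. The 1024-byte buffer, the option names and the struct are assumptions for illustration; neither project's actual buffer sizes are known from the summaries.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF 1024      /* assumed fixed buffer size, for illustration */

struct options {
    char proto[ARG_BUF];  /* value of -p */
    char host[ARG_BUF];   /* value of -h */
};

/* Vulnerable pattern: strcpy() copies until the NUL, however far away it
 * is, so an over-long argv entry runs past dst into whatever is adjacent
 * (a saved return address on the stack, or a neighbouring global). It is
 * defined here to show the shape of the bug and is never called. */
void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: look for the terminator within the destination size
 * before copying; if it is not there, the argument does not fit (there
 * would be no room for the NUL) and nothing is written. Returns 0 on
 * success, -1 on rejection. memchr() never reads past dstsz bytes. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);

    if (nul == NULL)
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Minimal "-p <value> / -h <value>" parser built on the checked copy.
 * Returns 0 on success; on failure returns -1 and sets *bad to the index
 * of the offending option (unknown option, missing value, or a value too
 * long for its buffer). */
int parse_args(int argc, char **argv, struct options *opt, int *bad)
{
    int i;

    memset(opt, 0, sizeof *opt);
    for (i = 1; i < argc; i++) {
        char *dst;

        if (strcmp(argv[i], "-p") == 0)
            dst = opt->proto;
        else if (strcmp(argv[i], "-h") == 0)
            dst = opt->host;
        else {
            *bad = i;
            return -1;
        }
        if (i + 1 >= argc || copy_arg_checked(dst, ARG_BUF, argv[i + 1]) != 0) {
            *bad = i;
            return -1;
        }
        i++;                      /* skip the consumed value */
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct options opt;
    int bad = 0;

    if (parse_args(argc, argv, &opt, &bad) != 0) {
        fprintf(stderr, "rejected option at argv[%d] (unknown, missing value, "
                        "or longer than %d bytes)\n", bad, ARG_BUF - 1);
        return 1;
    }
    printf("proto=%s host=%s\n", opt.proto, opt.host);
    return 0;
}
```

Run it as `./a.out -p udp -h example.invalid` for the accepting path, or with `-p "$(head -c 1024 /dev/zero | tr '\0' A)"` to see the boundary: 1023 bytes fit, 1024 do not, because the terminator needs the last slot. Note that for a setuid or setgid binary the rejection must happen before any privileged work, since the argument is attacker-chosen.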

eterm PATH_ENV Buffer Overflow Vulnerability
BugTraq ID: 7708
Remote: No
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7708
Summary:

Eterm is terminal emulation software which is available for Unix and Linux
variants.

Eterm has been reported prone to a local buffer overflow vulnerability.
Code execution with elevated privileges has been confirmed possible.

The issue presents itself in the conf_parse_theme() function, and is due
to a lack of sufficient bounds checking performed on an environment
variable that is copied into an internal memory buffer. The buffer is
located in static memory space. The issue is exacerbated because adjacent
memory contains the 'rs_pixmaps' char pointer data, which may be
overwritten by the attacker to point anywhere in process memory.

The function post_parse() is later invoked. This function calls free() on
the location pointed to by rs_pixmaps. Since the attacker may have
corrupted the 'rs_pixmaps' pointer to point to a maliciously crafted fake
malloc chunk on the heap, arbitrary memory of the attacker's choice may be
corrupted when free() processes that chunk.

It has been reported that Eterm crashes after it frees the malicious chunk:
an internal Eterm function, dump_stack_trace(), intercepts the resulting
SIGSEGV, performs a small memory dump before launching gdb, and later
generates a SIGALRM. It has been demonstrated, however, that delivery of
this signal may be prevented and arbitrary shellcode executed with elevated
privileges. Code execution occurs in the context of the vulnerable Eterm,
which may be installed setuid/setgid utmp or possibly root on some
Unix/Linux distributions.

Red Hat Linux up2date Unspecified Vulnerability
BugTraq ID: 7714
Remote: No
Date Published: May 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7714
Summary:

Red Hat Linux is a popular distribution of the Linux operating
environment.

A vulnerability has been reported for Red Hat Linux's up2date mechanism.
up2date is used by Red Hat Linux distributions to provide a way for users
to obtain system updates through the Red Hat Network.

up2date is prone to an issue that may result in a segmentation fault
during Migration. Although unconfirmed, given the nature of the report it
has been speculated that memory corruption triggers this fault, in which
case the issue may, under the right circumstances, be exploitable.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information becomes available.
