[gull-annonces] Summary of SecurityFocus Newsletter #200

Marc SCHAEFER schaefer at alphanet.ch
Wed Jun 11 08:52:02 CEST 2003


Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
BugTraq ID: 7760
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7760
Summary:

The /bin/mail utility is a mail processing system which can be used to
send and receive e-mail messages. It is available for the Unix and Linux
operating systems.

A vulnerability has been discovered in /bin/mail on the Linux operating
system. The problem occurs when processing the 'CC:' field within an
e-mail message. Due to insufficient bounds checking, handling
approximately 8824 bytes of data will trigger a buffer overrun.

Successful exploitation of this issue could allow an attacker to execute
arbitrary commands with the privileges of /bin/mail. It should be noted
that local exploitation of this vulnerability may be inconsequential.
However, a malicious e-mail message handled by the vulnerable
utility, or a remote CGI interface, may both be sufficient conduits for
remote exploitation.
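The CC: overrun above is the unchecked form of a header copy into a fixed buffer. The following is an added example, not /bin/mail's code, showing the length-checked form; the function name and the 1024-byte limit are assumptions.

```c
/* Added example (not from /bin/mail): copy a header field value into a
 * fixed-size buffer only after checking that it fits. The flaw described
 * above is the same copy done without the check (strcpy/sprintf into a
 * fixed buffer), so ~8824 bytes of CC: data run past the buffer. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define FIELD_MAX 1024   /* assumed per-field limit */

/* Extracts the value of header `name` (e.g. "Cc") from one header line.
 * Returns the value length on success, -1 if the line is a different
 * header, or -2 if the value would not fit in `outlen` bytes. On -2 the
 * caller rejects the message instead of truncating or overrunning. */
int extract_header_value(const char *line, const char *name,
                         char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    size_t vlen;
    const char *p;

    if (strncasecmp(line, name, nlen) != 0 || line[nlen] != ':')
        return -1;
    p = line + nlen + 1;
    while (*p == ' ' || *p == '\t')      /* skip leading whitespace */
        p++;
    vlen = strcspn(p, "\r\n");           /* value ends at end of line */
    if (vlen >= outlen)                  /* bounds check, room for NUL */
        return -2;
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

int main(void)
{
    /* constructed input: a CC: line carrying 8824 bytes, as in the report */
    static char longline[9000];
    char out[FIELD_MAX];
    memset(longline, 'A', sizeof longline);
    memcpy(longline, "Cc: ", 4);
    longline[4 + 8824] = '\0';
    printf("short Cc: -> %d\n",
           extract_header_value("Cc: alice@example.org\r\n", "Cc", out, sizeof out));
    printf("8824-byte Cc: -> %d (rejected, not overrun)\n",
           extract_header_value(longline, "Cc", out, sizeof out));
    return 0;
}
```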

JBoss Null Byte Request JSP Source Disclosure Vulnerability
BugTraq ID: 7764
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7764
Summary:

JBoss is a freely available, open source Java Application server.  It is
distributed and maintained by JBoss Group.

A problem in the software may make it possible to gain unauthorized access
to potentially sensitive information.

A problem has been reported in the handling of unexpected characters by
the JBoss program.  Because of this, an attacker may gain access to
potentially sensitive information.

The problem is in the input of null characters with some requests.  By
placing a valid request, and appending a null byte to the end of the
request, it is possible to see the source of the Java Server Page (JSP)
requested from JBoss.  This could yield potentially sensitive information
such as passwords.

It should be noted that this problem occurs when JBoss is used with Jetty.
It is not known what effect this problem has on JBoss with other servers.
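The disclosure above arises when one layer classifies a request as a JSP by looking at the full path and another stops at the embedded NUL and serves the file as plain text. The following added example (not JBoss or Jetty code; function names are assumed) shows the check a front end can apply, judging the path on its explicit length rather than on where a NUL happens to fall.

```c
/* Added example, not JBoss's or Jetty's code: validate a request path by
 * its explicit byte length, so "page.jsp\0" is rejected outright instead
 * of being seen as ".jsp" by one component and as "page.jsp" by another. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the `len`-byte path contains no NUL and no control bytes,
 * 0 otherwise. memchr() over the declared length is the key step: strlen()
 * would already have stopped at the NUL and reported a clean path. */
int request_path_is_clean(const char *path, size_t len)
{
    size_t i;
    if (memchr(path, '\0', len) != NULL)     /* embedded NUL: ambiguous path */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (c < 0x20 || c == 0x7f)           /* CR, LF, TAB, DEL, ... */
            return 0;
    }
    return 1;
}

/* Classifies a request as JSP only on its full declared length, so a
 * trailing NUL byte changes the answer rather than being ignored. */
int is_jsp_request(const char *path, size_t len)
{
    return len >= 4 && memcmp(path + len - 4, ".jsp", 4) == 0;
}

int main(void)
{
    /* constructed inputs: a normal request and the same path plus a NUL */
    const char good[] = "/index.jsp";
    const char bad[]  = "/index.jsp\0";
    printf("%s: clean=%d jsp=%d\n", good,
           request_path_is_clean(good, 10), is_jsp_request(good, 10));
    printf("%s + NUL: clean=%d jsp=%d\n", good,
           request_path_is_clean(bad, 11), is_jsp_request(bad, 11));
    return 0;
}
```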

Apache Tomcat Insecure Directory Permissions Vulnerability
BugTraq ID: 7768
Remote: No
Date Published: Jun 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7768
Summary:

Tomcat is a web server and JSP/Servlet container that is developed by
Apache as part of the Jakarta project.

Apache Tomcat may be installed with world-readable permissions for the
/opt/tomcat/ directory.  Files in this directory may contain sensitive
information, such as authentication credentials.  Local users may
potentially gain unauthorized access to these files as a result.

This issue was reported for Apache Tomcat versions prior to 4.1.24 on
Gentoo Linux.  It is not known if other distributions are similarly
affected.

Multiple Mod_Gzip Debug Mode Vulnerabilities
BugTraq ID: 7769
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7769
Summary:

Mod_gzip is an Apache web server module that compresses web content before
sending it to the client.  Mod_gzip is not a standard module for Apache.

Multiple vulnerabilities were reported in Mod_gzip.  The following issues
exist when the software is run in debug mode:

Insufficient bounds checking of request data may lead to a stack overflow.
If a remote user passes an excessive request for a file type (such as
gzip) handled by the module, it may be possible to corrupt stack variables
with specific values.  This could lead to execution of malicious
attacker-supplied instructions.

Mod_gzip is prone to a format string vulnerability when Apache logging
facilities are used.  This is due to missing format specifiers in the code
responsible for logging requests for file types handled by the module.
Exploitation could permit a remote attacker to overwrite arbitrary
locations in memory with malicious data, potentially allowing for code
execution.

Mod_gzip logs debugging information in files using predictable names.
The following naming scheme is used when log files are created:

/tmp/t<PID>.log

By anticipating the value of the process ID, a local attacker could launch
symlink attacks against other system files.  It has been reported that
some debugging information is logged as the superuser.  This could allow
for corruption of arbitrary files.  If these files can be corrupted with
custom data, then it will be possible to gain elevated privileges.

Exploitation of these issues could result in execution of malicious
instructions or corruption of critical or sensitive files.

This record will be divided into multiple BIDs when further analysis of
these issues is complete.
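Two of the mod_gzip debug-mode issues above (the missing format specifier in the logging code, and the predictable /tmp/t&lt;PID&gt;.log name) are coding patterns with a standard fix. The following is an added example, not mod_gzip's code; the function names, the log directory and the file name template are assumptions.

```c
/* Added example (not mod_gzip's code): hardened form of the two patterns
 * behind the debug-mode logging issues. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Format string issue. The vulnerable pattern passes request data as the
 * format itself, e.g.  snprintf(out, n, request);  so "%x", "%n" and
 * similar sequences in the request are interpreted. With a constant format
 * and the request as a %s argument, they are copied literally.
 * Returns what snprintf returns (characters that would be written). */
int format_log_line(char *out, size_t n, const char *request)
{
    return snprintf(out, n, "mod_gzip: request for %s", request);
}

/* Predictable temp-file issue. A name derived from the PID can be guessed
 * and a symlink planted there before the (root) process opens it.
 * mkstemp() fills the XXXXXX from random characters and creates the file
 * with O_CREAT|O_EXCL, so a pre-existing path (symlink or file) makes the
 * call fail instead of being followed. Writes the created path into
 * `path`; returns the open descriptor, or -1 on failure or if the
 * template would not fit. */
int open_debug_log(const char *dir, char *path, size_t pathlen)
{
    int written = snprintf(path, pathlen, "%s/mod_gzip.XXXXXX", dir);
    if (written < 0 || (size_t)written >= pathlen)
        return -1;                          /* template truncated */
    return mkstemp(path);                   /* 0600 on glibc */
}

int main(void)
{
    char line[128], path[64];
    int fd;
    /* constructed request containing format sequences */
    format_log_line(line, sizeof line, "index.html.gz%x%n");
    printf("%s\n", line);
    fd = open_debug_log("/tmp", path, sizeof path);
    if (fd >= 0) {
        printf("debug log created at %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

Subsequent writes should go through the returned descriptor, never by reopening the path by name.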

myServer HTTP GET Argument Buffer Overflow Vulnerability
BugTraq ID: 7770
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7770
Summary:

myServer is an application and web server for Microsoft Windows and Linux
operating systems.

myServer has been reported prone to a remote buffer overflow
vulnerability. The vulnerability exists when the web server attempts to
process HTTP requests of excessive length. Specifically, when the web
server processes an argument passed to a malicious HTTP GET request that
consists of more than 4100 bytes, the web server will crash. This will
result in a denial of service condition.

It is possible that this vulnerability may also allow the execution of
arbitrary instructions.  Any instructions carried out through this
vulnerability would be with the privileges of the web server process.
However, the possibility of code execution has not been confirmed.

This vulnerability was reported for myServer version 0.4.1. It is likely
that other versions are also affected.

[ license uncertain ]

Pi3Web SortName Buffer Overflow Vulnerability
BugTraq ID: 7787
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7787
Summary:

Pi3Web is a free, multi platform, configurable HTTP server and development
environment.  It is available for Unix/Linux variants and Microsoft
Windows operating systems.

Pi3Web is prone to a buffer overflow vulnerability.  This is due to
insufficient bounds checking of URI parameters.  It is possible to trigger
this condition by specifying a 'SortName' URI parameter of excessive
length.  Excess data will overrun adjacent regions of memory.  This
condition could be exploited to cause a denial of service or possibly to
execute malicious instructions in the context of the server.

This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms.

It was originally believed that this condition only existed with certain
indexing configurations but additional reports indicate that this is not
the case.

[ license uncertain ]

Multiple Vendor kon2 Local Buffer Overflow Vulnerability
BugTraq ID: 7790
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7790
Summary:

kon2 is a Kanji emulator for the Linux console.

A buffer overflow vulnerability has been reported for the kon2 utility
shipped with various Linux distributions. Exploitation of this
vulnerability may result in a local attacker obtaining elevated privileges
on a vulnerable system.

The vulnerability exists due to insufficient bounds checking performed on
some commandline options passed to the vulnerable utility.

A local attacker can exploit this vulnerability by invoking kon2 with
overly long commandline options. This will trigger the overflow condition
and may result in an attacker obtaining root privileges.

This vulnerability was reported for kon2 0.3.9b and earlier.

Red Hat Linux TTY Layer Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 7791
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7791
Summary:

The TTY layer is used to process input and output supplied to and from the
console.

A vulnerability has been reported in the TTY layer that may result in a
kernel panic.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

[ probably affects other distributions as well; check the errata
  and updates that apply to you.
]

Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
BugTraq ID: 7793
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7793
Summary:

The Intel MXCSR register contains control/status information for the SSE
registers.

The Red Hat Linux Kernel MXCSR handler code has been reported prone to an
unspecified vulnerability.

The issue presents itself when low-level MXCSR kernel code encounters a
malformed address. It has been reported that the MXCSR code fails to
sufficiently handle malformed address data and will leave garbage in the
CPU state registers.

Although speculative, it has been conjectured that this issue may allow an
attacker to corrupt CPU state registers and trigger a denial of service
condition if the kernel relies on current register contents. Although
unconfirmed, other attacks may also be possible.

It should be noted that this vulnerability will only affect systems
running on the Intel architectures.

This BID will be updated as further technical details are released.

Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
BugTraq ID: 7795
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7795
Summary:

A potential data corruption vulnerability has been identified in the Red
Hat Linux kernel.

The potential issue may be exploitable under very restrictive
circumstances. In an ext3 file-system environment where the system is
processing heavy complex memory mapped file I/O loads, if the mapped
writes are to a partial page at the end of a file, a file may be
simultaneously unlinked and the corresponding mapped file blocks
reallocated. This action may potentially cause the corruption of arbitrary
files.

If an attacker can recreate the necessary environment, it may be possible
to create a condition where arbitrary files are corrupted.

[ same here: the information needed to determine whether this
  problem is old or new, and whether it affects only kernels
  patched by Red Hat, is missing. Consult your distribution's information.
]

Linux Kernel Fragment Reassembly Remote Denial Of Service Vulnerability
BugTraq ID: 7797
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7797
Summary:

The Linux kernel is the core of all Linux operating systems. It is
community-maintained.

A problem in the kernel network code could make a remote denial of service
possible.

It has been reported that the Linux kernel does not properly handle some
specific types of network traffic. Because of this, an attacker may be
able to cause excessive consumption of resources with malicious TCP/IP
packets, resulting in a denial of service.

The problem is in the handling of packet reassembly.  By sending maliciously
crafted packet fragments to a system using the vulnerable kernel, it would
be possible to consume an excessive amount of resources during the packet
reassembly phase. This could cause the system to become unstable.

PHP Transparent Session ID Cross Site Scripting Vulnerability
BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7761
Summary:

PHP is a freely available, open source web scripting language package.
It is available for Microsoft Windows, Linux, and Unix operating systems.

PHP contains an option known as transparent session IDs. This feature
allows session IDs to be embedded with a URL.

A cross-site scripting vulnerability has been discovered in PHP version
4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid'
global parameter has been enabled.

Due to insufficient sanitization of the PHPSESSID URI parameter, it is
possible for an attacker to embed malicious script code within a link.
By embedding malicious code in such a way that an HTML tag will be
prematurely terminated, it may be possible to execute arbitrary script
code.

Successful exploitation of this issue would allow an attacker to execute
arbitrary script code in a victim's browser within the context of the
visited website. This may allow for the theft of sensitive information,
such as session IDs, or possibly other attacks.

It should be noted that PHP versions prior to release 4.2.0 do not
support transparent session IDs by default. Support must be specified during
initial compilation.

[ + various problems with PHP Nuke and PHP Nuke scripts ]
