[gull-annonces] SecurityFocus Newsletter #201

Marc SCHAEFER schaefer at alphanet.ch
Mon Jun 23 12:28:30 CEST 2003


Nokia GGSN Kernel Panic Denial of Service Vulnerability
BugTraq ID: 7854
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7854
Summary:

The Nokia GGSN (Gateway GPRS Support Node) is used to bridge Gn and Gi
networks.  GPRS can allow for web browsing and email connectivity for
cellular phones.

The GGSN device is reported to be prone to a denial of service condition
triggered by malformed IP packets.

When the device receives a malformed IP packet with a TCP option of 0xFF
set, it will cause a kernel panic resulting in the device shutting down.
This will cause a failure in all data connectivity on the GPRS (General
Packet Radio Service) network.

[ hardware ]

GZip ZNew Insecure Temporary File Creation Symbolic Link Vulnerability
BugTraq ID: 7872
Remote: No
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7872
Summary:

gzip is a freely available, open source file compression utility.  It is
maintained as a public project and is available for Unix, Linux and
Microsoft operating systems.

A problem with the utility may make the local destruction of data
possible.

It has been reported that gzip does not securely handle temporary files in
the znew script.  Because of this, a local attacker may be able to launch
a symbolic link attack against sensitive files.

The problem is in how znew checks for existing files.  When the znew
script runs, it does not sufficiently validate the result of its check for
the existence of a file in the temporary directory.  Because of this, znew
could write through a symbolic link and destroy the data in the file the
link points to, provided the user running znew has sufficient privileges
to write to that file.  This may also potentially lead to elevated
privileges, though this has not been confirmed.
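The check-then-create pattern the advisory describes, shown in C as an added example (it is not the znew script or any gzip code): create_tmp_unsafe() tests for the name with stat() and then opens it, so a dangling symbolic link planted by a local user passes the check and the open creates the file the link points at; create_tmp_safe() lets the kernel do the check and the create in one step with O_CREAT|O_EXCL, which fails on any existing name, symlink included. symlink_attack_demo() stages the scenario in a private directory under /tmp; the directory, file names, file contents and function names are constructed assumptions, not taken from the advisory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the advisory: ask "does the name exist?", then
 * create it.  stat() follows symbolic links, so a dangling link planted
 * by a local attacker reports "absent", and the fopen() that follows
 * creates (or truncates) whatever the link points at.  Returns 0 on
 * "success", which in the attack case means the victim file was written. */
int create_tmp_unsafe(const char *path) {
    struct stat st;
    if (stat(path, &st) == 0) {
        errno = EEXIST;
        return -1;
    }
    /* Race window: the name can be replaced between the check and the open. */
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("scratch data\n", f);
    fclose(f);
    return 0;
}

/* Hardened version: the kernel performs check and create atomically.
 * O_CREAT|O_EXCL fails with EEXIST whenever the name exists, including
 * when it is a symlink, no matter where the link points.  O_NOFOLLOW is
 * belt and braces for opens that do not use O_EXCL. */
int create_tmp_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    const char msg[] = "scratch data\n";
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    return n == (ssize_t)(sizeof msg - 1) ? 0 : -1;
}

/* Constructed scenario: in a private directory, a dangling symlink
 * "tmpfile" points at "victim", which does not yet exist.  Returns 1 when
 * the safe variant refuses the link and the unsafe variant creates
 * "victim" through it, 0 otherwise. */
int symlink_attack_demo(void) {
    char dir[] = "/tmp/znew-demo-XXXXXX";   /* assumed writable location */
    if (mkdtemp(dir) == NULL)
        return 0;
    char link[128], victim[128];
    snprintf(link, sizeof link, "%s/tmpfile", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    int result = 0;
    if (symlink(victim, link) == 0) {
        struct stat st;
        int safe_rc = create_tmp_safe(link);            /* -1, errno == EEXIST */
        int refused = (safe_rc == -1 && errno == EEXIST);
        int victim_before = (stat(victim, &st) == 0);   /* 0: still absent */
        int unsafe_rc = create_tmp_unsafe(link);        /* 0: wrote through the link */
        int victim_after = (stat(victim, &st) == 0);    /* 1: victim now exists */
        result = refused && !victim_before && unsafe_rc == 0 && victim_after;
    }
    unlink(victim);
    unlink(link);
    rmdir(dir);
    return result;
}

int main(void) {
    if (symlink_attack_demo())
        printf("check-then-create wrote through the symlink; O_CREAT|O_EXCL refused it\n");
    else
        printf("demo could not be staged\n");
    return 0;
}
```

znew is a shell script, so the shell equivalent of create_tmp_safe() is to keep scratch files inside a directory obtained from mktemp -d, where no other user can plant a link, rather than testing for a predictable name in a shared directory and then writing to it.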

RPM Package Manager FTP NLST Data Integer Overflow Remote Memory Corruption Vulnerability
BugTraq ID: 7874
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7874
Summary:

The RPM Package Manager is a command line utility for creating, installing
and managing RPM packages. It is available for a wide range of Linux
distributions.

A vulnerability has been reported for the RPM Package Manager. The problem
occurs when the application is used to retrieve FTP listings from a remote
server. Specifically, RPM fails to sufficiently sanity check the size of
the data returned by an FTP NLST listing. The size value is subsequently
shifted two bits to the left (multiplying it by four) and then used as the
size parameter of malloc(). The NLST data is then copied into the buffer
returned by malloc().

An attacker could exploit this issue by controlling a malicious FTP server
configured to transmit NLST data in excess of 1 gigabyte (2^30 bytes or
more, at which point the shifted value no longer fits in 32 bits). When
RPM carried out the shift, the size value would overflow. As a result, an
insufficiently sized memory buffer would be allocated to store the data.

The exploitability of this vulnerability to execute code is considered
highly implausible, as copying data of this size will typically fault the
process. However, this issue could exhaust available system resources and
would ultimately cause the RPM utility to crash.

Gnome FTP NLST Data Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7875
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7875
Summary:

A vulnerability has been reported for Gnome. It has been reported that
when processing NLST data from an FTP server, various Gnome functions or
utilities may fail to sufficiently handle the size of the data returned.
Due to subsequent calculations, an insufficient amount of memory may be
allocated for storage of the NLST data. This may result in excessive data
being copied into an undersized buffer, effectively causing a denial of
service.

It should be noted that this issue presents itself when a large amount of
NLST data in excess of 1 gigabyte is received. As such, exploitation of
this issue will inevitably result in the exhaustion of available
resources, followed by a segmentation violation. Also, due to the
excessive amount of data copied to memory, the exploitability of this
issue to execute code may not be plausible. Furthermore, it is said that
the exploitation of this issue may only be possible on architectures with
specific variable width characteristics, typically 64-bit systems.

It should be noted that the precise details regarding this vulnerability
are currently unknown. The problem may lie in specific Gnome utilities or
possibly in Gnome library string parsing functions linked to by other
applications.
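The size arithmetic described in this entry and in the preceding RPM entry (BID 7874), as an added C example that is neither rpm's nor GNOME's code: nlst_alloc_size_unchecked() performs the left shift by two in a 32-bit unsigned, which wraps to zero at exactly 2^30 bytes; nlst_alloc_size_checked() rejects any count whose quadruple cannot be represented before multiplying; nlst_overrun_bytes() reports how far a copy would run past the undersized buffer; nlst_copy_checked() is a constructed receive path built on the checked size. The function names, the factor of four being kept in the hardened version, and the sample listing are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size arithmetic as the advisories describe it: the byte count of the
 * NLST reply is shifted left by two (multiplied by four) and handed to
 * malloc().  In a 32-bit unsigned, any count of 2^30 or more loses its
 * high bits: (2^30) << 2 == 2^32, which is 0 modulo 2^32. */
uint32_t nlst_alloc_size_unchecked(uint32_t listing_len) {
    return listing_len << 2;
}

/* Overflow-aware replacement: refuse a count whose quadruple cannot be
 * represented, before doing the multiplication. */
int nlst_alloc_size_checked(uint32_t listing_len, uint32_t *alloc_out) {
    if (listing_len > UINT32_MAX / 4)
        return -1;
    *alloc_out = listing_len * 4;
    return 0;
}

/* Bytes by which the copy would run past the end of a buffer sized with
 * the unchecked arithmetic; 0 means the listing fits. */
uint32_t nlst_overrun_bytes(uint32_t listing_len) {
    uint32_t alloc = nlst_alloc_size_unchecked(listing_len);
    return alloc < listing_len ? listing_len - alloc : 0;
}

/* Constructed receive path (not rpm's or GNOME's code): allocate with the
 * checked size, copy the listing and NUL-terminate it.  Returns NULL when
 * the size is rejected or malloc() fails; the caller frees the result. */
char *nlst_copy_checked(const char *data, uint32_t listing_len) {
    uint32_t alloc;
    if (nlst_alloc_size_checked(listing_len, &alloc) != 0)
        return NULL;
    char *buf = malloc((size_t)alloc + 1);   /* +1 for the terminating NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, listing_len);
    buf[listing_len] = '\0';
    return buf;
}

int main(void) {
    uint32_t one_gib = 1u << 30;
    printf("listing of %u bytes: unchecked alloc %u, overrun %u bytes\n",
           one_gib, nlst_alloc_size_unchecked(one_gib), nlst_overrun_bytes(one_gib));
    const char sample[] = "file1\r\nfile2\r\n";   /* constructed NLST reply */
    char *copy = nlst_copy_checked(sample, (uint32_t)strlen(sample));
    printf("checked copy: %s", copy ? copy : "(rejected)\n");
    free(copy);
    return 0;
}
```

A listing of 2^30 bytes wraps the allocation to zero, and 2^30 + 5 bytes wraps it to 20, so a server that pads its reply to just over a gigabyte chooses how small the buffer becomes; the checked version refuses anything above UINT32_MAX / 4 and never reaches malloc().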

SMC Wireless Router Malformed PPTP Packet Denial of Service Vulnerability
BugTraq ID: 7876
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7876
Summary:

SMC SMC7004VWBR is a wireless Cable/DSL broadband router with integrated
wireless access point and SPI firewall.

It has been discovered that this device is prone to a denial of service
attack. The problem occurs when the router processes a sequence of
malformed PPTP packets transmitted to its internal interface.

The successful exploitation of this vulnerability will result in the
router no longer responding to internal wireless traffic. This will
effectively deny legitimate wireless users further network services.

It should be noted that the device would need to be physically reset to
restore typical functionality.

This vulnerability affects firmware versions earlier than 1.23.

[ hardware ]

Ethereal DCERPC Dissector Memory Allocation Vulnerability
BugTraq ID: 7878
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7878
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The DCERPC dissector of Ethereal is prone to a condition whereby too much
memory may be allocated when decoding certain NDR strings.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

This may result in the vulnerable Ethereal process allocating too much
memory. Repeated decoding of malformed NDR packets may result in the
consumption of all available memory resources which may lead to a denial
of service condition.

This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal SPNEGO Dissector Denial Of Service Vulnerability
BugTraq ID: 7879
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7879
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The SPNEGO dissector of Ethereal may cause a segmentation fault when
parsing certain ASN.1 values.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet with an invalid ASN.1 value and sending it to a
system using the vulnerable dissector.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal OSI Dissector Buffer Overflow Vulnerability
BugTraq ID: 7880
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7880
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The OSI dissector is prone to a buffer overflow condition when handling
bad IPv4 or IPv6 prefix lengths. This is likely due to insufficient bounds
checking.

It may be possible to construct an IPv4 or IPv6 packet that will, when
decoded by Ethereal, trigger the overflow condition. Successful
exploitation of this vulnerability may result in the attacker gaining
access to the Ethereal host via execution of attacker-supplied
instructions.

This BID will be updated when further technical details are disclosed.

This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal Multiple Dissector String Handling Vulnerabilities
BugTraq ID: 7881
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7881
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

Several dissectors included with Ethereal do not properly handle strings.
Exploitation of this issue may allow an attacker to cause Ethereal to
behave in an unpredictable manner. The BGP, WTP, DNS, 802.11, ISAKMP, WSP,
CLNP, ISIS, and RMI dissectors are vulnerable to this issue.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissectors or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
BugTraq ID: 7883
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7883
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

An Ethereal routine, tvb_get_nstringz0(), has been reported prone to a
memory handling vulnerability. Reportedly tvb_get_nstringz0() incorrectly
handles a zero-length buffer size. Although unconfirmed, it has been
conjectured that this issue may be due to an incorrect allocation of
memory, caused by an unsigned integer being used when calculating the size
of memory to be allocated.

Exploitation of this issue may allow an attacker to cause Ethereal to
behave in an unpredictable manner.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for either a remotely triggered
denial of service condition or ultimately in the execution of arbitrary
code with the privileges of the Ethereal process.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

This vulnerability affects Ethereal 0.9.12 and earlier.

FakeBO Syslog Format String Vulnerability
BugTraq ID: 7882
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7882
Summary:

FakeBO is a utility that logs common trojan connection attempts and can
emulate the trojan being probed for. It may also be used in a honeypot
setup to facilitate security monitoring. It is available for Microsoft
Windows, Linux and Unix variant operating systems.

A vulnerability has been reported for FakeBO that may result in an
attacker obtaining elevated privileges on a target system.

Due to a programming error, it may be possible to exploit a format string
vulnerability in the affected utility. Specifically, a logging function in
FakeBO contains insecure syslog() calls. This could result in the
execution of attacker-supplied code.

The vulnerability occurs when FakeBO resolves a carefully constructed
hostname that includes malicious format string specifiers. If this
vulnerability is exploited, an attacker could cause arbitrary locations in
memory to be corrupted with attacker-specified data and execute code with
elevated privileges.

This vulnerability was reported for FakeBO 0.4.1.

MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
BugTraq ID: 7887
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7887
Summary:

MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.

MySQL contains a client library called libmysqlclient. A problem exists in
the mysql_real_connect() function of the libmysqlclient library that could
result in a buffer being overrun.

The problem likely occurs due to insufficient bounds checking of
user-supplied parameters and could allow an attacker to corrupt sensitive
process memory. It is possible to trigger this condition by supplying a
parameter containing approximately 350 or more bytes of data.

An attacker could potentially exploit this issue to execute arbitrary code
on a remote system. It should be noted that this issue would need to be
exploited in conjunction with an unrelated remote SQL injection attack, or
on a system which allows for the uploading of scripts.

Typespeed Remote Memory Corruption Vulnerability
BugTraq ID: 7891
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7891
Summary:

Typespeed is a game designed to test typing skills. It is available for
the Linux operating system. Typespeed is installed setgid 'games' by
default on the Debian Linux distribution.

A memory corruption vulnerability has been reported for Typespeed that may
result in code execution with elevated privileges. The vulnerability
exists in the net_swapscore() function of the 'network.c' source file.
Specifically, proper bounds checks are not performed prior to executing
the 'strncpy' function.

A remote attacker may be able to exploit this vulnerability to corrupt
sensitive process memory with attacker-supplied data.

This vulnerability was reported for Typespeed 0.4.1 and earlier.

Cistron RADIUS Remote Signed NAS-Port Number Expansion Memory Corruption Vulnerability
BugTraq ID: 7892
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7892
Summary:

A vulnerability has been discovered in the Cistron RADIUS server. The
problem is due to the way the application processes user-supplied NAS-Port
values.

The issue occurs within the make_wtmp function in a call to sprintf().
Specifically, the '%03d' format specifier is used to format the
user-supplied nas_port variable. The problem lies in the fact that the
nas_port variable could hold a signed integer value. If the value were
negative with a magnitude of 1 billion or more (10 digits), sprintf()
would expand the integer to as many as 11 bytes, because a minus sign '-'
is prepended to the 10-digit value.

Due to this unexpected expansion, the 'buf[32]' character array may be
overrun by 1 byte: after the port value, the same sprintf() call appends a
colon ':', 20 bytes of data and a NUL byte to the buffer, 11 + 1 + 20 + 1
= 33 bytes in total.

This issue could pose a security threat as the NUL byte could potentially
corrupt the least significant byte of the current frame's saved frame
pointer. This could result in a situation in which an attacker-supplied
memory address is popped as the instruction pointer, effectively resulting
in the execution of arbitrary code.

It should be noted that the exploitability of this issue is heavily
dependent on the layout of the process in memory, which is compiler
dependent. It has been reported however that under some circumstances this
issue may affect data stored from previously processed packets or possibly
other sensitive stack variables.

[ hardware/firmware ]
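The arithmetic behind the one-byte overrun in the Cistron RADIUS entry above, as an added C example that is not Cistron's make_wtmp code: wtmp_record_len() uses snprintf(NULL, 0, ...) to measure, without writing anywhere, how long the record ("%03d" of the port, ':', a 20-byte field, NUL) becomes for a given port value; wtmp_overrun() reports how far that exceeds buf[32]; make_wtmp_safe() is a hardened formatter that rejects negative values (RADIUS integer attributes are unsigned 32-bit) and bounds the write with snprintf. The contents of the 20-byte field and the function names are assumptions; the advisory does not say what make_wtmp appends after the colon.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define WTMP_BUF 32   /* the advisory's buf[32] */

/* Stand-in for the 20 bytes make_wtmp appends after the colon.  The page
 * does not say what they are, so this is a constructed value of exactly
 * 20 characters. */
static const char field20[] = "nas.example.internal";

/* Bytes the record occupies for a given port value, NUL included,
 * measured with snprintf(NULL, 0, ...) so nothing is written anywhere.
 * Layout as described: "%03d" of the port, ':', 20 bytes, NUL.  The
 * "03" is a minimum width, so it caps nothing: a negative 10-digit
 * value still expands to 11 characters. */
int wtmp_record_len(int nas_port) {
    return snprintf(NULL, 0, "%03d:%s", nas_port, field20) + 1;
}

/* How many bytes the record would run past a 32-byte buffer (0 = fits). */
int wtmp_overrun(int nas_port) {
    int len = wtmp_record_len(nas_port);
    return len > WTMP_BUF ? len - WTMP_BUF : 0;
}

/* Hardened formatter (constructed, not Cistron's code).  RADIUS integer
 * attributes are unsigned 32-bit, so a negative NAS-Port is rejected
 * outright, and the write is bounded by the buffer size.  Returns the
 * formatted length, or -1 on a rejected value or truncation. */
int make_wtmp_safe(char *buf, size_t bufsize, long long nas_port) {
    if (nas_port < 0 || nas_port > 4294967295LL)
        return -1;
    int n = snprintf(buf, bufsize, "%03lld:%s", nas_port, field20);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return n;
}

int main(void) {
    char buf[WTMP_BUF];
    printf("port %d -> %d bytes, overrun %d\n",
           INT_MIN, wtmp_record_len(INT_MIN), wtmp_overrun(INT_MIN));
    printf("port %d -> %d bytes, overrun %d\n",
           INT_MAX, wtmp_record_len(INT_MAX), wtmp_overrun(INT_MAX));
    printf("safe(-1000000000) -> %d\n", make_wtmp_safe(buf, sizeof buf, -1000000000LL));
    int n = make_wtmp_safe(buf, sizeof buf, 7);
    printf("safe(7) -> %d \"%s\"\n", n, buf);
    return 0;
}
```

For an int port, INT_MAX formats as 10 characters and the record is exactly 32 bytes, filling buf[32] to the last byte, while any value from -1000000000 downwards formats as 11 and pushes the NUL one byte past the end. It is the sign, not the magnitude, that the '%03d' width hides.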
