[gull-annonces] Résumé SecurityFocus Newsletter #202

Marc SCHAEFER schaefer at alphanet.ch
Wed Jun 25 15:35:50 CEST 2003


IKE-Scan Local Logging Format String Vulnerability
BugTraq ID: 7897
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7897
Summary:

ike-scan is a utility designed to discover IPsec VPN hosts running IKE
(Internet Key Exchange). It is maintained by NTA and is available for Unix
variant operating systems.

A vulnerability has been discovered in ike-scan. The problem is said to
occur because user-supplied data reaches the syslog() function as the
format string itself, rather than as an argument to a fixed format
specifier such as "%s". As a result, by passing a command-line argument
containing format specifiers to ike-scan it may be possible for a
malicious local user to corrupt process memory.

Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary code with the privileges of ike-scan. It should be noted
that ike-scan is not installed suid by default.
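The defect described above, as an added example that is not ike-scan's own code: a syslog()-style logging helper written the unsafe way (the user's string used as the format) beside the fixed form. The helper formats into a buffer instead of calling syslog(3) so the effect can be observed directly; the probe string is constructed here and uses only the harmless "%%" conversion so the demonstration has no undefined behaviour.

```c
/* Added example (not ike-scan code): a syslog()-style logger with the
 * format-string bug beside the one-line fix. fake_syslog() stands in for
 * syslog(3): same calling convention, output to a buffer for inspection. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

static void fake_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the attacker-controlled string *is* the format string.
 * "%x" leaks stack words, "%s" dereferences them, "%n" writes through
 * them, which is what turns a logging bug into memory corruption. */
static void log_arg_unsafe(char *out, size_t outlen, const char *arg)
{
    fake_syslog(out, outlen, arg);
}

/* FIXED: a constant format; the argument can only ever be a "%s" operand. */
static void log_arg_safe(char *out, size_t outlen, const char *arg)
{
    fake_syslog(out, outlen, "%s", arg);
}

/* Returns 1 when the logged text differs from the text supplied, i.e. when
 * the logger interpreted conversion specifiers found in user input. */
static int interprets_input(void (*logger)(char *, size_t, const char *),
                            const char *arg)
{
    char out[LOGBUF];
    logger(out, sizeof out, arg);
    return strcmp(out, arg) != 0;
}

int main(void)
{
    /* Constructed probe: "%%" collapses to "%" only if it is parsed as a
     * format. A real attacker would use "%n" instead of "%%". */
    const char *probe = "host 100%% reachable";
    printf("unsafe logger interprets input: %d\n",
           interprets_input(log_arg_unsafe, probe));
    printf("safe logger interprets input:   %d\n",
           interprets_input(log_arg_safe, probe));
    return 0;
}
```

Compiling the unsafe variant with -Wformat-security (and treating that warning as an error) catches the pattern at build time whenever the sink carries a format attribute, as the real syslog(3) does.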

ATFTP Timeout Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7902
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7902
Summary:

atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This
issue is due to insufficient bounds checking performed on input supplied
to the command line parameter (-t) for "timeout". By providing a string of
excessive length (9000 bytes) as a value for the command line parameter,
it is possible to trigger this condition to corrupt stack variables. Local
attackers may leverage the resulting memory corruption to execute
arbitrary instructions.

If atftp is installed setuid/setgid, an attacker may potentially exploit
this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to
affect atftp version 0.7cvs, other versions might also be vulnerable.

ATFTP Blocksize Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7907
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7907
Summary:

atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This
issue is due to insufficient bounds checking performed on input supplied
to the command line parameter (-b) for "blocksize". By providing a string
of excessive length as a value for the command line parameter, it is
possible to trigger this condition to corrupt stack variables. Local
attackers may leverage the resulting memory corruption to execute
arbitrary instructions.

If atftp is installed setuid/setgid, an attacker may potentially exploit
this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to
affect atftp version 0.7cvs, other versions might also be vulnerable.

It should also be noted that atftp is not installed setuid/setgid by
default.

ATFTP TFTP-Timeout Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7906
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7906
Summary:

atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This
issue is due to insufficient bounds checking performed on input supplied
to the command line parameter (-T) for "tftp-timeout". By providing a
string of excessive length as a value for the command line parameter, it
is possible to trigger this condition to corrupt stack variables. Local
attackers may leverage the resulting memory corruption to execute
arbitrary instructions.

If atftp is installed setuid/setgid, an attacker may potentially exploit
this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to
affect atftp version 0.7cvs, other versions might also be vulnerable.

It should also be noted that atftp is not installed setuid/setgid by
default.

Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
BugTraq ID: 7912
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7912
Summary:

A vulnerability has been reported for multiple PDF viewers for Unix
variant operating systems. Both Adobe Acrobat Reader and Xpdf are said to
be affected.

The vulnerability allegedly occurs when following a malicious hyperlink.
When the hyperlink is followed, the PDF viewer externally calls 'sh -c'
to invoke a utility to handle the request. Supposedly, when the link is
followed it is possible to execute arbitrary commands by placing shell
metacharacters designed to escape the command within the hyperlink, in
particular backtick (`) characters, which the shell treats as command
substitution.

Successful exploitation of this vulnerability could potentially allow an
attacker to execute arbitrary commands on a target system with the
privileges of the user invoking the PDF document. This would occur
externally to the program and the utility invoked to handle the link would
still be called.

The exploitability of this issue is said to vary between PDF viewers, as
some do not support the use of external hyperlinks. If a viewer is
currently invoked within a browser, the call to 'sh -c' may not be made.

This vulnerability is said to affect Adobe Acrobat Reader 5.06 and Xpdf
1.01, however, other versions may also be affected.

It should be noted that this vulnerability may be similar to that
described in BID 1624. If it is concluded that this is in fact the case,
the older BID will be updated and this BID will be retired.
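The 'sh -c' problem described above, as an added example that is neither Acrobat Reader's nor Xpdf's code: the command string a viewer would build for the shell, a check that refuses shell metacharacters, and the fix that removes the shell entirely by exec'ing the handler with an argv array. The handler name "netscape" and its "-remote openURL(...)" argument are placeholder assumptions, as is the malicious link.

```c
/* Added example, not Acrobat Reader or Xpdf code. Shows why handing a
 * hyperlink to "sh -c" is a command-injection sink, a metacharacter
 * check, and the shell-free exec that makes the check unnecessary.
 * "netscape -remote openURL(...)" is an assumed handler command line. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern: one string, parsed by /bin/sh. Backticks in the URL
 * become a command substitution; ; | & split off further commands. This
 * only builds the string so the effect can be inspected, it does not run it. */
static int build_shell_command(char *out, size_t outlen, const char *url)
{
    int n = snprintf(out, outlen, "sh -c \"netscape -remote 'openURL(%s)'\"", url);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the shell command built for url still contains needle,
 * e.g. an injected `id` that the shell would run before the browser. */
static int shell_command_contains(const char *url, const char *needle)
{
    char cmd[1024];
    return build_shell_command(cmd, sizeof cmd, url) == 0 && strstr(cmd, needle) != NULL;
}

/* Defence in depth: refuse characters sh uses for substitution, command
 * separation, redirection and quoting. ? * # are legitimate in URLs and
 * are left alone, which is why filtering alone is a weak fix. */
static int url_is_shell_safe(const char *url)
{
    return url[0] != '\0' && strpbrk(url, "`$;|&<>()'\"\\ \t\r\n") == NULL;
}

/* FIXED: no shell. The URL travels as one argv element, byte for byte, so
 * metacharacters have no meaning. Returns the handler's exit status, or -1
 * if it could not be started or was killed by a signal. */
static int open_link_noshell(const char *handler, const char *url)
{
    char arg[1024];
    if (snprintf(arg, sizeof arg, "openURL(%s)", url) >= (int)sizeof arg) return -1;
    char *const argv[] = { (char *)handler, "-remote", arg, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(handler, argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed malicious link: the substitution runs before the browser. */
    const char *evil = "http://example.com/x`id>/tmp/pwned`";
    char cmd[1024];
    build_shell_command(cmd, sizeof cmd, evil);
    printf("shell would receive: %s\n", cmd);
    printf("filter accepts link: %d\n", url_is_shell_safe(evil));
    /* With echo standing in for the browser the URL is printed verbatim,
     * backticks included: nothing was executed. */
    return open_link_noshell("echo", evil) == 0 ? 0 : 1;
}
```

Running the block prints the exact string the shell would have parsed and then shows the same URL passed through execvp() untouched; the filter is there for viewers that cannot avoid the shell, and the last paragraph of the entry (no 'sh -c' call when embedded in a browser) is exactly the exec path.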

MikMod Long File Name Local Buffer Overflow Vulnerability
BugTraq ID: 7914
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7914
Summary:

mikmod is a freely available, open source sound library and module player.
It is available for Unix, Linux, and Microsoft platforms.

A problem with the program may make it possible for users to gain
unauthorized privileges.

It has been reported that mikmod does not properly handle some types of
input.  Because of this, an attacker may be able to gain unauthorized
privileges on a system using the program.

mikmod does not properly handle file names of arbitrary length.  Long file
names inside archive files can cause the corruption of sensitive process
memory that may potentially be exploited to execute code with the
privileges of the process.

FreeWnn JServer Logging Option Data Corruption Vulnerability
BugTraq ID: 7918
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7918
Summary:

FreeWnn 1.1.0 is a kana-kanji (Japanese) conversion system. This software
is a client-server type application, with the jserver portion acting as a
server and performing conversions for clients.

A vulnerability has been reported for FreeWnn that may result in an
attacker obtaining elevated privileges. Specifically, when
/usr/bin/Wnn4/jserver is invoked with the '-s' command-line option to
indicate a log file, it does not perform proper file existence checks. Due
to this, an attacker may be able to overwrite system files, and
potentially gain elevated privileges.

If the jserver process is executed as a user with elevated privileges,
this could allow an attacker to gain privileges equal to the jserver user.

It should be noted that this program might also be installed with setuid
or setgid privileges on some systems. This would allow an attacker to
execute and exploit the program at will.

LedNews Post Script Code Injection Vulnerability
BugTraq ID: 7920
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7920
Summary:

LedNews is a freely available, open source news posting script.  It is
available for the Unix and Linux platforms.

A problem with the software may make script injection attacks possible.

It has been reported that LedNews does not properly filter input from news
posts.  Because of this, it may be possible for an attacker to steal
authentication cookies or perform other nefarious activities.

The problem is in filtering of input.  The program does not properly
sanitize input, allowing HTML and script code to be posted as news.  This
could be abused to execute code in the browser of site users.

It should be noted that it may also be possible to execute arbitrary
commands through server-side includes on a host using the vulnerable
software.

Linux-PAM Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability
BugTraq ID: 7929
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7929
Summary:

Linux-PAM (Pluggable Authentication Modules for Linux) is an
authentication system used to enforce various access restrictions and
security mechanisms. The pam_wheel module can be used to enforce access
restrictions to various utilities, such as 'su', using the 'wheel' group.

When the "trust" configuration option is implemented, users of the trusted
group are not required to supply a password when running the 'su' utility.
A configuration option "use_uid" is also available which specifies whether
a user of the trusted group should be verified using the login name or
user id.

A vulnerability has been discovered in the pam_wheel module when running a
configuration with the "trust" option enabled and the "use_uid" option
disabled. The vulnerability occurs due to the insecure use of the
getlogin() function when verifying user login names against a list of
trusted users. It should be noted that the said configuration is not used
by default.

Due to the insecure use of getlogin() a local attacker may be capable of
gaining unauthorized 'root' privileges without supplying a password. This
can be accomplished by spoofing the login name, causing getlogin() to
return the name of another logged-in user. The spoofed user would have to
be logged in to the system and also be a member of the trusted group for
this attack to take place.

Successful exploitation of this issue would allow an attacker to invoke
the 'su' utility and gain unauthorized superuser privileges.

Noweb/Noroff Insecure Temporary File Creation Vulnerability
BugTraq ID: 7937
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7937
Summary:

noweb is an application designed to automate the process of preparing the
source of a program for human readers.

noroff is a tool shipped as part of noweb; it formats documents that have
been partially processed by noweb.

noroff has been reported prone to an insecure temporary file creation
vulnerability. As a result, it may be possible for local attackers to
corrupt files owned by the user who is invoking the noroff application.

An attacker could potentially exploit this issue by creating a symbolic
link in place of the temporary file which is created. Any actions
performed by noroff when it is executed will be performed on the linked
file.

It should be noted that although this vulnerability has been reported to
affect noweb version 2.9a, other versions might also be affected.

Portmon Host File Option Sensitive File Arbitrary Content Display Vulnerability
BugTraq ID: 7941
Remote: No
Date Published: Jun 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7941
Summary:

Portmon is a freely available, open source network service monitoring
utility.  It is available for Unix and Linux operating systems.

A vulnerability in the software may give local users unauthorized access
to sensitive information.

Portmon is typically installed with elevated privileges, as it requires
these privileges to use raw sockets.  When the program is executed, and a
file with restricted privileges is supplied as an argument to the hosts
command line argument (-c), the contents of the file are displayed to the
user executing portmon.  This could reveal sensitive information to a
malicious local user.

Portmon Log File Option File Overwrite Vulnerability
BugTraq ID: 7943
Remote: No
Date Published: Jun 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7943
Summary:

Portmon is a freely available, open source network service monitoring
utility.  It is available for Unix and Linux operating systems.

A problem with the software may give local users the ability to overwrite
information.

Portmon is typically installed with elevated privileges, as it requires
these privileges to use raw sockets.  When the program is executed, and a
file with restricted privileges is supplied as an argument to the log file
command line argument, the contents of the file will be corrupted by
portmon.  This could result in a denial of service if critical files are
corrupted.

It is not known if files can be corrupted with custom data, though if this
is possible, an attacker may potentially exploit this issue to elevate
privileges.
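The FreeWnn, noroff and portmon entries above are three faces of one problem: a program that may run with elevated privileges opening a path it was handed. As an added example, not code from any of those projects, the block below shows how each case is handled in C: a log file is created fresh rather than an existing file being truncated, a symlink planted at the log path is refused, a temporary file is created with mkstemp(), and a file the invoking user may not read is opened with the invoker's identity. The /tmp paths and the "victim" file are constructed for the demonstration.

```c
/* Added example, not FreeWnn, noroff or portmon code. Safe opening of
 * user-supplied paths in a program that might be setuid/setgid. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Log file (FreeWnn -s, portmon log option): O_EXCL makes open() fail if
 * anything already exists at path, a symlink included, even a dangling
 * one; O_NOFOLLOW refuses a symlink in the last component regardless.
 * Directory components can still be symlinks, so keep logs in a directory
 * the invoker cannot write to. */
static int create_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Read on behalf of the invoker (portmon -c): swap effective ids to the
 * real ids around the open() so the kernel applies the invoker's
 * permissions, then take the privilege back. In a non-setuid process the
 * ids already match and the swap is a no-op. */
static int open_as_invoker(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    if (setegid(rgid) < 0 || seteuid(ruid) < 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int saved = errno;
    if (seteuid(euid) < 0 || setegid(egid) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved;
    return fd;
}

/* Temporary file (noroff): mkstemp() creates it atomically with O_EXCL and
 * an unpredictable name, so a symlink pre-planted at a guessed name is
 * never used. Returns 1 if the file was created and removed again. */
static int demo_temp_file(void)
{
    char path[] = "/tmp/noroff.XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    return unlink(path) == 0;
}

/* Plant a symlink at a predictable log path the way an attacker would and
 * check that create_log_exclusive() refuses it yet succeeds on an unused
 * path. Returns 1 when both hold. */
static int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char victim[64], link[64], fresh[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);  /* stands in for a system file */
    snprintf(link, sizeof link, "%s/app.log", dir);     /* the predictable log path */
    snprintf(fresh, sizeof fresh, "%s/new.log", dir);
    int ok = 0, v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v >= 0 && symlink(victim, link) == 0) {
        int fd = create_log_exclusive(link);    /* expected: -1, EEXIST (or ELOOP) */
        int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
        int fd2 = create_log_exclusive(fresh);  /* expected: a new file */
        ok = refused && fd2 >= 0;
        if (fd >= 0) close(fd);
        if (fd2 >= 0) close(fd2);
    }
    if (v >= 0) close(v);
    unlink(fresh); unlink(link); unlink(victim); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink at log path refused: %d\n", demo_symlink_refused());
    printf("temp file created safely:    %d\n", demo_temp_file());
    int fd = open_as_invoker("/etc/shadow");    /* readable only by root */
    printf("open /etc/shadow as invoker: %s\n", fd < 0 ? strerror(errno) : "opened");
    if (fd >= 0) close(fd);
    return 0;
}
```

Run as an ordinary user the last line prints "Permission denied" even if the binary were setuid root, which is the behaviour portmon lacks; run as root it opens the file, which is the correct answer for that invoker.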

Dune HTTP Get Remote Buffer Overrun Vulnerability
BugTraq ID: 7945
Remote: Yes
Date Published: Jun 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7945
Summary:

Dune is a freely available, open source HTTP server for the Unix and Linux
platforms.

A problem with the program may make it possible for an attacker to gain
unauthorized access.

It has been reported that Dune is vulnerable to a remote boundary
condition error when handling long requests.  This could allow a remote
attacker to execute arbitrary code on a vulnerable system.

The problem is insufficient bounds checking of HTTP GET requests.  By
sending an HTTP GET request of 48 or more bytes, an attacker can cause the
overwriting of sensitive process memory.  This could be exploited to
execute code with the privileges of the web server process.

It should be noted that the Dune project is no longer maintained.
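The three atftp entries, the mikmod entry and the Dune entry above all describe the same defect: attacker-supplied text copied into a fixed-size stack buffer with no length check. As an added example, not code from any of those projects, the block below puts the unsafe copy next to a bounded copy that refuses rather than truncates, a numeric option parser that never copies at all (the right shape for "-t timeout"), and the same rule applied to an HTTP request line. Buffer sizes and inputs are constructed for illustration; the 48-byte line buffer echoes the figure in the Dune entry.

```c
/* Added example, not atftp, mikmod or Dune code: unbounded copy into a
 * stack buffer beside the bounded alternatives. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTBUF 32      /* deliberately small so the overflow is obvious */
#define LINEBUF 48     /* request length at which Dune is reported to fail */

/* VULNERABLE: strcpy() stops at the source's NUL, not at the end of the
 * destination. A 9000-byte "-t" value writes nearly 9000 bytes beyond
 * opt[], over the saved frame pointer and return address. Kept for
 * comparison and only ever called with a short constant below. */
static void parse_timeout_unsafe(const char *arg)
{
    char opt[OPTBUF];
    strcpy(opt, arg);
    printf("timeout option: %s\n", opt);
}

/* FIX (a): check the length first and refuse, rather than silently clip,
 * anything that will not fit including its NUL. Returns 0 or -1. */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* FIX (b): a timeout is a number. Parse it in place with strtol() and
 * range-check it; there is no buffer to overflow. Returns -1 on trailing
 * junk, overflow or an out-of-range value (1..255 seconds assumed). */
static long parse_timeout_safe(const char *arg)
{
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || v < 1 || v > 255) return -1;
    return v;
}

/* Network side (Dune): copy the request line only if it fits. Returns the
 * stored length without CRLF, or -1 when the line is refused. */
static int read_request_line(const char *data, size_t datalen, char *line, size_t linelen)
{
    const char *nl = memchr(data, '\n', datalen);
    size_t n = nl ? (size_t)(nl - data) : datalen;
    if (n > 0 && data[n - 1] == '\r') n--;
    if (n >= linelen) return -1;
    memcpy(line, data, n);
    line[n] = '\0';
    return (int)n;
}

/* Constructed input: a "-t" value of len digits. Returns 1 if both safe
 * paths reject it (too long for opt[], out of range for a timeout). */
static int long_option_rejected(size_t len)
{
    char *arg = malloc(len + 1);
    if (!arg) return 0;
    memset(arg, '9', len);
    arg[len] = '\0';
    char opt[OPTBUF];
    int r = copy_bounded(opt, sizeof opt, arg) == -1 && parse_timeout_safe(arg) == -1;
    free(arg);
    return r;
}

/* Constructed input: "GET /AAA... HTTP/1.0\r\n" of total bytes. Returns 1
 * if it fits a LINEBUF-byte line buffer, 0 if it is refused. */
static int get_request_fits(size_t total)
{
    if (total < 17) return 0;
    char *req = malloc(total);
    if (!req) return 0;
    memset(req, 'A', total);
    memcpy(req, "GET /", 5);
    memcpy(req + total - 11, " HTTP/1.0\r\n", 11);
    char line[LINEBUF];
    int r = read_request_line(req, total, line, sizeof line) >= 0;
    free(req);
    return r;
}

int main(void)
{
    parse_timeout_unsafe("5");
    printf("parse '5' -> %ld, '5x' -> %ld\n", parse_timeout_safe("5"), parse_timeout_safe("5x"));
    printf("9000-byte option rejected: %d\n", long_option_rejected(9000));
    printf("40-byte GET fits: %d, 200-byte GET fits: %d\n",
           get_request_fits(40), get_request_fits(200));
    return 0;
}
```

The choice between (a) and (b) is the point: whenever the value has a type (a number, an enumerated keyword), parse it into that type directly and the string buffer disappears; where a string must be kept (a file name from an archive, a request URI), bound the copy and treat "does not fit" as a protocol error rather than something to truncate.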

Avaya Cajun Network Switch Connection Stalling Denial Of Service Vulnerability
BugTraq ID: 7961
Remote: Yes
Date Published: Jun 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7961
Summary:

Cajun Network Switch is the range of network switches distributed by
Avaya.

A problem with the switches may make it possible to deny service to
network users.

It has been reported that Cajun switches do not properly handle traffic to
port 4000.  Because of this, an attacker may be able to cause the switch
to stall for a period of time.

The problem is in the handling of strings at least five bytes long.  When
a string such as \x80dupa is sent to the switch on this port, the device
stalls and then reboots.  This can be repeated each time the switch comes
back up, resulting in a prolonged denial of service.

[ hardware ]

+ usual PHP / postnuke, etc.



More information about the gull-annonces mailing list