[linux-leman-annonces] SecurityFocus Newsletter #195

Marc SCHAEFER schaefer at alphanet.ch
Tue May 6 17:51:02 CEST 2003 

SonicWALL Pro Large HTTP POST Denial of Service Vulnerability
BugTraq ID: 7435
Remote: Yes
Date Published: Apr 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7435
Summary:

SonicWALL Pro is a hardware firewall that performs stateful packet
inspection.  The device can also provide VPN service and NAT.  It is
primarily for use in small office/home office (SOHO) environments.

SonicWALL Pro is reported to be prone to a denial of service condition.
This can be triggered by sending an unusually large HTTP POST to the
device's internal interface.  The device will reportedly enter a reset
cycle approximately 20 seconds after receiving the POST data, resulting in
a loss of device availability during this period.

This condition may be the result of a buffer in the device's firmware
being overrun, however, this has not been confirmed.

This vulnerability was reported to affect SonicWALL Pro devices running
firmware version 6.4.0.1 and ROM version 5.0.1.0.

It is important to note that a similar vulnerability was previously
reported on SonicWALL devices (BID 2013).  It is not known if this is the
same issue that has been reintroduced into the firmware or a separate
issue.

Linux-ATM LES Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 7437
Remote: No
Date Published: Apr 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7437
Summary:

Linux-atm is a set of drivers and tools designed to support ATM networking
under Linux.

The linux-atm 'les' executable has been reported prone to a buffer
overflow vulnerability.

This issue is due to a lack of sufficient bounds checking performed on
data supplied via the '-f' command line argument to the 'les' executable.
Excessive supplied data may overrun the bounds of an internal memory
buffer (of approximately 244 bytes in size) and corrupt adjacent memory.
Because adjacent memory may contain values that are crucial to the control
of execution flow, arbitrary code execution is possible.

Although this vulnerability reportedly affects linux-atm 2.4.0, previous
versions may also be affected.

It should be noted that it is not currently known whether this application
requires elevated privileges to run. No distributions are currently known
which install LES setuid.

Qualcomm Qpopper Poppassd Local Arbitrary Command Execution Vulnerability
BugTraq ID: 7447
Remote: No
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7447
Summary:

Qualcomm Qpopper poppassd is a daemon that facilitates the modification of
email account passwords.

Qualcomm Qpopper poppassd has been reported prone to a local arbitrary
command execution vulnerability.

poppassd is installed with setUID root permissions set by default and is
executable by all local system users. There has been an issue reported in
poppassd that may allow a local user to execute arbitrary commands in the
context of the root user. An attacker may specify a path to the
'smbpasswd' executable via the '-s' poppassd command line switch. A
malicious executable may be supplied via the path to 'smbpasswd' option,
for example '-s /tmp/smbpasswd' and the executable will be called as
poppassd is run.

An attacker may exploit this condition to elevate privileges on the local
system. Because poppassd is by default setUID root, privileges attained
may be root.

Apache Mod_Auth_Any Remote Command Execution Vulnerability
BugTraq ID: 7448
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7448
Summary:

mod_auth_any is an Apache module designed to carry out user authentication
using any program via the command-line.

A vulnerability has been discovered in the mod_auth_any Apache module.
When running commands which require user-supplied arguments, mod_auth_any
fails to sufficiently escape various user-supplied data. As a result, it
may be possible for a remote attacker to embed malicious shell
metacharacters, such as (`) or (;) within command-line arguments. These
metacharacters may result in the authentication procedure prematurely
ending and may cause attacker-supplied commands to be executed.

Successful exploitation of this vulnerability could allow an attacker to
gain access to a host using the vulnerable software with the privileges of
the Apache HTTPD server.

More information about the gull-annonces mailing list