[gull-annonces] Summary of SecurityFocus Newsletter #196

Marc SCHAEFER schaefer at alphanet.ch
Wed May 14 19:02:58 CEST 2003

KDE Konqueror Malformed HTML Page Denial of Service Vulnerability
BugTraq ID: 7486
Remote: Yes
Date Published: May 02 2003 12:00AM
Relevant URL:

Konqueror is an Open Source web browser, shipped with the KDE desktop. It
is available on Linux platforms.

KDE Konqueror has been reported prone to a denial of service vulnerability
when rendering an HTML page that contains malformed data. Specifically, when
the Konqueror browser attempts to render a page containing 30000 bytes of
repeating '\xFF\xFE\r\r\n' sequences, it will crash, dumping a core file in
the process.

An attacker may exploit this vulnerability to trigger a denial of service
condition in a remote user's Konqueror web session.

Although unconfirmed, this vulnerability may be exploited to execute
attacker-supplied code.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information becomes available.

Ethereal Multiple Dissector One Byte Buffer Overflow Vulnerabilities
BugTraq ID: 7493
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

Several dissectors included with Ethereal are vulnerable to buffer
overflow conditions. Specifically, the dissectors were using the
tvb_get_nstringz() and tvb_get_nstringz0() functions in an unsafe manner.
Exploitation of this issue will allow an attacker to overflow memory
buffers by one byte. The AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2,
Quake3, Rsync, SMB, SMPP, and TSP dissectors are vulnerable to this issue.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissectors or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.11 and earlier.

[ also the `dissectors' Mount, PPP, 

Microsoft MN-500 Plaintext Password Disclosure Weakness
BugTraq ID: 7496
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:

The MN-500 Wireless Base Station provides a wireless networking solution
to home and business networks.

A weakness has been reported for the MN-500 device that may result in the
disclosure of administrative credentials to remote attackers. Reportedly,
the issue exists due to backup configuration files storing administrative
passwords in a plaintext format.

An attacker who is able to obtain the backup configuration file is able to
obtain the administrative password.

[ hardware ]

Mod_Survey SYSBASE Disk Resource Consumption Denial of Service Vulnerability
BugTraq ID: 7498
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:

Mod_Survey is an Apache module designed to process and display XML-based
questionnaires and surveys. It is available for the Linux, Unix, and
Microsoft Windows operating systems.

The SYSBASE variable is used by Mod_Survey when accessing requested survey
files. The value of SYSBASE is initialized to the location of the survey
file and is used to create a subdirectory for the storage of various
survey-related files including cache files and questionnaire response
data. The subdirectory is placed within the central data repository,
typically /usr/local/mod_survey/data.

A vulnerability has been discovered in Mod_Survey when handling requests
for nonexistent surveys. Before verifying the existence of a requested
survey file the SYSBASE variable is initialized, triggering the creation
of an unneeded directory. The validity of the requested survey file is
subsequently verified.

Exploitation of this vulnerability may allow an attacker to carry out a
denial of service attack, designed to consume available hard disk space or
inodes. The consumption of resources may cause a target server to crash.

This vulnerability affects Mod_Survey versions prior to 3.0.15.

GNU Privacy Guard Insecure Trust Path To User ID Weakness
BugTraq ID: 7497
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:

GNU Privacy Guard is a free, open source, multi-platform replacement for PGP.

GNU Privacy Guard has been reported prone to a weakness involving the
validity of multiple user IDs. It has been reported that GNUPG does not
sufficiently differentiate between the validity given to individual IDs on
a public key that has multiple user IDs linked to it. The amount of
validity given is reportedly the same for all IDs as given to the most
valid ID on the key.

This may result in an untrusted user ID, linked to a key that contains a
trusted ID as the most valid ID, being accepted as valid. Data will be
encrypted to the untrusted ID without any warning. This may result in the
leakage of data presumed destined to a trusted user; other attacks may
also be possible.

MySQL Weak Password Encryption Vulnerability
BugTraq ID: 7500
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:

MySQL is an open source relational database project. It is available for
the Microsoft Windows, Linux, and Unix operating systems.

MySQL has been reported prone to a weak password hashing algorithm. It
has been reported that the MySQL function used to hash MySQL passwords
makes just one pass over the password and employs a weak left-shift-based
cipher. The output of this function is a password hash of low
entropy. Because of the low complexity of the algorithm used to create the
MySQL password hash, the hash may be cracked in little time by
brute-forcing an identical hash and thereby recovering the cleartext
password.

An attacker may use information recovered in this way to aid in further
attacks launched against the underlying system.
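As an added example (not code from the newsletter, SecurityFocus or MySQL itself), the Python block below re-implements the one-pass, shift-based pre-4.1 PASSWORD() algorithm the entry describes, using the public seed constants from MySQL's sql/password.c, and pairs it with a check a DBA could run over a mysql.user dump to find accounts that still hold the 16-hex-digit legacy hash. The function names mysql323_hash and legacy_hash_accounts and the SAMPLE_USERS rows are assumed here, not from the page.

```python
import re

def mysql323_hash(password: str) -> str:
    """Single pass over the password: shift, multiply and xor into two 32-bit words.

    Seed constants and update rule are the public ones from MySQL's sql/password.c.
    """
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":          # spaces and tabs are silently skipped by design
            continue
        c = ord(ch)
        nr ^= (((nr & 63) + add) * c) + (nr << 8)
        nr &= 0xFFFFFFFF         # keep 32-bit semantics of the original C code
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += c
    # The sign bit of each word is dropped, so the hash carries at most 62 bits,
    # and there is no salt: equal passwords always produce equal hashes.
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

# A legacy hash is exactly 16 lowercase hex digits; the 41-character '*'-prefixed
# format of later MySQL releases does not match this pattern.
LEGACY_HASH = re.compile(r"^[0-9a-f]{16}$")

def legacy_hash_accounts(user_rows):
    """Return (User, Host) pairs whose Password column is a legacy 16-digit hash."""
    return [(user, host) for user, host, pw in user_rows if LEGACY_HASH.match(pw)]

# Constructed sample of `SELECT User, Host, Password FROM mysql.user` output.
SAMPLE_USERS = [
    ("root",   "localhost", mysql323_hash("s3cret")),
    ("app",    "10.0.0.%",  "*" + "0" * 40),            # constructed newer-format value
    ("backup", "localhost", mysql323_hash("backup pass")),
]

if __name__ == "__main__":
    for user, host in legacy_hash_accounts(SAMPLE_USERS):
        print("legacy 16-digit password hash still in use: %s@%s" % (user, host))
```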

Youbin HOME Buffer Overflow Vulnerability
BugTraq ID: 7503
Remote: No
Date Published: May 06 2003 12:00AM
Relevant URL:

youbin is a network based mail arrival notification service designed to
replace biff.

It has been reported that youbin is vulnerable to a locally exploitable
buffer overflow vulnerability. The vulnerability is related to the
handling of the HOME environment variable.

Specifically, an internal memory buffer may be overrun while handling a
HOME environment variable containing excessive data. This condition may be
exploited by attackers to corrupt memory adjacent to the affected buffer.

Because adjacent memory may contain values that are crucial to the
control of program execution flow, an attacker may be capable of executing
arbitrary instructions with the privileges of the youbin process,
typically root.

It should be noted that although this vulnerability has been reported to
affect youbin version 3.4, previous versions might also be affected.

Leksbot Multiple Unspecified Vulnerabilities
BugTraq ID: 7505
Remote: No
Date Published: May 06 2003 12:00AM
Relevant URL:

Leksbot is a freely available dictionary of botanical terms. It is
available for a variety of platforms including Microsoft Windows and Linux.

Multiple vulnerabilities have been reported for Leksbot. The precise
nature of these vulnerabilities is currently unknown; however,
exploitation of this issue may result in an attacker obtaining elevated

Reportedly, in some installations of Leksbot, the /usr/bin/KATAXWR is
unnecessarily configured to be a setuid root binary. Systems configured in
this manner may be prone to a security risk, as an attacker may be capable
of gaining root privileges.

These vulnerabilities have been confirmed to affect Debian installations
of Leksbot. Although unconfirmed, Leksbot installations on other systems
may also be prone to this issue.

This BID will be updated as further information is available.

Siemens Mobile Phones %IMG_NAME Denial Of Service Vulnerability
BugTraq ID: 7507
Remote: Yes
Date Published: May 06 2003 12:00AM
Relevant URL:

Siemens Mobile Phones are prone to a denial of service when handling
malformed image attachments in SMS messages. This is reportedly due to a
boundary condition error.

The correct syntax for image attachments is "%IMG_NAME", where IMG_NAME is
the name of the image to be attached. This condition will occur if the
value of IMG_NAME is 157 characters in length. A denial of service
may occur when such a malformed SMS is received, causing the phone to
disconnect. It has also been reported that the user will not be able to
access their INBOX. It should be noted that this condition could also
occur if a user sends the malformed message from a vulnerable Siemens
mobile phone.

This vulnerability was reported in Siemens *45 Series phones, but other
phones may also be affected.

[ hardware ]
