[gull-annonces] Résumé SecurityFocus Newsletter #197

Marc SCHAEFER schaefer at alphanet.ch
Tue May 20 18:30:59 CEST 2003

Boa Webserver File Disclosure Vulnerability
BugTraq ID: 7544
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:

Boa is a single-tasking, high performance web server for Unix based

Boa webserver has been reported prone to a file disclosure vulnerability.
The issue presents itself due to a lack of sufficient sanitization
performed on user-supplied HTTP requests.

Reportedly an attacker may exploit this vulnerability by submitting an HTTP
request that contains dot-dot (../..) directory traversal sequences
designed to break out of the web root and access a webserver-readable file
on the vulnerable system. Reportedly the file contents will be displayed
in the attacker's browser.

It should be noted that Boa webserver version '0.92r' on the 'PowerLinkT
WAN Aggregator' appliance has been reported vulnerable. It is not yet
confirmed if other platforms are vulnerable; this issue was not
reproducible on Boa webserver version '0.92r' compiled and installed on
Red Hat Linux 6.2.

This issue may be related to the vulnerability reported in BID 1770.

Firebird GDS_Inet_Server Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7546
Remote: No
Date Published: May 10 2003 12:00AM
Relevant URL:

Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems. As Firebird is based on
Borland/Inprise Interbase source code, it is very likely that Interbase is
prone to this issue also.

A problem with Firebird could make it possible for a local user to gain
elevated privileges.

A buffer overflow has been discovered in the setuid root program
gds_inet_server, packaged with Firebird.  This problem could allow a local
user to execute the program with strings of arbitrary length.  By using a
custom crafted string, the attacker could overwrite stack memory,
including the return address of a function, and potentially execute
arbitrary code as root.

The vulnerability occurs in the INTERBASE environment variable.  When the
gds_inet_server program is executed with a string of arbitrary length
(typically 500 or more bytes) in the INTERBASE environment variable, the
result is an exploitable buffer overflow.

This could make it possible for a local user to gain administrative

Info-ZIP UnZip Encoded Character Hostile Destination Path Vulnerability
BugTraq ID: 7550
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:

Info-ZIP UnZip contains a vulnerability during the handling of pathnames
for archived files. Specifically, when certain encoded characters are
inserted into '../' directory traversal sequences, the creator of the
archive can cause the file to be extracted to arbitrary locations on the
filesystem - including paths containing system binaries and other
sensitive or confidential information.

This allows an attacker to create a file in a hostile archive that will be
placed anywhere on the target system.

This can be used to create or overwrite binaries in any desired location.
Properly exploited, this may grant the archive creator an elevation of

This vulnerability was reported to affect Info-ZIP UnZip 5.50 and it is
likely that earlier versions may be affected. This issue is similar to the
vulnerability described in BID 5835.
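The check both the Boa entry above and this UnZip entry call for is the same: resolve the untrusted path lexically first, then make sure it never leaves the root. This is an added example with a hypothetical resolve_under_root() helper, not Boa's or UnZip's own code; it also rejects control bytes up front, because a filter that strips odd bytes after the check could reassemble a '..'.

```c
#include <stdio.h>
#include <string.h>

/* Resolve an untrusted relative path (an HTTP request path or an archive
 * entry name) under a fixed root. Hypothetical helper, not Boa's or
 * UnZip's code. Returns 0 and fills out on success, -1 if the path would
 * escape the root, contains control bytes, or does not fit in out. */
static int resolve_under_root(const char *root, const char *path,
                              char *out, size_t outlen)
{
    const char *segs[256];          /* kept path segments */
    size_t lens[256];
    int depth = 0;
    const unsigned char *p = (const unsigned char *)path;

    /* Reject control bytes up front: a filter that strips them *after*
     * this check could turn ".<ctrl>./" into "../". */
    for (const unsigned char *q = p; *q; q++)
        if (*q < 0x20 || *q == 0x7f) return -1;

    /* Walk the segments, resolving "." and ".." lexically. */
    while (*p) {
        while (*p == '/') p++;      /* skip empty segments ("//") */
        if (!*p) break;
        const char *start = (const char *)p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)((const char *)p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;  /* ".." would climb above root */
            depth--;
            continue;
        }
        if (depth == 256) return -1;
        segs[depth] = start; lens[depth] = len; depth++;
    }

    /* Emit root + "/segment"..., refusing truncation. */
    int n = snprintf(out, outlen, "%s", root);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t used = (size_t)n;
    for (int i = 0; i < depth; i++) {
        n = snprintf(out + used, outlen - used, "/%.*s", (int)lens[i], segs[i]);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return 0;
}
```

The same function serves a web server resolving a request URI and an extractor deciding where an archive entry may be written.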

BitchX Mode Change Denial Of Service Vulnerability
BugTraq ID: 7551
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

A denial of service vulnerability has been reported for BitchX. It is
possible to cause BitchX to crash when certain mode changes are made.

The vulnerability exists in the names.c source file where a check is not
made for any arguments provided with a mode change.

The precise details of this vulnerability are currently unknown. This BID
will be updated as more information becomes available.

This vulnerability affects BitchX cvs versions prior to 05/09/2003.

Apple AirPort Administrative Password Encryption Weakness
BugTraq ID: 7554
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:

The Apple Airport device is a wireless access point which implements the
802.11b wireless protocol. It is possible to administer the Airport device
remotely by using a custom administration protocol. This protocol
operates in plaintext; however, sensitive authentication credentials
are obfuscated before transmission.

A weakness has been discovered in the encoding mechanism used to obfuscate
administrative user credentials. Specifically, the administrator password
is XOR encoded against a 32-bit key.

An attacker capable of intercepting authentication-based network traffic
may trivially deduce the key. As a result, an unauthorized remote user may
gain administrative access to a target device.

[ hardware ]

Pi3Web Malformed GET Request Denial Of Service Vulnerability
BugTraq ID: 7555
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:

Pi3Web is a free, multi-platform, configurable HTTP server and development

It has been reported that Pi3Web server is prone to a denial of service
vulnerability. Reportedly when a malicious GET request containing 354 '/'
characters is sent to the Pi3Web server the server will fail. It should be
noted that the Unix version has been reported vulnerable; it is not
currently known if other platforms are affected.

Although unconfirmed, due to the nature of this vulnerability, it may be
possible for an attacker to exploit this issue to corrupt sensitive Pi3Web
memory. If this is possible, an attacker may have the ability to supply
and execute arbitrary code.

Precise technical details regarding this vulnerability are not currently
known. This BID will be updated as further details are disclosed.

CDRTools CDRecord Devname Format String Vulnerability
BugTraq ID: 7565
Remote: No
Date Published: May 13 2003 12:00AM
Relevant URL:

CDRecord is a component of the CDRTools package. CDRecord is a CD-Burning
application developed for UNIX and Win32 platforms.

CDRecord has been reported prone to a format string vulnerability. The issue
presents itself due to a programming error that occurs when calling a
printf-like function. Specifically, insufficient format specifiers are
supplied when calling the js_sprintf() function in the 'scsiopen.c' source

It has been reported that by harnessing an unsupported feature of the
CDRecord utility, an attacker may supply format string specifiers as a
'dev' argument passed to the vulnerable utility.

When the device name is processed the malicious format string specifiers
may be interpreted. As a result, by supplying specifiers designed to write
to memory it may be possible for sensitive locations in memory to be
corrupted. This may ultimately result in the execution of
attacker-supplied code in the context of the CDRecord utility.

It should be noted that reports indicate CDRecord as being installed
setUID root on several distributions.

It should be noted that although this vulnerability has been reported to
affect CDRecord version 2.0, previous versions might also be affected.
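The defect class above is a user-controlled string used as the format argument of a printf-like function. As an added example (msg_printf is a hypothetical stand-in, not the real js_sprintf), this shows the hardened call shape, where the device name is only ever an argument to a fixed format, and the compiler attribute that makes GCC/Clang with -Wformat -Wformat-security flag any non-literal format string at build time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-like message helper (not the real js_sprintf).
 * The format attribute tells the compiler which argument is the format,
 * so -Wformat -Wformat-security warns on msg_printf(buf, n, devname). */
static int msg_printf(char *buf, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int msg_printf(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);   /* bounded, never writes past n */
    va_end(ap);
    return r;
}

/* Vulnerable shape, as the advisory describes it: the attacker-chosen
 * device name *is* the format string, so "%n" etc. get interpreted.
 *   msg_printf(buf, n, devname);                         // DON'T
 * Hardened shape: fixed literal format, device name passed as data. */
static const char *describe_device(const char *devname, char *buf, size_t n)
{
    int r = msg_printf(buf, n, "Cannot open device '%s'", devname);
    if (r < 0 || (size_t)r >= n)
        return NULL;                  /* encoding error or truncated */
    return buf;
}
```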

Intel Itanium 2 Processor Denial of Service Vulnerability
BugTraq ID: 7585
Remote: No
Date Published: May 13 2003 12:00AM
Relevant URL:

A vulnerability has been discovered in the Intel Itanium 2 processor. The
problem occurs when a specially constructed procedure is encountered. When
the operation is carried out, the processor may become unstable and cease
to function.

The details regarding the specific operations which will trigger this
condition are currently unknown. However, if an attacker were somehow
capable of executing these instructions on a target user's system, it may
be possible to trigger the condition.

A reboot may be required to return to typical functionality, although it
is not currently known whether this crash will permanently affect the

It should be noted that this BID will be updated as further information is
made available.

[ hardware ]

Poptop PPTP BCRELAY fscanf() Buffer Overflow Vulnerability
BugTraq ID: 7590
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:

PoPToP is a PPTP server available for a variety of operating systems.

A vulnerability has been discovered in PoPToP PPTP which may be exploited
by a local attacker to execute arbitrary code with elevated privileges.

The launch_bcrelay() function, located in the pptpctrl.c source file,
attempts to open a process file from within the /var/run directory. Data
is later copied from the file into a 64 byte memory buffer (pid_string).
It has been discovered that launch_bcrelay() fails to carry out sufficient
bounds checking before calling the fscanf() function to copy the file data
into pid_string. As a result, if excessive data were situated within the
file the pid_string buffer would be overrun.

An attacker could exploit this vulnerability by creating a malicious
poptop process file within the /var/run directory. The file must contain
65 or more bytes of data, including a payload containing embedded machine
instructions and replacement addresses.

Successful exploitation of this issue would result in the execution of
arbitrary instructions with the privileges of PoPToP, possibly root.

It should be noted that this issue may only present itself when the
BCRELAY option has been enabled. This option is not enabled by default.
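An added example, not Poptop's or Firebird's code, of the bounded-input discipline both this entry and the Firebird INTERBASE entry above lack: the pid file is read with a length-limited fgets() and validated as a number instead of an unbounded fscanf() into the 64-byte pid_string (the exact form of the original call is an assumption, noted in the comment), and an environment variable is copied into a fixed buffer only when it fits.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PID_STRING_LEN 64   /* the buffer size the advisory gives for pid_string */

/* Assumed vulnerable shape: an unbounded %s conversion writes as many bytes
 * as the file holds into a 64-byte stack buffer.
 *   char pid_string[64];
 *   fscanf(fp, "%s", pid_string);            // no field width -> overrun
 * The minimal fix is a width ("%63s"); the version below also rejects
 * oversized or non-numeric content instead of silently truncating it. */
static long read_pid_from_file(FILE *fp)
{
    char pid_string[PID_STRING_LEN];

    if (fgets(pid_string, sizeof pid_string, fp) == NULL)
        return -1;
    /* No newline inside the buffer means the line was longer than the
     * buffer: treat the file as corrupt rather than parsing a prefix. */
    char *nl = strchr(pid_string, '\n');
    if (nl == NULL) return -1;
    *nl = '\0';

    char *end;
    errno = 0;
    long pid = strtol(pid_string, &end, 10);
    if (errno != 0 || end == pid_string || *end != '\0' || pid <= 0 || pid > INT_MAX)
        return -1;
    return pid;
}

/* Same discipline for an environment variable such as INTERBASE (Firebird
 * entry above): copy into the fixed buffer only if the value fits. */
static int copy_env_bounded(const char *name, char *dst, size_t dstlen)
{
    const char *val = getenv(name);
    if (val == NULL) return -1;
    size_t len = strlen(val);
    if (len >= dstlen) return -1;   /* refuse rather than truncate */
    memcpy(dst, val, len + 1);
    return 0;
}
```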

3Com OfficeConnect ADSL Router DHCP Response Information Disclosure Vulnerability
BugTraq ID: 7592
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:

OfficeConnect ADSL routers are hardware and switch solutions distributed
by 3Com.

A problem with the OfficeConnect routers may make it possible for
attackers to view potentially sensitive information. The vulnerability
exists due to a flaw in the way memory is initialized when responding to
certain requests. Specifically, when DHCP requests are initiated by
clients, the router fails to properly initialize memory buffers which may
result in the leakage of potentially sensitive information.

An attacker can exploit this vulnerability by making a DHCP request to a
vulnerable router. This will result in the router answering the DHCP query
without first properly initializing memory buffers. Successful
exploitation may result in the attacker being able to view the contents of
previous HTTP requests to the device.

This vulnerability was reported to affect 3Com OfficeConnect DSL Router
812 with firmware 1.1.7.  Additional reports indicate that the 1.1.9
firmware is also affected.

[ hardware ]

There are also problems with Netscape and other proprietary software, as
well as with lots of PHP scripts such as phpnuke.
