[gull-annonces] Summary of SecurityFocus Newsletter #198

Marc SCHAEFER schaefer at alphanet.ch
Wed May 28 14:45:30 CEST 2003


SLocate Path Malloc Integer Signing Heap Overflow Vulnerability
BugTraq ID: 7629
Remote: No
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7629
Summary:

slocate is the Secure Locate program.  It is available for various UNIX
operating systems and is in the public domain.

A problem with slocate may make it possible for a local user to gain
unauthorized privileges.

It has been reported that slocate is vulnerable to a signed integer
overflow issue when handling data in the environment variable
SLOCATE_PATH.  Because of this problem, it may be possible for a local
attacker to cause a heap corruption issue, potentially executing code.

The problem is in the handling of large amounts of data in the
SLOCATE_PATH variable.  By placing a specially crafted string in the
environment variable, an attacker could cause a signed integer value to
wrap, resulting in an insufficient amount of malloc'd memory.  This could
potentially be exploited by the attacker to execute code with the
privileges of the slocate program.
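The sizing mistake the advisory describes, shown as an added example that is not slocate's code: a signed computation of the buffer size for an expanded path can wrap, while a size_t computation with an explicit pre-check refuses instead of allocating too little. The expansion rule (each byte may double, plus a NUL; ':' becomes "\:") is an assumption made for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed expansion rule for this example (not slocate's real one):
 * every byte of the path may become two bytes, plus a terminating NUL,
 * so the buffer needs 2*len + 1 bytes. */

/* Returns 1 when computing 2*len + 1 in a signed int would overflow.
 * That is the wrap the advisory describes: the sum goes negative, and
 * passing it to malloc() converts it to size_t, so the allocation no
 * longer matches the copy that follows and the heap is corrupted. */
int signed_size_would_wrap(size_t len)
{
    return len > (size_t)(INT_MAX - 1) / 2;
}

/* Hardened sizing: unsigned arithmetic with an explicit pre-check.
 * Returns the required size, or 0 (never a valid size here) on overflow. */
size_t checked_expand_size(size_t len)
{
    if (len > (SIZE_MAX - 1) / 2)
        return 0;
    return len * 2 + 1;
}

/* Builds the expanded copy, escaping each ':' as "\:" (constructed rule).
 * Returns NULL instead of ever allocating an undersized buffer. */
char *expand_path_checked(const char *path)
{
    size_t len = strlen(path), need = checked_expand_size(len), i, j = 0;
    char *buf;
    if (need == 0 || (buf = malloc(need)) == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        if (path[i] == ':')
            buf[j++] = '\\';
        buf[j++] = path[i];
    }
    buf[j] = '\0';
    return buf;
}

/* Check helper: 1 if path expands to exactly expected, 0 otherwise. */
int expands_to(const char *path, const char *expected)
{
    char *e = expand_path_checked(path);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}
```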

Snort Spoofed Packet TCP State Evasion Vulnerability
BugTraq ID: 7635
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7635
Summary:

Snort is a freely available, open source intrusion detection system. It is
available for Unix, Linux, and Microsoft Windows platforms.

A vulnerability has been reported within the spp_stream4.c source file.
The problem is said to occur while maintaining the state of an established
session.

Specifically, Snort is said to call UpdateState before verifying the
legitimacy of a packet received from a client partaking in a legitimate
session. As a result, it may be possible to corrupt stateful inspection
carried out by Snort.

This issue can be triggered by forging a packet to a server containing the
legitimate client source IP and port.  When encountered by Snort, the
state of the session is updated before verifying that the packet is a
legitimate part of the established session. However when the packet is
received by the server, due to invalid sequence and acknowledgement data,
the packet will be dropped.

An attacker could exploit this vulnerability to trigger a situation under
which legitimate session traffic transmitted would no longer be detected
by Snort.

This vulnerability has been reported to affect Snort 2.0.0rc2; however,
other versions may also be affected.

It should be noted that this is a theoretical issue and has not yet been
officially confirmed.

CUPS Cupsd Request Method Denial Of Service Vulnerability
BugTraq ID: 7637
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7637
Summary:

CUPS, Common Unix Printing System, is a widely used set of printing
utilities for Unix based systems.

cupsd has been reported to be prone to a denial of service vulnerability.

The issue presents itself when a remote attacker sends an incomplete
HTTP POST request. cupsd does not adequately apply a timeout to the
operation, and service is denied to subsequent cupsd requests.

This issue may be exploited by remote attackers to deny cupsd service to
legitimate users.

WSMP3 Remote Information Disclosure Vulnerability
BugTraq ID: 7642
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7642
Summary:

WsMp3 is a web server designed to stream MP3 files over the internet. It
is available for the Linux operating system.

A vulnerability has been reported for WsMp3. The problem is said to occur
due to insufficient sanitization of HTTP GET requests. Specifically, WsMp3
fails to strip directory traversal sequences (../) from requests. As a
result, an attacker may be capable of accessing the contents of sensitive
system resources. Information obtained in this manner may aid an attacker
in launching further attacks against the target system.

All files accessed in this manner are read with the privileges of
WsMp3d, typically root.

This vulnerability is said to affect WsMp3 0.0.10 and earlier.

[ unclear licence ]

WSMP3 Remote Command Execution Vulnerability
BugTraq ID: 7645
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7645
Summary:

WsMp3 is a web server designed to stream MP3 files over the internet. It
is available for the Linux operating system.

A vulnerability has been reported for WsMp3. The problem is said to occur
due to insufficient sanitization of HTTP POST requests. Specifically,
WsMp3 fails to strip directory traversal sequences (../) from requests. As
a result, an attacker may be capable of running arbitrary executables.
This may lead to the complete compromise of a target system.

All files executed in this manner would be invoked with the privileges of
WsMp3d, typically root.

This vulnerability is said to affect WsMp3 0.0.10 and earlier.
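The check both WsMp3 advisories above say is missing (BIDs 7642 and 7645), as an added example that is not WsMp3's code: reject any request path that carries a ".." component before joining it to the document root. It assumes the request path has already been percent-decoded; the function and root path used here are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the (already percent-decoded) request path is acceptable:
 * it starts with '/' and no '/'-separated component is "..".
 * Returns 0 otherwise. Decoding "%2e" etc. before this call is assumed. */
int request_path_is_safe(const char *req)
{
    const char *p = req, *seg;
    size_t n;
    if (req == NULL || req[0] != '/')
        return 0;
    while (*p) {
        while (*p == '/')
            p++;                         /* skip one or more separators */
        seg = p;
        while (*p && *p != '/')
            p++;
        n = (size_t)(p - seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;                    /* ".." component: traversal */
    }
    return 1;
}

/* Build "<root><req>" only when the request passes the check above.
 * Returns 1 on success, 0 on rejection or truncation of the output. */
int build_doc_path(const char *root, const char *req, char *out, size_t outsz)
{
    int w;
    if (!request_path_is_safe(req))
        return 0;
    w = snprintf(out, outsz, "%s%s", root, req);
    return w >= 0 && (size_t)w < outsz;
}

/* Check helper: 1 if build_doc_path yields exactly expected, 0 otherwise. */
int doc_path_equals(const char *root, const char *req, const char *expected)
{
    char buf[256];
    return build_doc_path(root, req, buf, sizeof buf) &&
           strcmp(buf, expected) == 0;
}
```

Rejecting ".." components is only a lexical check; a server running as root, as the advisory notes WsMp3d typically does, should also drop privileges so that a missed case cannot read or run arbitrary files.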

WSMP3 Request Data Heap Overflow Vulnerability
BugTraq ID: 7643
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7643
Summary:

WSMP3 is a freely available server that allows users to stream MP3 files.

WSMP3 is prone to a remotely exploitable heap overflow.  Request data,
which will be stored in dynamically allocated memory, is not sufficiently
checked for a bounds violation before being freed.  This lack of bounds
checking occurs in multiple places in the 'req_descriptor.c' source file.
An attacker may leverage this condition to corrupt malloc headers with
custom data.

It is possible to exploit this issue to execute malicious instructions
with the privileges of the WSMP3 server.

Slackware rc.M Runlevel Script Unexpected Partition Remounting Weakness
BugTraq ID: 7654
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7654
Summary:

The rc.M runlevel script used by Slackware is invoked when a system is
entering multi-user mode. During the execution of rc.M the
'/sbin/quotacheck' file is invoked, which is used to analyze the usage of
files and directories on a target filesystem.

A weakness has been discovered in the rc.M runlevel script when invoking
quotacheck. The problem lies in the use of the '-M' command-line switch,
in place of the intended '-m' switch. As a result, the '-M' will cause the
filesystem and thus corresponding partition to be remounted. When this
occurs any normally enforced mount options, such as 'noexec', 'nosuid',
etc may not be used.

This may give an administrator a false sense of security.  Furthermore,
access to less restrictive partitions may aid a local attacker in
successfully launching unrelated attacks.

This vulnerability is said to affect the Slackware 9.0 rc.M script,
however earlier releases of Slackware may also be affected.

OpenLDAP LDBM_Back_Exop_Passwd Denial Of Service Vulnerability
BugTraq ID: 7656
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7656
Summary:

OpenLDAP is an open-source implementation of the LDAP protocol.

OpenLDAP is prone to a remotely exploitable denial of service.  Under some
circumstances, the server may attempt to free an uninitialized structure
during authentication.  This issue exists in the 'password.c' source file.
According to the vendor, this issue can occur when 'struct berval' is
uninitialized and freed by the ldbm_back_exop_passwd() function (which
handles LDAP Modify Password Extended Operations).

This could deny availability of LDAP services to legitimate users.

Nessus LibNASL Arbitrary Code Execution Vulnerability
BugTraq ID: 7664
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7664
Summary:

Nessus is a vulnerability scanning utility available for the Unix and
Microsoft Windows operating systems. libnasl is a library used by Nessus
to process NASL scripts.

Nessus has reported that various flaws have been discovered in the libnasl
library. Amongst other functions, scanner_add_port(), insstr() and
ftp_log_in() fail to sufficiently handle malformed parameters and may
allow a script to break out of the established sandbox environment. As a
result, it may be possible for a malicious Nessus plugin to execute
arbitrary system commands with the privileges of the Nessus application,
possibly root.

It should be noted that this malicious script must be a legitimate plugin
which has been uploaded to the Nessus server. Furthermore, the affected
Nessus application must have enabled the 'plugins_upload' option, which is
disabled by default.

The precise details regarding this vulnerability are currently unknown.
This BID will be updated as further information becomes available.

Although unconfirmed, these vulnerabilities may be exploited to execute
arbitrary attacker-supplied code.

This issue affects Nessus version 2.05 and earlier.

[ + the weekly problems with phpnuke and other software. ]
