[gull-annonces] Summary of SecurityFocus Newsletter #221

Marc SCHAEFER schaefer at alphanet.ch
Tue Nov 4 18:11:02 CET 2003


Apache Cocoon Directory Traversal Vulnerability
BugTraq ID: 8883
Remote: Yes
Date Published: Oct 24 2003
Relevant URL: http://www.securityfocus.com/bid/8883
Summary:
Apache Cocoon is an XML Web development framework by Apache.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to traverse outside the server root directory in order
to access sensitive server readable files.  The problem is reported to
exist in the sample "view-source" script.

The issue presents itself due to insufficient sanitization of
user-supplied input to the "filename" parameter and may allow an attacker
to access unauthorized information by issuing '../../../' character
sequences.

This vulnerability may be successfully exploited to gain sensitive
information about a vulnerable host that could be used to launch further
attacks against the system.

Apache Cocoon version 2.1 and 2.2 before 22 Oct 2003  have been reported
to be affected by this issue, however other versions may be affected as
well.

SH-HTTPD Character Filtering Remote Information Disclosure V...
BugTraq ID: 8897
Remote: Yes
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8897
Summary:
sh-httpd is a freely available, open source web server written in shell.
It is available for the Unix and Linux platforms.

A problem has been identified in the handling of some characters by
sh-httpd.  Because of this, an attacker may be able to gain unauthorized
access to information.

The problem is in the handling of the asterisk character.  When a request
is made to the service for a directory listing using the asterisk
character (*), it is possible to see the contents of the entire directory
requested.  An attacker could use this issue to gather information about
host design, services enabled, and other potentially restricted
information.

[ well, don't do that ]

RedHat Apache Directory Index Default Configuration Error
BugTraq ID: 8898
Remote: Yes
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8898
Summary:
A vulnerability has been reported to be present in the RedHat Apache
configuration that may allow a remote attacker to view directory listings by
sending a specific HTTP GET request.

It has been reported that this issue exists even when autoindex for the
root directory has been disabled and a default welcome page is supposed to
be displayed.  A request for '//' reportedly evades a rule designed to
prevent Apache from displaying directory listings with a request for '/'.

Successful exploitation of this issue results in disclosure of sensitive
information which may be useful in further attacks against the system.

This problem has been reported to exist in Apache 2.0.40 shipped with
RedHat Linux 9.0.  It is possible that other versions are affected as
well.

Musicqueue SIGSEGV Signal Handler Insecure File Creation Vul...
BugTraq ID: 8899
Remote: No
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8899
Summary:
Musicqueue is a CGI-based jukebox utility designed to invoke external
programs to carry out a variety of tasks. Musicqueue is available for the
Linux operating system. This program includes a make suid installation
option, which will install the utility with suid and sgid privileges of
the installing user.

When the Musicqueue utility is invoked, the crash() function is registered
as the handling procedure for any generated SIGSEGV signals. The function's
sole functionality is calling the gcgiSaveEnvVariables() library function,
which takes a single argument that is the name of a temporary file. The
CGI environment variable data of the program that encountered the
segmentation violation is then stored within this file.

It has been discovered that the crash() signal handler incorrectly passes
the aforementioned library function a predictable filename for the storage
of environment information, specifically "/tmp/musicqueue.crash". As a
result, when handling a SIGSEGV signal, Musicqueue may be prone to
symbolic link attacks.

Due to the potentially attacker-controllable data contained within
environment variables, it is believed to be trivial for an attacker to
elevate privileges to those of the owner or group of the executable. On
some installations, this may effectively result in root compromise.

This vulnerability is said to affect Musicqueue 1.2.0, however earlier
versions may also be affected.
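
How a crash file can be created without following a link planted at a predictable name, as an added example (not Musicqueue's code; the function names and the scratch directory are assumptions). It shows an exclusive open refusing an existing symlink, and mkstemp() as the unpredictable-name alternative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file that must not already exist. With O_CREAT|O_EXCL, open()
 * fails if anything occupies the name, including a dangling symlink, so a
 * link planted in advance is never followed. */
static int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Alternative: let mkstemp() choose an unpredictable name. tmpl must end in
 * "XXXXXX" and is rewritten in place with the name that was created. */
static int create_unpredictable(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed scenario in a private scratch directory: a symlink already sits
 * at the fixed name and points at a file that does not exist yet.
 * Returns 0 if the link is refused and its target is never created. */
static int symlink_demo(void)
{
    char dir[] = "/tmp/crashdemo.XXXXXX";
    char target[64], fixed[64], tmpl[64];
    struct stat st;
    int rc = 1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(fixed, sizeof fixed, "%s/app.crash", dir);
    snprintf(tmpl, sizeof tmpl, "%s/app.crash.XXXXXX", dir);

    if (symlink(target, fixed) == 0) {
        int fd = create_exclusive(fixed);
        int refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
        if (fd != -1) close(fd);
        int untouched = (stat(target, &st) == -1 && errno == ENOENT);
        int tfd = create_unpredictable(tmpl);
        if (tfd != -1) close(tfd);
        if (refused && untouched && tfd != -1) rc = 0;
    }
    unlink(tmpl); unlink(fixed); unlink(target); rmdir(dir);
    return rc;
}

int main(void) { return symlink_demo(); }
```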

IWConfig Local ARGV Command Line Buffer Overflow Vulnerabili...
BugTraq ID: 8901
Remote: No
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8901
Summary:
iwconfig is a freely available, open source wireless connection management
tool for Linux.

A problem has been identified in the iwconfig program when handling
strings on the commandline.  Because of this, a local attacker may be able
to gain elevated privileges.

The problem is in bounds checking.  It is possible to produce an
exploitable stack overflow by passing an argument of 96 or more bytes of
data as an argument to the program.  This problem is likely an overflow in
a function to which the data from ARGV is passed.

It should be noted that the iwconfig program is typically installed as a
setuid executable by default.

Musicqueue Multiple Buffer Overrun Vulnerabilities
BugTraq ID: 8903
Remote: No
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8903
Summary:
Musicqueue is a CGI-based jukebox utility designed to invoke external
programs to carry out a variety of tasks. Musicqueue is available for the
Linux operating system. This program includes a make suid installation
option, which will install the utility with suid and sgid privileges of
the installing user.

Multiple buffer overrun vulnerabilities have been discovered in
Musicqueue. Both issues stem from the lack of bounds checking when passing
user-supplied input to the sprintf() libc function. As a result, it may be
possible for an attacker to execute arbitrary code with the privileges of the
affected application, possibly installed suid or sgid.

The problems specifically occur within the openLang() and langExists()
functions, passed the user-controllable 'language' parameter. It has been
reported that the openLang() issue may not be exploitable due to the
malicious data being limited to a range of ascii characters from 'a' to
'z'. However, it may be possible to carry out a partial pointer overwrite
in such a way that execution flow can be controlled. The langExists()
overrun is said to be trivially exploitable.

It should be noted that due to the nature of both of these issues,
triggering the bugs will potentially cause a SIGSEGV signal to be
generated. As a result, these vulnerabilities may be used in conjunction
with the vulnerability described in BID 8899, to effectively allow for
privilege elevation.

thttpd defang Remote Buffer Overflow Vulnerability
BugTraq ID: 8906
Remote: Yes
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8906
Summary:
thttpd is an HTTP web server application.

A vulnerability has been reported to exist in thttpd that may allow a
remote attacker to gain unauthorized access by executing arbitrary code on
a vulnerable system. The condition is present due to insufficient boundary
checking.

The problem is reported to exist due to the defang() function in
libhttpd.c.  The issue presents itself due to insufficient bounds
checking. A remote attacker may ultimately exploit this issue remotely and
execute arbitrary code in the context of the user who is running the
vulnerable software. Successful exploitation may allow an attacker to gain
unauthorized access to the vulnerable host.

Successful exploitation of this issue may allow an attacker to execute
arbitrary code in the context of the web server in order to gain
unauthorized access to a vulnerable system.

thttpd versions 2.21 to 2.23b1 have been reported to be prone to this
issue, however other versions may be affected as well.

Apache Web Server Multiple Module Local Buffer Overflow Vuln...
BugTraq ID: 8911
Remote: No
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8911
Summary:
A vulnerability has been reported to exist in Apache that may allow a
local attacker to gain unauthorized access by executing arbitrary code on
a vulnerable system. The condition is present due to insufficient boundary
checking.

The problem is reported to exist in mod_alias and mod_rewrite modules of
the software. It has been reported that the problem presents itself if a
regular expression is configured with more than 9 captures using
parentheses.  It is reported that the vulnerability is in an Apache
wrapper function for the regex interface.

A local attacker may ultimately exploit this issue locally and execute
arbitrary code in the context of the user who is running the vulnerable
software. Successful exploitation may allow an attacker to gain
unauthorized access to the vulnerable host.  It has also been reported
that to exploit this issue an attacker would need to locally create a
specially crafted configuration file (.htaccess or httpd.conf).

Successful exploitation of this issue may allow an attacker to execute
arbitrary code in the context of the web server in order to gain
unauthorized access to a vulnerable system.

kpopup Privileged Command Execution Vulnerability
BugTraq ID: 8915
Remote: No
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8915
Summary:
kpopup is a KDE utility designed to allow hosts to transmit and receive
"WinPopup" messages.

It has been alleged that it is possible for local attackers to gain root
privileges through kpopup, which is installed setuid root by default.
According to the report, kpopup uses the system(3) C-library function
insecurely to run other utilities on the system.  In at least one
instance, system(3) is called to invoke the binary killall(1) in a manner
relying on the PATH environment variable.  As the environment can be set
by the unprivileged user when kpopup is executed, an arbitrary executable
with the filename killall(1) can be executed.

On typical UNIX and UNIX-like systems, the system(3) library call invokes
fork(2) and the child executes "/bin/sh" with the function parameter as
its argument.  Many modern shells anticipate insecure use of this
function by setuid/setgid processes and drop effective privileges if they
do not match the real userid/gid of the process.  This typically prevents
exploitation of these issues.  This particular vulnerability may be
different.  It may be the case that kpopup first sets its real uid and gid
to 0 before calling system, making this vulnerability exploitable.  This
has not been confirmed by Symantec.
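
How a privileged program can run a helper without depending on the caller's PATH, as an added example (not kpopup's code; run_fixed(), SAFE_ENV and the PATH values are assumptions). The helper is started by absolute path with execve() and a fixed environment, so no shell and no PATH search are involved.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every helper; nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run a helper by absolute path with execve(): no shell, no PATH search,
 * no inherited environment. Returns the exit status, or -1 on error. */
static int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse names that need a PATH lookup */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: set an untrusted PATH in the caller, then ask a child
 * process which PATH it sees. Returns 1 if the child sees only SAFE_ENV. */
static int child_sees_fixed_path(void)
{
    setenv("PATH", "/tmp/untrusted", 1);
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_fixed("/bin/sh", argv) == 0;
}

int main(void) { return child_sees_fixed_path() ? 0 : 1; }
```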

kpopup Local Arguments Format String Vulnerability
BugTraq ID: 8918
Remote: No
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8918
Summary:
kpopup is a KDE utility designed to allow hosts to transmit and receive
"WinPopup" messages.  It is available for Unix and Linux platforms.

It has been alleged that it is possible for local attackers to take
advantage of format string vulnerabilities in kpopup, which is installed
setuid root by default. According to the report, kpopup does not correctly
handle format strings when passed to the program as arguments.

Preliminary reports indicate that this issue can be used to cause the
program to crash with a segmentation violation error.  This is usually
indicative of memory management issues that typically can be exploited to
execute attacker-supplied instructions.

Apache Mod_Security Module Heap Corruption Vulnerability
BugTraq ID: 8919
Remote: Yes
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8919
Summary:
The Apache 2 mod_security module is designed to act as a web-based
intrusion detection system. It is also designed to prevent certain types
of attacks by handling and parsing data.

A vulnerability has been discovered in the mod_security module when
handling specific data transmitted by the Apache server. The problem
occurs within sec_filter_out() function located in the mod_security.c
source file.

When this function is used to handle data transmitted from a server-side
script, it incorrectly assumes that the data is broken into 4 or 8
kilobyte chunks before being transmitted. As a result, when expanding the
size of the data's storage buffer it explicitly reallocates the size to be
2 times as large. However, because the data is not the expected chunk
sizes, the size of the data copied into the data could in fact be larger
than expected. When finally copied into the buffer, sensitive heap
variables such as malloc chunk pointers may be overwritten.

An attacker could ultimately exploit this condition to execute arbitrary
code with the privileges of the Apache server. It should be emphasized
however, that an attacker would be required to carry this attack out
locally or on a server that allows the uploading of malicious scripts
(which may be possible via exploitation of other vulnerabilities). The
vulnerability cannot be triggered by sending a request with excessive data
to the affected module.

This issue is said to affect release 1.7 and 1.7.1 of mod_security.
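
The growth logic at issue, as an added example (not mod_security's code; struct outbuf and the function names are assumptions). Doubling once only helps if the incoming chunk is no larger than the current capacity; the append below grows until the data fits and rejects size wrap-around.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical accumulation buffer for response data passing through a filter. */
struct outbuf {
    char  *data;
    size_t len;   /* bytes used */
    size_t cap;   /* bytes allocated */
};

/* Flawed sizing described above: double once and assume the chunk now fits. */
static size_t cap_after_single_double(size_t cap)
{
    return cap * 2;
}

/* Append n bytes, growing until the data is guaranteed to fit.
 * Returns 0 on success, -1 on size overflow or allocation failure
 * (the buffer is left unchanged on failure). */
static int outbuf_append(struct outbuf *b, const void *src, size_t n)
{
    if (n > SIZE_MAX - b->len)
        return -1;                                  /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t cap = b->cap ? b->cap : 4096;
        while (cap < need) {
            if (cap > SIZE_MAX / 2) { cap = need; break; }
            cap *= 2;
        }
        char *p = realloc(b->data, cap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    return 0;
}

/* Constructed input: 8000 bytes already buffered, then one 20000-byte chunk. */
int main(void)
{
    static char chunk[20000];
    struct outbuf b = { NULL, 0, 0 };
    int rc = outbuf_append(&b, chunk, 8000) || outbuf_append(&b, chunk, sizeof chunk);
    free(b.data);
    return rc;
}
```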

Apache Web Server mod_cgid Module CGI Data Redirection Vulne...
BugTraq ID: 8926
Remote: Yes
Date Published: Oct 29 2003
Relevant URL: http://www.securityfocus.com/bid/8926
Summary:
Apache has reported a potential vulnerability in the mod_cgid module when
the threaded MPM (Multi-Processing Module) is used. The problem is said to
be due to mishandling of CGI redirect paths. Reportedly, the module will
incorrectly redirect the CGI output data to a separate, unrelated thread.
Apache has stated that the specific problem is related to mishandling of
the AF_UNIX socket that is used to pass communications between the cgid
daemon and a CGI script. It seems likely that this issue could occur
inadvertently and it is not currently known if a remote attacker could
deliberately trigger the condition.

Depending on the context of the CGI data in question, this could
potentially result in sensitive information, such as banking or login
information, being exposed to a user of a separate thread. This could also
potentially result in another user incorrectly being granted authorization
to a sensitive page.

The precise technical details regarding this condition are currently
unknown. This bid will be updated as further information is made
available. It should also be noted that although unconfirmed, this
condition may in some ways be similar to the condition described in bid
8725.

Multiple Vendor HTTP Server IPv6 Socket IPv4 Mapped Address ...
BugTraq ID: 8927
Remote: Yes
Date Published: Oct 29 2003
Relevant URL: http://www.securityfocus.com/bid/8927
Summary:
IPv6 is a protocol designed to replace IPv4. IPv6 allows for the
encapsulation of IPv4 addresses, in order to facilitate transition between
the two standards, and allow the usage of IPv4 legacy applications under
IPv6 networking.

Additionally, many systems are expected to support both IPv4 and IPv6
traffic, in order to allow a transition period between the two standards.

A problem may exist in some web servers that may result in vulnerabilities
in web applications.  When a mapped IPv4 address is passed to a system
through an IPv6 interface, it may be possible to confuse or even take
advantage of functions in web applications.  A scenario could occur when
such an address is passed to the $REMOTE_ADDR server environment variable,
for example.  If the $REMOTE_ADDR variable were then used for
authentication or access control in this situation, unexpected behavior
could result, potentially introducing a security vulnerability.

This problem could permit an attacker to bypass access restrictions, or
potentially obscure the origins of a request.
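
Address normalization before an access-control comparison, as an added example (not taken from any of the affected servers; the function names are assumptions and the addresses are constructed documentation addresses). An IPv4-mapped IPv6 address is reduced to its IPv4 form so that both spellings of the same peer match the same rule.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Reduce a textual peer address to canonical form before any ACL comparison:
 * IPv4 and IPv4-mapped IPv6 (::ffff:a.b.c.d) both become dotted-quad IPv4;
 * other IPv6 addresses are re-printed in canonical form.
 * Returns 0 on success, -1 if the text is not a valid address. */
static int canonical_peer(const char *text, char *out, socklen_t outlen)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (inet_pton(AF_INET, text, &v4) == 1)
        return inet_ntop(AF_INET, &v4, out, outlen) ? 0 : -1;
    if (inet_pton(AF_INET6, text, &v6) != 1)
        return -1;
    if (IN6_IS_ADDR_V4MAPPED(&v6)) {
        memcpy(&v4, &v6.s6_addr[12], sizeof v4);   /* last 4 bytes hold the IPv4 address */
        return inet_ntop(AF_INET, &v4, out, outlen) ? 0 : -1;
    }
    return inet_ntop(AF_INET6, &v6, out, outlen) ? 0 : -1;
}

/* Naive rule: raw string comparison of REMOTE_ADDR against a denied address. */
static int naive_denied(const char *remote_addr, const char *denied)
{
    return strcmp(remote_addr, denied) == 0;
}

/* Hardened rule: compare canonical forms; unparsable input is denied. */
static int canonical_denied(const char *remote_addr, const char *denied)
{
    char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
    if (canonical_peer(remote_addr, a, sizeof a) != 0) return 1;
    if (canonical_peer(denied, b, sizeof b) != 0) return 1;
    return strcmp(a, b) == 0;
}

/* Constructed case: the same peer written as a mapped address. */
int main(void)
{
    const char *peer = "::ffff:192.0.2.10", *rule = "192.0.2.10";
    return (!naive_denied(peer, rule) && canonical_denied(peer, rule)) ? 0 : 1;
}
```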

Cisco IOS OSPF Potential Routing Table Corruption Vulnerabil...
BugTraq ID: 8935
Remote: Yes
Date Published: Oct 30 2003
Relevant URL: http://www.securityfocus.com/bid/8935
Summary:
A bug has been discovered in specifically configured Cisco IOS routers
when handling the OSPF (Open Shortest Path First) protocol. It has not yet
been confirmed if this issue is an explicit security vulnerability,
however it has been conjectured by a reliable source that the problem
could potentially lead to the corruption of routing tables.

The bug is said to exist on Cisco IOS release 12.3(1a), when running on an
AS5350 device. This issue may reportedly occur when the following
configuration is used:

router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map ospf
 redistribute static subnets route-map ospf
 network 192.168.100.0 0.0.1.255 area 1

As a result, the device may incorrectly multicast OSPF Hello packets to
all peers, regardless of the host's address. This could potentially allow
for a malicious system to issue a response containing false information,
designed to corrupt routing table entries. This condition has not yet been
confirmed.

If this bug does prove to be a vulnerability, an attacker could exploit
this condition to re-route traffic through controlled systems or could
potentially pose as a trusted host. This could lead to a number of attacks
including man-in-the-middle attacks, connection hijacking, modifying data
streams, exposing sensitive information, etc.

This issue is reportedly not present in Cisco IOS 12.2(3).

*** October 31, 2003 - Cisco has issued a response regarding this issue
and has stated that the behaviour of the device is as expected. OSPF will
be enabled on any interface that has an IP address bound to it, and as
such Hello packets will typically be transmitted over these interfaces.
This BID has been flagged as Conflicting Reports, and will be updated as
further details have been released.

[ hardware ]



