[gull-annonces] Summary of SecurityFocus Newsletter #222

Marc SCHAEFER schaefer at alphanet.ch
Wed Nov 12 08:21:01 CET 2003

Seyeon FlexWATCH Network Video Server Unauthorized Administr...
BugTraq ID: 8942
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8942
FlexWATCH Network Video Server is used to deliver real time video over a
network.  The server also allows users to use a web browser as a client.

A vulnerability has been reported in the software that may allow a remote
attacker to gain administrative access to the system.  The problem is
reported to occur when an attacker requests the administrative interface
with a specially crafted URL containing two slash ('/') characters.  This
problem is due to improper validation of user-supplied input.

Successful exploitation of this issue may allow a remote attacker to gain
administrator level privileges to the server.  This may lead to user
accounts and system configuration modifications.

FlexWATCH Network Video Server Model 132 has been reported to be prone to
this issue, however other versions may be affected as well.

[ hardware ]
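The advisory does not say how the two slashes defeat the check, so the following is an added example of the most common way such a bypass arises, not FlexWATCH code: the access-control decision is taken on the raw request path while the router that actually serves the page collapses repeated slashes. The path names, the 256-byte limit and the "/admin" prefix are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Collapse runs of '/' into a single '/'.  out must have room for
 * strlen(in) + 1 bytes. */
void canonicalize_path(const char *in, char *out)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '/' && j > 0 && out[j - 1] == '/')
            continue;                       /* drop the repeated slash */
        out[j++] = in[i];
    }
    out[j] = '\0';
}

static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Vulnerable shape: the decision is made on the raw request path.
 * "//admin/..." does not match "/admin", so no credentials are demanded,
 * yet a router that collapses slashes still serves the admin page. */
bool requires_admin_raw(const char *raw_path)
{
    return has_prefix(raw_path, "/admin");
}

/* Hardened shape: canonicalize first and decide on the same string the
 * router will dispatch on.  Over-long paths fail closed. */
bool requires_admin_canonical(const char *raw_path)
{
    char canon[256];
    if (strlen(raw_path) >= sizeof canon)
        return true;
    canonicalize_path(raw_path, canon);
    return has_prefix(canon, "/admin");
}

/* Helper for checking the canonicalizer: true if canonicalize_path(in)
 * equals expected. */
bool canonicalizes_to(const char *in, const char *expected)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return false;
    canonicalize_path(in, buf);
    return strcmp(buf, expected) == 0;
}
```

The same class of bug appears with "." and ".." segments, percent-encoded slashes and backslashes on Windows servers; the general rule is that authorization must be evaluated on the fully decoded and canonicalized path, and on nothing else.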

Multiple Ethereal Protocol Dissector Vulnerabilities
BugTraq ID: 8951
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8951
Multiple Ethereal protocol dissectors are prone to remotely exploitable
vulnerabilities.  These issues have been addressed with the release of
Ethereal 0.9.16.

The following specific issues were reported:

A malformed GTP MSISDN string could cause a buffer overrun to occur.

Malformed ISAKMP or MEGACO packets could cause Ethereal or Tethereal to
crash, resulting in a denial of service.

The SOCKS dissector is reported to be prone to a heap overrun.

These issues may be exploited by causing Ethereal to process a malformed
packet, either while Ethereal is monitoring live network traffic or via a
packet trace.  Successful exploitation could lead to code execution or
denial of service attacks against Ethereal.

Cups Internet Printing Protocol Job Loop Denial Of Service V...
BugTraq ID: 8952
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8952
CUPS is a freely available, open source printing system for the Unix and
Linux platforms.

A problem has been identified in the handling of requests via CUPS
Internet Printing Protocol (IPP).  Because of this, it is possible for an
attacker to deny service to legitimate users.

The specifics of the problem are not currently available.  It is known
that an attacker must be able to connect to the vulnerable service on the
IPP port, and that submitting a specially crafted request can send the
software into a busy loop.  This issue may be related to BugTraq ID 7637,
and will be further updated when additional details become available.

Bugzilla Multiple Vulnerabilities
BugTraq ID: 8953
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8953
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.

Multiple vulnerabilities have been reported to exist in the software.  The
issues include SQL injection, unauthorized privileges, and information

A SQL injection issue has been reported in the nightly statistics cron
job, collectstats.pl.  A user with 'editproducts' privileges, which are
usually granted to administrators, may be able to carry out SQL injection
attacks.  This issue affects Bugzilla versions 2.16.3 and

Another SQL injection vulnerability has been reported that may be
exploited by a user with 'editkeywords' privileges, which are usually
granted to administrators.  An attacker may be able to inject arbitrary
SQL code into the underlying database through the URL used to edit an
existing keyword.  This issue affects Bugzilla versions 2.16.3 and earlier
and 2.17.1 through
A vulnerability has been reported that may allow users to retain
privileges that were previously granted.  The issue may occur when
products are deleted.  If the 'usebuggroups' parameter is selected, users
may still be able to add others to the group that is being deleted, and if
another group is later created that reuses the group id of the deleted
group, those users automatically inherit the privileges granted to it.
This vulnerability only allows users who already had those privileges to
retain them.  This issue affects Bugzilla versions 2.16.3 and earlier.

An information disclosure issue has been reported that may allow an
attacker to view restricted bugs stored in the database.  It has been
reported that if an attacker knows the e-mail address of a user who has
voted on a secure or restricted bug they may be able to view the summary
of the bug without having sufficient permissions.  This issue affects
Bugzilla versions 2.16.3 and earlier and 2.17.1 through 2.17.4.

Another information disclosure issue has been reported that may allow an
attacker to disclose component descriptions for a product without proper
authorization.  This issue affects Bugzilla versions 2.17.3 and 2.17.4.

OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
BugTraq ID: 8964
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8964
isakmpd is the IKE key management daemon provided with OpenBSD.  It
negotiates the security associations used for authenticated or encrypted
network traffic and is normally used to build VPNs.

OpenBSD's isakmpd daemon is said to be prone to multiple weaknesses when
handling various IKE payloads.  Specifically, four weaknesses have been
discovered in the daemon.  The problems include:

1) isakmpd fails to require that Quick Mode messages be encrypted, as the
RFC 2409 specification mandates.  This could lead to the unintentional
exposure of sensitive session initialization data.

2) isakmpd, when acting as the responder, fails to encrypt Quick Mode
payloads if the initiator has not encrypted its payload.  The issue is
caused by a check in the message_recv() function in the message.c source
file: an if statement determines the encryption status by testing the
ISAKMP_FLAGS_ENC flag of the received packet, and only if the flag is set
will the responder enforce payload encryption.  This could also
potentially lead to the exposure of sensitive session initialization data.

3) Hash payloads are only enforced on Quick Mode exchanges, although RFC
2409 and RFC 2407 state that Phase 2 messages containing delete payloads
and 'notify' status messages should also carry hash payloads.  As a result
isakmpd has no mechanism for verifying the sanity of those payloads when
they are received.  It has also been reported that hash payloads received
from an unexpected source are not

4) Phase 2 delete messages are not verified to ensure that the origin of
the request is the owner of the SA to be deleted.  The check occurs in the
ipsec_handle_leftover_payload() function in the ipsec.c source file.  This
does not violate the RFC, but it is an insecure policy that could be
exploited by an unauthorized user to delete an arbitrary SA.

It should be noted that due to the isakmpd daemon being widely
distributed, other operating systems may also be affected by this issue.
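Item 2 is a general pattern worth seeing in code: a security decision driven by a bit the peer controls. The block below is an added model of that responder-side decision, not isakmpd source. The names ISAKMP_FLAGS_ENC and message_recv() come from the advisory; the E-bit value is from RFC 2408 and the exchange-type numbers from RFC 2409; the "phase1_complete" state and the return convention (reply flags, or -1 to drop) are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

#define ISAKMP_FLAGS_ENC        0x01   /* ISAKMP header E bit (RFC 2408) */
#define ISAKMP_EXCH_ID_PROT     2      /* Phase 1 identity protection exchange */
#define ISAKMP_EXCH_QUICK_MODE  32     /* Phase 2 Quick Mode exchange (RFC 2409) */

/* Vulnerable shape: the sender's own flag decides whether the message is
 * treated as encrypted, and the responder mirrors it on the reply.  An
 * initiator that clears ISAKMP_FLAGS_ENC and sends Quick Mode in the
 * clear is accepted, and the responder answers in the clear as well.
 * Returns the flags the responder will put on its reply. */
int message_recv_flag_driven(uint8_t exchange_type, uint8_t flags)
{
    (void)exchange_type;                 /* exchange type plays no part */
    return flags & ISAKMP_FLAGS_ENC;     /* clear in, clear out */
}

/* Hardened shape: local state decides.  Once Phase 1 has completed, a
 * Quick Mode message must carry the E bit (and so be encrypted under the
 * Phase 1 keys) no matter what the peer chose to send, and the reply is
 * encrypted regardless.  Returns reply flags, or -1 to drop the message. */
int message_recv_policy_driven(uint8_t exchange_type, uint8_t flags,
                               bool phase1_complete)
{
    bool must_be_encrypted = phase1_complete &&
                             exchange_type == ISAKMP_EXCH_QUICK_MODE;
    if (must_be_encrypted && !(flags & ISAKMP_FLAGS_ENC))
        return -1;                       /* drop: Quick Mode in the clear */
    if (must_be_encrypted)
        return ISAKMP_FLAGS_ENC;         /* never downgrade the reply */
    return flags & ISAKMP_FLAGS_ENC;     /* Phase 1 handshake messages */
}
```

Item 4 is the same principle applied to ownership: whether a delete request may remove an SA should follow from the daemon's own record of which peer the SA was negotiated with, not from anything in the request.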

As further analysis of these weaknesses is carried out, it is likely that
each issue will be given a separate BID, at which point this BID will be
updated and subsequently retired.

OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
BugTraq ID: 8970
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8970
OpenSSL is a freely available, open source implementation of Secure Socket
Layer tools.  It is available for the Unix, Linux, and Microsoft

A problem has been identified in OpenSSL when handling specific types of
ASN.1 data.  This may allow remote attackers to create a denial of service
condition.

The problem lies in the handling of ASN.1 data that causes deep recursion.
Though specifics of how this occurs are not available, it has been
reported that it can result in a crash of OpenSSL.  This could potentially
allow an attacker to crash any service that uses a vulnerable version of
the library.

This issue is also known to affect numerous Cisco products.  It is
possible that other vendors will also be acknowledging this issue and
providing fixes.

OpenBSD Local Malformed Binary Execution Denial of Service V...
BugTraq ID: 8978
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8978
iBCS2 (Intel Binary Compatibility Specification 2) is a binary
compatibility specification commonly used for SCO and ISC binaries.  ELF
is the Executable and Linkable Format, the default binary format used on
Unix and Linux operating systems.

The OpenBSD team has recently fixed a vulnerability in the OpenBSD kernel
when handling iBCS2 binaries.  The problem occurs in the ibcs2_exec.c
source file and is due to insufficient sanity checks before memory is
allocated via malloc() using the xe_segsize binary parameter.

The precise technical details regarding this issue are currently unknown;
however, it is believed that a segment table size (xe_segsize) value
greater than the maximum allowable number of segments (16) could
potentially cause malloc() to fail and, under some circumstances, return 0.

Because the return value of malloc() is not sufficiently checked, an
unexpected value may be used in subsequent calculations, effectively
triggering a kernel panic.

An additional issue was also addressed in exec_elf.c that could
potentially result in a kernel panic. This particular problem also
involved insufficient checks before calling malloc(), in this case with
the ELF program header size value as an argument. If a malicious binary
with a malformed size were handled, this may cause an unexpected
calculation in the code, effectively triggering a kernel panic.

The OpenBSD team has addressed this issue by validating the two size
values prior to calling malloc().

An attacker could exploit this condition by constructing a malicious iBCS2
or ELF binary.  It should be noted that, in the case of an iBCS2 binary,
support for the format would explicitly need to be supported by the kernel

*** November 5, 2003 - New information discovered by the researcher
suggests that the implications of this vulnerability could in fact be
higher than initially anticipated.  As such, it is believed that successful
exploitation of this issue under some conditions could potentially lead to
code execution within the context of the kernel.  This has been conjectured
from the varying crashes observed when triggering the condition.  Due to
the lack of details regarding this possibility, the status of this BID
will remain the same until more information is available.
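The fix is described as two checks, one on each size value before malloc(), and the bug as a missing check on malloc()'s result. The block below is an added user-space model of a loader applying both, not the OpenBSD patch. The 16-segment limit is the figure quoted above; the structure layouts, the 128 program-header ceiling and the status codes are stand-ins chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define XE_MAX_SEGMENTS 16     /* iBCS2 segment limit quoted in the advisory */
#define ELF_MAX_PHNUM   128    /* assumed ceiling for ELF program headers */

struct seg_desc { uint32_t base, size; };      /* stand-in iBCS2 segment entry */
struct elf_phdr { uint32_t field[8]; };        /* stand-in 32-byte program header */

enum { LOAD_OK = 0, LOAD_EBADSIZE = -1, LOAD_ENOMEM = -2 };

/* count * elem_size with the checks the fix adds: non-zero, at most
 * max_count, and no multiplication overflow.  Returns 0 on rejection. */
static size_t checked_table_bytes(uint64_t count, size_t elem_size,
                                  uint64_t max_count)
{
    if (count == 0 || count > max_count)
        return 0;
    if (count > SIZE_MAX / elem_size)
        return 0;
    return (size_t)count * elem_size;
}

/* Allocate a header table.  Rejects bad sizes before malloc() and checks
 * malloc()'s result after it, the two places the vulnerable code skipped. */
static int load_table(uint64_t count, size_t elem_size, uint64_t max_count,
                      void **out)
{
    size_t bytes = checked_table_bytes(count, elem_size, max_count);
    if (bytes == 0)
        return LOAD_EBADSIZE;
    void *p = malloc(bytes);
    if (p == NULL)
        return LOAD_ENOMEM;       /* the check whose absence caused the panic */
    *out = p;
    return LOAD_OK;
}

int load_ibcs2_segments(uint32_t xe_segsize, struct seg_desc **out)
{
    return load_table(xe_segsize, sizeof **out, XE_MAX_SEGMENTS, (void **)out);
}

int load_elf_phdrs(uint16_t phentsize, uint16_t phnum, struct elf_phdr **out)
{
    if (phentsize != sizeof **out)      /* entry size must match the format */
        return LOAD_EBADSIZE;
    return load_table(phnum, phentsize, ELF_MAX_PHNUM, (void **)out);
}

/* Convenience wrappers: load, free, report the status code. */
int try_ibcs2(uint32_t xe_segsize)
{
    struct seg_desc *t = NULL;
    int rc = load_ibcs2_segments(xe_segsize, &t);
    free(t);
    return rc;
}

int try_elf(uint16_t phentsize, uint16_t phnum)
{
    struct elf_phdr *t = NULL;
    int rc = load_elf_phdrs(phentsize, phnum, &t);
    free(t);
    return rc;
}
```

In a kernel the allocation failure path matters more than in user space, because a failed allocation returning NULL and then being used as a table base is exactly the panic the advisory describes.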

Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
BugTraq ID: 8981
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8981
Multiple vulnerabilities have been reported in various implementations of
the S/MIME protocol.  S/MIME is used to send binary data and attachments
across e-mail in a secure fashion; S/MIME message structures are encoded
in ASN.1.

It has been reported that various products may be affected by denial of
service issues resulting from improper handling of exceptional ASN.1
elements.  An attacker may exploit this issue by sending an exceptional
ASN.1 element to a vulnerable system in order to cause a denial of service
Successful exploitation of this issue may allow an attacker to cause the
software to behave in an unstable manner, leading to a crash or hang.

These issues are reported to affect ASN.1 parsing routines; cryptographic
libraries that implement S/MIME may be affected as well, because ASN.1
code is shared between the cryptographic functions and S/MIME.

Currently the Hitachi PKI Runtime Library and Hitachi Groupmax Mail -
Security Option version 6, and possibly prior versions, have been reported
to be vulnerable; this BID will be updated as more information becomes
X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
BugTraq ID: 8983
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8983
X-CD-Roast is a freely available CD burning utility available for Linux
and Unix based systems.

X-CD-Roast has been reported prone to an insecure file creation
vulnerability that may be exploited to corrupt arbitrary files.  The issue
is reported to arise because X-CD-Roast follows symbolic links when
writing certain files.  The problem is also conjectured to be exacerbated
by a lack of sufficient access controls set by X-CD-Roast on the files
that it creates and uses.

Ultimately a local user may exploit this condition by creating a symbolic
link in place of the vulnerable X-CD-Roast file, pointing to an arbitrary
file on the system.  When an unsuspecting user invokes X-CD-Roast, the
file the symbolic link points to will be corrupted; the corruption will
only occur if the user invoking X-CD-Roast has sufficient privileges to
write to the target file.  A local user may leverage this condition to
corrupt arbitrary files, triggering a system-wide denial of service or
potentially elevating their privileges.
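The advisory names two defects, following links and weak permissions on the created files, and both are closed by the same open() call. The block below is an added example of that call and of replaying the attack against it in a scratch directory; it is not X-CD-Roast code. It assumes a POSIX system with a writable /tmp; the file names are made up for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new private file at path.  O_EXCL refuses any existing entry
 * (a planted symlink included), O_NOFOLLOW refuses a symlink even where
 * O_EXCL is not honoured, and mode 0600 keeps other users out of what
 * gets written.  Returns an fd or -1 with errno set. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replays the attack: a symlink is planted at the name the program will
 * write, then the program tries to create that file.  Returns 1 if the
 * link was refused, 0 if the open succeeded (the write would have landed
 * in the victim file), -1 on setup error. */
int symlink_attack_is_blocked(void)
{
    char dir[] = "/tmp/xcdr-demo-XXXXXX";
    char victim[PATH_MAX], linkpath[PATH_MAX];
    int v = -1, fd = -1, rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/config", dir); /* name the program writes */

    v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* the file to corrupt */
    if (v < 0)
        goto cleanup;
    close(v);

    if (symlink(victim, linkpath) != 0)  /* attacker plants the link */
        goto cleanup;

    fd = create_private_file(linkpath);
    if (fd >= 0) {
        close(fd);
        rc = 0;                          /* followed the link: vulnerable */
    } else {
        rc = 1;                          /* EEXIST or ELOOP: refused */
    }

cleanup:
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return rc;
}

/* Happy path: a fresh file is created with mode 0600.  Returns the
 * permission bits of the created file, or -1. */
int create_and_get_mode(void)
{
    char dir[] = "/tmp/xcdr-demo-XXXXXX";
    char path[PATH_MAX];
    struct stat st;
    int mode = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/config", dir);
    int fd = create_private_file(path);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return mode;
}
```

O_EXCL alone already makes open() fail when the name is a symlink, but it is only reliable on local file systems; O_NOFOLLOW is the belt to that suspender, and a private directory created with mkdtemp() removes the shared-namespace race entirely.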

Linux Kernel Trojan Horse Vulnerability
BugTraq ID: 8987
Remote: No
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8987
It has been announced that the file 'kernel/exit.c' in the Linux kernel
CVS tree on kernel.bkbits.net was modified by a malicious party.  The file
was modified to include trojan horse code that would potentially allow a
local user to elevate privileges.

Specifically, when '__WCLONE|__WALL' is passed as the options argument to
the sys_wait4() function, the trojaned kernel performs 'current->uid = 0',
elevating the calling user to uid 0 (root privileges).

It is not currently known what version of the Linux kernel is affected by
this issue. This BID will be updated as further information regarding this
issue is disclosed.
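What made the change easy to miss is its shape: a single '=' where '==' would be expected, inside a condition that no legitimate caller ever satisfies. The block below is an added user-space model of that condition, not the kernel patch itself; the task structure and the 'current' macro are stand-ins, and the __WCLONE/__WALL values are the ones from the Linux wait.h header.

```c
#include <stdbool.h>

#define __WALL    0x40000000
#define __WCLONE  0x80000000
#ifndef EINVAL
#define EINVAL    22
#endif

struct task { unsigned int uid; };
static struct task current_task = { .uid = 1000 };
#define current (&current_task)

/* Trojaned shape.  '=' assigns 0 to current->uid and the expression
 * evaluates to 0, so the && is false, -EINVAL is never returned and the
 * call completes normally.  Only the exact combination __WCLONE|__WALL
 * reaches the assignment, a value no ordinary program passes. */
long sys_wait4_trojaned(unsigned int options)
{
    long retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;                      /* the rest of wait4 would follow */
}

/* The same line as a legitimate check ('==' instead of '='). */
long sys_wait4_honest(unsigned int options)
{
    long retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

void reset_current(unsigned int uid) { current_task.uid = uid; }
unsigned int current_uid(void)       { return current_task.uid; }

/* Drives both variants from an unprivileged uid.  True if the trojaned
 * variant left the caller as uid 0 while the honest one did not. */
bool backdoor_elevates(void)
{
    reset_current(1000);
    sys_wait4_honest(__WCLONE | __WALL);
    bool honest_unchanged = (current_uid() == 1000);
    reset_current(1000);
    sys_wait4_trojaned(__WCLONE | __WALL);
    return honest_unchanged && current_uid() == 0;
}

/* Any other option value leaves the uid alone, which is why the change
 * is invisible to normal use. */
bool other_options_are_harmless(void)
{
    reset_current(1000);
    sys_wait4_trojaned(__WCLONE);
    sys_wait4_trojaned(__WALL);
    sys_wait4_trojaned(0);
    return current_uid() == 1000;
}
```

The extra pair of parentheses around the assignment is what keeps gcc's -Wparentheses quiet, so the compiler offers no help here; the change was noticed because the CVS export no longer matched the BitKeeper master, which is the supply-chain lesson: review diffs against the authoritative tree, not just the one you pulled.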

Ganglia gmond Malformed Packet Remote Denial of Service Vuln...
BugTraq ID: 8988
Remote: Yes
Date Published: Nov 06 2003
Relevant URL: http://www.securityfocus.com/bid/8988
Ganglia Monitoring Daemon (gmond) is cluster monitoring software available
for a wide variety of Unix-based operating systems, as well as Linux.

When a user transmits a packet to the gmond service advertising a metric,
a hashing function handles the packet.  The advertisement packet, when
sent by an official client, includes a name string of at least 2 bytes:
one character followed by a NUL byte.  The hashval function, located in
the lib/hash.c source file, parses the name string and calculates the hash
value within a for loop.  The calculated value is then used as an index
into a specific array of hashes.

A vulnerability has been discovered in this procedure that could
potentially result in a denial of service condition.  The problem occurs
when a malformed packet from a modified client or custom program is
transmitted with a 1-byte name string.  When the hashval function handles
this packet, because of the unexpected name string size, the calculated
value is not run through the modulus operation that is meant to ensure the
value is a legitimate index.  As a result, a single byte value larger than
any valid index could cause an unexpected calculation or an invalid
pointer dereference.

It has been reported that due to this miscalculation, the gmond service
will crash when attempting to lock access to the hash entry by locking the
data at the calculated pointer. This would effectively result in a denial
of service condition.

This vulnerability is said to affect gmond version 2.5.3; however, other
versions may also be affected.

[ licence ? ]
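The defect as described has a recognisable shape: the reduction modulo the table size sits inside a loop that a one-byte name never enters. The block below is an added model of that shape beside the obvious repair, not the Ganglia lib/hash.c code; the 64-bucket table size and the shift-xor mixing are stand-ins, and the first byte seeding the hash is the model's assumption about where the unreduced value comes from.

```c
#include <stddef.h>
#include <stdint.h>

#define HASH_SIZE 64   /* number of buckets in the model table */

/* Vulnerable shape: the first byte seeds the hash and the loop over the
 * remaining bytes both mixes and reduces.  With len == 1 the loop body
 * never runs, so the raw byte (0..255) is returned as the index. */
size_t hashval_model_vulnerable(const unsigned char *name, size_t len)
{
    size_t h = name[0];
    for (size_t i = 1; i < len; i++) {
        h = (h << 5) ^ name[i];
        h %= HASH_SIZE;
    }
    return h;                              /* may be >= HASH_SIZE */
}

/* Hardened: reject a name that cannot be "char + NUL", and reduce after
 * the loop so every path ends in range.  Returns -1 for rejected input. */
long hashval_model_fixed(const unsigned char *name, size_t len)
{
    if (len < 2 || name[len - 1] != '\0')
        return -1;                         /* not a NUL-terminated name */
    size_t h = name[0];
    for (size_t i = 1; i < len; i++)
        h = (h << 5) ^ name[i];
    return (long)(h % HASH_SIZE);
}

/* 1 if the vulnerable function would index past the table for this
 * packet's name, 0 otherwise. */
int vulnerable_index_out_of_range(const unsigned char *name, size_t len)
{
    return hashval_model_vulnerable(name, len) >= HASH_SIZE;
}
```

The crash the advisory describes happens one step later, when the daemon takes a lock on the entry at that out-of-range index; the repair belongs before the index is computed, at the point where the packet's claimed name length is checked against what the protocol allows.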
