[gull-annonces] Summary of SecurityFocus Newsletter #224

Marc SCHAEFER schaefer at alphanet.ch
Tue Nov 25 09:11:01 CET 2003


KDE 3.1 Global Configuration Files Insecure Default Permissi...
BugTraq ID: 9047
Remote: No
Date Published: Nov 14 2003
Relevant URL: http://www.securityfocus.com/bid/9047
Summary:
KDE is a graphical user interface (GUI) designed for the Linux operating
system. KDE implements the use of the QT graphical library.

The kdeglobals configuration file is referenced by KDE whenever a local
user attempts to invoke the interface. This file is used to define a
number of default directory and executable locations, as well as various
behavioral options.

It has been reported that this configuration file is stored with world
writeable permissions by default on SuSE 8.2 installations. The file is
stored in the /etc/opt/kde3/share/config directory, and due to its
permissions may be modified by an arbitrary local user.

An attacker could take advantage of these permissions to place malicious
data within the configuration file, such as defining the location of
trojaned executable in place of legitimate ones. This new malformed data
will become part of the KDE environment when another system user invokes
KDE.

Ultimately this could be exploited to carry out actions with the
privileges of another user of KDE.

It should be noted that the following configuration files have also been
reported to be installed world writeable:
/etc/opt/kde3/share/config/kmailrc
/etc/opt/kde3/share/config/kioslaverc
/etc/opt/kde3/share/config/kdeglobals.SuSEconfig

The modification of these files could also potentially be used to gain
elevated privileges or carry out actions as another user.

Although unconfirmed, other versions of SuSE as well as other
distributions may also store these configuration files insecurely.
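The defensive check for this class of issue is a plain permission audit of the four paths the advisory names, followed by clearing the "other write" bit while leaving every other mode bit alone. The program below is an added example, not code from the newsletter, SuSE or KDE; the path list is the one given above and the `--fix` flag is a convention chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if `path` exists and carries the "other write" bit, 0 if it exists
 * without it, and -1 if it cannot be stat()ed (missing file, no permission). */
int is_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Clear only the "other write" bit, leaving owner/group bits and the setuid,
 * setgid and sticky bits untouched.  Returns 0 on success, -1 on failure. */
int strip_world_write(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!(st.st_mode & S_IWOTH))
        return 0;                              /* nothing to do */
    return chmod(path, (st.st_mode & 07777) & ~S_IWOTH) == 0 ? 0 : -1;
}

/* Audit a list of paths, optionally fixing them.  Returns the number of
 * world-writable entries found before any fix was applied. */
int audit_paths(const char *const *paths, size_t n, int fix)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        int r = is_world_writable(paths[i]);
        if (r < 0) {
            printf("skip            %s (not present or unreadable)\n", paths[i]);
        } else if (r == 1) {
            found++;
            printf("WORLD-WRITABLE  %s%s\n", paths[i], fix ? " -> clearing o+w" : "");
            if (fix && strip_world_write(paths[i]) != 0)
                printf("                could not chmod %s\n", paths[i]);
        } else {
            printf("ok              %s\n", paths[i]);
        }
    }
    return found;
}

/* The four files named in the advisory, at the SuSE 8.2 location it gives. */
static const char *const kde_config_files[] = {
    "/etc/opt/kde3/share/config/kdeglobals",
    "/etc/opt/kde3/share/config/kmailrc",
    "/etc/opt/kde3/share/config/kioslaverc",
    "/etc/opt/kde3/share/config/kdeglobals.SuSEconfig",
};

int main(int argc, char **argv)
{
    int fix = (argc > 1 && strcmp(argv[1], "--fix") == 0);
    size_t n = sizeof kde_config_files / sizeof kde_config_files[0];
    int bad = audit_paths(kde_config_files, n, fix);
    printf("%d world-writable file(s)\n", bad);
    return bad ? 1 : 0;
}
```

Run without arguments to report, with `--fix` (as root) to clear the bit. The same two functions work for any other distribution's config directory, which matters because the advisory notes other SuSE releases and other distributions may ship the files the same way.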

Minimalist Unspecified Remote Command Execution Vulnerabilit...
BugTraq ID: 9049
Remote: Yes
Date Published: Nov 17 2003
Relevant URL: http://www.securityfocus.com/bid/9049
Summary:
Minimalist is a mailing list manager available for Linux operating
systems.

It has been reported that Minimalist is vulnerable to an input validation
issue.  User-supplied input is not properly sanitized, which could allow a
remote user to execute arbitrary commands on the system running the
vulnerable software.  Commands would likely execute with the privileges of
Minimalist.

Specific details of this vulnerability are not currently known.  This BID
will be updated if and when more details about this vulnerability become
available.

SAP DB Privilege Escalation and Buffer Overrun Vulnerabiliti...
BugTraq ID: 9050
Remote: Yes
Date Published: Nov 17 2003
Relevant URL: http://www.securityfocus.com/bid/9050
Summary:
Multiple vulnerabilities have been reported in SAP DB.  The following
issues were reported:

A local privilege escalation issue (CAN-2003-0938) exists in SAP DB on
Windows platforms that may allow an attacker to load a malicious .DLL,
resulting in execution of arbitrary code with elevated privileges.  If a
local attacker has write permissions to the current working directory for
SAP DB, which is the case in default installations of the database, it is
possible to replace 'NETAPI32.DLL' with a malicious version.  When the
attacker-supplied library is loaded, code will be executed with elevated
privileges.  It is also reported that this issue may be exploited with the
'SQLAT' stored procedure included in SAP DB.

A buffer overrun (CAN-2003-0939) exists in SAP DB for multiple platforms
(Windows, Linux, HP-UX and Solaris).  The issue is present in the
'niserver' (on Unix-based systems) and 'serv.exe' (on Windows) and may
allow for remote attackers to execute code on a vulnerable host, resulting
in full system compromise.  In particular, the problem is due to
insufficient bounds checking while extracting strings from the
variable-sized segment of the connect packet.  As a result, it is possible
to corrupt adjacent regions of memory with attacker-supplied values,
allowing for control of program execution flow and execution of malicious
instructions.  The vulnerable service listens on TCP port 7269. (** It
should be noted that the @stake advisory reported an erroneous port number
for the service, the correct port number is 7269)

These issues are pending further analysis and will be divided into
individual BIDs when analysis is complete.
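The connect-packet overrun above comes down to two checks that were absent when strings were pulled out of the variable-sized segment: the claimed length must fit the fixed destination, and it must not run past the bytes actually received. The parser below is an added example with a constructed wire format (one length byte followed by that many bytes, a zero length ending the segment); it is not SAP DB's real packet layout or code, and `FIELD_MAX` stands in for whatever fixed buffer the server used.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 32   /* fixed-size destination, stand-in for the server's buffer */

/* Extract one length-prefixed string from `seg` starting at *pos into `out`.
 * Returns 1 on success (out NUL-terminated, *pos advanced), 0 at the end of
 * the segment, -1 on malformed or oversized input.  Both checks the advisory
 * describes as missing are here: the length must fit the destination and
 * must not reach beyond the segment. */
int extract_string(const uint8_t *seg, size_t seg_len, size_t *pos,
                   char out[FIELD_MAX])
{
    if (*pos >= seg_len)
        return 0;                      /* nothing left */
    size_t len = seg[*pos];            /* attacker-controlled length byte */
    size_t start = *pos + 1;
    if (len == 0)
        return 0;                      /* explicit terminator */
    if (len > FIELD_MAX - 1)
        return -1;                     /* would overflow `out` */
    if (len > seg_len - start)
        return -1;                     /* would read past the segment */
    memcpy(out, seg + start, len);
    out[len] = '\0';
    *pos = start + len;
    return 1;
}

/* Walk the whole variable-sized segment.  Returns the number of strings
 * extracted, or -1 if any field is malformed: the packet is then rejected
 * as a whole rather than partially trusted. */
int parse_segment(const uint8_t *seg, size_t seg_len,
                  char fields[][FIELD_MAX], size_t max_fields)
{
    size_t pos = 0, n = 0;
    for (;;) {
        char tmp[FIELD_MAX];
        int r = extract_string(seg, seg_len, &pos, tmp);
        if (r < 0)
            return -1;
        if (r == 0)
            break;
        if (n >= max_fields)
            return -1;                 /* more fields than the caller can hold */
        memcpy(fields[n++], tmp, FIELD_MAX);
    }
    return (int)n;
}

int main(void)
{
    /* constructed sample: two fields then a terminator */
    const uint8_t pkt[] = {4, 'u', 's', 'e', 'r', 3, 'd', 'b', '1', 0};
    char fields[4][FIELD_MAX];
    int n = parse_segment(pkt, sizeof pkt, fields, 4);
    for (int i = 0; i < n; i++)
        printf("field %d: %s\n", i, fields[i]);

    /* constructed sample: a 64-byte field that would not fit FIELD_MAX */
    uint8_t oversized[66];
    oversized[0] = 64;
    memset(oversized + 1, 'A', 64);
    oversized[65] = 0;
    printf("oversized field -> %d\n", parse_segment(oversized, sizeof oversized, fields, 4));
    return 0;
}
```

Rejecting the whole packet on the first bad field, rather than skipping it, keeps later fields from being interpreted against a shifted offset.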

SAP DB web-tools Multiple Vulnerabilities
BugTraq ID: 9051
Remote: Yes
Date Published: Nov 17 2003
Relevant URL: http://www.securityfocus.com/bid/9051
Summary:
SAP DB is a free open source database server from SAP AG.  The product
also ships with a 'web-tools' component that may be integrated with an
existing web server or run with its own web server.

SAP DB has been prone to multiple vulnerabilities in the web server
provided with the software.  These issues may cumulatively allow an
attacker to gain access to sensitive information, bypass user and
administrative level authentication, and execute arbitrary code on a
vulnerable host in order to gain unauthorized access.

A directory traversal issue (CAN-2003-0940) has been reported to exist in
the 'web-tools' component.  The issue may allow a remote attacker to
traverse outside the server root directory by using '../' character
sequences.  The problem exists due to insufficient sanitization of
user-supplied data through a URI.  It has been reported that the SAP web
server runs in the Local SYSTEM context by default on Windows NT/2000/XP
platforms, which may allow an attacker to retrieve all files from a
vulnerable host.

Another issue (CAN-2003-0941) is reported to be present in the web
administration page of web-tools that may allow an attacker to gain
administrative access to a system without proper authentication.  The
problem occurs when a user with access to web-tools requests a URL such as
'http://www.example.com/waadmin.wa'.  The software does not verify
authentication credentials allowing a user to access and modify
configuration of different services.

A buffer overflow vulnerability (CAN-2003-0942) has been reported to exist
in the web administration component of web-tools due to insufficient
bounds checking.  This issue occurs when a URL of excessive length is
requested.  This issue may allow an attacker to execute arbitrary code on a
system, resulting in full system compromise.

The 'waecho' service of web-tools is also reported to be prone to a buffer
overflow vulnerability (CAN-2003-0944) due to insufficient bounds
checking.  This service is installed as part of the default installation.
The issue occurs if an attacker supplies a large number of characters to
the 'requestURI' parameter of a URI request to the service.  This issue
may allow an attacker to execute arbitrary code on a system, resulting in
full system compromise.

It has been reported that the 'websql' and 'webdbm' default services may
allow an attacker to gain unauthorized access to databases which are not
intended to be publicly accessible via web applications.  CAN-2003-0943
has been assigned to the default services issue.

Web Database Manager has been reported to be prone to a weakness
(CAN-2003-0945) due to improper generation of session IDs.  It has been
reported that session IDs are stored in the URL and may not be randomly
generated, therefore allowing an attacker to gain unauthorized access to
sessions.

These issues are currently undergoing further analysis. Where appropriate,
individual BIDs will be created to represent new issues and existing BIDs
will be updated for previously known issues.
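For the directory traversal issue (CAN-2003-0940) the fix on the server side is to normalise the request path segment by segment and refuse any ".." that would climb above the document root, before touching the filesystem. The routine below is an added example, not web-tools code; it assumes the request path has already been percent-decoded (it does not decode "%2e%2e" itself) and uses a fixed limit of 64 kept segments.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_SEGS 64

/* Normalise `req` and join it under `root`.  Returns 0 and writes the joined
 * path to `out` when every ".." stays inside the root; returns -1 when the
 * path would climb above it, has too many segments, or does not fit `out`. */
int resolve_under_root(const char *root, const char *req, char *out, size_t outsz)
{
    const char *segs[MAX_SEGS];      /* start of each kept segment */
    size_t lens[MAX_SEGS];
    size_t depth = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/')
            p++;                                   /* collapse "//" */
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                              /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;                         /* ".." at the root: traversal */
            depth--;
            continue;
        }
        if (depth >= MAX_SEGS)
            return -1;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    size_t used = strlen(root);
    if (used >= outsz)
        return -1;
    memcpy(out, root, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outsz)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* constructed requests against a hypothetical document root */
    const char *reqs[] = {"/docs/index.html", "/docs/../index.html",
                          "/../outside.txt", "/a/./b//c"};
    char out[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (resolve_under_root("/srv/www", reqs[i], out, sizeof out) == 0)
            printf("%-22s -> %s\n", reqs[i], out);
        else
            printf("%-22s -> rejected\n", reqs[i]);
    }
    return 0;
}
```

Because the decision is made on the normalised segment list rather than on a substring search for "../", a request such as "/docs/../index.html" is still served (it never leaves the root) while "/../outside.txt" is refused.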

SqWebMail Session Hijacking Vulnerability
BugTraq ID: 9058
Remote: Yes
Date Published: Nov 17 2003
Relevant URL: http://www.securityfocus.com/bid/9058
Summary:
SqWebMail is a web-based e-mail application.

SqWebMail is prone to a vulnerability that may allow remote attackers to
hijack webmail sessions.  This vulnerability occurs if the victim user
follows a malicious link provided by an attacker via an e-mail that is
viewed from the webmail system.  This will permit an attacker to gain
unauthorized access to the user's session ID, which may be then used to
hijack the user's session, if it hasn't timed out.  It should be noted
that the session will time out after approximately 20-30 minutes.  The
source of the problem is likely that the session ID is being sent in the
HTTP REFERER to the malicious website when a link is visited from within
an e-mail, though this has not been confirmed.

SqWebMail is included in the Courier mail server, but is also available as
a stand-alone CGI application.
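Both this SqWebMail issue and the Web Database Manager session weakness (CAN-2003-0945) above share one root cause: a session identifier carried in the URL, which a browser then hands to any linked site in the Referer header, made worse when the identifier is also predictable. The code below is an added example, not SqWebMail, Courier or SAP DB code; it contrasts a counter-based identifier with one drawn from /dev/urandom, and adds a check that flags URLs whose query string carries a session parameter (the parameter name `sid` is a constructed placeholder).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Weak pattern the advisory warns about: a counter is predictable, so anyone
 * who sees one ID can guess its neighbours.  Kept for contrast only. */
unsigned long weak_sequential_id(unsigned long *counter)
{
    return ++*counter;
}

/* Strong pattern: 128 bits from the OS CSPRNG, hex-encoded (32 chars + NUL).
 * Returns 0 on success, -1 if /dev/urandom is unreadable or `out` is small. */
int generate_session_id(char *out, size_t outsz)
{
    unsigned char raw[16];
    if (outsz < 2 * sizeof raw + 1)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * sizeof raw] = '\0';
    return 0;
}

/* Return 1 if the URL's query string carries a parameter called `name`.
 * A browser sends the full URL, query string included, as the Referer when
 * the user follows a link, so a session token found here is exposed to the
 * linked site.  Carried in a cookie instead, it would not be. */
int url_carries_param(const char *url, const char *name)
{
    const char *q = strchr(url, '?');
    if (!q)
        return 0;
    q++;
    size_t nlen = strlen(name);
    while (*q) {
        if (strncmp(q, name, nlen) == 0 && q[nlen] == '=')
            return 1;
        const char *amp = strchr(q, '&');
        if (!amp)
            break;
        q = amp + 1;
    }
    return 0;
}

int main(void)
{
    char id[33];
    if (generate_session_id(id, sizeof id) == 0)
        printf("random session id: %s\n", id);
    /* constructed URL in the shape of the web-tools admin page above */
    const char *leaky = "http://www.example.com/waadmin.wa?sid=0123abcd";
    printf("%s -> %s\n", leaky,
           url_carries_param(leaky, "sid") ? "token exposed via Referer" : "clean");
    return 0;
}
```

A webmail or admin front end that must keep a token in a URL can at least hand the identifier out in a cookie and use `url_carries_param` as a regression check on the links it emits.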

OpenBSD IBCS2 Binary Length Parameter Kernel-Based Buffer Ov...
BugTraq ID: 9061
Remote: No
Date Published: Nov 17 2003
Relevant URL: http://www.securityfocus.com/bid/9061
Summary:
iBCS2 (Intel Binary Compatibility Specification 2) is a binary
compatibility format design commonly used by SCO and ISC binaries. The
iBCS2 kernel code is used to handle a variety of binaries, including the
COFF format. The COFF file header includes a number of fields including
the 's_scnptr' and 's_size' values, which are respectively a pointer to
section data and the size of that data.

A vulnerability has been discovered in the OpenBSD kernel code designed to
invoke iBCS2 binaries. The problem occurs within the ibcs2_exec.c source
file, specifically when reading in COFF section data.

The problem occurs during a call to the vn_rdwr() function, which copies
section data pointed to by 's_scnptr' into the 128 byte 'buf' array. The
problem lies in the fact that the 's_size' value, specified in the binary
is used as the size argument to the vn_rdwr() function call. Because no
sanity checks are carried out on this size value, data greater than that
of 'buf' may be copied into memory.

On OpenBSD 2.x-3.3 systems, it is possible to exploit this condition to
manipulate kernel control structures which can be leveraged to escalate
local privileges. However, it is said that exploitation of this condition
will cause a kernel panic on OpenBSD 3.4 systems. Although unconfirmed,
this may be due to the various memory protection schemes deployed in the
release of OpenBSD 3.4.
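The missing sanity check is a comparison of 's_size' against the 128-byte 'buf' before the read, together with a check that 's_scnptr' plus 's_size' lies inside the file, written so the addition itself cannot wrap. The code below is an added example and not the OpenBSD ibcs2_exec.c code: the two-field header struct and little-endian layout are constructed for illustration, and `read_section` stands in for the vn_rdwr() call on an in-memory image.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECBUF 128   /* size of the kernel 'buf' array named in the advisory */

/* Only the two fields the advisory names; constructed layout, not real COFF. */
struct section_hdr {
    uint32_t s_scnptr;   /* file offset of the section data */
    uint32_t s_size;     /* size of that data, taken from the untrusted binary */
};

/* Decode the constructed 8-byte little-endian header.  -1 if too short. */
int parse_section_hdr(const uint8_t *p, size_t n, struct section_hdr *h)
{
    if (n < 8)
        return -1;
    h->s_scnptr = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                  (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    h->s_size   = (uint32_t)p[4] | (uint32_t)p[5] << 8 |
                  (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    return 0;
}

/* Stand-in for the vn_rdwr() read: copy s_size bytes at s_scnptr from the
 * image into buf.  Returns the number of bytes copied, or -1 when the header
 * values would overflow buf or run past the end of the image. */
long read_section(const uint8_t *image, size_t image_len,
                  const struct section_hdr *h, uint8_t buf[SECBUF])
{
    /* 1. the check the advisory says is absent: fit the fixed destination */
    if (h->s_size > SECBUF)
        return -1;
    /* 2. the offset must lie inside the image ... */
    if (h->s_scnptr > image_len)
        return -1;
    /* 3. ... and so must the whole range; a subtraction, so that
     *    s_scnptr + s_size can never wrap around to a small value */
    if (h->s_size > image_len - h->s_scnptr)
        return -1;
    memcpy(buf, image + h->s_scnptr, h->s_size);
    return (long)h->s_size;
}

int main(void)
{
    /* constructed 256-byte image: header at offset 0, data after it */
    uint8_t image[256];
    memset(image, 0xAB, sizeof image);
    const uint8_t hdr[8] = {16, 0, 0, 0, 100, 0, 0, 0};  /* scnptr=16, size=100 */
    memcpy(image, hdr, sizeof hdr);

    struct section_hdr h;
    uint8_t buf[SECBUF];
    if (parse_section_hdr(image, sizeof image, &h) == 0)
        printf("s_scnptr=%u s_size=%u -> %ld bytes read\n",
               h.s_scnptr, h.s_size, read_section(image, sizeof image, &h, buf));

    struct section_hdr bad = {16, 4096};   /* claims more than buf holds */
    printf("s_size=4096 -> %ld (rejected)\n", read_section(image, sizeof image, &bad, buf));
    return 0;
}
```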

PostgreSQL 7.4 Release To Fix Several Security Vulnerabiliti...
BugTraq ID: 9066
Remote: Yes
Date Published: Nov 18 2003
Relevant URL: http://www.securityfocus.com/bid/9066
Summary:
PostgreSQL is a freely distributed Object-Relational DBMS.  It is
available for a number of platforms including Unix and Linux variants and
Microsoft Windows operating systems.

The PostgreSQL development group has reported the release of PostgreSQL
version 7.4.  This release contains feature and security enhancements.
The release also contains fixes for several potential security
vulnerabilities.  Issues fixed in this release include a contributed fix
for a condition where an ampersand character in an XML document could
trigger a violation in the PostgreSQL server and cause it to crash.  This
issue may be exploited to deny service to legitimate PostgreSQL users.

Additionally, a fix has been implemented that is designed to address a
condition where users without sufficient privileges may potentially
disable server log variables/logging that were added or enabled by the
administrator.  An attacker may potentially exploit this condition to hide
malicious activity.

This BID will be updated as further details regarding these
vulnerabilities are disclosed.

OpenBSD sysctl Local Denial of Service Vulnerability
BugTraq ID: 9073
Remote: No
Date Published: Nov 19 2003
Relevant URL: http://www.securityfocus.com/bid/9073
Summary:
Sysctl is used to set and retrieve the state of the kernel.

A denial of service vulnerability has been reported for OpenBSD,
specifically when handling malformed calls to sysctl. By invoking sysctl
and including a malformed 'old' parameter it is said to be possible to
trigger a kernel panic. This could be exploited by a malicious
unprivileged local user to crash a target system.

New information suggests that the condition occurs within the
uvm_vsunlock() function, which is called via sysctl. The problem appears
to occur when calling the trunc_page() function on the invalid pointer.
This new information also suggested that the CTL_KERN flag may not
explicitly be required to trigger the condition, however this has not yet
been confirmed.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated as further information is made
available.

FreeRADIUS Tag Field Heap Corruption Vulnerability
BugTraq ID: 9079
Remote: Yes
Date Published: Nov 20 2003
Relevant URL: http://www.securityfocus.com/bid/9079
Summary:
FreeRADIUS is a freely available, open source implementation of the RADIUS
protocol.  It is available for the Unix and Linux platforms.

A problem has been identified in the handling of tag field input by
FreeRADIUS.  Because of this, an attacker may be able to deny service to
legitimate users of a vulnerable FreeRADIUS server.

The problem is in the handling of tag field input when supplied with
specific constructs.  By supplying a malicious tag field to the server, an
attacker could force the invocation of the memcpy function with a negative
value.  This could potentially cause an error, resulting in the
overwriting of heap structures with roughly 3840 bytes of
attacker-supplied data.

Due to the method in which memcpy can be invoked, this vulnerability is
likely limited to resulting in a remote denial of service against
vulnerable servers.  This is because of the casting of the length
parameter of the memcpy function, which will interpret the negative value
as an overly large unsigned integer. As a result, an attempt to access an
excessive amount of heap memory will occur, likely resulting in the
dereferencing of invalid memory.  However, the possibility exists that
this issue could be exploited to execute code with the privileges of the
FreeRADIUS server process.

This issue was initially reported as a vulnerability in how the
"Tunnel-Password" attribute in Access-Request packets is handled.  The
issue turned out to have wider scope, affecting tag field input in
general.

This vulnerability affects version 0.4.0 through 0.9.2.
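The mechanism described above, a negative length reaching memcpy and being read as a huge unsigned count, comes from subtracting a fixed header size from an attribute's own length byte without first checking that the byte is at least that large. The code below is an added example rather than FreeRADIUS code: it reproduces the arithmetic that goes wrong and then shows the extraction with the length validated before any subtraction. It assumes the RADIUS attribute layout of type byte, length byte (which counts itself and the type) and, for tagged attributes, one tag byte ahead of the value; the attribute type byte in the samples is a constructed value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAGGED_HDR 3        /* type, length, tag */
#define VALUE_MAX 253       /* 255 (max length byte) minus type and length bytes */

/* The failure mode, in arithmetic only: the value length of a tagged
 * attribute is derived by subtracting the header size from the attribute's
 * length byte, so a length below 3 yields a negative int. */
int naive_value_len(uint8_t attr_len)
{
    return (int)attr_len - TAGGED_HDR;        /* may be negative */
}

/* What memcpy() receives when that int is passed as its size_t argument:
 * -1 converts to SIZE_MAX, hence the attempt to touch far too much heap. */
size_t as_memcpy_would_see(int len)
{
    return (size_t)len;
}

/* Hardened extraction of a tagged attribute's value.  Returns the value
 * length (>= 0) and copies the value into out, or -1 if the attribute is
 * malformed: header shorter than 3 bytes, length byte claiming more than was
 * received, or a value larger than the destination. */
int extract_tagged_value(const uint8_t *attr, size_t avail,
                         uint8_t *out, size_t outsz, uint8_t *tag)
{
    if (avail < TAGGED_HDR)
        return -1;                            /* not even a full header */
    size_t attr_len = attr[1];
    if (attr_len < TAGGED_HDR)
        return -1;                            /* the negative case, rejected */
    if (attr_len > avail)
        return -1;                            /* length byte overstates the packet */
    size_t vlen = attr_len - TAGGED_HDR;      /* cannot underflow now */
    if (vlen > outsz)
        return -1;
    *tag = attr[2];
    memcpy(out, attr + TAGGED_HDR, vlen);
    return (int)vlen;
}

int main(void)
{
    printf("length byte 2 -> naive value length %d -> memcpy size %zu\n",
           naive_value_len(2), as_memcpy_would_see(naive_value_len(2)));

    /* constructed attributes: type byte 0x01 is a placeholder */
    const uint8_t good[]  = {0x01, 7, 1, 'a', 'b', 'c', 'd'};
    const uint8_t runt[]  = {0x01, 2, 1};
    uint8_t out[VALUE_MAX], tag;
    printf("well-formed -> %d bytes\n",
           extract_tagged_value(good, sizeof good, out, sizeof out, &tag));
    printf("length byte 2 -> %d (rejected)\n",
           extract_tagged_value(runt, sizeof runt, out, sizeof out, &tag));
    return 0;
}
```

Doing the comparison on the raw length byte, before the subtraction, is what keeps the computed length in size_t from ever being the wrapped value that the casting in the original code turned into a read of far too much heap.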
