[gull-annonces] Summary of SecurityFocus Newsletter #217

Marc SCHAEFER schaefer at alphanet.ch
Tue Oct 7 13:11:01 CEST 2003


SMC Router Random UDP Packet Denial Of Service Vulnerability
BugTraq ID: 8711
Remote: Yes
Date Published: Sep 26 2003
Relevant URL: http://www.securityfocus.com/bid/8711
Summary:
The SMC SMC2404WBR Barricade Turbo 11/22 Mbps Wireless Cable/DSL
Broadband Router is routing hardware that is intended to be deployed in
home or small office networks.

A denial of service has been reported in the SMC SMC2404WBR Barricade
Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router.  It is possible to
trigger this condition by sending UDP packets randomly to ports 0-65000.
The impact of the issue seems to vary: sometimes the router will need a
"soft reset" to regain normal functionality, and sometimes a "hard reset"
will be required.  The time it takes for the router to recover after being
reset may also vary.  In any of these cases, the availability of a network
which depends on the router will be denied to legitimate users.

This condition was reportedly reproduced using one of the exploits for BID
8525.

The SMC7004VWBR router is also affected by this vulnerability.
SMC7004VWBR firmwares are reportedly affected even when security features
such as Stateful Packet Inspection, Anti-DoS and UDP sessions are enabled.
This may also be the case with other routers.

[ hardware ]

Webfs HTTP Server Information Disclosure Vulnerability
BugTraq ID: 8724
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8724
Summary:
WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

An information disclosure vulnerability has been discovered in Webfs HTTP
server. The problem occurs due to insufficient sanitization of
user-supplied hostnames when accessing virtual hosts. Specifically,
placing dot-dot (..) sequences within a requested hostname can effectively
trigger this issue.

An attacker exploiting this issue may be capable of viewing the contents
of directories and files outside of the established web root.  This issue
may only exist if the server has been configured to use virtual hosting.
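
The root cause above is a virtual-host name being used as a directory name without validation. As an added example (not WebFS code; the document root `/srv/www` and the function names are assumptions for illustration), the following Python shows how a static server can validate a `Host` header before mapping it to a per-vhost directory: only plain DNS labels are accepted, so `..`, `/` and empty labels are rejected before any filesystem access, and the resulting path is additionally checked to remain inside the document root.

```python
import os
import re

# Constructed document root for the example; WebFS' real layout is not assumed.
DOCROOT = "/srv/www"

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters. Anything else (including ".", "/" and "..") fails.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(host_header):
    """Lower-case and validate a Host header for use as a directory name.
    Returns the hostname, or None if it is not a plain DNS name."""
    if host_header is None:
        return None
    host = host_header.strip().lower()
    # Drop an optional ":port" suffix; the port itself must be numeric.
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    if not host or len(host) > 253:
        return None
    # Splitting on "." turns "a..b" into an empty label and "a/b" into a label
    # containing "/"; both fail the label pattern, so traversal sequences never
    # reach the filesystem.
    return host if all(_LABEL.match(label) for label in host.split(".")) else None


def vhost_dir(host_header, docroot=DOCROOT):
    """Map a Host header to the per-vhost directory under docroot, or None.
    As defence in depth, the lexically normalized path is checked to lie
    inside docroot even though normalize_host() already rejects bad names."""
    host = normalize_host(host_header)
    if host is None:
        return None
    path = os.path.normpath(os.path.join(docroot, host))
    if not path.startswith(os.path.join(docroot, "")):
        return None
    return path


if __name__ == "__main__":
    for h in ("www.example.com:8080", "../../etc", "www..example.com"):
        print("%-22s -> %s" % (h, vhost_dir(h)))
```

The allow-list approach (accept only what a hostname may contain) is preferable to stripping `..` sequences, because an attacker-supplied name has many other ways of not being a valid directory component.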

Apache2 MOD_CGI STDERR Denial Of Service Vulnerability
BugTraq ID: 8725
Remote: No
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8725
Summary:
Apache HTTP Server is an open-source web server designed to run on a
number of different platforms.

Apache2 has been reported prone to a denial-of-service vulnerability. The
issue has been reported to present itself when a CGI script outputs 4k or
greater of data to STDERR. If this condition occurs the execution of the
script will reportedly pause indefinitely due to a locked write() call in
mod_cgi. Because Apache2 is waiting for further input from the malicious
CGI application, the httpd process may hang. When the maximum connection
limit is reached, Apache will no longer service requests, effectively
denying service to legitimate users.

This issue has been reported to affect Apache 2.0.47. Previous versions
may also be affected.
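
The hang described above is the classic pipe deadlock: the parent waits for the child's stdout while the child is blocked in write() because nobody is draining its stderr pipe. As an added example (not Apache or mod_cgi code; the function names, the 64 KiB stderr cap and the constructed child program are assumptions), the following Python shows the defensive pattern for a CGI-style runner: both pipes are serviced in a single select() loop, stderr beyond a cap is read and discarded rather than left unread, and a child that produces nothing for too long is killed instead of holding the worker forever.

```python
import os
import select
import subprocess
import sys

STDERR_CAP = 64 * 1024  # constructed limit: keep at most this much of stderr


def run_cgi(argv, stderr_cap=STDERR_CAP, timeout=10.0):
    """Run a CGI-style child, draining stdout and stderr together.

    Returns (returncode, stdout_bytes, stderr_kept, stderr_total).
    Draining both pipes in one select() loop means the child can never block
    on a full stderr pipe while the parent waits on stdout.
    """
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = bytearray(), bytearray()
    err_total = 0
    open_fds = {proc.stdout.fileno(): "out", proc.stderr.fileno(): "err"}
    while open_fds:
        ready, _, _ = select.select(list(open_fds), [], [], timeout)
        if not ready:
            # Nothing arrived within the timeout: do not hang the worker.
            proc.kill()
            proc.wait()
            raise TimeoutError("CGI child produced no output within timeout")
        for fd in ready:
            chunk = os.read(fd, 65536)
            if not chunk:
                del open_fds[fd]   # EOF on this pipe
                continue
            if open_fds[fd] == "out":
                out += chunk
            else:
                err_total += len(chunk)
                # Keep only the head of stderr; the rest is read and dropped,
                # so the child's write() never blocks on a full pipe.
                room = stderr_cap - len(err)
                if room > 0:
                    err += chunk[:room]
    rc = proc.wait(timeout=timeout)
    proc.stdout.close()
    proc.stderr.close()
    return rc, bytes(out), bytes(err), err_total


def noisy_child_argv(n_err_bytes):
    """argv for a constructed child that floods stderr with n_err_bytes before
    writing a short body to stdout, mimicking the misbehaving CGI script."""
    code = ("import sys; sys.stderr.write('e' * %d); sys.stderr.flush(); "
            "sys.stdout.write('ok'); sys.stdout.flush()") % n_err_bytes
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    rc, body, err_head, err_total = run_cgi(noisy_child_argv(200_000))
    print("rc=%d body=%r stderr kept %d of %d bytes" % (rc, body, len(err_head), err_total))
```

If the parent instead called `proc.stdout.read()` first and only looked at stderr afterwards, the constructed child would block on its stderr write as soon as the kernel pipe buffer filled (a few KiB on older systems, 64 KiB on current Linux) and the parent would wait forever on stdout, which is the mod_cgi behaviour the advisory describes.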

WebFS Long Pathname Buffer Overrun Vulnerability
BugTraq ID: 8726
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8726
Summary:
WebFS is a simple web server that serves static content. It is available
for Linux and Unix variant operating environments.

It has been discovered that WebFS is prone to a buffer overrun
vulnerability when handling path names of excessive length. As a result,
an attacker may be capable of triggering the condition and overwriting
sensitive memory with malicious data. This could ultimately allow for the
execution of arbitrary code with the privileges of the WebFS HTTP server.

It should be noted that for this condition to occur, an attacker must have
the ability to create directories on the affected system. This may be
accomplished by obtaining legitimate credentials, which allow for such
access, or possibly through the exploitation of another unrelated
vulnerability such as that described in BID 8724.

OpenSSL ASN.1 Parsing Vulnerabilities
BugTraq ID: 8732
Remote: Yes
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8732
Summary:
Multiple vulnerabilities were reported in the ASN.1 parsing code in
OpenSSL.  OpenSSL does not directly implement ASN.1 but does use ASN.1
objects in X.509 certificates and various other cryptographic elements.
The following issues were reported:

Two flaws in the ASN.1 parser could lead to denial of service attacks.

The first bug may be exploited to cause an out of bounds read operation to
occur, most likely resulting in a denial of service.  This can be
triggered by a malformed or unusual ASN.1 tag value.  The second of the
described bugs occurs if an application is configured to ignore public key
decode errors (specifically the
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY error).  This is reportedly
not a common configuration in production setups but some applications may
ignore decode errors for debugging reasons.  As a result, the impact and
exposure will vary depending on the targeted application and some
applications may be more vulnerable to attacks than others.  Remote
attackers can exploit this issue with a maliciously crafted SSL client
certificate.  CAN-2003-0543 and CAN-2003-0544 correspond to these two
denial of service issues.  The issues are reported to exist in SSLeay and
OpenSSL versions prior to 0.9.7c or 0.9.6k.

Another vulnerability related to ASN.1 parsing was reported in OpenSSL
0.9.7.  ASN.1 encodings that are rejected by the parser due to being
invalid may potentially trigger a memory management error.  In particular,
a double free may result due to an ASN.1 structure (ASN1_TYPE) being
deallocated incorrectly.  This reportedly could be leveraged to corrupt
stack memory.  In this manner, sensitive stack variables such as
instruction pointers could be overwritten with attacker-supplied values.
The issue could be exploited by remote attacks via a maliciously crafted
SSL client certificate.  This issue has been assigned CVE name
CAN-2003-0545.

An additional weakness was reported that may aid in exploitation of these
issues.  In some circumstances, a client may force a server to parse a
client certificate when one has not been specifically requested.  This
could even occur with server implementations that don't enable client
authentication.

Any applications which use the OpenSSL ASN.1 library to handle external
data may present an attack vector for these vulnerabilities.

These issues are pending further analysis and will be separated into
individual BIDs when analysis is complete.

OpenSSL SSLv2 Client_Master_Key Remote Denial Of Service Vul...
BugTraq ID: 8746
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8746
Summary:
OpenSSL is an open source implementation of the SSL protocol.

OpenSSL SSLv2 has been reported prone to a remotely triggered denial of
service when processing a specially crafted malicious CLIENT_MASTER_KEY
message.

It has been reported that a remote attacker may use a maliciously crafted
CLIENT_MASTER_KEY message to influence the execution flow of a vulnerable
service implementing SSLv2 into a die() procedure. This will effectively
cause the affected process to abort, denying service to legitimate users.

An attacker may flood an affected service with malicious CLIENT_MASTER_KEY
messages, persistently denying service for legitimate users. Other attacks
may also be possible. The impact and exposure may vary depending on the
particular applications that use vulnerable OpenSSL libraries.

This vulnerability is not reported to be present in OpenSSL versions
greater than 0.9.6f of the 0.9.6 series of releases, because the use of
the die() procedure is no longer implemented.  It is not known whether the
0.9.7 series is also affected.

FreeBSD Kernel ProcFS Handler UIO_Offset Integer Overflow Vu...
BugTraq ID: 8748
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8748
Summary:
All versions of the FreeBSD kernel have been reported prone to an integer
overflow vulnerability. The issue presents itself in the procfs handling
procedures, and has been reported to be due to a lack of sufficient sanity
checks performed on 'uio' offset parameters.

It has been reported that a local attacker may exploit this condition
because it is possible to indirectly influence the value for the 'uio'
offset. Ultimately an attacker may trigger an integer overflow or
underflow condition. This may result in a read attempt from non-resident
kernel memory, triggering a kernel panic and effectively denying service
to legitimate users. A local attacker may also exploit this issue to
disclose potentially sensitive data stored in regions of memory that would
otherwise be restricted.

This issue has been reported to be exploitable on systems that have procfs
enabled.

FreeBSD Kernel Readv() Integer Overflow Vulnerability
BugTraq ID: 8749
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8749
Summary:
A local vulnerability has been discovered within the FreeBSD kernel. The
problem occurs within the readv() system call, which is used to read data
and scatter it into an arbitrary number of buffers specified by an
argument.

When a file is accessed by a system call in FreeBSD, such as open() or
dup2(), the reference counter (f_count) for that file is incremented using
the fhold() function and when access is complete the counter is
decremented by fdrop().

It has been discovered that the readv() system call fails to call the
fdrop() function after a specific procedure had previously triggered a
call to fhold(). As a result, by triggering a large number of calls to
fhold() in a call to readv(), it may be possible to cause the f_count
integer value to wrap.

It has been reported that this integer overflow can be triggered by
supplying an overly large iovcnt variable in a call to readv(). As a
result, an attacker may potentially be capable of triggering kernel memory
corruption. This could ultimately result in a system panic or could
possibly be leveraged to elevate local privileges to that of the root
user.

FortiGate Firewall Web Filter Logs HTML Injection Vulnerabil...
BugTraq ID: 8750
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8750
Summary:
FortiGate is a series of commercial firewall appliances that run an
embedded operating system called FortiOS.

The FortiGate web interface is prone to an HTML injection vulnerability.
Denied requests are logged into a web filter log which is viewable through
the web administrative interface.  HTML and script code will not be
sanitized when these requests are logged.  To exploit this issue, the
attacker must construct a request for a resource that will be denied by
the firewall, based on the policies defined on the targeted firewall.
Malicious code could then be embedded in the request, which will be logged
as part of the request.

An attacker could exploit this to cause hostile code to be rendered in the
browser of an administrative user who views the logs.  This could result
in theft of cookie-based authentication credentials from the firewall
administrator, potentially allowing for firewall compromise.  Since the
attacker can control how the logs will be rendered to the administrator,
it is also possible to spoof or conceal log entries.

This issue reportedly exists in FortiOS releases prior to 2.50MR4.

[ hardware ]
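
The defect above is a log viewer that writes attacker-controlled fields straight into the administrator's page. As an added example (not FortiOS code; the log format, field names and sample entries are constructed for illustration), the following Python shows the vulnerable rendering beside the hardened one, where every untrusted field is HTML-escaped before it reaches the page, plus a small detection helper that flags log entries containing markup so that such requests can be noticed before anyone opens the log in a browser.

```python
import html

# Constructed web-filter log entries. The third one carries markup in the
# URL field, as a request for a resource denied by policy might.
SAMPLE_LOG = [
    {"time": "2003-10-02 10:00:01", "src": "192.0.2.10",
     "url": "http://example.com/games/", "action": "blocked"},
    {"time": "2003-10-02 10:00:05", "src": "192.0.2.11",
     "url": "http://example.com/news/", "action": "blocked"},
    {"time": "2003-10-02 10:00:09", "src": "192.0.2.12",
     "url": "http://example.com/<script>alert(1)</script>", "action": "blocked"},
]

FIELDS = ("time", "src", "url", "action")


def render_row_unsafe(entry):
    """Vulnerable form: fields are concatenated straight into HTML, so markup
    in the logged URL becomes part of the page the administrator views."""
    return "<tr>" + "".join("<td>%s</td>" % entry[k] for k in FIELDS) + "</tr>"


def render_row_safe(entry):
    """Hardened form: every untrusted field is escaped. quote=True also
    escapes quotes, which keeps the value safe inside attributes too."""
    cells = (html.escape(str(entry[k]), quote=True) for k in FIELDS)
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def render_table(entries, renderer):
    """Render the whole log with the chosen row renderer."""
    return "<table>\n" + "\n".join(renderer(e) for e in entries) + "\n</table>"


def markup_survives(rendered, entries):
    """Check whether any raw URL containing angle brackets appears verbatim in
    the rendered page, i.e. whether the viewer would execute it as markup."""
    return any(e["url"] in rendered for e in entries
               if "<" in e["url"] or ">" in e["url"])


def flag_markup_entries(entries):
    """Detection: indices of entries whose URL contains HTML metacharacters.
    Useful for alerting on attempts to seed the log with active content."""
    return [i for i, e in enumerate(entries)
            if any(ch in e["url"] for ch in "<>\"'")]


if __name__ == "__main__":
    print(render_table(SAMPLE_LOG, render_row_safe))
    print("entries with markup:", flag_markup_entries(SAMPLE_LOG))
```

Escaping at render time is the right place for the fix: the log should keep the request exactly as received (the raw value is evidence), and it is the viewer that must treat it as data rather than markup.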

Inter7 VPopMail Configuration File Insecure Default Permissi...
BugTraq ID: 8751
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8751
Summary:
vpopmail is a freely available, open source virtual domain handling
software package.  It is available for the Unix and Linux operating
systems.

A problem has been identified in the default configuration of vpopmail.
Because of this, an attacker may be able to gain access to potentially
sensitive information.

The problem is in the creation of the configuration file.  When vpopmail
is compiled with MySQL support, authentication data is stored in the
/etc/vpopmail.conf file.  This file is created with world-readable
permissions, which may reveal sensitive information such as authentication
credentials for the database.  An attacker could use these credentials to
potentially gain access to the database as the vpopmail database user.

This problem has been reported on Gentoo Linux, but may affect other
operating systems.
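
A world-readable credentials file is straightforward to detect and correct. As an added example (not vpopmail code; the audit function, the constructed demo file and its sample content are assumptions for illustration), the following Python audits a list of configuration files that are expected to hold secrets, reports any that are readable or writable by group or others (or missing), and tightens the mode to owner-only. Pointing it at `/etc/vpopmail.conf` would be the practical use on an affected system.

```python
import os
import stat
import tempfile


def audit_secret_files(paths):
    """Return a list of (path, octal_mode_or_None, problem) for files that
    are readable or writable beyond their owner, or that do not exist.
    Intended for configuration files holding credentials, such as the
    /etc/vpopmail.conf file described above."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append((p, None, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if mode & stat.S_IROTH:
            problems.append("world-readable")
        if mode & stat.S_IWOTH:
            problems.append("world-writable")
        if mode & stat.S_IRGRP:
            problems.append("group-readable")
        if mode & stat.S_IWGRP:
            problems.append("group-writable")
        if problems:
            findings.append((p, oct(mode), ", ".join(problems)))
    return findings


def harden(path):
    """Restrict a secret-bearing file to its owner (rw-------)."""
    os.chmod(path, 0o600)


def make_demo_file(mode=0o644):
    """Create a constructed stand-in for a vpopmail.conf with the insecure
    default mode; the content is a placeholder, not real credentials."""
    fd, path = tempfile.mkstemp(prefix="vpopmail-demo-")
    os.write(fd, b"# constructed example, not a real configuration\n"
                 b"MYSQL_USER=vpopmail\nMYSQL_PASSWORD=placeholder\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    demo = make_demo_file()
    print("before:", audit_secret_files([demo]))
    harden(demo)
    print("after: ", audit_secret_files([demo]))
    os.remove(demo)
```

Reading the bits with `stat.S_IMODE` rather than comparing the whole `st_mode` keeps the check independent of the file type bits, and reporting each offending bit separately makes the finding actionable in an audit log.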
