[gull-annonces] Résumé SecurityFocus Newsletter #219

Marc SCHAEFER schaefer at alphanet.ch
Thu Oct 23 18:11:02 CEST 2003


IRCnet IRCD Local Buffer Overflow Vulnerability
BugTraq ID: 8817
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8817
Summary:
IRCnet IRCD is an IRC implementation that is available for a number of
platforms including Linux/Unix variants.

IRCnet IRCD has been reported prone to a buffer overflow vulnerability
that may be exploited by local users. The issue likely presents itself due
to a lack of sufficient bounds checking performed on user-supplied data
before it is copied into a reserved buffer in memory. Supplied data that
exceeds the size of the affected buffer may overrun its bounds and corrupt
adjacent memory. This issue may be exploited to crash the affected server.
Although unconfirmed, due to the nature of this vulnerability it has been
conjectured that a local attacker may also leverage this condition to
potentially have arbitrary instructions executed in the context of the
affected server.

This vulnerability has been reported to affect all versions of IRCnet IRCD
in the 2.10 development tree up to and including 2.10.3p3.

mIRC DCC SEND Buffer Overflow Vulnerability
BugTraq ID: 8818
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8818
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems.

A vulnerability has been reported to exist in mIRC that may allow a remote
attacker to crash a vulnerable mIRC client. The condition is most likely
present due to insufficient boundary checking performed on 'DCC SEND'
requests.

It has been reported that when received, a malicious 'DCC SEND' request
can trigger a fatal error and cause an affected mIRC client to crash. The
'DCC SEND' request can be sent to a channel or a specific targeted user.
Although unconfirmed, due to the nature of this vulnerability it has been
conjectured that a remote attacker may potentially leverage this issue to
have arbitrary code executed in the context of the affected mIRC client.

mIRC versions 6.1 and 6.11 have been reported to be prone to this issue,
however other versions may be affected as well.

mIRC IRC URL Buffer Overflow Vulnerability
BugTraq ID: 8819
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8819
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems. When mIRC is installed it registers a handler for
an 'irc://' type of URL. Through these means, mIRC is invoked when an 'IRC
URL' is followed.

mIRC has been reported prone to a buffer overflow vulnerability when
handling malicious 'IRC URLs'. Specifically when an IRC URL of >998 bytes
is clicked by a user running a vulnerable version of mIRC.

The issue likely presents itself due to a lack of sufficient boundary
checks performed when IRC URL data is being copied into an insufficient
buffer in memory. Data that exceeds the size of the reserved buffer will
overrun its bounds and corrupt adjacent memory. Because memory adjacent to
the affected buffer is used to store a saved instruction pointer, an
attacker may influence execution flow of the affected client into attacker
controlled memory. This may ultimately allow the attacker to execute
arbitrary instructions in the context of the user running the affected
client.

mIRC version 6.1 has been reported to be prone to this issue, however
other versions may be affected as well.

Apache Mod_Throttle Module Local Shared Memory Corruption Vu...
BugTraq ID: 8822
Remote: No
Date Published: Oct 14 2003
Relevant URL: http://www.securityfocus.com/bid/8822
Summary:
The mod_throttle Apache module is an application developed by snert.com. It
is designed to reduce the load used when handling specified server
requests. mod_throttle is available for the BSD, Linux, and Solaris
operating systems.

The mod_throttle Apache module is said to be prone to a vulnerability that
could allow for local privilege elevation. The problem occurs due to the
mod_throttle module incorrectly storing critical data within shared memory
that is accessible by a user with 'apache' privileges. As a result, an
attacker may be capable of corrupting memory pointers and a data file
located in a shared memory segment. These pointers may have previously
pointed to internal module procedures or may point to critical data
required to unload the module while Apache is terminating.

This could ultimately lead to privilege elevation during the startup or
shutdown procedures of Apache, ultimately allowing for an attacker to gain
root privileges.

To successfully exploit this issue, it has been reported that an attacker
must somehow cause Apache to reload its configuration file. As a result,
this vulnerability may be exploited in conjunction with the issue
described in BID 5884. Other methods of loading the configuration file may
also be used.

Apache Tomcat Non-HTTP Request Denial Of Service Vulnerabili...
BugTraq ID: 8824
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8824
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by
Apache as part of the Jakarta project.

Apache Tomcat 4 has been reported prone to a remotely triggered denial of
service vulnerability when handling undisclosed non-HTTP request types.

It has been reported that when certain specific non-HTTP request types are
handled by the Tomcat HTTP connector the Tomcat server will reject
subsequent requests on the affected port until the service is restarted.

A remote attacker may exploit this condition to deliberately prevent the
affected server from handling requests, effectively denying service to
legitimate users.

It should be noted that this vulnerability has been reported for Tomcat
4.0.x versions.

DBMail IMAP Service SQL Injection Vulnerability
BugTraq ID: 8829
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8829
Summary:
dbmail is a set of applications used for storing and retrieving e-mail
messages from a database.  dbmail supports MySQL or PostgreSQL databases.

A vulnerability has been reported to exist in dbmail IMAP service that may
allow a remote attacker to inject malicious SQL syntax into database
queries. The source of this issue is insufficient sanitization of
user-supplied input.

The problem is reported to exist in various parameters such as username
and password. It has been reported that the vulnerable parameters are not
sanitized for user-supplied input before it is included in the database. A
remote attacker may exploit this issue to influence SQL query logic while
attempting to authenticate to the server.

A malicious user may influence database queries in order to view or modify
sensitive information, potentially compromising the software or the
database.

dbmail versions 1.1 and prior have been reported to be prone to this
issue, however other versions may be affected as well.
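The defect class described above, as an added illustration that is not DBMail's code: an IMAP LOGIN handler whose username and password are spliced into the SQL text, beside the same check using bound parameters. The in-memory users table and the plaintext password column are constructed for the demo only.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the MySQL/PostgreSQL backend
    # (hypothetical schema; plaintext passwords only to keep the demo short).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # The LOGIN arguments become part of the SQL text, so a quote character
    # in the username rewrites the query: "alice' --" comments out the
    # password comparison and the check succeeds without the password.
    sql = ("SELECT userid FROM users WHERE userid = '%s' AND passwd = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password):
    # Bound parameters are sent separately from the statement text, so the
    # same input is compared as a literal string and simply fails to match.
    sql = "SELECT userid FROM users WHERE userid = ? AND passwd = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def imap_login(db, line, check):
    # Minimal tagged IMAP LOGIN handler: "<tag> LOGIN <user> <pass>".
    # Arguments are taken unquoted here; real IMAP also allows quoted strings.
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[1].upper() != "LOGIN":
        return "%s BAD LOGIN syntax" % parts[0]
    tag, _, user, pw = parts
    if check(db, user, pw):
        return "%s OK LOGIN completed" % tag
    return "%s NO LOGIN failed" % tag
```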

Linksys BEFSX41 EtherFast Router Log Viewer Denial Of Servic...
BugTraq ID: 8834
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8834
Summary:
Linksys Instant Broadband EtherFast Cable/DSL Firewall Router with 4-Port
Switch/VPN Endpoint is a hardware router targeted at home and small office
users.

Linksys BEFSX41 EtherFast Routers are prone to a denial of service.  This
issue is exposed via the log viewer in the web administrative interface.
By submitting an invalid value for the "Log_Page_Num" parameter, it is
possible to trigger this condition, causing the router to be unresponsive.
The log viewer is implemented via Group.cgi.  The following example was
provided to demonstrate the issue:

http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0

While exploitation does require a logged in administrative user to submit
a request to the log viewer with malformed parameters, it is possible that
the admin could be tricked into visiting a malicious URI that exploits the
issue.  The URI could be embedded in an image tag in a web page that the
administrative user visits.  Due to the router being at a predictable
address and many router commands being submitted via HTTP GET requests, it
may also be possible to use this type of attack to trick a logged
administrative user into executing other router commands.  This has not
been confirmed.

[ hardware ]
