[gull-annonces] Summary of SecurityFocus Newsletter #220

Marc SCHAEFER schaefer at alphanet.ch
Mon Oct 27 23:31:02 CET 2003


Eric S. Raymond Fetchmail Unspecified Denial of Service Vuln...
BugTraq ID: 8843
Remote: Yes
Date Published: Oct 16 2003
Relevant URL: http://www.securityfocus.com/bid/8843
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is
maintained by Eric S. Raymond.

A vulnerability has been reported to be present in the software that may
allow an attacker to cause a denial of service condition in Fetchmail
6.2.4.  It has been reported that the problem presents itself when a
specially crafted e-mail message is sent to fetchmail.  The precise nature
of this vulnerability is not known at the moment due to a lack of details,
however exploitation of this issue may allow an attacker to cause the
software to crash.  Although unconfirmed, it may be possible to execute
arbitrary code on a vulnerable system.

This vulnerability may be related to known issues; however, this has not
been confirmed by Symantec. This BID and any other applicable BIDs will be
updated as further information becomes available.

Fetchmail 6.2.4 has been reported to be prone to this issue; however, other
versions may be vulnerable as well.

Multiple GDM Local Denial Of Service Vulnerabilities
BugTraq ID: 8846
Remote: No
Date Published: Oct 17 2003
Relevant URL: http://www.securityfocus.com/bid/8846
Summary:
Gnome Display Manager (GDM) is a utility harnessed by Gnome to manage
various functions when interfacing with X.

GDM has been reported prone to multiple denial of service vulnerabilities
that may be triggered by a local attacker.

It has been reported that GDM does not perform sufficient restrictions on
data that it receives. A local attacker may send excessive amounts of data
to GDM and cause memory resources to be exhausted until the kernel
terminates the process of the affected GDM.

Additionally, a separate issue has been reported to affect GDM that may be
exploited by a local attacker to trigger a denial of service of the GDM
utility. The issue has been reported to present itself due to an error
while handling queries, for example version queries or authentication
responses. It has been reported that an attacker may invoke a query
request against GDM and not read the reply, thus triggering GDM into
filling its send buffer. This will have the effect of preventing GDM from
accepting new logins.

A local attacker may exploit these vulnerabilities to deny service to GDM
for legitimate users.

Explicit details regarding this vulnerability are not currently available;
this BID will be updated when further details are released or when a more
exhaustive investigation into this condition has been completed.

Emule Web Control Panel HTTP Login Long Password Denial of S...
BugTraq ID: 8854
Remote: Yes
Date Published: Oct 20 2003
Relevant URL: http://www.securityfocus.com/bid/8854
Summary:
eMule is a freely available, open source peer-to-peer file sharing
application. eMule uses the eDonkey file sharing protocol. It is available
for the BSD, Linux, and Microsoft Windows operating systems. eMule includes a
web control panel that allows users to log in to the server over the web.

It has been reported that the eMule Web Control Panel HTTP login mechanism
may be prone to denial of service attacks. Reports indicate that the eMule
program expects that login credentials will be received only from the
trusted login form. Specifically, no more than 12 password characters are
expected to be received, and as such eMule does not carry out bounds
checking on this data. However, the eMule login mechanism is said to not
validate the origin of login form information received.

As a result, an attacker may be capable of constructing malicious HTML
form data to transmit excessive password data to the program. Due to
insufficient bounds checking, this will effectively cause memory
corruption and trigger a denial of service. Reports indicated that
password data in excess of 500 to 1000 bytes may be required to trigger
the issue.

It should be noted that, due to the nature of this vulnerability, this
could theoretically lead to arbitrary code execution. This has not been
confirmed however.
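
As an added illustration (not eMule's code; the page gives no source), the C sketch below contrasts the pattern the advisory describes, a copy into a 12-character buffer that trusts the HTML form to have limited the length, with a version that enforces the limit server-side. The form-body layout, the function names and the 2048-byte cap in the constructed-input helper are assumptions for this example.

```c
#include <string.h>

#define MAX_PASSWORD 12   /* the 12-character limit the advisory says eMule expects */

/* Locate the value of "password=" in a url-encoded form body: returns its start and
 * sets *len to its length (up to the next '&' or the end), or NULL if absent.
 * URL-decoding is omitted; the point of this example is the length handling. */
const char *find_password(const char *body, size_t *len) {
    const char *p = strstr(body, "password=");
    if (!p) return NULL;
    p += 9;
    const char *end = strchr(p, '&');
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Pattern the advisory describes: the server trusts that its own login form capped
 * the field at 12 characters, so the copy into the fixed buffer has no bounds check
 * and a hand-built POST with a 1000-byte password overruns pw[]. Contrast only. */
int login_vulnerable(const char *body) {
    char pw[MAX_PASSWORD + 1];
    size_t len;
    const char *v = find_password(body, &len);
    if (!v) return -1;
    memcpy(pw, v, len);            /* BUG: len is client-controlled */
    pw[len] = '\0';
    return (int)strlen(pw);        /* stand-in for the real credential check */
}

/* Fixed: enforce the limit server-side, whatever the HTML form promised. */
int login_fixed(const char *body) {
    char pw[MAX_PASSWORD + 1];
    size_t len;
    const char *v = find_password(body, &len);
    if (!v) return -1;
    if (len > MAX_PASSWORD) return -2;   /* reject over-length input outright */
    memcpy(pw, v, len);
    pw[len] = '\0';
    return (int)strlen(pw);
}

/* Constructed input: a body whose password is n 'A' bytes, run through login. */
int try_password_of_length(int (*login)(const char *), size_t n) {
    static char body[9 + 2048 + 1];
    if (n > 2048) return -3;
    memcpy(body, "password=", 9);
    memset(body + 9, 'A', n);
    body[9 + n] = '\0';
    return login(body);
}
```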

Origo ADSL Router Remote Administrative Interface Configurat...
BugTraq ID: 8855
Remote: Yes
Date Published: Oct 20 2003
Relevant URL: http://www.securityfocus.com/bid/8855
Summary:
Origo ADSL routers are a broadband connectivity solution distributed and
maintained by Origo.

A problem has been identified in some Origo ADSL routers.  Due to
insufficient access control, it may be possible for a remote user to gain
unauthorized administrative access to routers, potentially resulting in a
denial of service.

The problem is in the listening of a command line-based administrative
service on port 254.  This service is enabled by default, and is not
protected with a password.  An attacker could access this interface to
change the router configuration, resulting in a denial of service until
the router is reconfigured.  Other attacks against network resources, such
as man-in-the-middle attacks, may also be possible.

This issue is known to affect the ASR-8100 router, though ASR-8400 routers
may also be affected.

[ hardware ]

PSCS VPOP3 Email Server WebAdmin Cross-Site Scripting Vulner...
BugTraq ID: 8869
Remote: Yes
Date Published: Oct 22 2003
Relevant URL: http://www.securityfocus.com/bid/8869
Summary:
PSCS VPOP3 Email Server is an e-mail server and gateway.

A cross-site scripting vulnerability has been reported to exist in PSCS
VPOP3.

The problem has been reported to exist in the WebAdmin utility of the
software.  The issue presents itself due to improper handling of
user-supplied data in certain parameters, which will permit remote
attackers to embed HTML and script code in links.  HTML and script code
could then be rendered in the browser of the user visiting the link.  This
attack would occur in the security context of the vulnerable site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information.  Since the issue affects the
WebAdmin utility, it is likely that a successful attack of this nature
would permit an attacker to hijack an administrative account.

PSCS VPOP3 versions 2.0.0e and 2.0.0f have been reported to be prone to
this vulnerability; however, other versions may be affected as well.

Coreutils LS Width Argument Integer Overflow Vulnerability
BugTraq ID: 8875
Remote: Yes
Date Published: Oct 22 2003
Relevant URL: http://www.securityfocus.com/bid/8875
Summary:
The Coreutils 'ls' utility is a binary application that is used to list
directory contents.

Coreutils 'ls' has been reported prone to an integer overflow
vulnerability. The issue reportedly presents itself when handling '-w'
(width) and '-C' (output column display) command line arguments passed to
the vulnerable application. It has been reported that excessive values
passed as a '-w' argument to 'ls' may cause an internal integer value to
be misrepresented. Further arithmetic performed based on this
misrepresented value may have unintentional results.

For example, if this value is used when assigning memory, huge amounts of
system memory may be allocated resulting in a denial of service condition
as resource starvation occurs.

Additionally, it has been reported that this vulnerability may be exploited
in software that implements and invokes the vulnerable 'ls' utility to
trigger a denial of service in the affected software. It has been
conjectured that this issue may present itself when affected software
invokes 'ls' and expects a return of data. When 'ls' hangs the invoking
software may also subsequently hang.

The integer overflow vulnerability in 'ls' has not been reported to be
exploitable to execute arbitrary instructions.

[ license ? ]
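
An added example in C, not Coreutils code: the advisory says an excessive '-w' value is misrepresented internally and then feeds arithmetic that can drive a huge allocation. The code below shows width parsing that rejects overflowed, signed and oversized values (strtoul silently accepts "-1" and wraps it to ULONG_MAX) and an overflow check on the column-table size computation; MAX_LINE_LENGTH, the table layout and the function names are assumptions for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Widest line we are willing to lay out; anything larger is refused rather than
 * fed into size arithmetic. The value is an assumption for this example. */
#define MAX_LINE_LENGTH 100000UL

/* Parse a '-w'-style width. Returns 0 and sets *width on success, -1 otherwise.
 * Rejects empty input, non-digits, trailing junk, a leading sign ("-1" would
 * otherwise be accepted by strtoul and wrap to ULONG_MAX) and excessive values. */
int parse_width(const char *arg, size_t *width) {
    char *end;
    unsigned long v;
    if (arg == NULL || *arg == '\0' || *arg == '-' || *arg == '+') return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;  /* overflowed or junk */
    if (v > MAX_LINE_LENGTH) return -1;               /* refuse absurd widths */
    *width = (size_t)v;
    return 0;
}

/* Bytes needed for a per-column bookkeeping table, mimicking the arithmetic the
 * advisory describes: the width bounds how many columns fit, and that count
 * scales an allocation. Returns 0 on success, -1 if the product would wrap.
 * Kept even though parse_width() caps the width: defence in depth. */
int column_table_bytes(size_t width, size_t min_col_width, size_t *bytes) {
    const size_t per_col = 3 * sizeof(size_t);   /* three counters per column */
    size_t max_cols;
    if (min_col_width == 0) return -1;
    max_cols = width / min_col_width;
    if (max_cols == 0) max_cols = 1;
    if (max_cols > SIZE_MAX / per_col) return -1;  /* multiplication would wrap */
    *bytes = max_cols * per_col;
    return 0;
}

/* Thin wrappers returning a single value, convenient for checks and tests. */
long width_or_error(const char *arg) {
    size_t w;
    return parse_width(arg, &w) == 0 ? (long)w : -1;
}

long long table_bytes_or_error(size_t width, size_t min_col_width) {
    size_t b;
    return column_table_bytes(width, min_col_width, &b) == 0 ? (long long)b : -1;
}
```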

Sylpheed-Claws Mail Client SMTP Error Reporting Format Strin...
BugTraq ID: 8877
Remote: Yes
Date Published: Oct 22 2003
Relevant URL: http://www.securityfocus.com/bid/8877
Summary:
Sylpheed-Claws is a branch of the Sylpheed mail client, designed to
implement and test less stable features. Both code bases are regularly
updated to match each other's behavior. Sylpheed-Claws is available for the
Linux operating system.

It has been reported that Sylpheed-Claws is prone to a format string bug
when handling error messages received from an SMTP server. These errors
are typically generated when an action cannot be carried out correctly or
an incorrect command has been received, however an attacker may be capable
of transmitting an error message immediately upon connection.

The problem specifically occurs within the 'send_message.c' source file,
which includes a call to the 'alertpanel_error_log' function when handling
error messages. This function takes formatted arguments and reports the
error message; however when an error message is encountered the function
is incorrectly called without a format specifier, but is passed the SMTP
server-supplied error data. As a result, a malformed SMTP server may be
capable of having arbitrary format specifiers interpreted by the
Sylpheed-Claws mail client, ultimately allowing for code execution.

All code executed in this manner would be run with the privileges of the
user invoking the affected mail client program.

It has been confirmed that the Sylpheed mail client is also affected by
this vulnerability. This issue has been addressed in version 0.9.7.
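
An added example in C, not Sylpheed-Claws source: report_error() stands in for the printf-style alertpanel_error_log() the advisory names (its real signature is not on the page). It contrasts the vulnerable call, with the server reply in the format slot, against the fixed call that passes the reply as a "%s" argument, and adds a small audit helper that flags replies carrying conversion specifications.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style reporter like the
 * alertpanel_error_log() the advisory names; its real signature is not on the
 * page. It formats into a caller-supplied buffer so the result can be checked
 * and returns the length the formatter would produce. */
int report_error(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the advisory describes: the SMTP server's reply is passed where
 * the format string belongs, so "%x", "%s" or "%n" inside the reply drive the
 * formatter. Defined for contrast only; nothing here calls it. */
int handle_smtp_error_vulnerable(char *out, size_t outsz, const char *reply) {
    return report_error(out, outsz, reply);   /* BUG: server data used as format */
}

/* The fix: a fixed format string with the server data as an argument, so any
 * '%' in the reply is copied through literally. */
int handle_smtp_error_fixed(char *out, size_t outsz, const char *reply) {
    return report_error(out, outsz, "SMTP error: %s", reply);
}

/* Audit helper: does a string carry a conversion specification (a '%' that is
 * not the literal "%%")? Handy for flagging a server banner, log line or test
 * vector that would be dangerous if it ever reached a format slot. */
int has_conversion_spec(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Run a reply through the fixed handler and compare with the expected text. */
int fixed_output_matches(const char *reply, const char *expected) {
    char buf[256];
    handle_smtp_error_fixed(buf, sizeof buf, reply);
    return strcmp(buf, expected) == 0;
}
```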
