[gull-annonces] Summary of SecurityFocus Newsletter #212

Marc SCHAEFER schaefer at alphanet.ch
Thu Sep 4 10:11:02 CEST 2003


Glibc Getgrouplist Function Buffer Overrun Vulnerability
BugTraq ID: 8477
Remote: Unknown
Date Published: Aug 23 2003
Relevant URL: http://www.securityfocus.com/bid/8477
Summary:
The GNU C library, glibc, contains standard C libraries called by various
applications.

The getgrouplist function in glibc does not perform adequate bounds
checking on data it retrieves, allowing a potential for the buffer to be
overrun.

When getgrouplist retrieves the group list for a user who is a member of
more groups than the group list can hold, the buffer is overrun.  This may
result in segmentation faults in user applications.

Consequences of this vulnerability are dependent on the application
calling the getgrouplist function.
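The defensive pattern for callers is to treat the `ngroups` argument as in/out: pass the buffer capacity in, and when the call returns -1 re-allocate to the size it wrote back and retry. The following is an added example (not code from the newsletter or from glibc) showing that loop; the getgrouplist(3) manual page notes that glibc versions before 2.3.3 wrote the complete list even when it exceeded `*ngroups`, so on those versions the caller's capacity was not honoured and only an upgrade fixes the overrun. The `fetch_grouplist` and `grouplist_contains` names are this example's own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>

/* Redeclared here only so the example builds under strict -std= modes. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Query the group list for `user`, growing the buffer until getgrouplist()
 * confirms the whole list fits.  On success a malloc()ed array is stored in
 * *out and the group count is returned; -1 on allocation failure.
 * `ngroups` is in/out: if the list does not fit, a fixed glibc returns -1
 * and writes the required size back into *ngroups. */
int fetch_grouplist(const char *user, gid_t basegid, gid_t **out)
{
    int capacity = 4;                       /* deliberately small start */
    gid_t *groups = malloc((size_t)capacity * sizeof *groups);
    if (groups == NULL)
        return -1;

    for (;;) {
        int ngroups = capacity;
        int rc = getgrouplist(user, basegid, groups, &ngroups);
        if (rc != -1) {
            *out = groups;                  /* rc == ngroups entries stored */
            return ngroups;
        }
        /* Did not fit: ngroups now holds the size needed.  Guard against an
         * implementation reporting no growth so the loop always progresses. */
        if (ngroups <= capacity)
            ngroups = capacity * 2;
        gid_t *bigger = realloc(groups, (size_t)ngroups * sizeof *groups);
        if (bigger == NULL) {
            free(groups);
            return -1;
        }
        groups = bigger;
        capacity = ngroups;
    }
}

/* Is `gid` present in a returned list? */
int grouplist_contains(const gid_t *groups, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* The base gid is always part of the result, so for ("root", 0) the list
 * has at least one entry and contains gid 0 whatever /etc/group says.
 * Returns the group count, or -1 if that invariant does not hold. */
int root_group_count(void)
{
    gid_t *groups = NULL;
    int n = fetch_grouplist("root", 0, &groups);
    int ok = (n >= 1) && grouplist_contains(groups, n, 0);
    free(groups);
    return ok ? n : -1;
}
```

Starting with a capacity of 4 is intentional: a user in many groups forces the retry path on the first call, which is exactly the path an application must survive.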

Glibc Malloc Routine Race Condition Vulnerability
BugTraq ID: 8478
Remote: Unknown
Date Published: Aug 23 2003
Relevant URL: http://www.securityfocus.com/bid/8478
Summary:
The GNU C library, glibc, contains standard C libraries called by various
applications.

An unspecified race condition issue exists in the malloc function of
glibc.  This issue may result in memory corruption, possibly allowing
sensitive areas in memory to be overwritten.

Specific details of this issue are not currently known.  This record will
be updated when further information becomes available.

This issue was reported to only affect IA64 platforms.

WIDZ Remote Root Compromise Vulnerability
BugTraq ID: 8479
Remote: Yes
Date Published: Aug 23 2003
Relevant URL: http://www.securityfocus.com/bid/8479
Summary:
WIDZ is a wireless intrusion detection system that checks the identity of
wireless access points against a list of authorized access points in a
config file.  If an access point is not in the authorized list, an alert
message is generated.

The alert message generated by WIDZ passes untrusted data to system()
calls, possibly allowing for a compromise of the underlying operating
system.

If the essid of an access point is set to include commands, those commands
will be executed when they are passed to the system() call by WIDZ.
Commands would be executed with root privileges.
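The mitigation for this class of bug is to never build a shell command line from untrusted data: invoke the helper directly with an argument vector, so the ESSID is one argv element and shell metacharacters in it have no meaning. Below is an added example (not WIDZ code) of that pattern using fork()/execv(); the helper path and the `run_alert` name are this example's assumptions.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run an alert helper with the ESSID as its own argv element.  No shell is
 * involved, so ';', '`', '$' and friends inside the ESSID reach the helper
 * as literal bytes instead of being interpreted.  With system() the same
 * ESSID would be spliced into a command line and parsed by /bin/sh.
 * Returns the helper's exit status, or -1 on fork/wait failure. */
int run_alert(const char *helper_path, const char *essid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: argv is an array of separate strings, never a command line. */
        char *const argv[] = {
            (char *)helper_path, "rogue-ap", (char *)essid, NULL
        };
        execv(helper_path, argv);
        _exit(127);                 /* only reached if exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample: an ESSID carrying shell metacharacters.  Handed to
 * /bin/true through execv() it is inert; the exit status is simply 0. */
int demo_metachar_essid(void)
{
    return run_alert("/bin/true", "guest; id");
}
```

The privilege point in the advisory still applies: a daemon that must run as root to capture should drop privileges before spawning anything, and the helper itself should only ever log or notify.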

[ licence ? ]

Red Hat Linux IPTables Firewall Failure Vulnerability
BugTraq ID: 8481
Remote: No
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8481
Summary:
iptables is a firewall infrastructure developed for the Linux kernel.

iptables on Red Hat Linux systems has been reported prone to a
vulnerability, which may prevent the iptables firewall from functioning
correctly.

The issue arises from recent Red Hat kernel updates. It has been reported
that a kernel update was not accompanied by an update of the iptables
utility, thereby preventing iptables operations, for example the owner
match, from functioning.

Ultimately this issue may prevent an iptables firewall from restarting
after a kernel-upgrade has been applied.

This issue may lead an administrator into a false sense of security, as
the administrator may believe that an effective firewall is running.

Whois Client Command Line Buffer Overrun Vulnerability
BugTraq ID: 8483
Remote: Yes
Date Published: Aug 22 2003
Relevant URL: http://www.securityfocus.com/bid/8483
Summary:
Whois is an enhanced whois client for Linux/Unix platforms.

Whois is prone to a buffer overrun vulnerability when handling command
line parameters of excessive length.  The cause of the issue is that
command line parameters are copied using an sprintf() operation without
sufficient bounds checking.  While the client is not setuid/setgid, it is
often invoked by external scripts.  This could present a security
vulnerability if the program is invoked with untrusted input.  In such a
case, successful exploitation would permit an attacker to execute
arbitrary code in the context of the program.

A typical scenario would be a CGI script that calls the program with
parameters controllable by a remote attacker.  This could allow the
attacker to execute arbitrary code with the privileges of the web server
invoking the vulnerable program.

Sendmail DNS Maps Remote Denial of Service Vulnerability
BugTraq ID: 8485
Remote: Yes
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8485
Summary:
A potential vulnerability has been discovered in Sendmail when
implementing the use of DNS Maps. This behavior can be enabled through the
sendmail.cf configuration file.

The problem lies in the sm_resolve.c source file and affects only Sendmail
8.12.x releases prior to 8.12.9. Specifically, it has been discovered that
the dns_parse_reply() function fails to initialize RESOURCE_RECORD_T
structures after allocation. These structures are used in a chain designed
to keep track of various DNS data. Each structure includes an 'rr_next'
variable, which is a pointer to the next structure in the list.

When an invalid DNS reply is received by Sendmail, i.e. one with a reply
size differing from the announced reply size, the dns_free_data() function
is called. This function is designed to free allocated chains of
RESOURCE_RECORD_T structures, and traverses the chain until a 'rr_next'
variable points to NULL. Due to the failure to initialize these
structures, the last structure in the chain will not contain a NULL
'rr_next' variable. As such, the dns_free_data() function may traverse
into random memory by referencing this garbage 'rr_next' pointer, which
could potentially result in the free() function being called on random
memory.

This could potentially allow for a denial of service condition, as an
attacker may trigger a situation under which invalid memory will be
dereferenced. Theoretically, if this garbage data were to be controlled by
an attacker at some point during execution, it may be possible to exploit
this issue to execute arbitrary code. This however has not been confirmed.

It should be noted that the default configuration of Sendmail is not
affected by this issue.
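The root cause is a linked list whose terminator is never written, so the cleanup path walks into whatever malloc() handed back. The following added example (not Sendmail's code, and not real DNS wire format) shows the safe shape: nodes are zero-initialised on allocation, appended through a tail pointer so the chain is NULL-terminated at every step, and the truncated-reply error path frees the partial chain without ever dereferencing garbage. The simplified reply layout, the field names other than `rr_next`, and all function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal record node, modelled on the rr_next chain described above. */
typedef struct resource_record {
    uint8_t rr_type;
    uint8_t rr_len;
    uint8_t rr_data[255];
    struct resource_record *rr_next;
} resource_record_t;

/* calloc() zeroes every field, including rr_next.  A bare malloc() here is
 * the defect: the list terminator would be leftover heap contents. */
static resource_record_t *rr_alloc(void)
{
    return calloc(1, sizeof(resource_record_t));
}

/* Free a chain, stopping at the NULL terminator. */
void rr_chain_free(resource_record_t *head)
{
    while (head != NULL) {
        resource_record_t *next = head->rr_next;
        free(head);
        head = next;
    }
}

int rr_chain_len(const resource_record_t *head)
{
    int n = 0;
    for (; head != NULL; head = head->rr_next)
        n++;
    return n;
}

/* Parse a constructed, simplified reply (NOT DNS wire format):
 *   byte 0     : announced record count
 *   per record : type (1 byte), length (1 byte), `length` bytes of data
 * Returns the chain, or NULL if the data ends before the announced count,
 * which is the "reply size differs from announced size" case above. */
resource_record_t *parse_reply(const uint8_t *buf, size_t len)
{
    if (len < 1)
        return NULL;
    uint8_t count = buf[0];
    size_t pos = 1;
    resource_record_t *head = NULL, *tail = NULL;

    for (uint8_t i = 0; i < count; i++) {
        if (pos + 2 > len)
            goto truncated;
        uint8_t type = buf[pos], dlen = buf[pos + 1];
        pos += 2;
        if (pos + dlen > len)
            goto truncated;

        resource_record_t *rr = rr_alloc();
        if (rr == NULL)
            goto truncated;
        rr->rr_type = type;
        rr->rr_len = dlen;
        memcpy(rr->rr_data, buf + pos, dlen);
        pos += dlen;

        if (tail == NULL)
            head = rr;
        else
            tail->rr_next = rr;     /* old tail's NULL replaced by the new node */
        tail = rr;                  /* new tail's rr_next is NULL from calloc */
    }
    return head;

truncated:
    rr_chain_free(head);            /* safe: partial chain is NULL-terminated */
    return NULL;
}

/* Constructed inputs: two complete records, and the same header with the
 * payload cut off after the first record. */
static const uint8_t good_reply[]  = { 2, 1, 4, 10, 0, 0, 1, 5, 2, 0xaa, 0xbb };
static const uint8_t short_reply[] = { 2, 1, 4, 10, 0, 0, 1 };

/* Record count of a parsed reply, or -1 if it was rejected. */
int count_records(const uint8_t *buf, size_t len)
{
    resource_record_t *chain = parse_reply(buf, len);
    int n = chain ? rr_chain_len(chain) : -1;
    rr_chain_free(chain);
    return n;
}

int demo_good(void)  { return count_records(good_reply, sizeof good_reply); }
int demo_short(void) { return count_records(short_reply, sizeof short_reply); }
```

The same structure applies to the real parser: whichever allocator is used, the node's link field must be written before the node can become reachable from the chain, and the error path must only ever see a terminated list.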

GTKFTPD LIST Command Remote Buffer Overflow Vulnerability
BugTraq ID: 8486
Remote: Yes
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8486
Summary:
GtkFtpd is a personal FTP server that includes a GTK graphical interface.

The GtkFtpd LIST command routine has been reported prone to a remotely
exploitable buffer overflow vulnerability.

The issue presents itself in the sys_cmd.c source file, and is due to a
lack of sufficient bounds checking that is performed on user-supplied
data. Specifically when a LIST command is invoked, a sprintf() call fails
to perform sufficient checks when appending date/user/stat data to a
file/foldername string. When the concatenated data is copied into a
256-byte buffer to be later displayed on screen, 40 bytes of
attacker-controlled data may be written past the boundary of a reserved
buffer in memory. Ultimately this issue may be leveraged by a remote
attacker to influence GtkFtpd program execution flow and have arbitrary
supplied instructions executed in the context of the vulnerable daemon,
typically root.

It should be noted that this issue has been reported to affect GtkFtpd
version 1.0.4 and previous.
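Both this entry and the whois client entry above describe the same defect: sprintf() into a fixed buffer with caller-controlled strings. The added example below (this example's own code, not GtkFtpd's or whois's) builds a listing line into a 256-byte buffer with snprintf() and treats a return value at or beyond the buffer size as an error rather than silently accepting a truncated line; the line format, field names and `format_list_line` name are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_BYTES 256      /* same fixed buffer size as in the advisory */

/* Build an "ls -l"-style listing line into a 256-byte buffer.  Returns the
 * length written, or -1 if the full line would not fit.  snprintf() never
 * writes past LINE_MAX_BYTES; the sprintf() it replaces would have written
 * every byte by which name + metadata exceed the buffer. */
int format_list_line(char out[LINE_MAX_BYTES], const char *mode,
                     const char *user, long size, const char *date,
                     const char *name)
{
    int n = snprintf(out, LINE_MAX_BYTES, "%s 1 %s %s %ld %s %s",
                     mode, user, user, size, date, name);
    if (n < 0)
        return -1;                          /* encoding error */
    if ((size_t)n >= LINE_MAX_BYTES)
        return -1;                          /* n is the length it *wanted* */
    return n;
}

/* Constructed input that fits comfortably. */
int demo_short_name(void)
{
    char line[LINE_MAX_BYTES];
    return format_list_line(line, "-rw-r--r--", "ftp", 1024L,
                            "Aug 25 2003", "readme.txt");
}

/* Constructed input: a 300-byte file name.  File names are user-controlled
 * in an FTP server, so this is the shape of input the LIST path must survive. */
int demo_long_name(void)
{
    char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    char line[LINE_MAX_BYTES];
    return format_list_line(line, "-rw-r--r--", "ftp", 0L,
                            "Aug 25 2003", name);
}
```

Checking the return value matters as much as the size argument: a truncated listing line is harmless, but a truncated path or command that is then acted upon is its own bug, so callers should fail the request rather than use a partial result.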

Pam_SMB Remote Buffer Overflow Vulnerability
BugTraq ID: 8491
Remote: Yes
Date Published: Aug 26 2003
Relevant URL: http://www.securityfocus.com/bid/8491
Summary:
pam_smb is a pluggable authentication module (PAM) that provides for
authentication of UNIX users to a Server Message Block (SMB) server.

pam_smb has been reported prone to a buffer overflow vulnerability. It has
been reported that systems using pam_smb to authenticate to a remotely
accessible service may be vulnerable to a condition that may allow a
remote attacker to supply and execute arbitrary code in the context of the
vulnerable module.

Specifically, insufficient bounds checking is carried out on user-supplied
passwords before being copied into internal memory space. As a result, an
attacker may be capable of overwriting sensitive locations in memory.

It has been reported that all versions of pam_smb prior to, and including
version 1.1.6 and 2.0.0-rc development versions are affected by this
vulnerability.

SLRN XRef Buffer Overflow Vulnerability
BugTraq ID: 8493
Remote: Yes
Date Published: Aug 26 2003
Relevant URL: http://www.securityfocus.com/bid/8493
Summary:
slrn is an open source, freely available newsreader. It is actively
maintained by the SLRN Development Team, distributed through Sourceforge,
and included with many distributions of Linux.

slrn has been reported prone to a remote buffer overflow condition.

The issue has been reported to present itself when handling malicious Xref
headers. It has been reported that, when handled, an Xref header value
sufficient to trigger this issue may overrun the bounds of a reserved
memory buffer, and corrupt adjacent memory within the slrn process.
Although unconfirmed, due to the nature of this vulnerability it has been
conjectured that a remote attacker may exploit this issue to influence the
execution flow of the affected slrn application. This could result in
arbitrary code execution in the context of the user running slrn.

This vulnerability has been reported to affect all versions of slrn prior
to slrn version 0.9.8.0.

akpop3d User Name SQL Injection Vulnerability
BugTraq ID: 8495
Remote: Yes
Date Published: Aug 26 2003
Relevant URL: http://www.securityfocus.com/bid/8495
Summary:
akpop3d is a stand-alone POP3 daemon.  The product allows secure POP3
sessions based on POP3-over-SSL.

akpop3d may be prone to a vulnerability that may allow an attacker to
inject malicious SQL syntax into database queries. The source of this
issue is insufficient sanitization of user-supplied input before including
this input in database queries.  A remote attacker may exploit this issue
to influence SQL query logic.

This issue may allow an attacker to gain access to sensitive data stored
in the database.  Other attacks on the underlying database are possible as
well.

It has been reported that a valid POP3 password is required in order to
exploit this issue.

GBrowse Help Parameter File Disclosure Vulnerability
BugTraq ID: 8496
Remote: Yes
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8496
Summary:
GBrowse (Generic Genome Browser) is web-based genetics software.

GBrowse is prone to a file disclosure vulnerability.  Remote users may
gain access to files outside of the web root directory by passing
directory traversal sequences (../) via the 'help' URI parameter.

This vulnerability could be exploited to gain unauthorized access to files
that are readable by the web server that is hosting the vulnerable
software.  If successfully exploited, an attacker may gain access to
sensitive information that could assist in mounting further attacks
against system resources.
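The standard fix for a traversal bug in a parameter like 'help' is to resolve the requested name under a fixed root and refuse anything that would climb out of it. The added example below (not GBrowse code) does that lexically: it drops "." components, lets ".." pop a component only while still inside the root, and rejects absolute paths. The root directory and the `resolve_under_root` name are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve an untrusted relative `request` under `root`, purely lexically.
 * "." is dropped, ".." pops the previous component, any ".." that would
 * climb above `root` is rejected, as are absolute paths and empty results.
 * Repeated slashes collapse.  Returns 0 and fills `out`, or -1. */
int resolve_under_root(const char *root, const char *request,
                       char *out, size_t outsz)
{
    if (request == NULL || request[0] == '/' || strlen(request) >= 1024)
        return -1;

    char work[1024];
    strcpy(work, request);                   /* length checked above */

    const char *parts[128];
    int depth = 0;
    for (char *tok = strtok(work, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return -1;                   /* would escape the root */
            depth--;
            continue;
        }
        if (depth == (int)(sizeof parts / sizeof parts[0]))
            return -1;                       /* absurdly deep request */
        parts[depth++] = tok;
    }
    if (depth == 0)
        return -1;                           /* nothing left to serve */

    int n = snprintf(out, outsz, "%s", root);
    for (int i = 0; i < depth; i++) {
        if (n < 0 || (size_t)n >= outsz)
            return -1;
        n += snprintf(out + n, outsz - (size_t)n, "/%s", parts[i]);
    }
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Assumed document root for the help files in this example. */
#define HELP_ROOT "/var/www/gbrowse/help"

/* 0 if the request is accepted, -1 if rejected. */
int demo_resolve(const char *request)
{
    char path[2048];
    return resolve_under_root(HELP_ROOT, request, path, sizeof path);
}

/* 1 if the request resolves exactly to `expected`, else 0. */
int demo_resolve_equals(const char *request, const char *expected)
{
    char path[2048];
    if (resolve_under_root(HELP_ROOT, request, path, sizeof path) != 0)
        return 0;
    return strcmp(path, expected) == 0;
}
```

A lexical check does not see symbolic links, so when the file is actually opened the resolved path should additionally be passed through realpath() and prefix-compared against the canonical root.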

BProc Local Arbitrary File Deletion Vulnerability
BugTraq ID: 8509
Remote: No
Date Published: Aug 28 2003
Relevant URL: http://www.securityfocus.com/bid/8509
Summary:
BProc (Beowulf Distributed Process Space) is a set of kernel
modifications, utilities and library files that are designed to facilitate
the invocation and handling of processes on remote systems. BProc is
designed for use with the Linux kernel.

Bproc is prone to a vulnerability that could allow malicious local users
to delete arbitrary system files. The problem is said to be due to
incorrect permission checking when handling I/O redirection. As a result,
an attacker may be capable of gaining limited access to arbitrary system
files with elevated privileges. This issue could be exploited by an
attacker to delete arbitrary system files, potentially rendering the
system unusable.

The problem is believed to occur due to BProc failing to sufficiently
set up I/O prior to the execution of setuid programs from within another
program. This may make it possible for an attacker to access descriptors
used by the privileged program. This could possibly be accomplished by
creating a process under which file descriptors are shared with the
parent, and subsequently having the child invoke a setuid application.
This, however, has not been confirmed.

It should be noted that the precise technical details regarding this issue
are currently unknown. As further information becomes available this BID
will be updated accordingly.

This vulnerability was reported for version 3.2.5; however, earlier
versions may also be affected.

ISC INN Innfeed Config File Command Line Format String Vulne...
BugTraq ID: 8510
Remote: Yes
Date Published: Aug 28 2003
Relevant URL: http://www.securityfocus.com/bid/8510
Summary:
ISC INN (InterNetNews) is an NNTP implementation for Unix/Linux variants.

A format string vulnerability has been reported in ISC INN (InterNetNews).
The issue exists in the innfeed binary and may be triggered by including
format specifiers as an argument when specifying a config file via the -c
command line switch.  The innfeed program is a streaming NNTP feeder.

The source of the problem is that the program passes the attacker-supplied
value directly to logging functions instead of supplying its own format
string, so any format specifiers in that value are interpreted.  This could
be leveraged to overwrite arbitrary locations in memory with
attacker-supplied data, which would allow an attacker to control the
execution flow of the program.

This vulnerability could be exploited by a user with a group ID of news to
execute arbitrary code in the context of the program, which may allow an
attacker to gain the user ID of news on some systems.  Further privilege
escalation may be possible if this issue is successfully exploited.
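The correct form is that the format string is always a literal owned by the program and untrusted data only ever travels through a `%s` argument. The added example below (this example's own code, not innfeed's) renders a log record that way for a config path carrying format directives, and adds a small checker that flags strings containing directives before they reach any legacy API that might still treat its argument as a format. The message text and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Correct: a fixed, program-owned format; `config_path` is only an argument.
 * The defect described above is the inverse shape, roughly
 *     log_message(config_path);   // path itself becomes the format string
 * so that "%x" in the path reads the stack and "%n" writes to it.
 * Returns the rendered length, or -1 on encoding error. */
int render_log(char *out, size_t outsz, const char *config_path)
{
    int n = snprintf(out, outsz, "innfeed: cannot open config file %s",
                     config_path);
    return n < 0 ? -1 : n;
}

/* Returns 1 if `s` contains a conversion directive introducer, i.e. a '%'
 * not immediately followed by another '%'; 0 otherwise.  Useful as a guard
 * in front of third-party code whose format handling cannot be audited. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {         /* literal "%%": skip the pair */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Constructed sample: a -c argument stuffed with directives.  With the fixed
 * format they stay literal text in the log line.  Returns the line length if
 * the directives survived verbatim, else -1. */
int demo_config_log(void)
{
    char buf[128];
    int n = render_log(buf, sizeof buf, "/etc/news/%x%x%n.conf");
    if (n < 0 || strstr(buf, "%x%x%n") == NULL)
        return -1;
    return n;
}
```

gcc and clang report call sites of the vulnerable shape when built with `-Wformat -Wformat-security`, which is the cheapest way to find the remaining ones in a code base of this age.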

LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program.

It has been reported that LinuxNode is prone to a remote buffer overflow
condition.  The issue presents itself due to insufficient bounds checking.
A remote attacker may ultimately exploit this issue remotely and execute
arbitrary code in the context of the user who is running the vulnerable
software.  Successful exploitation may allow an attacker to gain
unauthorized access to the vulnerable host.

Explicit technical details regarding this vulnerability are not currently
available. This BID will be updated, as further details regarding this
issue are made public.

Although LinuxNode 0.3.0 has been reported to be vulnerable to this
problem, other versions may be affected as well.
