[gull-annonces] Summary of SecurityFocus Newsletter #213

Marc SCHAEFER schaefer at alphanet.ch
Sat Sep 13 09:11:01 CEST 2003


LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program.

It has been reported that LinuxNode is prone to a remote buffer overflow
condition caused by insufficient bounds checking.  A remote attacker may
exploit this issue to execute arbitrary code in the context of the user
running the vulnerable software, and so gain unauthorized access to the
vulnerable host.

Explicit technical details regarding this vulnerability are not currently
available. This BID will be updated, as further details regarding this
issue are made public.

Although LinuxNode 0.3.0 has been reported to be vulnerable to this
problem, other versions may be affected as well.

XFree86 Multiple Unspecified Integer Overflow Vulnerabilitie...
BugTraq ID: 8514
Remote: Yes
Date Published: Aug 30 2003
Relevant URL: http://www.securityfocus.com/bid/8514
Summary:
Multiple integer overflow vulnerabilities have been discovered in XFree86
4.3.0. The problem specifically occurs due to insufficient sanity checks
within font libraries. As a result, a malicious font server that transmits
font data to a target client may include a malformed integer value
designed to unexpectedly pass a bounds checking calculation and trigger a
buffer overrun. This could cause memory corruption within stack or heap
process space, ultimately allowing for the execution of arbitrary code
with the privileges of the client program.

It should be noted that under some non-default XFree86 configurations, it
has been reported that the Xserver and XFS daemons may act as a client to
the font server, making it possible for these services to be exploited
remotely.

Although unconfirmed, these integer overflow vulnerabilities may be
present in earlier versions of XFree86.

Precise technical details regarding these vulnerabilities are currently
unavailable, however as further information is released this BID will be
updated accordingly.
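The "malformed integer value designed to unexpectedly pass a bounds checking calculation" above is the classic count-times-record-size overflow. The following is an added example, not XFree86 code: a length check a font server can slip a 32-bit count past, beside an overflow-safe check. The record size, table limit and message layout are assumptions made for illustration.

```c
/* Added example (not XFree86's font library code). A font-server message
 * carries a 32-bit glyph count; the client multiplies it by the record size
 * and compares against a limit. GLYPH_SIZE, TABLE_LIMIT and the 4-byte
 * header are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define GLYPH_SIZE  16u      /* hypothetical per-glyph record size, bytes */
#define TABLE_LIMIT 65536u   /* hypothetical maximum glyph table size, bytes */

/* Vulnerable pattern: multiply first, compare afterwards. The product is a
 * uint32_t, so a large count wraps modulo 2^32 and looks small. */
int glyph_table_fits_naive(uint32_t count)
{
    uint32_t bytes = count * GLYPH_SIZE;   /* may wrap */
    return bytes <= TABLE_LIMIT;
}

/* Safe pattern: divide the limit instead, so no intermediate can wrap. */
int glyph_table_fits_safe(uint32_t count)
{
    return count <= TABLE_LIMIT / GLYPH_SIZE;
}

/* Big-endian 32-bit read of the count field. */
uint32_t read_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* Number of bytes the naive code would go on to copy into a TABLE_LIMIT
 * sized buffer after its check passed (as a 64-bit value, so the real
 * total is visible), or 0 if the naive check rejected the count. Nothing is
 * copied here, so crafted input is safe to feed in. */
uint64_t naive_copy_length(const uint8_t *msg, size_t msglen)
{
    if (msglen < 4) return 0;
    uint32_t count = read_be32(msg);
    if (!glyph_table_fits_naive(count)) return 0;
    return (uint64_t)count * GLYPH_SIZE;
}

/* Hardened parse: the count if it passes the safe check, else -1 so the
 * caller can drop the connection to the font server. */
int64_t safe_parse_count(const uint8_t *msg, size_t msglen)
{
    if (msglen < 4) return -1;
    uint32_t count = read_be32(msg);
    return glyph_table_fits_safe(count) ? (int64_t)count : -1;
}

/* Constructed messages (not captured traffic). The crafted count is
 * 0x10000001: 0x10000001 * 16 = 0x1_0000_0010, which truncates to 16 in
 * 32 bits and passes the naive check while really requesting ~4 GiB. */
const uint8_t crafted_count_msg[4] = { 0x10, 0x00, 0x00, 0x01 };
const uint8_t benign_count_msg[4]  = { 0x00, 0x00, 0x00, 0x08 };
```

The safe check is the one to look for when auditing font, image or any other length-prefixed parsers: if the code multiplies an attacker-supplied count before comparing it with a limit, it is only correct when the multiplication cannot wrap in the type used.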

Exim EHLO/HELO Remote Heap Corruption Vulnerability
BugTraq ID: 8518
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8518
Summary:
Exim is a message transfer agent (MTA) developed at the University of
Cambridge and available under the GNU General Public License. It runs on
Linux and other Unix-like systems.

A heap buffer overflow vulnerability has been discovered in Exim. The
problem is said to affect all Exim 3 and Exim 4 versions prior to Exim 4.21.

This issue occurs due to insufficient bounds checking performed when
handling user-supplied SMTP EHLO/HELO command data, specifically in the
'smtp_in.c' source file where invalid EHLO/HELO arguments are handled.  If
the EHLO/HELO argument consists of 506 leading spaces followed by a NUL
byte and a CRLF, a static string intended for a syntax error message is
appended to the command argument data. The resulting string exceeds the
size of the buffer reserved for it on the heap. Because the leading spaces
are not stripped before the copy, the whole string is written into the
command buffer, and the heap memory management structures adjacent to that
buffer are overwritten with the surplus data.

It has been reported that this vulnerability is unlikely to be exploitable
to execute arbitrary code. This is because a free() call is never made on
the attacker-controlled malloc chunk. Exploitation attempts will also be
hindered because the uncontrollable static string 'o argument given)\0' is
appended to attacker-supplied data, which complicates controlled corruption
of the adjacent malloc header.
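The following is an added model of the bug shape described above, not Exim's smtp_in.c: one path copies the raw argument (leading spaces included) and then appends a fixed error suffix into a heap buffer sized for the argument alone, the other strips leading whitespace, cuts at the first NUL/CR/LF and bounds every write. The 512-byte buffer size and the exact suffix text are assumptions; the advisory gives only the tail of the real string.

```c
/* Added example, not Exim code. CMD_BUF_SIZE and ERR_SUFFIX are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_BUF_SIZE 512u                                   /* assumption */
static const char ERR_SUFFIX[] = " (no argument given)";    /* assumption */

/* Bytes the vulnerable path would write into a CMD_BUF_SIZE heap buffer:
 * the unstripped argument up to its NUL, plus the suffix and a terminator.
 * Only the length is computed; nothing is written, so crafted input is
 * safe to feed in. */
size_t vulnerable_write_len(const char *arg)
{
    return strlen(arg) + strlen(ERR_SUFFIX) + 1;
}

/* Hardened path: drop leading blanks, stop at CR/LF (strcspn also stops at
 * NUL), and let snprintf bound the write. Returns 0 on success, -1 if the
 * message would not fit, which the caller treats as a protocol error. */
int build_helo_error(char *out, size_t outsz, const char *arg)
{
    while (*arg == ' ' || *arg == '\t') arg++;
    size_t n = strcspn(arg, "\r\n");
    int needed = snprintf(out, outsz, "%.*s%s", (int)n, arg, ERR_SUFFIX);
    if (needed < 0 || (size_t)needed >= outsz) return -1;
    return 0;
}

/* Length of the hardened message for arg, or -1 if it was rejected. */
int hardened_message_len(const char *arg)
{
    char buf[CMD_BUF_SIZE];
    if (build_helo_error(buf, sizeof buf, arg) != 0) return -1;
    return (int)strlen(buf);
}

/* Constructed argument in the advisory's shape: `spaces` spaces then NUL.
 * The CRLF that follows the NUL on the wire never reaches the C string
 * functions, so the spaces alone determine the copied length. */
char *crafted_helo_arg(size_t spaces)
{
    char *s = malloc(spaces + 1);
    if (!s) return NULL;
    memset(s, ' ', spaces);
    s[spaces] = '\0';
    return s;
}

/* 1 if the vulnerable path overruns a CMD_BUF_SIZE buffer for this many
 * leading spaces, 0 if not, -1 on allocation failure. */
int crafted_overflows(size_t spaces)
{
    char *arg = crafted_helo_arg(spaces);
    if (!arg) return -1;
    int r = vulnerable_write_len(arg) > CMD_BUF_SIZE;
    free(arg);
    return r;
}

/* What the hardened path produces for the same crafted argument. */
int crafted_hardened_len(size_t spaces)
{
    char *arg = crafted_helo_arg(spaces);
    if (!arg) return -1;
    int r = hardened_message_len(arg);
    free(arg);
    return r;
}
```

Under these assumptions 506 spaces give 506 + 20 + 1 = 527 bytes, more than the 512-byte buffer, while the hardened builder reduces the same input to the 20-byte suffix. The general lesson is independent of the exact numbers: whitespace that is stripped for parsing but not for copying leaves two different lengths in play, and the buffer must be sized for the one actually copied.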

Multiple Vendor PC2Phone Software Remote Denial of Service V...
BugTraq ID: 8523
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8523
Summary:
It has been reported that multiple PC2Phone products are prone to a remote
denial of service condition. The problem is said to occur when processing
an oversized UDP packet sent to the program, which can cause the product
to crash. This could result in an established conversation ending
prematurely, or potentially in other attacks.

This vulnerability has been triggered by transmitting the UDP packet to
port 5000 on Go2Call Cash Calling, as well as Net2Phone Dialer. However,
to trigger the issue in Yahoo! Messenger the packet must be sent to UDP
port 6801.

It should be noted that reports indicate that the problem may in fact lie
within the Go2Call Cash Calling program, and other products derived from
its source code are also affected. However, this information has not yet
been confirmed.

The precise technical details regarding this issue are currently unknown;
however, as further information is made available this BID will be updated
accordingly.

[ hardware ]

PADL Software PAM_LDAP PAM Filter Access Restriction Failure...
BugTraq ID: 8535
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8535
Summary:
PAM_LDAP is the PAM module package designed to allow authentication with
LDAP servers via PAM-compliant authentication mechanisms.  It is available
for the Unix and Linux platforms.

A problem in the PAM filter portion of PAM_LDAP has been identified that
may fail to restrict access to certain systems.  This may allow
unauthorized access to network resources.

The problem is in the handling of values supplied to PAM filter.  When PAM
filter is used to restrict the ability of users logging in from
unauthorized hosts, PAM filter may fail to restrict access by the user.
This could result in a user gaining access to a system from an
unauthorized host.  This will also create a false sense of security, as
the PAM filter has been configured to restrict access and is not
performing as expected.

Stunnel Leaked File Descriptor Vulnerability
BugTraq ID: 8537
Remote: No
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8537
Summary:
Stunnel is a freely available, open source SSL/TLS wrapper. It adds
encryption to arbitrary protocols that may or may not support it
themselves. It is maintained by the Stunnel project.

Stunnel has been reported prone to a file descriptor leakage
vulnerability. The issue reportedly presents itself because Stunnel does
not set the close-on-exec flag (FD_CLOEXEC, via fcntl()) on the
descriptors it opens. As a result the listening socket descriptor is
inherited by the unprivileged processes that Stunnel spawns.

If Stunnel is used to tunnel an application or service that provides shell
access, such as telnet, the shell inherits the leaked descriptor. An
unprivileged attacker with such a shell may use the inherited listening
socket to accept connections intended for the Stunnel server, effectively
hijacking it.

Other file descriptors are also reportedly leaked and may be exploited in
a similar manner.

It should be noted that this issue has been reported to affect Stunnel
versions 3.24, 4.00 and earlier.
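As an added illustration (not stunnel's source), this shows the descriptor-flag check a practitioner would run on a suspect daemon and the fcntl() fix for it. An AF_UNIX socket stands in for the TCP listener so the example runs without network access; bind() and listen() are omitted because the inheritance behaviour depends only on the FD_CLOEXEC flag, not on the socket state.

```c
/* Added example, not stunnel code: a listening socket created without
 * FD_CLOEXEC is inherited across exec() by whatever the daemon spawns;
 * setting the flag with fcntl() closes it in the child at exec time. */
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>

/* 1 if fd closes on exec(), 0 if a child's exec() inherits it, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec without clobbering its other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* The leaky way: socket() returns a descriptor with FD_CLOEXEC clear, and
 * nothing sets it, so a later fork()+exec() of a tunnelled shell hands the
 * shell this socket. Returns the fd or -1. */
int make_leaky_listener(void)
{
    return socket(AF_UNIX, SOCK_STREAM, 0);
}

/* Hardened: set the flag immediately after creation, before any
 * fork()/exec() can happen. (Where available, socket() with SOCK_CLOEXEC
 * removes even that window.) Returns the fd or -1. */
int make_safe_listener(void)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd == -1) return -1;
    if (set_cloexec(fd) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}
```

To check a running daemon for the same problem, inspect its open descriptors and their flags (on Linux, /proc/PID/fdinfo/N reports the close-on-exec bit in its flags field) and then look at which descriptors survive in the children it spawns.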

Leafnode fetchnews Remote Denial of Service Vulnerability
BugTraq ID: 8541
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8541
Summary:
Leafnode is a Usenet news proxy.  It lets news readers read news while
offline.  Fetchnews is the NNTP client software used with Leafnode.

Fetchnews is reported to be prone to a remote denial of service
vulnerability that may allow a remote attacker to cause the software to
hang.

The vulnerability may occur if an attacker sends certain non-RFC-1036
compliant Usenet news articles to the server.  As fetchnews attempts to
retrieve the articles it may cause the software to wait for input that
never arrives.  It has been reported that only one fetchnews process is
allowed to run at a time, therefore any fetchnews processes started
afterwards would fail immediately.  This issue does not exhaust CPU
resources but limits the availability of the client while the condition is
occurring.

Successful exploitation of this issue may allow an attacker to cause a
denial of service against a vulnerable version of the software by posting
malformed news articles.  The result is that the local news spool is not
updated.

This vulnerability affects Leafnode 1.9.3 to 1.9.41. The default
installation of Leafnode is also affected by this vulnerability.  The
vendor has advised that versions 1.9.42 and newer are not vulnerable to
this issue.

Asterisk SIP Request Buffer Overrun Vulnerability
BugTraq ID: 8546
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8546
Summary:
Asterisk is a software-based PBX system, which is available for Linux
operating systems.  Asterisk includes support for the SIP (Session
Initiation Protocol).

Asterisk is prone to a remotely exploitable buffer overrun.  This is due to
insufficient bounds checking of SIP MESSAGE and INFO requests.

In particular, due to a programming error in the chan_sip.c source file,
data supplied via either of these requests is used as a size argument for
a strncat() operation.  By passing 1024 bytes in the request body,
strncat() will be invoked with a negative number for the size argument
(which, as a size_t, becomes a very large count), causing memory to be
corrupted.  A null is included in the affected page of memory, limiting
the amount of memory that is corrupted in the operation and preventing a
page fault, which will permit the saved return address to be overwritten
with attacker-supplied data.  As a result, it will be possible to control
the execution flow of the program and execute arbitrary code.

This issue may be exploited by an unauthenticated remote attacker to
execute arbitrary code in the context of the software.
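The size-argument underflow above is worth seeing in code. This is an added example, not Asterisk's chan_sip.c: a remaining-space computation done in signed arithmetic that goes negative once the body reaches the buffer size, and the unsigned, checked version that replaces it. The 1024-byte buffer mirrors the advisory; how the body length enters the calculation is an assumption.

```c
/* Added example, not Asterisk code. MSG_BUF mirrors the 1024 bytes in the
 * advisory; the signed remaining-space formula is an assumed model of the
 * bug. strncat() itself is never called with the wrapped size here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_BUF 1024

/* The size the vulnerable pattern would hand to strncat(): computed as an
 * int, which goes negative when the body fills the buffer, then converted
 * to size_t at the call, where -1 becomes SIZE_MAX. */
size_t vulnerable_strncat_size(int buf_used, int body_len)
{
    int remaining = MSG_BUF - buf_used - body_len - 1;   /* may go negative */
    return (size_t)remaining;                             /* negative -> huge */
}

/* Hardened append: measure the room left in size_t arithmetic before any
 * subtraction, refuse when the body does not fit, and keep a terminator.
 * Returns 0 on success, -1 on refusal or an unterminated buffer. */
int safe_append(char *buf, size_t bufsz, const char *body)
{
    const char *nul = memchr(buf, '\0', bufsz);
    if (nul == NULL) return -1;             /* not terminated: do not trust */
    size_t used = (size_t)(nul - buf);
    size_t room = bufsz - used - 1;
    size_t need = strlen(body);
    if (need > room) return -1;             /* would overrun: reject request */
    memcpy(buf + used, body, need);
    buf[used + need] = '\0';
    return 0;
}

/* Drive safe_append with a constructed body of body_len 'A' bytes into a
 * fresh MSG_BUF buffer and return its verdict. */
int safe_append_demo(size_t body_len)
{
    char buf[MSG_BUF] = "";
    char body[2048];
    if (body_len >= sizeof body) return -1;
    memset(body, 'A', body_len);
    body[body_len] = '\0';
    return safe_append(buf, sizeof buf, body);
}
```

The detection rule when reviewing C is simple: any `strncat(dst, src, sizeof dst - strlen(dst) - 1)` style expression must be guarded by a check that `strlen(dst) < sizeof dst` first, and the arithmetic should be done in size_t so that an underflow cannot hide behind a sign conversion at the call.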
