[gull-annonces] Summary of SecurityFocus Newsletter #215

Marc SCHAEFER schaefer at alphanet.ch
Wed Sep 24 21:11:03 CEST 2003


Man Utility MANPL Environment Variable Buffer Overrun Vulner...
BugTraq ID: 8602
Remote: No
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8602
Summary:
The man utility is used to format and display various system manuals and
documentation. The length of lines to display can be specified through
the MANPL environment variable.

It has been reported that the man utility may be prone to a buffer overrun
condition when handling environment variable data. The problem is said to
stem from insufficient bounds checking of the data stored in the MANPL
variable.

As a result of this issue, a local attacker may be capable of executing
arbitrary code with the privileges of man, typically setgid 'man'. This
could be accomplished by placing approximately 128 or more bytes of data
in the affected environment variable and invoking man.

It should be noted that some vendors are said to apply a patch to affected
man releases; however, some systems may still deploy the vulnerable version
with setgid privileges.
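As an added illustration (not code from man or from the advisory), the following C shows the hardened way to consume a length setting taken from an environment variable such as MANPL: the value is inspected and converted in place, never copied into a fixed-size stack buffer, which is the pattern behind the overrun described above. The character and range limits are assumptions chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limits for this example: a length setting is a small
   decimal number, so anything longer than a few digits is rejected
   outright instead of being copied into a fixed-size buffer (the classic
   strcpy(buf, getenv("MANPL")) idiom behind this class of overrun). */
#define LENGTH_MAX_CHARS 8
#define LENGTH_MIN 1
#define LENGTH_MAX 10000

/* Validate and convert a length string. Returns the value on success, or
   -1 if the string is missing, empty, too long, contains anything but
   decimal digits, or is out of range. The input is only read, never
   copied, so its size cannot overrun anything. */
int parse_length_setting(const char *value)
{
    if (value == NULL)
        return -1;

    /* Reject oversized input before any further processing. */
    size_t n = strlen(value);
    if (n == 0 || n > LENGTH_MAX_CHARS)
        return -1;

    /* Only plain digits: no sign, whitespace or trailing junk. */
    for (size_t i = 0; i < n; i++) {
        if (value[i] < '0' || value[i] > '9')
            return -1;
    }

    errno = 0;
    char *end = NULL;
    long v = strtol(value, &end, 10);
    if (errno != 0 || end == NULL || *end != '\0')
        return -1;
    if (v < LENGTH_MIN || v > LENGTH_MAX)
        return -1;
    return (int)v;
}

/* Read MANPL from the environment, falling back to a default when the
   variable is unset or invalid. */
int length_from_env(int fallback)
{
    int v = parse_length_setting(getenv("MANPL"));
    return v < 0 ? fallback : v;
}

int main(void)
{
    /* Constructed sample: an oversized value of the kind the advisory
       describes is simply rejected and the default is used instead. */
    char big[256];
    memset(big, '9', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    setenv("MANPL", big, 1);
    printf("length with oversized MANPL: %d\n", length_from_env(66));
    setenv("MANPL", "50", 1);
    printf("length with MANPL=50: %d\n", length_from_env(66));
    return 0;
}
```

The ordering matters: the length check comes before any use of the string, and the numeric conversion is done by strtol on the original pointer, so there is no intermediate copy whose size an attacker could control.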

vbPortal Authentication SQL Injection Vulnerability
BugTraq ID: 8613
Remote: Yes
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8613
Summary:
vbPortal is a portal application which can be used in conjunction with
vbBulletin forums.

It has been reported that vbPortal is prone to SQL injection attacks when
authenticating users. The problem occurs due to insufficient sanitization
of the $aid variable, which stores the name of the authenticating user.
Specifically, after the data has been base64 decoded, control characters
in the value of $aid are not escaped with slashes. The exploitable SQL
query can be seen below:

$result=mysql_query("SELECT password as pwd FROM user WHERE username = '$aid'");

As a result, an attacker may supply data within the username designed to
prematurely terminate the string, and influence the logic of this SQL
query. This may be exploited to expose sensitive information, or
potentially to launch attacks against the underlying database.

This issue can be exploited by making a malicious HTTP request to the
auth.inc.php script, including a base64 encoded payload embedded within
the 'admin' URI parameter.

DSPAM Insecure Default Permissions Privilege Escalation Vuln...
BugTraq ID: 8623
Remote: No
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8623
Summary:
DSPAM is an anti-spam application designed for use with most Unix mail
applications. Beginning with DSPAM 2.6.5, an option was included in the
program that allows a user to supply a delivery agent and quarantine agent
via the command-line.

A vulnerability has been reported for DSPAM that may allow an attacker to
execute arbitrary code with elevated privileges. The issue lies in the
fact that DSPAM is installed world-executable and setgid by default.

As a result, an unprivileged attacker may supply a malicious executable to
the application, as an argument when specifying a delivery or quarantine
agent. When invoked, the executable will be run with the group privileges
of DSPAM, typically mail.

This privilege escalation could assist in further attacks launched against
a target system.

ChatZilla Remote Denial of Service Attack
BugTraq ID: 8627
Remote: Yes
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8627
Summary:
ChatZilla is an IRC client for Linux operating systems.  ChatZilla is
based on JavaScript and XUL and is shipped with the Mozilla web browser.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to cause a denial of service condition in ChatZilla.
The issue presents itself when a remote attacker posing as an IRC server
sends specially crafted requests containing long string values to a
vulnerable system.  The attack may cause the software to behave in an
unstable manner, leading to a crash.

Successful exploitation of this vulnerability may allow a remote attacker
to cause the vulnerable software to crash.

It is not known if this condition could also be exploited to execute
arbitrary code on the client.

ChatZilla versions 0.8.23 and prior are reported to be prone to this
issue.

OpenSSH Buffer Mismanagement Vulnerabilities
BugTraq ID: 8628
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8628
Summary:
A buffer mismanagement vulnerability has been reported in OpenSSH.  This
issue exists in the 'buffer.c' source file.

The source of the problem is that a buffer structure's size value may be
expanded before the program attempts to reallocate the buffer using this
size.  If the expanded buffer size triggers a call to fatal(), a series of
cleanup functions registered by the daemon will be called prior to exiting
the program.  As one of these functions may then reference the data within
the buffer, including the unused expanded value, a miscalculation could
potentially occur.  Depending on how the cleanup functions reference this
data, it may be theoretically possible for heap-based memory to be
corrupted.  This condition can reportedly be triggered by an overly large
packet.

External sources, including the vendor, do not believe that this issue
could be exploited to execute arbitrary code though it may potentially be
used to cause a denial of service.

There are also unconfirmed rumors of an exploit for this vulnerability
circulating in the wild.  The impact may be reduced by the implementation
of privilege separation on affected versions of OpenSSH.

OpenSSH has revised its advisory, pointing out a similar issue in the
channels.c source file and an additional issue.  Solar Designer has also
reportedly pointed out additional instances of the problem that may also
present vulnerabilities.  Individual BIDs will be created for these
additional issues when further analysis is complete.
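Added example, not OpenSSH's own code: a small growable buffer in C whose size bookkeeping is committed only after realloc has succeeded, and which refuses growth past a hard cap. On every failure path the structure is left untouched, so a cleanup handler reached afterwards (the fatal() scenario above) never sees a size field that the allocation does not back. The cap, the struct layout and the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed hard cap on buffer growth; a request that would exceed it
   fails cleanly before any size field is modified. */
#define BUF_MAX_ALLOC (1u << 20)

typedef struct {
    unsigned char *data;
    size_t alloc;   /* bytes actually allocated behind data */
    size_t end;     /* bytes in use */
} growbuf;

void growbuf_init(growbuf *b)
{
    b->data = NULL;
    b->alloc = 0;
    b->end = 0;
}

/* Reserve len bytes at the end of the buffer and return a pointer to the
   reserved region, or NULL if the request is too large or allocation
   fails. alloc and end are updated only after realloc has returned a
   valid block, so a cleanup routine that later inspects or wipes b->data
   can trust b->alloc. */
unsigned char *growbuf_append_space(growbuf *b, size_t len)
{
    /* Cap and overflow check first, before touching any field. */
    if (len > BUF_MAX_ALLOC || b->end > BUF_MAX_ALLOC - len)
        return NULL;
    size_t need = b->end + len;
    if (need > b->alloc) {
        size_t newalloc = b->alloc ? b->alloc : 64;
        while (newalloc < need)
            newalloc *= 2;
        if (newalloc > BUF_MAX_ALLOC)
            newalloc = BUF_MAX_ALLOC;
        unsigned char *p = realloc(b->data, newalloc);
        if (p == NULL)
            return NULL;            /* b->alloc and b->data untouched */
        b->data = p;
        b->alloc = newalloc;        /* commit only after success */
    }
    unsigned char *region = b->data + b->end;
    b->end = need;
    return region;
}

/* Append len bytes from src. Returns 0 on success, -1 if refused. */
int growbuf_append(growbuf *b, const void *src, size_t len)
{
    unsigned char *dst = growbuf_append_space(b, len);
    if (dst == NULL)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Cleanup in the style of a daemon's exit handler: wipe exactly what was
   allocated, which is only safe because alloc is always accurate. */
void growbuf_free(growbuf *b)
{
    if (b->data != NULL) {
        memset(b->data, 0, b->alloc);
        free(b->data);
    }
    growbuf_init(b);
}

int main(void)
{
    growbuf b;
    growbuf_init(&b);
    growbuf_append(&b, "hello", 5);
    /* Constructed oversized request, standing in for an overly large packet. */
    int ok = growbuf_append_space(&b, BUF_MAX_ALLOC + 1) != NULL;
    printf("oversized append %s; alloc still %zu, end still %zu\n",
           ok ? "accepted" : "rejected", b.alloc, b.end);
    growbuf_free(&b);
    return 0;
}
```

The defensive property is local and easy to audit: nothing in the struct changes until the new block exists, so the invariant "alloc bytes are readable behind data" holds at every point where an exit handler could run.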

KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerab...
BugTraq ID: 8635
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8635
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop
Environment.  It is available for Linux/Unix operating systems.  KDM
provides a graphical login interface for KDE.

A problem has been reported in the KDE Display Manager (KDM) when used in
combination with Pluggable Authentication Modules (PAM).  Because of this,
an attacker may be able to gain unauthorized access to systems.

The problem is in the handling of specific authentication requests passed
through pam_setcred.  Under some circumstances, the result of the
pam_setcred call is not checked.  An attacker could create a malicious
request that circumvents authentication checking to gain unauthorized
access to a system.

It should be noted that this problem occurs when KDM is used in
combination with the pam_krb5 module.

KDE KDM Session Cookie Generation Weakness
BugTraq ID: 8636
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8636
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop
Environment.  It is available for Linux/Unix operating systems.  KDM
provides a graphical login interface for KDE.

KDM uses a weak algorithm to generate session cookies.  In particular, the
session cookie generation algorithm is not sufficient for generating 128
bits of entropy.  This may potentially make brute-forcing of session
cookies a practical endeavor, inevitably enabling an adversary to hijack a
KDM user session.

For exploitation to be successful, the adversary must also be able to
bypass any host-based restrictions.  It is most likely that a malicious
local user could potentially exploit this to gain unauthorized access to
another user's existing session.
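Added example, not KDM's code: generating a session cookie with the full 128 bits of entropy the advisory calls for, in C, by reading the kernel's random device with short reads handled, plus a constant-time comparison for checking a presented cookie. The cookie size and helper names are the example's own; it assumes /dev/urandom is available.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define COOKIE_BYTES 16   /* 128 bits, the strength the advisory expects */

/* Fill out[] with COOKIE_BYTES bytes from the kernel CSPRNG, handling
   short reads. Returns 0 on success, -1 on failure. A time-seeded rand()
   or a value derived from the PID yields far fewer than 128 bits and is
   exactly what makes a cookie guessable by brute force. */
int generate_session_cookie(unsigned char out[COOKIE_BYTES])
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < COOKIE_BYTES) {
        ssize_t n = read(fd, out + got, COOKIE_BYTES - got);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hex-encode a cookie for storage or transport. hex must hold
   2 * COOKIE_BYTES + 1 bytes. */
void cookie_to_hex(const unsigned char *cookie, char *hex)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < COOKIE_BYTES; i++) {
        hex[2 * i] = digits[cookie[i] >> 4];
        hex[2 * i + 1] = digits[cookie[i] & 0x0f];
    }
    hex[2 * COOKIE_BYTES] = '\0';
}

/* Compare a presented cookie against the stored one without an early
   exit, so the verifier does not leak how long a matching prefix was.
   Returns 1 on match, 0 otherwise. */
int cookie_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < COOKIE_BYTES; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    unsigned char cookie[COOKIE_BYTES];
    char hex[2 * COOKIE_BYTES + 1];
    if (generate_session_cookie(cookie) != 0) {
        fprintf(stderr, "could not read random device\n");
        return 1;
    }
    cookie_to_hex(cookie, hex);
    printf("session cookie: %s\n", hex);
    return 0;
}
```

On Linux, getrandom(2) can replace the open/read loop; the important properties are the same either way: every bit comes from the kernel CSPRNG, partial reads are not silently accepted, and comparison time does not depend on the input.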

Sendmail Prescan() Variant Remote Buffer Overrun Vulnerabili...
BugTraq ID: 8641
Remote: Yes
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8641
Summary:
Sendmail is prone to a buffer overrun vulnerability in the prescan()
function.  This issue is different than the vulnerability described in BID
7230.  The issue exists in the parseaddr.c source file and could allow for
corruption of stack or heap memory depending on where in the code the
function is called from.  One possible attack vector is if the function is
indirectly invoked via parseaddr(), though others may also exist.

This vulnerability could permit remote attackers to execute arbitrary code
via vulnerable versions of Sendmail.  This would occur with the privileges
of the server.

The vendor has reported that versions prior to 8.12.10 are vulnerable.
Additionally, it has been reported that commercial releases, including all
versions of Sendmail Advanced Message Server, Sendmail Pro, Sendmail
Switch and Sendmail for NT, are also vulnerable.

Lucent MAX TNT Universal Gateway Hang-Up Redial Administrati...
BugTraq ID: 8642
Remote: Yes
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8642
Summary:
MAX TNT Universal Gateway is a router solution maintained and distributed
by Lucent.  The device was previously manufactured by Ascend.

A problem in the handling of hang-up and redial calls to the Lucent MAX
TNT Universal Gateway has been reported.  Allegedly, this may make it
possible for an attacker to gain unauthorized access to network resources.

It has been reported that callers connecting to the router, hanging up,
then immediately redialing gain arbitrary administrative access.
Specific details of this issue are not currently available, and this BID
will be further updated when information becomes available.

It should be noted that it appears a valid user account is required to
launch an attack.

[ hardware ]

NetBSD Sysctl Argument Handling Vulnerabilities
BugTraq ID: 8643
Remote: No
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8643
Summary:
Multiple vulnerabilities have been reported in the sysctl system call for
NetBSD systems.

A kernel panic could result from some sysctl nodes attempting to
dereference a NULL pointer.  In particular, a single pointer variable was
mistakenly used to point to both a user-level and a kernel-level address.
A user could set the variable to a NULL pointer, potentially causing a
kernel panic and denying service to legitimate users of the system.

If the process ID of a zombie process is passed to the system call, this
could cause a kernel panic.  This could occur if the proc.* sysctl tree is
invoked on a zombie process, which would have invalid or non-existent
process information.  This could potentially be exploited by a user to
cause a kernel panic, denying service to legitimate users of the system.

Some sysctl nodes do not implement sufficient range checking, potentially
allowing kernel memory to be read.  The proc.curproc.rlimit subtree has a
number of nodes that contain information about process limits.  sysctl
provides a helper that is used to manipulate these values, which does not
implement sufficient range checking, potentially allowing values outside
of the rlimit structure to be read.  This could permit a local user to
browse kernel memory, potentially gaining access to sensitive information
such as credentials.  This issue may be similar to the vulnerability
described in BID 2364, which affects the Linux kernel.

It is not known if other BSD derivatives are similarly affected by these
issues.

These issues will be separated into individual BIDs when further analysis
is complete.

Multiple Mambo Open Source 4.0.14 Server Vulnerabilities
BugTraq ID: 8647
Remote: Yes
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8647
Summary:
Mambo Open Source is a web based content management system.

Several issues have been identified in Mambo Open Source Server.  Because
of these issues, an attacker may be able to gain unauthorized access to
sensitive data and/or send e-mail/spam to arbitrary recipients.  The
vulnerabilities are caused by insufficient sanitization of user-supplied
data.

The following problems have been reported to exist:

Multiple SQL injection vulnerabilities may exist in the banners.php and
emailfriend/emailarticle.php modules of the software, allowing a remote
attacker to inject malicious SQL syntax into database queries.  A remote
attacker may exploit the issues to influence SQL query logic.

These issues may allow an attacker to gain access to sensitive data stored
in the database. Other attacks on the underlying database are possible as
well.

An input validation issue has been reported in the sendmail function of
the contact.php module of the software.  It is possible for a remote
attacker to exploit this lack of input validation to send anonymous e-mail
to arbitrary recipients, possibly in large volumes.  This may be
accomplished by passing URL arguments to the following parameters in order
to send email to recipients: $text, $from, $name, $email_to, and $sitename.

This issue may allow an attacker to conceal their identity and send
e-mail/spam to arbitrary recipients.

Mambo Open Source Server 4.0.14 has been reported to be prone to this
problem, however other versions may be affected as well.

This BID will be divided into individual BIDs when further analysis of the
issues is complete.

Sendmail Ruleset Parsing Buffer Overflow Vulnerability
BugTraq ID: 8649
Remote: Unknown
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8649
Summary:
Sendmail is a widely used MTA for Unix and Microsoft Windows systems.

Sendmail has been reported prone to a buffer overflow condition when
parsing non-standard rulesets.

It has been reported that an attacker may trigger a buffer overflow
condition in Sendmail when Sendmail parses specific rulesets.
Non-standard rulesets recipient(2), final(4) and mailer-specific envelope
recipient may be used as an attack vector to trigger this vulnerability.
It should be noted that Sendmail under a default configuration is not
vulnerable to this condition. It is not currently known if this
vulnerability may potentially be exploited to execute arbitrary code.
However, due to the nature of the condition, it has been conjectured,
although unconfirmed, that ultimately an attacker may exploit this
condition to execute arbitrary code in the context of the affected
Sendmail server.

It is not currently known if this vulnerability is restricted to local
exploitation or if the issue may also be exploited remotely.

Explicit technical details regarding this vulnerability are not currently
available; this BID will be updated as further details are disclosed.
