[gull-annonces] SecurityFocus Newsletter #216
Marc SCHAEFER
schaefer at alphanet.ch
Tue Sep 30 09:51:02 CEST 2003
LSH Remote Buffer Overflow Vulnerability
BugTraq ID: 8655
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8655
Summary:
lsh is a free software implementation of the ssh version 2 protocol. It is
available for multiple platforms including Linux, Unix and Apple.
lsh has been reported prone to a remote buffer overflow vulnerability. The
condition is reported to present itself under fairly restrictive
circumstances; specifically the vulnerable server must receive malicious
exploit data before any other communications after it has been started.
The vulnerability has been reported to exist in read_line.c, inside an
error reporting function. It has been reported that the vulnerable
function does not return from a reporting procedure, and instead writes
arbitrary data past the end of a reserved buffer in heap-based memory.
This will eventually lead to the corruption of adjacent heap based
management structures.
This vulnerability has been reported to be exploitable pre-authentication,
resulting in the execution of arbitrary attacker supplied instructions in
the context of the affected daemon.
Although this issue has been reported to affect lsh versions 1.4.x, other
versions may also be affected.
Debian hztty Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 8656
Remote: No
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8656
Summary:
Debtian hztty is a program used to translate Chinese character encodings
in terminal sessions.
It has been reported that hztty is prone to multiple buffer overflow
issues that may allow an attacker to gain unauthroized access to a host
running the vulnerable software.
The conditions are present due to insufficient boundary checking. An
attacker may leverage the issues by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing the
affected procedures to return to an address of their choice. One of these
issues is due to insufficient bounds checking of data supplied via the
'-I' command line parameter.
It has also been reported that hztty is incorrectly installed as setuid
root by default instead of group utmp privileges.
Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the user who is running the vulnerable
software in order to gain unauthorized root access to a system.
hztty version 2.0-5.2 has been reported to be prone to these issue however
other versions may be affected as well.
Midnight Commander Virtual File System Symlink Buffer Overfl...
BugTraq ID: 8658
Remote: Yes
Date Published: Sep 19 2003
Relevant URL: http://www.securityfocus.com/bid/8658
Summary:
Midnight Commander is a popular file management tool for Unix systems.
Among other features, Midnight Commander is provided with a code layer to
access the file system; this code layer is known as the virtual file
system(VFS).
Midnight Commander has been reported prone to a buffer overflow
vulnerability, when handling symlinks in VFS.
The issue presents itself in the vfs_s_resolve_symlink() function,
reportedly due to an un-initialized buffer being used when Midnight
Commander is handling symlinks in the virtual file system code layer,
specifically in tar and cpio VFS procedures.
An attacker may reportedly trigger this issue, using malicious tar
archives as an attack vector; to overflow the bounds of an un-initialized
reserved buffer in stack based memory. Although unconfirmed, it has been
conjectured that this condition may be leveraged to execute arbitrary
code, however a denial of service condition that causes the affected
Midnight Commander application to crash has been demonstrated.
ipmasq Incorrect Packet Forwarding Default Ruleset Vulnerabi...
BugTraq ID: 8664
Remote: Yes
Date Published: Sep 20 2003
Relevant URL: http://www.securityfocus.com/bid/8664
Summary:
ipmasq is a package that is used to initialize and simplify the
configuration of Linux IP Masquerade. IP Masquerade is a feature of linux
that allows multiple hosts to share a single IP address.
Debian has reported that the firewall rules configured by ipmasq may
result in incorrect (and potentially insecure) forwarding of traffic on
the gateway host. According to the report, any traffic destined for
internal hosts arriving at the external interface of the gateway will be
forwarded to the destination host on the internal network regardless of
whether the packet can be associated with an established connection or
not. This behavior is incorrect and may result in attackers gaining
unauthorized access to internal and potentially more vulnerable hosts.
ipmasq 3.5.10 has been reported to be prone to this vulnerability.
Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun Vulne...
BugTraq ID: 8668
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8668
Summary:
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
Washington University. Wu-Ftpd includes an option 'MAIL_ADMIN', which
allows the administrator to be e-mailed when a specific event occurs on
the server. One such event may be the uploading of a remote file.
A remote vulnerability has been discovered in Wu-Ftpd, when configured
using the 'MAIL_ADMIN' option to report file uploads, that could allow for
the execution of arbitrary code. It should be noted that Wu-Ftpd servers
running the default configuration are not affected by this vulnerability.
The problem is present within the SockPrintf() function, located within
the ftpd.c source file, and occurs due to insufficient bounds checking.
When SockPrintf() is called, a number of formatted arguments are passed to
the svprintf() function and are stored within the local stack buffer. Due
to insufficient bounds checking prior to calling svprintf(), an attacker
capable of influencing data passed to SockPrintf() may be capable of
overrunning the 32768 byte buffer with malicious data.
This issue may be exploitable through the store() function defined in
ftpd.c, which invokes the SockPrintf() function using an uploaded filename
as the 'name' argument. If an attacker was somehow capable of influencing
the size of the path used to store the uploaded file, possibly by creating
nested directories, it may be possible to construct a 'name' argument
greater then 32768 bytes. This would effectively result in the allocated
stack buffer being overrun, and could ultimately allow for the corruption
of sensitive stack variables such as a saved frame pointer or a return
address.
It should be noted that specific operating systems place a limit on the
available size of filenames. For instance, Linux limits the size to 4096
bytes. Due to this limit, this bug may not be exploitable on certain
systems. However, if the aforementioned nested directory creation is
possible, exploitation may still be possible on systems that set smaller
size limits.
Successful exploitation of this vulnerability could result in the
execution of arbitrary code with the privileges of the Wu-Ftpd server,
typically root.
Man Utility Local Compression Program Privilege Elevation Vu...
BugTraq ID: 8675
Remote: No
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8675
Summary:
The man utility is used for formatting and displaying various system
manuals and documentation. The optional .manpath file is used by man to
locate various applications used by the user.
A vulnerability has been reported in man that may allow an attacker to
gain elevated privileges. The problem lies in man failing to carry out
sufficient sanity checks before executing a user-defined compression
program. As a result, it may be possible for an attacker to execute
arbitrary code with user 'man' privileges.
An attacker could exploit this issue by creating a malicious executable,
designed to spawn a shell, and specify it as the compression program.
Multiple Vendor VPN Implementation Vulnerabilities
BugTraq ID: 8676
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8676
Summary:
Multiple VPN implementations, including CIPE, vtun, and tinc are prone to
security vulnerabilities.
The CIPE implementation is prone to a number of cryptographic flaws. The
flaws include lack of data integrity assurance due to the use of CRC-32
checksums, no inherent measures to protect against message
insertion/deletion attacks and incompatibilities with recent 128-bit block
cipher implementations due to use of 3-bit padding lengths.
Follow-up information has been provided regarding these reported
implementation flaws in CIPE. It appears that the use of CRC-32 checksums
is a legitimate concern, which may be configurable in future versions of
CIPE. Incompatibilities with recent 128-bit block cipher implementations
such as AES do present a possibility for cryptographic attacks on inherent
weaknesses that may exist in algorithms that are supported by CIPE. Other
reported issues such as no inherent protection against message
insertion/deletion attacks are perceived as the result of limitations in
underlying network protocols and it is reported that some of these attacks
may be impractical.
vtun is prone to flaws including weak key generation and lack of inherent
message insertion/deletion protection mechanisms.
tinc is prone to minor cryptographic weaknesses that could expose the
first encrypted block of packets to attacks, potentially exposing
encrypted data. Additional flaws have been reported in the handshake
protocol that could expose VPN communications to man-in-the-middle attacks
and threaten the integrity of the VPN.
Exploitation of these issues could compromise the security of the VPN.
Replay and man-in-the-middle attacks may be possible, in addition to
attacks which allow adversaries to partially decrypt VPN communications or
abuse trust relationships. Many of these issues may be exploited in
combination.
These issues are pending further analysis. This BID will be divided into
individual BIDs when further analysis of the issues is complete.
Multiple Portable OpenSSH PAM Vulnerabilities
BugTraq ID: 8677
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8677
Summary:
Multiple vulnerabilities have been reported to affect Portable OpenSSH
with PAM support enabled. It has been reported that at least one of these
vulnerabilities may be exploitable, under a non-standard configuration
with privsep disabled, by a remote attacker.
Explicit technical details regarding this vulnerability is not currently
available, this BID will be updated, as further analysis of these
conditions is complete.
This vulnerability has been reported to affect Portable OpenSSH versions
3.7p1 and 3.7.1p1. OpenBSD releases of OpenSSH do not contain the
vulnerable code and so are not reported to be affected.
wzdftpd Login Remote Denial of Service Vulnerability
BugTraq ID: 8678
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8678
Summary:
wzdftpd is an FTP server implementation that is available for the Unix,
Linux, and Microsoft Windows platforms.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to cause a denial of service condition. The issue
presents itself when a remote attacker sends a single CRLF character to
the program during the login process. The attack may cause the software
to act in an unstable manner.
This issue occurs due to improper sanitizing of user-supplied input and a
successful attack may allow a remote attacker to cause the vulnerable
process to crash.
wzdftpd version 0.1rc5 has been reported to be prone to this
vulnerability, however other versions across various platforms may be
affected as well.
ProFTPD ASCII File Transfer Buffer Overrun Vulnerability
BugTraq ID: 8679
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8679
Summary:
ProFTPD is an FTP server implementation that is available for Unix and
Linux platforms.
A remotely exploitable buffer overrun vulnerability has been reported in
ProFTPD.
This issue could be triggered if a malicious file is transferred in ASCII
mode. Specifically, ASCII transfers are read in 1024 byte chunks and
checked for newlines (\n). Improper handling of newline characters in
ASCII files may potentially be abused to corrupt memory with
attacker-supplied values. If sensitive values in memory such as
instruction pointers can be overwritten with attacker-supplied data, it
will be possible to control execution flow of the process and execute
arbitrary code.
Successful exploitation will permit a malicious FTP user with upload
access to execute arbitrary code in the context of the FTP server. To
exploit the issue, the attacker must upload the malicious file and then
attempt to download it.
It is also reported that ProFTPD does not adequately drop privileges in
some circumstances, which may compound the risks associated with
exploitation.
This issue could also affect versions prior to 1.2.7, though this has not
been confirmed.
MPG123 Remote File Play Heap Corruption Vulnerability
BugTraq ID: 8680
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8680
Summary:
mpg123 is a freely available, open source audio file player. mpg123 is
available for the Linux and Unix platforms.
A problem in the handling of some types of remote files has been reported
in mpg123. Because of this, it may be possible for a remote attacker to
execute arbitrary code with the privileges of the mpg123 user.
The problem occurs in the readstring function implemented in the httpget.c
source file. When the program is used to connect to a remote streaming
server, it receives strings which is places onto the heap. However, the
readstring function does not sufficiently limit the data in some
instances, making it possible for an attacker to send an arbitrary amount
of data. An attacker can use this problem to overwrite sensitive process
memory, potentially executing arbitrary instructions.
Ingate Firewall/SIParator Packet Filter Rule Bypass Vulnerab...
BugTraq ID: 8681
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8681
Summary:
Ingate Firewall is a firewall appliance; SIParator is an appliance that
provides for the transmission of SIP-based communications and is designed
to operate with Ingate Firewall.
Ingate Firewall/SIParator products have been reported prone to a TCP
packet filter bypass vulnerability under some circumstances.
The issue presents itself if TCP packet filtering is being used in the
affected software. A malicious packet containing SYN and RST flags set
that passes through the firewall in the reply direction, may bypass
packet-filtering rules if the destination TCP stack implementation ignores
the RST flag and establishes a TCP connection based off the SYN flag.
Ultimately this issue may result in an established TCP connection, that
the affected TCP packet filtering rules were supposed to block.
It is likely that this vulnerability affects Ingate Firewall/SIParator
version 3.2 and prior.
[ hardware ]
XFree86 XLOCALEDIR Buffer Overflow Variant Vulnerability
BugTraq ID: 8682
Remote: Yes
Date Published: Sep 23 2003
Relevant URL: http://www.securityfocus.com/bid/8682
Summary:
XFree86 utilities may be prone to a locally exploitable vulnerability due
to insufficient bounds checking of data supplied via the XLOCALEDIR
environment variable. This is a variant of the issue described in BID
7002, but is reported to affect XFree86 4.3.0 and the buffer required to
trigger the condition may also vary. This poses a security risk with
utilities that are setuid/setgid.
The researcher who reported this vulnerability tested the issue with
xscreensaver and it was reportedly possible to overwrite EIP with
attacker-supplied values, however, privilege escalation was not possible
due to the application dropping privileges. It is possible that some
other utilities may drop privileges before exploitation can occur. It has
not been established that this issue may be exploited to gain elevated
privileges.
BSD Kernel ARP Cache Flooding Denial of Service Vulnerabilit...
BugTraq ID: 8689
Remote: Yes
Date Published: Sep 22 2003
Relevant URL: http://www.securityfocus.com/bid/8689
Summary:
The Address Resolution Protocol (ARP) is used to map Internet Protocol
(IP) addresses to MAC addresses. When an IP address is resolved to a MAC
address, it is stored in the ARP cache within the BSD kernel.
A vulnerability has been discovered in the BSD kernel. The problem lies in
the method in which BSD handles and caches information stored in ARP
requests. Specifically, if an ARP request is received and the IP cannot be
resolved, if a default route exists the MAC address will be given an entry
within the ARP cache regardless. As a result, especially on systems with a
default ipv4 route, an attacker may be capable of filling up the available
ARP cache space and triggering a system panic.
A successful attack can be accomplished by sending a high volume of ARP
requests, each with a unique spoofed IP address, to a target system.
The issue is reported to exist in FreeBSD and MacOS X. Other systems
which use a BSD-derived kernel may also be prone to the issue.
CFEngine CFServD Transaction Packet Buffer Overrun Vulnerabi...
BugTraq ID: 8699
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8699
Summary:
GNU cfengine is software for automating administration and maintenance of
large networks. It is available for Unix and Linux variants.
cfengine is prone to a stack-based buffer overrun vulnerability. This
issue may be exploited by remote attackers who are able to send malicious
transaction packets to cfservd. cfservd is typically configured to run on
a central master server, which may have some degree of authority over
other systems in the network.
This issue is due to insufficient bounds checking of data that is read in
during a transaction with a remote user. In particular, the
BusyWithConnection() function in the cfservd.c source file passes
externally supplied data in a 4096 byte stack-based buffer to the
ReceiveTransaction() function in net.c. A value for the message length is
then read from the socket by ReceiveTransaction(). The message length and
buffer are then passed to the RecvSocketStream() function. If the message
length is more than 4096 bytes, then adjacent regions of memory will be
corrupted with the superfluous data. In this manner it is possible to
corrupt stack variables such as an instruction pointer with
attacker-supplied values, allowing for control of execution flow and
execution of malicious instructions embedded in memory by the attacker.
The vulnerability may be exploited to execute arbitrary code with the
privileges of cfservd. A denial of service may also be the result of
exploitation attempts as cfservd is multi-threaded and may not be
configured to restart itself via a super-server such as inetd.
MPlayer Streaming ASX Header Parsing Buffer Overrun Vulnerab...
BugTraq ID: 8702
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8702
Summary:
MPlayer is a multimedia program designed for the Linux and BSD operating
systems. It supports are wide variety of video files, including the ASX
format.
A vulnerability has been discovered in MPlayer when handling malformed
streaming ASX file headers. The issue has been reported to present itself
within the ASX stream handler of MPlayer, and has been reported to be due
to a lack of sufficient boundary checks performed within the
asf_http_request() function.
An attacker may create a malicious ASX file and host it on a server that
responds to a connecting client with new line data that is sufficient to
subvert boundary checks. When the malicious ASX file stream is
interpreted, excessive data contained as an http_proxy value in the ASX
file header may overrun the bounds of a reserved stack-based buffer in
memory and corrupt adjacent memory.
A remote attacker may leverage this condition to corrupt a saved
instruction pointer and thereby influence execution flow of the vulnerable
application into attacker controlled memory. Ultimately an attacker may
execute embedded instructions in the context of the user running MPlayer.
Apache htpasswd Password Entropy Weakness
BugTraq ID: 8707
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8707
Summary:
A weakness has been discovered in the way that the Apache htpasswd
generates salts. Specifically, the salt is generated based of the current
system time using the following procedure:
(void) srand((int) time((time_t *) NULL));
ap_to64(&salt[0], rand(), 8);
If this procedure were used twice or more within the same second, the
generated salts would be identical. As a result, if the affected system
were implementing the use of default auto-generated passwords, multiple
passwords may have the same salt. Having a static value across multiple
passwords will make it easier for an attacker to compromise credentials
and gain access to resources protected via htpasswd that they wouldn't
normally have access to.
This may pose a security weakness if an attacker were capable of gain
access to the contents of htpasswd.
This weakness is said to affect Apache 1.3.27 and 1.3.28, however, other
versions may also be affected.
Athttpd Remote GET Request Buffer Overrun Vulnerability
BugTraq ID: 8709
Remote: Yes
Date Published: Sep 25 2003
Relevant URL: http://www.securityfocus.com/bid/8709
Summary:
Athttpd is a web server available for the Linux operating system.
A vulnerability has been reported for Athttpd. The problem occurs due to
insufficient bounds checking when handling GET requests. Specifically,
making a GET request including approximately 820 bytes of data will
effectively overrun the bounds of the internal memory buffer used for its
storage.
As a result, an attacker may be capable of corrupting sensitive data such
as a return address, and effectively control the execution flow of the
program. This would ultimately allow for the execution of arbitrary code.
This vulnerability is said to affect atphttpd 0.4b, however, earlier
versions may also be affected.
[ licence?]
More information about the gull-annonces
mailing list