[gull-annonces] Summary of SecurityFocus Newsletter #246

Marc SCHAEFER schaefer at alphanet.ch
Tue Apr 27 16:31:02 CEST 2004


logcheck Insecure Temporary Directory Vulnerability
BugTraq ID: 10162
Remote: No
Date Published: Apr 17 2004
Relevant URL: http://www.securityfocus.com/bid/10162
Summary:
logcheck performs operations on temporary directories in the /var/tmp
directory in an insecure manner.

This issue may only be exploited when the program removes said
directories.  The issue could be exploited by a local attacker to
corrupt root owned files.  This will most likely result in destruction
of data and denial of service.

[ in Debian stable, the directories concerned are created when logcheck
  is installed, so the problem does not arise, since /var/tmp is not a
  symlink to /tmp and is therefore not wiped regularly. In testing there
  is apparently an open bug on this subject.
]

SquirrelMail change_passwd Plug-in Buffer Overrun Vulnerabil...
BugTraq ID: 10166
Remote: Yes
Date Published: Apr 17 2004
Relevant URL: http://www.securityfocus.com/bid/10166
Summary:
The SquirrelMail change_passwd plug-in is prone to a stack-based
buffer overrun vulnerability.  The issue exists in the backend
chpasswd binary.

This vulnerability could potentially be exploited by a local user to
execute arbitrary code as root.

It should be noted that the local user may need to have additional
privileges to exploit this issue, such as being a member of a special
group on the system, such as webmasters or www or to have access to a
special user, depending on how the software is configured.

This issue may also be remotely exploitable via the CGI interface of
the software.

ssmtp Mail Transfer Agent Symbolic Link Vulnerability
BugTraq ID: 10171
Remote: Yes
Date Published: Apr 19 2004
Relevant URL: http://www.securityfocus.com/bid/10171
Summary:
It has been reported that ssmtp is prone to a symbolic link
vulnerability.  This issue is due to a design error that causes the
application to fail to validate files before writing to them.

This issue could be leveraged to corrupt arbitrary, attacker-specified
system files.  It may be possible for an attacker to gain escalated
privileges on the affected system; it is certainly possible to cause a
system wide denial of service condition.
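The logcheck and ssmtp entries above describe the same class of flaw: a privileged program writes to a predictable path in a shared directory without checking what that path resolves to, so a symbolic link placed there redirects the write onto a file the attacker could not otherwise touch. The following is an added example, not code from logcheck, ssmtp or the newsletter; all names in it (open_new_file_nofollow, make_private_workdir, the /tmp/safeopen-demo template and the victim/predictable.tmp files) are constructed for the demonstration. It shows the defensive pattern: refuse to reuse an existing name (O_EXCL), never follow a symlink in the final component (O_NOFOLLOW), and create scratch directories with mkdtemp(3) and verify them through a descriptor before use.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (what the advisories describe): open(path, O_WRONLY|O_CREAT|O_TRUNC)
 * on a predictable name in a world-writable directory follows a symlink planted
 * there, so the write lands on whatever file the link names.
 *
 * Safe variant: create the file only if the name does not exist yet (O_EXCL,
 * which also fails on a dangling symlink) and never follow a symlink in the
 * final component (O_NOFOLLOW).  Mode 0600 keeps the file private. */
int open_new_file_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Create a private work directory with an unpredictable name (mkdtemp(3)),
 * open it, and verify through the descriptor that it is a real directory
 * owned by us and not writable by others.  Returns the directory fd so that
 * files inside it can be created with openat() relative to it, or -1. */
int make_private_workdir(char *template_buf)
{
    struct stat st;
    int dfd;

    if (mkdtemp(template_buf) == NULL)
        return -1;
    dfd = open(template_buf, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Self-contained demonstration with constructed paths: plants a symlink at a
 * predictable name inside a fresh work directory and checks that the safe open
 * refuses it while the file the link points at stays intact, and that a
 * genuinely new name is still accepted.  Returns 1 on success, 0 otherwise,
 * and cleans up after itself. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/safeopen-demo-XXXXXX";   /* constructed template */
    char victim[320], link[320], fresh[320];
    struct stat st;
    int dfd, vfd, fd, refused, intact, fresh_ok;

    dfd = make_private_workdir(dir);
    if (dfd < 0)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.tmp", dir);

    /* "victim" stands in for a root-owned file that must not be clobbered */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, "important\n", 10) != 10 ||
        symlink(victim, link) != 0) {
        if (vfd >= 0)
            close(vfd);
        close(dfd);
        return 0;
    }
    close(vfd);

    fd = open_new_file_nofollow(link);              /* must be refused */
    refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    intact = (stat(victim, &st) == 0 && st.st_size == 10);

    fd = open_new_file_nofollow(fresh);             /* a new name is fine */
    fresh_ok = (fd >= 0);
    if (fd >= 0)
        close(fd);

    unlink(fresh);
    unlink(link);
    unlink(victim);
    close(dfd);
    rmdir(dir);
    return refused && intact && fresh_ok;
}

int main(void)
{
    printf("symlink refused and target intact: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

The directory check matters as much as the open flags: a program that only trusts the path string can still be redirected if the directory itself was swapped between creation and use, whereas holding a descriptor and using openat() relative to it pins the directory that was verified.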

KAME Racoon Malformed ISAKMP Packet Denial of Service Vulner...
BugTraq ID: 10172
Remote: Yes
Date Published: Apr 19 2004
Relevant URL: http://www.securityfocus.com/bid/10172
Summary:
It has been reported that racoon is prone to a denial of service
vulnerability when handling malformed ISAKMP packets.  This issue may
allow a remote attacker to cause the application to exhaust memory
resources leading to a crash or hang.

utempter Multiple Local Vulnerabilities
BugTraq ID: 10178
Remote: No
Date Published: Apr 19 2004
Relevant URL: http://www.securityfocus.com/bid/10178
Summary:
It has been reported that utempter is affected by multiple local
vulnerabilities.  The first issue is due to an input validation error
that causes the application to exit improperly, facilitating symbolic
link attacks.  The second issue is due to a failure of the application
to properly validate buffer boundaries.

The first issue results in a symbolic link vulnerability. Since
utempter runs with root privileges, this issue could be leveraged to
corrupt arbitrary, attacker-specified system files.

The second problem presents itself when utempter processes certain
strings.  These errors may cause the affected process to crash.  It
has been conjectured that this may be leveraged to execute arbitrary
code on the affected system, however this is currently unverified.

utempter is a utility to avoid the need for suid-root applications
when modifying data in the utmp file. Other distributions (such as
Debian) use setgid applications instead of this wrapper and thus
are not vulnerable.

Linux Kernel setsockopt MCAST_MSFILTER Integer Overflow Vuln...
BugTraq ID: 10179
Remote: No
Date Published: Apr 20 2004
Relevant URL: http://www.securityfocus.com/bid/10179
Summary:
An integer overflow vulnerability has been reported in setsockopt(2).
This was introduced as of the 2.4.22/2.6.1 kernel releases.

The specific issue exists in the net/ipv4/ip_sockglue.c source file
and is present in the ip_setsockopt() subroutine of the setsockopt()
system call.  Within this subroutine there is an integer overflow
within the IP_MSFILTER_SIZE macro, which is used when setting the
MCAST_MSFILTER socket option.

This issue may be exploited by a local user to compromise the system.
Exploitation could also result in a denial of service.  It should be
noted that this type of vulnerability may provide a generic means of
privilege escalation across Linux distributions once a remote attacker
has gained unauthorized access as a lower privileged user.

[ kernel <= 2.4.21 is not affected by this problem, but make sure you
have the necessary patches for the other local vulnerabilities such as
mremap ]

NcFTP Local Information Disclosure Vulnerability
BugTraq ID: 10182
Remote: No
Date Published: Apr 20 2004
Relevant URL: http://www.securityfocus.com/bid/10182
Summary:
NcFTP has been reported prone to a local information disclosure
vulnerability. The issue presents itself because the NcFTP client does
not correctly obfuscate arguments that are passed to the client
software. If the NcFTP client has been launched with an ftp site URI as
an argument, this argument will be visible in the 'ps -aux' process list.

Well, I personally think that if the user types:

   ncftp ftp://user:password@ftp-server/

he is the faulty part of the equation, not the client software.

Multiple Vendor TCP Sequence Number Approximation Vulnerabil...
BugTraq ID: 10183
Remote: Yes
Date Published: Apr 20 2004
Relevant URL: http://www.securityfocus.com/bid/10183
Summary:
A vulnerability in TCP implementations has been reported that may
permit unauthorized remote users to reset TCP sessions.  This issue
affects products released by multiple vendors.  This issue may permit
TCP sequence numbers to be more easily approximated by remote
attackers.

The cause of the vulnerability is that affected implementations will
accept TCP sequence numbers within a certain range of the expected
sequence number for a packet in the session.  This will permit a
remote attacker to inject a SYN or RST packet into the session,
causing it to be reset and effectively allowing for denial of service
attacks.  An attacker would exploit this issue by sending a packet to
a receiving implementation with an approximated sequence number and a
forged source IP and TCP port.

There are a few factors that may present viable target
implementations, such as those which depend on long-lived TCP
connections, those which have known or easily guessed IP address
endpoints and those implementations with known or easily guessed TCP
source ports.  It has been noted that Border Gateway Protocol (BGP) is
reported to be particularly vulnerable to this type of attack.  As a
result, this issue is likely to affect a number of routing platforms.

It should be noted that while a number of vendors have confirmed this
issue in various products, investigations are ongoing and it is likely
that many other vendors and products will turn out to be vulnerable as
the issue is investigated further.

Other consequences may also result from this issue, such as injecting
specific data in TCP sessions, though this has not been confirmed.

[ general problem, a partial solution is under development, DoS attack,
  see http://www.osvdb.org/4030 ]
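The TCP entry above rests on two points: a receiver that honours a RST anywhere inside its receive window, and the arithmetic that makes the window size, not the full 32-bit sequence space, the amount of guessing needed. The following is an added example, not code from the newsletter or any vendor's stack; the functions (rst_accepted_in_window, rst_accepted_exact, segments_to_cover, total_guesses) are constructed for the illustration. It puts the window-based acceptance rule beside an exact-match rule and computes how many forged segments each implies for a given window, which is the quantity a defender uses to judge exposure of long-lived sessions such as BGP.

```c
#include <stdint.h>
#include <stdio.h>

/* Is seq inside [rcv_nxt, rcv_nxt + rcv_wnd) in 32-bit wrap-around
 * sequence arithmetic?  Subtraction modulo 2^32 handles the wrap. */
static int seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Acceptance rule the advisory describes as vulnerable: a RST (or SYN) is
 * honoured if its sequence number falls anywhere in the receive window. */
int rst_accepted_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return seq_in_window(seq, rcv_nxt, rcv_wnd);
}

/* Stricter rule: only a RST whose sequence number is exactly rcv_nxt tears
 * the connection down; an in-window but inexact one should instead be met
 * with an ACK so that a genuine peer can resend (the approach later
 * standardised in RFC 5961). */
int rst_accepted_exact(uint32_t seq, uint32_t rcv_nxt)
{
    return seq == rcv_nxt;
}

/* Forged segments needed to guarantee that one sequence number lands in the
 * window: ceil(2^32 / rcv_wnd).  Under the exact rule the whole 2^32 space
 * would have to be tried instead.  A zero window accepts nothing, so 0. */
uint64_t segments_to_cover(uint32_t rcv_wnd)
{
    const uint64_t seq_space = (uint64_t)1 << 32;
    if (rcv_wnd == 0)
        return 0;
    return (seq_space + rcv_wnd - 1) / rcv_wnd;
}

/* The other factor the advisory lists: when the session's source port is
 * not known, every candidate port multiplies the work.  BGP, with its fixed
 * port 179, known router endpoints and long-lived sessions, has the
 * smallest search and so the greatest exposure. */
uint64_t total_guesses(uint32_t rcv_wnd, uint32_t port_candidates)
{
    return segments_to_cover(rcv_wnd) * port_candidates;
}

int main(void)
{
    uint32_t windows[] = { 16384u, 65535u };
    for (int i = 0; i < 2; i++)
        printf("window %u: %llu segments to cover the sequence space "
               "(vs 4294967296 with exact matching)\n",
               (unsigned)windows[i],
               (unsigned long long)segments_to_cover(windows[i]));
    printf("in-window RST at rcv_nxt+100 accepted: window rule=%d exact rule=%d\n",
           rst_accepted_in_window(1100, 1000, 16384),
           rst_accepted_exact(1100, 1000));
    return 0;
}
```

For a 16 KiB window the in-window rule reduces the search from 2^32 to 2^18 segments, which is why the advisory singles out implementations with large windows, guessable endpoints and fixed ports.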

Cisco Internet Operating System SNMP Message Processing Deni...
BugTraq ID: 10186
Remote: Yes
Date Published: Apr 20 2004
Relevant URL: http://www.securityfocus.com/bid/10186
Summary:
It has been reported that the Cisco Internet Operating System (IOS) is
affected by a remote SNMP message processing denial of service
vulnerability.  This is caused by a design error that causes memory
corruption in the affected system under certain circumstances.

This issue may be leveraged to cause a denial of service condition in
the affected device.  The denial of service is due to a corruption of
memory in the affected device.  As a result, there may be other
consequences, such as code execution.  This has not been confirmed by
Cisco.

[ firmware ]

Sun Fire/Netra Remote TOS IP Packet Denial Of Service Vulner...
BugTraq ID: 10189
Remote: Yes
Date Published: Apr 21 2004
Relevant URL: http://www.securityfocus.com/bid/10189
Summary:
A denial of service vulnerability has been reported to affect Sun Fire
and Netra products. The issue is reported to present itself when the
affected server handles an IP packet that has certain flags set. It is
reported that when this occurs the System Controller may hang, thereby
effectively denying service to legitimate users.

[ firmware (?) ]

Michael Bacarella ident2 Daemon Child_Service Remote Buffer ...
BugTraq ID: 10192
Remote: Yes
Date Published: Apr 16 2004
Relevant URL: http://www.securityfocus.com/bid/10192
Summary:
A remote buffer overflow vulnerability has been reported to affect the
Michael Bacarella ident2 daemon. The issue is reported to present
itself due to a lack of sufficient boundary checks performed on
user-supplied data, before it is copied into a reserved buffer in
process memory.

It is possible for a remote attacker to overrun the bounds of the
affected buffer and corrupt a restricted region of adjacent
memory. Because this data may potentially hold values that are crucial
to controlling process execution flow, it may be possible for a remote
attacker to exploit this issue to have arbitrary instructions
executed.

xine And xine-lib Multiple Remote File Overwrite Vulnerabili...
BugTraq ID: 10193
Remote: Yes
Date Published: Apr 22 2004
Relevant URL: http://www.securityfocus.com/bid/10193
Summary:
It has been reported that the xine media player and the xine media
library are affected by multiple remote file overwrite
vulnerabilities.  This is due to a design error that allows various
media resource file configurations to write to arbitrary files.

It is possible to set these configuration parameters to write to
arbitrary files on the affected system.  It should be noted that this
issue, as it is currently known, only affects Sun based systems as
well as those using the DXR3 or Hollywood+ MPEG decoder audio card.
It has been conjectured however that similar configuration parameters
exists that affect other systems.



