[gull-annonces] Summary of SecurityFocus Newsletter #235

Marc SCHAEFER schaefer at alphanet.ch
Wed Feb 11 20:11:04 CET 2004


GNU LibTool Local Insecure Temporary Directory Creation Vuln...
BugTraq ID: 9530
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9530
Summary:
libtool is a freely available, open source library management script.  It
is available for the Unix and Linux platforms.

A problem has been identified in the creation of temporary directories by
the libtool script.  Because of this, an attacker may be able to corrupt
arbitrary files on a system.

libtool does not securely create temporary directories.  When the script
is executed during compilation of a program, it creates a situation where
an attacker can potentially overwrite target files using predicted
symbolic links, potentially destroying data.

It should be noted that this issue only affects programs that use libtool
during compilation time.  Additionally, resolution of this issue only
limits scope to programs that use the system libtool, and does not resolve
the issue in programs that package their own version of libtool.
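An added example (not libtool's own code) of the pattern that avoids the predictable-name problem described above: mkdtemp(3) chooses an unpredictable name and creates the directory atomically, and a follow-up check refuses to use anything that is not a private directory owned by the caller. The function names and the `ltmp-` prefix are assumptions for illustration.

```c
/* Added example, not libtool's code: create a private temporary directory
 * with mkdtemp(3) instead of a predictable path such as /tmp/<name>-<pid>
 * that another local user could pre-create or point at a symlink. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

char *mkdtemp(char *template_path);   /* POSIX.1-2008; declared here as a hedge */

/* Fill 'path' with a freshly created directory, mode 0700, owned by us.
 * Returns 0 on success, -1 on failure (errno set by mkdtemp/snprintf). */
int make_private_tmpdir(char *path, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    /* mkdtemp replaces the trailing XXXXXX with random characters. */
    if (snprintf(path, len, "%s/ltmp-XXXXXX", base) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(path) == NULL)
        return -1;      /* never fall back to reusing a guessed name */
    return 0;
}

/* Check a build script can apply before writing into the directory: it
 * must be a real directory (not a symlink), owned by the caller, and not
 * writable by group or others. Returns 1 if safe, 0 otherwise. */
int tmpdir_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;       /* a symlink planted at this path fails here */
    if (st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}
```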

FreeBSD mksnap_ffs File System Option Reset Vulnerability
BugTraq ID: 9533
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9533
Summary:
FreeBSD 5.0-RELEASE and later includes a tool called mksnap_ffs to
facilitate taking snapshots of file systems.  This utility is only
accessible to administrative users by default.

A vulnerability has been reported in the FreeBSD mksnap_ffs utility that
could cause file system security properties to be reset.  When the utility
is run, it does not preserve various file system flags.  If the file
system is restored from the snapshot, these settings will have their
default values, which may impact security if file system security settings
were enabled on the file system prior to the utility being run to take a
snapshot of the file system.

This could impact any extended access control lists that are enabled on
the file system or re-enable the use of setuid executables.  The exact
consequences will depend on the security configuration that was in place
prior to the snapshot being taken and the file system being restored from
the snapshot.

SqWebMail Authentication Response Information Leakage Weakne...
BugTraq ID: 9541
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9541
Summary:
SqWebMail is a web-based e-mail application.

SqWebMail leaks sensitive information in authentication responses that may
aid an attacker in brute forcing the root password on the underlying
operating system.  The software reportedly issues a different response
when the user authenticates successfully as the root user than when a
failed attempt occurs.

For example, when an authentication attempt fails, the web interface will
issue the following response:
"invalid user or password"

When authentication succeeds for the root user, the interface reportedly
issues this response instead:
"maildir doesn't exist or has incorrect ownership or permission"

It should be noted that this may depend on there not being a Maildir for
the root user on the underlying operating system.  This type of response
could also be issued for other users on the system that do not have a
Maildir.

This vulnerability may provide a covert means of brute-forcing the root
password via the SqWebMail interface.

This issue reportedly exists when SqWebMail is run with qmail, qmailadmin,
vpopmail with vchkpw-auth. Other reports specify that this issue exists
solely in SqWebMail.

[ language? real impact? ]

Suidperl Unspecified Information Disclosure Vulnerability
BugTraq ID: 9543
Remote: No
Date Published: Feb 01 2004
Relevant URL: http://www.securityfocus.com/bid/9543
Summary:
SuidPerl is the Perl interpreter for setuid Perl scripts. It is included
with distributions of the Perl package and is available for Linux and Unix
variant operating environments.

A vulnerability has been reported in Suidperl that may cause sensitive
information to be disclosed to unauthorized users.  This could potentially
permit users to enumerate the existence of files or determine other
attributes that should not be accessible to unprivileged users.

This issue may be exploited by a malicious local user.

Util-Linux Login Program Information Leakage Vulnerability
BugTraq ID: 9558
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9558
Summary:
Login is a component of the util-linux package.  It is available for the
Linux platform.

A problem has been identified in the handling of information by the login
component of the util-linux package.  Because of this, an attacker may be
able to gain access to sensitive information.

The problem is an issue in the handling of pointers within the program.
In some situations, a function within the program may attempt to use a
pointer in system memory that has already been freed and reallocated by
another function.  Under these circumstances, it would be possible for an
attacker to gain access to potentially sensitive information.

It is conjectured that this issue requires specific circumstances and
numerous attempts to glean useful information.  However, no
proof-of-concept exists upon which further analysis can be made.

Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
BugTraq ID: 9562
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9562
Summary:
IOS is the device operating system available for the Cisco hardware
platform.  It is maintained and distributed by Cisco.

A problem has been identified in the handling of specific types of traffic
by Cisco 6000, 6500, and 7600 routers with the MSFC2 device.  Because of
this, an attacker could potentially crash a vulnerable system.

The problem is in the handling of malformed layer 2 frames.  When a layer
2 frame encapsulating a layer 3 packet is sent to a Cisco device running
an affected version of IOS, and the layer 2 frame length is inconsistent
with the encapsulated layer 3 packet, the device becomes unstable and
crashes upon receiving it.

It should be noted that this vulnerability presents a risk under very
specific circumstances.  The first is that a system on a network segment
local to the affected router can send a frame directly to the router,
without intermediary hops that strip the layer 1 and layer 2 framing.  The
other is that a tunnel carrying layer 2 frames between network segments
exists, and a system on one segment can send a malicious frame through the
tunnel to a vulnerable router on another segment.

[ firmware ]

Linux Kernel R128 Device Driver Unspecified Privilege Escala...
BugTraq ID: 9570
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9570
Summary:
The Linux Kernel supports numerous driver modules; one such is the R128
ATI Rage 128 bit video card driver module.

It has been reported that the Linux Kernel is prone to an unspecified
local privilege escalation vulnerability.  The issue is reportedly due to
an R128 DRI limits checking issue and may lead to privilege escalation on
affected systems.

This BID will be updated with further technical details if more
information is made available.

Apache mod_digest Client-Supplied Nonce Verification Vulnera...
BugTraq ID: 9571
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9571
Summary:
mod_digest is a digest authentication module that is included in Apache
HTTPD.

Patches have been released for the Apache mod_digest module to include
digest replay protection.  The module reportedly did not adequately verify
client-supplied nonces against the server-issued nonce.  The nonce is a
random, server-generated value that is sent for session verification
purposes during digest authentication.  This vulnerability could permit a
remote attacker to replay the response of another website, or of another
section of the same website, under some circumstances, potentially
allowing unauthorized access to sessions.

It should be noted that this issue does not exist in mod_auth_digest
module.

FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
BugTraq ID: 9572
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9572
Summary:
The FreeBSD netinet implementation has been reported prone to a
vulnerability that may allow remote attackers to deny service to affected
servers.

The issue presents itself due to a lack of restrictions placed on TCP MSS
(Maximum Segment Size) values.  When a TCP connection is negotiated, the
MSS values are exchanged between the connected hosts.  This may provide a
remote attacker an opportunity to set the Maximum Segment Size to a low
value (>64 octets).  This will result in data transmission that consists
of large amounts of small packets.  As the server attempts to commit to
the transmission, processing and receiving of this malicious traffic,
resources may be exhausted.  Ultimately the affected server may cease to
serve legitimate traffic.

A remote attacker may exploit this condition to deny service to legitimate
users.

OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
BugTraq ID: 9577
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9577
Summary:
OpenBSD has been reported prone to a remote denial of service attack when
configured to process IPv6 traffic.  The issue occurs when an affected host
handles ICMPv6 traffic that is configured with an arbitrarily low MTU
size.  It has been reported that when traffic of the aforementioned type is
handled, an unspecified kernel error occurs, denying service to the
affected system.

A remote attacker may exploit this vulnerability to deny service to
legitimate users.

FreeBSD does not appear to be affected.  It is undetermined if NetBSD is
similarly affected.  This BID will be updated as further information
relating to this issue is disclosed.

GNU Radius Remote Denial Of Service Vulnerability
BugTraq ID: 9578
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9578
Summary:
GNU Radius is a server used primarily by Internet service providers as a
solution for authentication and accounting.

GNU Radius has been reported prone to a remote denial of service
vulnerability. The issue presents itself when a single UDP datagram is
processed that contains an Acct-Status-Type attribute without any other
data. When the affected server handles this datagram, the server will
segfault due to a NULL Pointer dereference.

Specifically, when the Acct-Status-Type attribute is encountered the
following operation is processed:
avl_find(req->request, DA_ACCT_STATUS_TYPE);

Because the datagram contains no other data the following operation will
result in a null value for the *sid_pair pointer:
VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);

Finally, when a member of the sid_pair structure is referenced via the
following operation:
snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
the NULL pointer dereference will cause the service process to fail.

It should be noted that although this issue has been reported to affect
GNU Radius version 1.1, previous versions might also be affected.
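The accounting path above, modelled as an added example (this is not GNU Radius's code): a simplified VALUE_PAIR list, an avl_find that does a linear search, and a handler that rejects a datagram lacking Acct-Session-Id instead of dereferencing the NULL result. The attribute numbers come from RFC 2866; the struct layout and function names are assumptions.

```c
/* Added example modelling the GNU Radius accounting path, not the
 * project's code. VALUE_PAIR and avl_find are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DA_ACCT_STATUS_TYPE 40   /* RFC 2866 attribute numbers */
#define DA_ACCT_SESSION_ID  44

typedef struct value_pair {
    int attribute;
    long avp_lvalue;
    struct value_pair *next;
} VALUE_PAIR;

/* Linear search of the request's attribute list; NULL when absent. */
static VALUE_PAIR *avl_find(VALUE_PAIR *list, int attribute)
{
    for (; list != NULL; list = list->next)
        if (list->attribute == attribute)
            return list;
    return NULL;
}

/* Hardened handler: fills 'nbuf' and returns 0 when the session id is
 * present, -1 when it is missing. The vulnerable code used sid_pair
 * without the NULL check and segfaulted on a status-only datagram. */
int format_session_id(VALUE_PAIR *request, char *nbuf, size_t len)
{
    if (avl_find(request, DA_ACCT_STATUS_TYPE) == NULL)
        return -1;                    /* not an accounting request */
    VALUE_PAIR *sid_pair = avl_find(request, DA_ACCT_SESSION_ID);
    if (sid_pair == NULL)
        return -1;                    /* reject instead of crashing */
    snprintf(nbuf, len, "%ld", sid_pair->avp_lvalue);
    return 0;
}

/* Constructed datagrams: one carrying only Acct-Status-Type (the
 * crashing case) and one well-formed accounting request. */
VALUE_PAIR status_only = { DA_ACCT_STATUS_TYPE, 1, NULL };
VALUE_PAIR sid_attr    = { DA_ACCT_SESSION_ID, 4242L, NULL };
VALUE_PAIR well_formed = { DA_ACCT_STATUS_TYPE, 1, &sid_attr };
```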

BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...
BugTraq ID: 9586
Remote: No
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9586
Summary:
A vulnerability has been reported to exist in the shmat system call used
in the BSD kernel.  This may allow a local attacker to inject instructions
into the memory of a privileged process.

BSD systems support the System V Shared Memory interface, which provides
primitives for sharing memory segments between separate processes.  The
shmat(2) system call allows a shared memory segment that is created with
the shmget(2) function to be mapped into the calling process's address
space.  The issue presents itself due to an error in the shmat(2) system
call, which is included with the System V Shared Memory interface.
shmat(2) is implemented in the sysv_shm.c file.

The vulnerability occurs because shmat(2) does not decrement the reference
count of a shared memory segment when an error occurs.  Reportedly,
shmat(2) increments the count prior to attempting to reference a virtual
memory object, but fails to decrement it when an error occurs.  An
attacker could create two shared memory segments, then abuse the shmat
system call with invalid calls (the reported amount is 2^32-2 calls, or
4,294,967,294) to force a wrapping of the count in memory.  Upon
dereferencing one of the shared memory segments and executing a privileged
program, the attacker could force the privileged program to reuse the
section of shared memory still under control of the attacker.

The attacker could use this as a means of modifying the memory of the
running process, executing arbitrary attacker-supplied instructions
injected into the running process memory, granting privilege escalation to
the attacker.
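A toy model of the reference-count handling described above, added here as an example and not taken from sysv_shm.c: the unfixed variant leaks one reference per failed attach, the fixed variant releases it on every error path, and a 32-bit count started at 2 and bumped 2^32-2 times lands exactly on zero, which is what makes the kernel treat a still-mapped segment as free. `shm_segment` and the helper names are constructed for illustration.

```c
/* Added example, not the BSD kernel's sysv_shm.c: a model of the
 * reference count that shmat(2) takes before referencing the VM object. */
#include <errno.h>
#include <stdint.h>

struct shm_segment {
    uint32_t refcount;    /* attachments keeping the VM object alive */
    int vm_object_valid;  /* stands in for the VM object lookup succeeding */
};

/* Behaviour before the fix: the count is bumped first, and an error
 * while referencing the VM object returns without undoing it. */
int shmat_buggy(struct shm_segment *seg, int attach_ok)
{
    seg->refcount++;
    if (!seg->vm_object_valid || !attach_ok)
        return EINVAL;        /* early return leaks one reference */
    return 0;
}

/* Fixed: every failure path releases the reference it took. */
int shmat_fixed(struct shm_segment *seg, int attach_ok)
{
    seg->refcount++;
    if (!seg->vm_object_valid || !attach_ok) {
        seg->refcount--;
        return EINVAL;
    }
    return 0;
}

/* A segment whose count reads zero is treated as unreferenced and may be
 * freed and handed to another process, even while still mapped. */
int segment_looks_free(const struct shm_segment *seg)
{
    return seg->refcount == 0;
}

/* Value of a 32-bit count after 'failures' leaked increments from 'start';
 * the advisory's 2^32-2 calls against a count of 2 wrap to exactly 0. */
uint32_t leaked_count_after(uint32_t start, uint64_t failures)
{
    return (uint32_t)(start + failures);   /* modular arithmetic wraps */
}
```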
