[gull-annonces] Summary of SecurityFocus Newsletter #236

Marc SCHAEFER schaefer at alphanet.ch
Fri Feb 20 08:49:12 CET 2004


Apache-SSL Client Certificate Forging Vulnerability
BugTraq ID: 9590
Remote: Yes
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9590
Summary:
Apache-SSL is an implementation of SSL (Secure Socket Layer) for the
Apache webserver.

Apache-SSL has been reported to be prone to a vulnerability. The issue
exists when Apache-SSL is configured with SSLVerifyClient set to 1 or 3
and SSLFakeBasicAuth active. It has been reported that a server possessing
the aforementioned configuration may provide a conduit that will allow a
remote attacker to forge a valid client certificate.

The attacker may exploit this issue by connecting to the affected service
and supplying a one-line DN of a valid user along with the password
"password". This will result in the issue of a valid client certificate.

This issue is reported to affect Apache-SSL 1.3.28+1.52 and all earlier
versions.

[ client certificates are rarely used to authenticate Apache
   sessions
]

Linux VServer Project CHRoot Breakout Vulnerability
BugTraq ID: 9596
Remote: No
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9596
Summary:
The Linux VServer Project is implemented with a linux kernel patch and a
group of tools that facilitate the partition of a single linux server into
multiple virtual servers.  It is implemented with a combination of
"security contexts", chroot, segmented routing, extended quotas and other
standard tools.

It has been reported that VServer is prone to a breakout vulnerability
that would allow a malicious user to escape from the context of the
virtual server.  This issue is due to the VServer application failing to
secure itself against a "chroot-again" style vulnerability.  Successful
exploitation of this issue may allow an attacker to gain access to the
file system outside of the chrooted root directory.

This issue is leveraged when processes running in the context of the
virtual server utilize the chroot function. The process would change its
current directory to the root directory of the virtual server.  It would
then create a temporary directory and chroot itself to the temporary
directory.  The process, however still resides in the directory that is
outside of the one that it has chrooted itself to, and so, by making
multiple calls to chdir( ".." ) it is able to move to the true root
directory of the vulnerable system.

This problem makes it possible for a local user with superuser access in
the virtual server environment to execute commands outside of the VServer
context, and possibly gain unrestricted access to the system.

OpenJournal Authentication Bypassing Vulnerability
BugTraq ID: 9598
Remote: Yes
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9598
Summary:
OpenJournal is a web-based application implemented using PERL that
features automated file creation, automated index updating, editing of
files through a Web-based interface and automated archiving.

It has been reported that OpenJournal is prone to an authentication bypass
vulnerability.  This issue is caused by the application failing to
properly sanitize URI specified parameters.  Successful exploitation of
this issue may lead to remote attackers gaining unauthorized access to
online journal files associated with the application, adding new users to
the database as well as a number of other possibilities.

The issue is due to the URI parameter 'uid'.  A malevolent user may gain
access to the OpenJournal control panel by assigning a specially crafted
value to the 'uid' parameter in a URI and submitting it to the
application.

Apache mod_php Global Variables Information Disclosure Weakn...
BugTraq ID: 9599
Remote: Yes
Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9599
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. Mod_PHP is an Apache
module which allows for PHP functionality in websites.

A weakness has been reported to exist in Apache mod_php module that may
allow remote attackers to disclose sensitive information via influencing
global variables.

The issue reportedly presents itself when the php.ini configuration file
has the parameter setting 'register_globals = on'.  If a request is made
to a virtual host which has the setting 'php_admin_flag register_globals
off' and another request is made to a different virtual host which does
not have "php_admin_flag register_globals off", the original setting may
continue to exist.  This issue could lead to other vulnerabilities such as
php file include, due to an attacker's ability to influence global
variables.  An attacker may also be able to disclose sensitive information
in order to gain unauthorized access.

[ NEVER have register_globals = on!  It is in any case a huge security
  hole with PHP.
]

Multiple Nokia Object Exchange Protocol Message Remote Denia...
BugTraq ID: 9603
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9603
Summary:
The 6310i phone is a multi-featured mobile phone distributed and
maintained by Nokia.

Several problems in the handling of Object Exchange (OBEX) protocol have
been identified in the Nokia 6310i that could cause the phone to become
unstable.  Because of this, it is possible for an attacker to potentially
deny service to legitimate users of affected phones.

The problem stems from the fact that an attacker can send arbitrary
requests to the phone through the transport means of Bluetooth.  By
sending invalid OBEX messages through this vector, the phone can be forced
into an unstable mode, resulting in the reboot of the phone.

Specific details concerning the OBEX issues are not available.  It is
conjectured that other Nokia phones may also be affected by this issue.

[ firmware ]

Shaun2k2 Palmhttpd Server Remote Denial of Service Vulnerabi...
BugTraq ID: 9608
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9608
Summary:
Shaun2k2 Palmhttpd is a web server for PalmOS.  The application is based
on the code base of 'httpd for PalmOS' server by Jim Rees.

A vulnerability has been reported to exist in the software that may allow
an attacker to cause a denial of service condition.  It has been reported
that PalmOS can only handle one client connection, however, palmhttpd
allows unlimited number of connections.  Due to this, attempting multiple
connections via palmhttpd will result in an error stating "Fatal Error,
NetStack1.c  overflowed accept queue", leading to a denial of service
condition in the server and PalmOS.

Shaun2k2 Palmhttpd versions 3.0 and prior may be prone to this issue.
Since the application is an extension of 'httpd for PalmOS' server by Jim
Rees, it is assumed that 'httpd for PalmOS' is vulnerable as well,
however, this product has been discontinued.

[ boundary between firmware and proprietary software ]

ClamAV Daemon Malformed UUEncoded Message Denial Of Service ...
BugTraq ID: 9610
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9610
Summary:
ClamAV is a freely available, open source virus scanning utility.  It is
available for the Unix and Linux platforms.

A problem in the handling of specially crafted UUEncoded messages has been
identified in ClamAV.  Because of this, an attacker may prevent the
delivery of e-mail to users.

The problem is in the handling of malformed UUEncoded messages.  When an
attacker sends an e-mail containing UUEncoded content and the line length
is a value that does not conform to UUEncoding conventions, the ClamAV
program terminates.  Because of this, mail delivered to the system that
is routed through the scanner will not arrive at its destination,
resulting in a denial of service.

It should be noted that earlier versions of the software may also be
affected, though no information concerning the scope of the issue is
available.

[ how long until the bombs:
     dd if=/dev/zero bs=1024k count=9000 | gzip -9 > small_file.gz
]

Caucho Technology Resin Source Code Disclosure Vulnerability
BugTraq ID: 9614
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9614
Summary:
Caucho Resin is an XML application server that provides support for
servlets and JSP.  Apache is a freely available, open source web server
software package. It is distributed and maintained by the Apache Group.

A vulnerability has been reported to exist in Resin that may allow a
remote attacker to gain access to sensitive information that could be used
to launch further attacks against a system.  The issue has been reported
to present itself on Windows NT/2000 systems running Apache 1.3.29 and
Resin 2.1.12.  This issue may allow an attacker to disclose source code of
script files by passing malicious data via a URI parameter.  Although
unconfirmed, the cause of this issue may arise from Resin influencing the
behavior of Apache when the two applications are used simultaneously.

An attacker may exploit this condition to reveal information that may be
used to aid in further attacks against the target system.

[ hard to say whether Resin is free software. Not clear. ]

Computer Associates eTrust InoculateIT For Linux Vulnerabili...
BugTraq ID: 9616
Remote: No
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9616
Summary:
Multiple vulnerabilities have been reported in eTrust InoculateIT for
Linux operating systems, including issues with temporary files that could
allow for symbolic link attacks and permissions problems that could permit
local attackers to modify sensitive information.

The following specific vulnerabilities were reported:

The insecure temporary file issues are reported to exist in the following
scripts:
ino/scripts/inoregupdate
scripts/uniftest
scripts/unimove

Due to the way in which these scripts create temporary files, it will be
possible for a remote attacker to create a symbolic link in the
location that temporary files will be created.  This will cause operations
that are intended to be performed on temporary files to be performed on
files pointed to by the malicious symbolic link.  The most likely
consequences will be destruction of sensitive files, though in some
circumstances, if the attacker can control the data written in the attack,
it may be possible to gain elevated privileges.

There are insecure permissions on the eTrustAE.lnx/tmp/.caipcs/.sem
directory, allowing local attackers to modify sensitive configuration
files for the software.

The software installs several registry files that contain various software
settings.  These registry files are included to simulate software settings
in the Windows Registry on Linux installations of the software.  Some of
these files are reported to allow modification by unprivileged local
users, which could be exploited to lower security settings for the
software, such as removing scanned file types from the current user's
registry setting.  Hard-coded search paths for executables may also be
embedded in user-modifiable registry files, allowing for execution of
arbitrary code with elevated privileges in some circumstances.

[ I am including this one as an example of how anti-virus products very
  often create more problems than they solve on a well-administered
  system.
]

Multiple Red-M Red-Alert Remote Vulnerabilities
BugTraq ID: 9618
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9618
Summary:
Red-Alert is an airspace monitor for unauthorized wireless network
activity.  It is distributed and maintained by Red-M.

Problems in various features have been identified in the Red-M Red-Alert
network monitors.  Because of these issues, an attacker may be able to
crash a vulnerable device and eliminate logs, gain unauthorized access to
the administrative interface, or partially evade detection by an affected
device.

The first problem makes it possible for a remote attacker to crash the
device.  By requesting an URI from the device web server with a length of
1230 or greater bytes, an attacker could force the host to become unstable
and crash.  During the reboot process, the system is not able to log any
activity.  Additionally, the reboot results in the loss of any locally
stored logs.

The second problem makes it possible for an unauthorized user to gain
access to the Red-Alert administration interface.  Red-Alert does not
properly handle authentication, restricting administrative access solely
on the basis of IP address.  In circumstances where network address
translation is performed, a user behind the NAT interface could
potentially gain unauthorized access to the device.

The third problem is in the parsing of Server Set IDs (SSIDs).  Systems
with SSIDs that contain one or more space characters (ASCII character 32)
in the name are logged as a single space character.  This problem could
allow an attacker to evade location through misrepresentation in log
files.

[ firmware ]

Linux Kernel Samba Share Local Privilege Elevation Vulnerabi...
BugTraq ID: 9619
Remote: No
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9619
Summary:
A local privilege escalation vulnerability has been reported to affect the
2.6 Linux kernel.

The issue appears to exist due to a lack of sufficient sanity checks
performed when executing a file that is hosted on a remote Samba share.
This issue has been reported to occur when a setuid or setgid file is made
available as a shared network resource through the samba service. An
attacker, who has local interactive access to an affected host, may mount
the remote share and execute the remote setuid/setgid application. This
will reportedly result in elevated privileges, as the setuid/setgid bit of
the remote file is honored on the local system. The problem exists because
the smb file system is not mounted using mount and ignores the
setuid/setgid permissions from smbmnt.

It should be noted that although this vulnerability has been reported to
affect 2.6 versions of the Linux kernel, other versions might also be
affected.

Conflicting reports suggest that this is expected behavior that results
from the smbmnt utility being setuid root.

It has been reported that the attacker does not have to mount the file
system as a local user.  The vulnerability still exists if root mounts the
file system and the attacker can execute a setuid binary on the server.
Unix extensions have to be enabled on both the client and the server for
this issue to occur.

[ smbfs has always been full of problems ]

GNU Mailman Malformed Message Remote Denial Of Service Vulne...
BugTraq ID: 9620
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9620
Summary:
GNU Mailman is a web integrated software package used for managing
electronic mail discussion and e-newsletter lists.  It is freely
distributed under the GNU Public License.

It has been reported that GNU Mailman is prone to a denial of service
vulnerability.  An attacker could send a carefully crafted message that
would cause the Mailman process to crash.

Successful exploitation of this issue could deny service to legitimate
users.

XFree86 Font Information File Buffer Overflow Vulnerability
BugTraq ID: 9636
Remote: No
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9636
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

It has been reported that the XFree86 X Windows system is prone to a local
buffer overflow vulnerability.  The issue arises from improper bounds
checking when parsing the font.alias file.

The issue occurs in the 'ReadFontAlias()' function in the 'dirfile.c' file
and surrounds the 'alias[1024]' buffer.  The function reads arbitrary
length tokens from the 'font.alias' file without performing any bounds
checking.  The function stops reading the file once white spaces are
reached.  It then uses the 'strcpy()' function to copy the input into the
'alias[1024]' buffer.  An attacker may exploit this issue to execute
arbitrary code within the context of the XFree86 process, potentially
gaining root privileges on the affected system.

This issue has been reported to affect version 4.1.0 through 4.3.0
inclusive; it is likely however that this issue affects earlier versions
of the software as well.

Samba mksmbpasswd.sh Insecure User Account Creation Vulnerab...
BugTraq ID: 9637
Remote: Yes
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9637
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. Samba ships with several helper scripts, one of these scripts
is mksmbpasswd.sh, which is used to aid in user account creation.

The mksmbpasswd.sh shell script is reported prone to a vulnerability. The
issue results in the creation of insecure user accounts. Specifically it
has been reported that a password initialization problem in the
mksmbpasswd.sh shell script results in user accounts being created with
insecure passwords.

The issue surrounds the passwords for disabled user accounts.  In some
cases the affected script may overwrite these passwords with uninitialized
memory.  If an attacker were able to ascertain the contents of memory used
to overwrite disabled account passwords they may be able to gain
unauthorized access.

A remote attacker may exploit this issue by accessing a Samba share using
an insecure account that was created using the affected script.

Mutt Menu Drawing Remote Buffer Overflow Vulnerability
BugTraq ID: 9641
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9641
Summary:
Mutt is a freely available, open source mail user agent (MUA).  It is
available for the Unix and Linux platforms.

A problem in the handling of some types of input has been identified in
Mutt.  Because of this, a remote attacker may be able to crash a
vulnerable client.

The problem is in the handling of specially-crafted strings.  Upon
embedding particular strings of arbitrary length in an e-mail, a remote
user can force a buffer overflow in the menu drawing function of mutt.
This problem could potentially also be exploited to overwrite arbitrary
structures in process memory, and potentially execute code with the
privileges of the mutt user.

Specifics concerning the mechanics of this bug are not currently
available.

[ even a text-mode mail client can be the target of attacks. ]

Monkey HTTP Daemon Missing Host Field Denial Of Service Vuln...
BugTraq ID: 9642
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9642
Summary:
Monkey is an open source Web server written in C, based on the HTTP/1.1
protocol. It is available for Linux platforms.

Monkey HTTP Daemon is prone to denial of service attacks. HTTP GET
requests which do not include a 'Host' header field will trigger this
condition. This issue is reportedly due to a programming error in the
get_real_string() function.

The server will need to be restarted to regain normal functionality.

SandSurfer Unspecified User Authentication Vulnerability
BugTraq ID: 9647
Remote: Yes
Date Published: Feb 08 2004
Relevant URL: http://www.securityfocus.com/bid/9647
Summary:
SandSurfer is a web-based time keeping application.  It is available for
Unix/Linux variants.

An unspecified vulnerability related to user authentication was reported
in SandSurfer that may allow remote attackers to gain unauthorized access
to the software.

There are no further technical details at the time of writing.

[ language?  licence? ]

XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulne...
BugTraq ID: 9652
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9652
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

It has been reported that the XFree86 X Windows system is prone to a local
buffer overflow vulnerability.  The issue arises from improper bounds
checking performed in the CopyISOLatin1Lowered() function on data before
it is copied into a 1024 byte buffer. Specifically, the size of data that
is permitted to be copied is taken from the size of the user-supplied
string, rather than the size of the intended buffer.

It has been reported that excessive data (2048 bytes) read from the
font.alias file, as a value for the lexToken argument of
CopyISOLatin1Lowered(), will overrun the bounds of the font_name buffer.
An attacker may exploit this issue to execute arbitrary code within the
context of the XFree86 process, potentially gaining root privileges on the
affected system.

This issue has been reported to affect version 4.1.0 through 4.3.0
inclusive; it is likely however that this issue affects earlier versions
of the software as well.
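The two XFree86 font.alias reports above (BIDs 9636 and 9652) describe the same defect class: a token of arbitrary length read from font.alias is copied into a 1024-byte buffer with the limit taken from the source string rather than the destination. The following is an added C example, not XFree86's code: the unchecked strcpy() pattern beside bounded variants that refuse a 2048-byte token; the function names and the sample font.alias line are constructed.

```c
#include <ctype.h>
#include <string.h>

#define ALIAS_MAX 1024   /* same fixed size as the alias[1024]/font_name buffers */

/* Vulnerable pattern (illustrative, not XFree86's code): nothing compares the
 * token with the destination size, so a token over 1023 bytes overruns alias[]. */
static void copy_alias_unchecked(char alias[ALIAS_MAX], const char *token)
{
    strcpy(alias, token);
}

/* Hardened form: the bound comes from the destination; overlong input is
 * rejected (return -1) so the caller can skip the malformed font.alias entry. */
static int copy_alias_checked(char *alias, size_t alias_size, const char *token)
{
    size_t n = strlen(token);
    if (n >= alias_size) return -1;
    memcpy(alias, token, n + 1);
    return 0;
}

/* Lowercasing copy in the spirit of CopyISOLatin1Lowered(), limited by
 * dst_size rather than by the caller's string length. ASCII only (C locale). */
static int copy_lowered_checked(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dst_size) return -1;       /* would overrun: reject */
        dst[i] = (char)tolower((unsigned char)src[i]);
    }
    dst[i] = '\0';
    return 0;
}

/* Reads one whitespace-delimited token from a font.alias line into tok.
 * Returns the token length, or -1 if it would not fit in tok_size. */
static int read_token(const char *line, char *tok, size_t tok_size)
{
    size_t i = 0;
    while (isspace((unsigned char)*line)) line++;
    while (line[i] != '\0' && !isspace((unsigned char)line[i])) {
        if (i + 1 >= tok_size) return -1;
        tok[i] = line[i];
        i++;
    }
    tok[i] = '\0';
    return (int)i;
}

/* Constructed font.alias line "<alias> <real font name>": the bounded reader
 * yields "Fixed" (5 bytes), lowered to "fixed". The unchecked copy is safe
 * here only because that token is short. Returns 1 on success. */
static int sample_alias_ok(void)
{
    static const char line[] =
        "Fixed -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso8859-1";
    char tok[ALIAS_MAX], alias[ALIAS_MAX];
    if (read_token(line, tok, sizeof tok) != 5) return 0;
    copy_alias_unchecked(alias, tok);
    return copy_lowered_checked(alias, sizeof alias, tok) == 0 &&
           strcmp(alias, "fixed") == 0;
}

/* Constructed check: a 2048-byte token (the length cited in BID 9652) must be
 * refused by the bounded reader, the bounded copy and the lowering copy. */
static int long_token_is_rejected(void)
{
    char big[2049], out[ALIAS_MAX];
    memset(big, 'A', 2048); big[2048] = '\0';
    return read_token(big, out, sizeof out) == -1 &&
           copy_alias_checked(out, sizeof out, big) == -1 &&
           copy_lowered_checked(out, sizeof out, big) == -1;
}
```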

AIM Sniff Temporary File Symlink Attack Vulnerability
BugTraq ID: 9653
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9653
Summary:
AIM Sniff is a network reconnaissance tool that is used to specifically
target AIM traffic.

AIM Sniff has been reported prone to a symbolic link vulnerability. The
issue presents itself because the aimSniff.pl script creates temporary
files in an insecure manner. Specifically, when the aimSniff.pl script is
invoked (and debugging mode is enabled) a temporary file "/tmp/AS.log" is
created. To exploit this issue, a local attacker may create a symbolic
link in the "tmp" directory in place of the "/tmp/AS.log" file. The link
will point to an arbitrary file that the attacker wishes to target. When
the vulnerable script is invoked, operations that were intended for the
temporary file will be carried out on the file that is linked by the
malicious symbolic link.

An attacker may exploit this issue to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or in a
system wide denial of service.

It has been reported that a user will require root privileges to invoke
the affected script; this may magnify the impact of this vulnerability.

Mailmgr Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 9654
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9654
Summary:
Mailmgr is an application for analyzing Sendmail logs and generating
reports in HTML.  It is available for Unix/Linux variants.

Mailmgr is reported to be prone to a vulnerability related to temporary
file handling.  The specific issue is that a number of temporary files are
created in an insecure manner, potentially providing malicious local users
with an opportunity to launch symbolic link attacks and cause files to be
corrupted.

The following temporary files are created in an insecure manner:
/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort

It is possible to create a symbolic link that is named after one of these
files.  When the program is run by another user, any operations that were
intended to be performed on these files (such as creating them or
appending to them), would actually be performed on the file pointed to by
the symbolic link.  The only caveat is that the user running the
application must have permission to write to the file pointed to by the
symbolic link.  This would most likely result in a denial of service or
destruction of data as critical or sensitive files may be corrupted, but
under some circumstances this type of vulnerability could lead to elevated
privileges.  The possibility of exploiting these particular issues to gain
elevated privileges has not been confirmed.

This issue was reported to exist in Mailmgr 1.2.3.  Other versions are
also likely affected.
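Three entries in this issue (BIDs 9616, 9653 and 9654) are the same temporary-file mistake: a predictable name under /tmp opened without checking what already sits there. Added C example, not the code of Mailmgr, AIM Sniff or eTrust, showing the two standard fixes: mkstemp(3) for an unpredictable, atomically created 0600 file, and O_CREAT|O_EXCL|O_NOFOLLOW when the name must stay fixed, exercised against a symlink planted in a private scratch directory; all function names and paths are constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static const char *tmpdir(void)            /* TMPDIR if set, else /tmp */
{
    const char *d = getenv("TMPDIR");
    return (d != NULL && *d != '\0') ? d : "/tmp";
}

/* Fix 1 for the reported pattern (a fixed name such as /tmp/mailmgr.tmp opened
 * with fopen(..., "w"), which follows a planted symlink and truncates its target):
 * an unpredictable name created atomically, O_EXCL and mode 0600, by mkstemp(3).
 * Returns the fd and stores the chosen path in path_out. */
static int open_tmp_secure(char *path_out, size_t path_size)
{
    char tmpl[300];
    int fd;
    if (snprintf(tmpl, sizeof tmpl, "%s/mailmgr.XXXXXX", tmpdir()) >= (int)sizeof tmpl)
        return -1;
    fd = mkstemp(tmpl);
    if (fd >= 0) snprintf(path_out, path_size, "%s", tmpl);
    return fd;
}

/* Fix 2, when the name must stay fixed: create-only. O_EXCL makes open() fail
 * with EEXIST if anything, a symlink included, already sits at that path. */
static int open_fixed_name_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Post-open check on the descriptor (not the path, so no race): regular file,
 * one link, owned by us, private mode. */
static int fd_looks_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == geteuid() && (st.st_mode & 0777) == 0600;
}

/* Creates a temp file with Fix 1, verifies it, removes it. Returns 0 on success. */
static int secure_tmp_roundtrip(void)
{
    char path[300];
    int fd = open_tmp_secure(path, sizeof path), ok;
    if (fd < 0) return -1;
    ok = fd_looks_private(fd) && write(fd, "x", 1) == 1;
    close(fd); unlink(path);
    return ok ? 0 : -1;
}

/* Constructed scenario: in a private scratch directory, plant a symlink named
 * mailmgr.tmp (dangling is enough; the attacker's target need not exist yet),
 * then show that Fix 2 refuses it with EEXIST. Returns 0 if the open was blocked. */
static int planted_symlink_is_refused(void)
{
    char dir[300], link_path[320];
    int rc = 0, fd;
    snprintf(dir, sizeof dir, "%s/mmgrdemo.XXXXXX", tmpdir());
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/mailmgr.tmp", dir);
    if (symlink("/nonexistent/victim", link_path) != 0) rc = -1;
    fd = open_fixed_name_secure(link_path);
    if (fd >= 0) { close(fd); rc = -1; }                 /* must not succeed */
    else if (errno != EEXIST) rc = -1;
    unlink(link_path); rmdir(dir);
    return rc;
}
```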

XFree86 Unspecified Vulnerability
BugTraq ID: 9655
Remote: Unknown
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9655
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

XFree86 has been reported prone to an unspecified vulnerability
(CAN-2004-0106). It is likely that this issue is related to BID 9652
(XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability) and
BID  9636 (XFree86 Font Information File Buffer Overflow Vulnerability),
although this has not been confirmed. The issue is reported to present
itself due to programming flaws in procedures used to parse or read font
files.

It is believed that this issue affects version 4.1.0 through 4.3.0
inclusive, just like BIDs 9652 and 9636; it is likely however that this
issue also affects earlier versions of the software.

This BID will be updated as further details regarding this issue are
disclosed.



