[gull-annonces] Summary of SecurityFocus Newsletter #237

Marc SCHAEFER schaefer at alphanet.ch
Thu Feb 26 13:41:01 CET 2004


Paul Daniels SignatureDB sdbscan Local Buffer Overflow Vulne...
BugTraq ID: 9661
Remote: No
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9661
Summary:
SignatureDB is a signature database used to provide
signatures/fingerprints of common annoying emails/files, not specifically
viruses.  SignatureDB is composed of two components, a signature database
and a signatureID (sdbscan) program, used to scan files.

The SignatureDB 'sdbscan' program has been reported to be prone to a local
buffer overflow vulnerability. The condition is present due to
insufficient boundary checking.  The issue may be exploited by supplying
an excessive value for the 'key' parameter in the 'ringsearch.c' file.  It has
been reported that an attacker can specify a configuration file containing
an excessively long path for the database file to be used by the 'sdbscan'
program.  This path is passed to the code in 'ringsearch.c' via the
'key' parameter.  The immediate consequence of an attack may be a
denial of service condition.

A local attacker may leverage the issue by exploiting an unbounded memory
copy operation to overwrite the saved return address/base pointer, causing
the affected procedures to return to an address of their choice.
Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the affected application.

mnoGoSearch UdmDocToTextBuf Buffer Overflow Vulnerability
BugTraq ID: 9667
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9667
Summary:
mnoGoSearch is multi-platform web search engine software for Intranet and
Internet servers. mnoGoSearch stores every document that is indexed, by
splitting the document into four sections and storing these sections in a
database. When this content is retrieved, a function concatenates all of
the sections and presents it to the client.

The function UdmDocToTextBuf() used to concatenate the sections has been
reported prone to a buffer overflow condition. The issue exists due to a
lack of sufficient boundary checks performed before copying concatenated
data into a reserved stack based buffer.

A remote attacker may exploit this condition by indexing a malicious large
document that is sufficient to trigger this issue, and then making a
request for that same document. When the sections of this document are
processed, data that exceeds the size of the reserved buffer in
stack-based memory may be written past the end of the buffer corrupting
adjacent memory. If memory adjacent to this buffer contains saved values
that are crucial to controlling execution flow of the affected service,
the attacker may replace these values with attacker supplied values,
ultimately influencing execution flow into attacker-controlled memory.
This may lead to the execution of attacker-supplied instructions in the
context of the vulnerable mnoGoSearch server.

[ license? language? ]

ShopCartCGI Remote File Disclosure Vulnerability
BugTraq ID: 9670
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9670
Summary:
ShopCartCGI is a commercially available collection of CGI scripts
implemented using Perl and intended to form the foundation for a web based
shopping cart application.

It has been reported that ShopCartCGI is prone to a remote file disclosure
vulnerability.  This issue is due to insufficient validation of
user-supplied input passed via a URI parameter.

The problem revolves around the 'gotopage.cgi' and 'getindexpage.cgi'
scripts. An attacker may be able to submit a request to the affected
application while specifying the file to be viewed.  The application fails
to validate the location of the requested file and will display any files
on the system, which are readable by the web server.

This issue has been reported to affect version 2.3 of the software,
however it is possible that earlier versions are affected as well.

Upon successful exploitation of this issue, an attacker may be able to
gain access to sensitive system files, potentially facilitating further
attacks.

YABB SE Quote Parameter SQL Injection Vulnerability
BugTraq ID: 9674
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: http://www.securityfocus.com/bid/9674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for Unix, Linux, and Microsoft Operating
Systems.

A vulnerability in YaBB SE could make it possible for a remote user to
launch SQL injection attacks.

It has been reported that the issue exists due to insufficient sanitizing
of the 'quote' URI parameter, making it possible for a remote user to inject
arbitrary SQL queries into the database used by YaBB SE. This could permit
remote attackers to pass malicious input to database queries, resulting in
modification of query logic or other attacks.

Successful exploitation could result in compromise of the YaBB SE,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.

The proof of concept supplied within the report allows an attacker to gain
access to users' password hashes.

YaBB SE versions 1.5.4 and 1.5.5 have been reported to be affected by this
issue, however, other versions could be affected as well.

[ license? language? ]

YaBB Information Leakage Weakness
BugTraq ID: 9677
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9677
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl.  YaBB will run on most Unix/Linux variants, Mac
OS, and Microsoft Windows platforms.

YaBB is prone to a weakness that may permit remote users to enumerate
usernames.  The cause of this issue is that YaBB returns different
responses depending on whether a guessed username is valid when the
user attempts to log in. This information could aid in further
attacks.

It should be noted that this issue would only present a security risk on
installations that do not allow guests or anonymous web users to browse
the forum, in which case remote users would not be privy to usernames.
Otherwise this information would already be publicly accessible.

This issue was reported in YaBB 1 Gold - SP 1.3.1.  Other versions may
also be affected.

APC SmartSlot Web/SNMP Management Card Default Password Vuln...
BugTraq ID: 9681
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9681
Summary:
APC SmartSlot Web/SNMP Management Card provides a remote administration
solution for APC SmartSwitch and UPS products. APC SmartSlot Web/SNMP
Management Card provides for Serial Console, TELNET, HTTP, and SNMP
access.

APC SmartSlot Web/SNMP Management Card has been reported prone to a
default password vulnerability. This password is reportedly used during
initial card configuration, prior to public distribution. It has been
reported that an attacker may access any of the affected services, if they
are available, by passing the following case sensitive password to the
authentication procedures:
TENmanUFactOryPOWER
It does not matter whether the attacker passes a valid username. Once
authenticated, an attack scenario has been demonstrated in which, by
employing memory enumeration, an attacker may potentially reveal stored
plaintext authentication credentials.

The impact of this issue may be exacerbated if the same authentication
credentials are used to access multiple hosts.

[ backdoor; firmware ]

Snort Signature Mislabeling Weakness
BugTraq ID: 9683
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: http://www.securityfocus.com/bid/9683
Summary:
A weakness has been identified in Snort that may cause an analyst or the
correlation engine to improperly identify a signature that was triggered
by the IDS.  This issue may lead to mischaracterization of potentially
malicious network traffic, resulting in leaving the system vulnerable due
to false assumptions.

It has been reported that, under unspecified circumstances, the
application may incorrectly classify network traffic with a "MS-SQL Worm
propagation attempt" label or other labels.  This could present a
security risk in a situation where many false positives for MS-SQL Worm
propagation (or other mislabeled alerts) are generated: misreported
traffic may mistakenly be treated as innocuous if it is not inspected
thoroughly via some other means, such as manual examination of
packets.

Snort versions 2.0.6 and 2.1.0 have been reported to be prone to this
weakness.

Linux Kernel do_mremap Function VMA Limit Local Privilege Es...
BugTraq ID: 9686
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9686
Summary:
A vulnerability involving the do_mremap system function has been reported
in the Linux kernel, allowing for local privilege escalation.  The
mremap(2) system call is used to resize and relocate Virtual Memory Areas
(VMA).

It has been reported that in order to move a part of the virtual memory
from inside a VMA area to a new location, it is required that a new VMA
descriptor is created and the underlying page table entries are copied as
described by the VMA from the old to the new location in the process's
page table.  The do_mremap function is responsible for this task and it
calls the kernel do_munmap() function to eliminate the old
virtual memory mapping and any existing virtual memory mapping in the new
location.  The issue presents itself because the return value of the
do_munmap() function is not properly verified.  If the maximum amount of
VMAs (65535) for a process has been achieved and part of an existing
memory mapping is unmapped, the maximum number of available VMA
descriptors may be exceeded.  The missing return value check allows the
corresponding page table entries from one VMA to be inserted into the page
table location still described by the previous VMA, where they are
therefore subject to the previous VMA's page protection flags.

Furthermore, it has been reported that two other unchecked calls from
do_mremap() to do_munmap() may present another exploitable instance of
the same problem.  This occurs when the VMA to be remapped is truncated.

Successful exploitation of this issue may allow a local attacker with
limited privileges on a host to fully compromise the system because
special privileges are not required to use the mremap(2) system call.  The
issue may also allow a denial of service condition on available system
memory.

Linksys WAP55AG SNMP Community String Insecure Configuration...
BugTraq ID: 9688
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9688
Summary:
Linksys WAP55AG is a wireless routing appliance. SNMP (Simple Network
Management Protocol) is used to allow remote configuration of hardware.
Configuration is accomplished through read and write strings.

The Linksys WAP55AG appliance has been reported prone to an insecure default
configuration vulnerability.

It has been reported that all SNMP MIB (Management Information Base)
community strings, including read/write strings, may be disclosed to a
remote attacker who queries OID 1.3.6.1.4.1.3955.2.1.13.1.2.

An attacker may disclose specific information, such as MAC hardware
addresses, route table data and other configuration details for hosts that
are on the internal protected network. It may also be possible for the
attacker to manipulate the appliance configuration through writeable
strings.

Exploitation of this vulnerability may be used to aid in further attacks
against the victim network.

[ firmware ]


Linux Kernel Vicam USB Driver Userspace/Kernel Memory Copyin...
BugTraq ID: 9690
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9690
Summary:
It has been reported that the Vicam USB driver does not access userspace
memory in a safe manner.  The source of the problem is that the
copy_from_user function is not used by the driver.  This function is used
to copy a block of memory from userspace into kernel memory.  This is
reported to present unspecified local security risks.

Though unconfirmed, this could theoretically present a situation where
memory in userspace is copied into kernel memory in a manner that causes
kernel structures or other sensitive variables in kernel memory to be
corrupted.  This type of issue could possibly lead to privilege escalation
or a denial of service condition, though this is also not confirmed.

This issue is reported to exist in kernel versions prior to 2.4.25.

Further technical details related to this issue are not known at this
time.  This BID will be updated as more information is made available.

Linux Kernel NCPFS ncp_lookup() Unspecified Local Privilege ...
BugTraq ID: 9691
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9691
Summary:
NCPFS is a suite of programs that allow users to access a Novell server.
NetWare servers can be mounted under Linux by NCPFS and functionality to
print with NetWare printers is provided.

An unspecified local privilege escalation vulnerability has been reported
to exist in the ncp_lookup() function of NCPFS.  This issue may allow
a local user to gain elevated privileges. Exploitation of this
vulnerability may result in a compromise of root access by local
attackers.

Due to a lack of details further information cannot be provided at the
moment. This BID will be updated as more information becomes available.

Metamail Multiple Buffer Overflow/Format String Handling Vul...
BugTraq ID: 9692
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9692
Summary:
Metamail is a multi-platform utility that was originally developed by
Bellcore, but is no longer maintained. Metamail parses and decodes MIME
encoded email.

Metamail has been reported prone to multiple vulnerabilities that may
provide for arbitrary code execution.

The first issue, a format string handling vulnerability, is reported to
present itself when metamail handles a message that consists of a
multipart/alternative data type. Format specifiers that exist as a value
for the Content-Type header in one of the message body parts will be
interpreted as format directives, providing for arbitrary writes into
process memory.  The issue exists due to programming errors in fprintf()
calls in the function SaveSquirrelFile() of the source file metamail.c.

The second issue, again a format string handling vulnerability, is
reported to present itself when a processed email message contains
specially encoded non-ASCII characters including malicious format
specifiers in the email header. This vulnerability may provide a conduit
for an attacker to influence arbitrary writes into process memory space.
The issue exists due to programming errors in a printf() call in the
function PrintHeader() of the source file metamail.c.

A third issue, resulting from a lack of sufficient boundary checks, has
been reported to exist due to an unsafe strcpy() call in the function
PrintHeader() of the source file metamail.c. The issue is triggered when
the value in an email message header used to identify a character set is
of excessive length; it has been reported that the message headers must
also consist of encoded non-ASCII characters.

The final vulnerability exists in the splitmail executable. This issue is
due to a lack of sufficient boundary checks performed on Subject values
contained in email headers. The issue may be triggered if the splitmail
executable is used to process a malicious email that contains a Subject
line of sufficient length to overflow the bounds of a reserved buffer in
process memory. The issue exists due to an unsafe strcpy() call in the
function ShareThisHeader() of the source file splitmail.c.

This BID will be broken up into unique BIDs, as further analysis of these
issues is completed. The following CVE IDs have been associated with these
vulnerabilities (CAN-2004-0104) and (CAN-2004-0105).
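The two bug classes in the Metamail entry (a header value reaching fprintf() as the format string, and strcpy() of a header token into a fixed buffer) beside a hardened equivalent, as an added example that is not Metamail's code. The function names, the CHARSET_MAX size and the sample header values are assumptions; the bounded-copy half applies equally to the stack-buffer overflows in the mnoGoSearch and SignatureDB entries above.

```c
/* Added example, not Metamail's code. Names and sizes are illustrative. */
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 64   /* assumed size of the fixed charset buffer */

/* Vulnerable pattern, kept as a comment so the block compiles cleanly:
 *   fprintf(out, value);          -- header value becomes the format string
 *   strcpy(charset, value);       -- no bound on the header token length
 */

/* Hardened: the header value is always data, never the format. Returns the
 * length the line would need, so a caller can detect truncation. */
int render_header(char *out, size_t outlen, const char *name, const char *value)
{
    return snprintf(out, outlen, "%s: %s\n", name, value);
}

/* Hardened: bounded copy of the charset token. Oversized values are
 * rejected rather than silently truncated (a cut charset is still wrong). */
int copy_charset(char charset[CHARSET_MAX], const char *value)
{
    size_t n = strlen(value);
    if (n >= CHARSET_MAX)
        return -1;
    memcpy(charset, value, n + 1);
    return 0;
}

/* Detection helper for a mail scanner: does a header value contain format
 * directives that a printf-style sink would interpret? "%%" is ignored. */
int has_format_directives(const char *value)
{
    for (const char *p = value; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {        /* escaped literal percent sign */
            p++;
            continue;
        }
        if (p[1] != '\0')
            return 1;
    }
    return 0;
}

int main(void)
{
    char line[256], cs[CHARSET_MAX], longval[CHARSET_MAX + 1];
    /* Constructed sample values, shaped like the headers the entry describes. */
    const char *ctype = "text/plain; charset=%x%x%n";
    memset(longval, 'A', CHARSET_MAX);
    longval[CHARSET_MAX] = '\0';

    render_header(line, sizeof line, "Content-Type", ctype);
    fputs(line, stdout);   /* the directives are printed literally */
    printf("directives present: %d\n", has_format_directives(ctype));
    printf("oversized charset rejected: %d\n", copy_charset(cs, longval));
    return 0;
}
```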

Linux Kernel execve() Malformed ELF File Unspecified Local D...
BugTraq ID: 9695
Remote: No
Date Published: Feb 18 2004
Relevant URL: http://www.securityfocus.com/bid/9695
Summary:
It has been reported that the Linux Kernel is prone to a local denial of
service vulnerability due to an inability of the execve() system function
to handle exceptional conditions.

The issue surrounds the failure of the execve() system function to
properly handle malformed ELF (Executable and Linkable Format) binaries.  The
immediate consequences of this issue may allow an attacker to cause the
Linux kernel to fail, denying service to legitimate users.

This BID will be updated with further technical details if more
information is made available.

Cisco ONS Platform Vulnerabilities
BugTraq ID: 9699
Remote: Yes
Date Published: Feb 19 2004
Relevant URL: http://www.securityfocus.com/bid/9699
Summary:
Cisco has reported multiple vulnerabilities affecting various ONS
platforms, allowing for unauthorized access and denial of service attacks.
These optical platforms are all managed via XTC, TCC+/TCC2, TCCi/TCC2, and
TSC control cards.

The following specific issues were reported:

TFTP services (via port 69/UDP) on some ONS platforms allow
unauthenticated access to TFTP GET/PUT commands.  This could be used to
upload or retrieve ONS system files on the TCC in the /flash0 or /flash1
directories.  Cisco has reported that this does not affect user files.
This could disclose sensitive information but would also likely result in
a denial of service.  This issue affects Cisco ONS 15327, ONS 15454, ONS
15454 SDH and Cisco ONS 15600 platforms.

A denial of service attack was reported which may occur via network
management application port (1080/TCP) on affected platforms.  This issue
is exposed when the final ACK packet in the TCP three-way handshake is
not sent, causing affected platforms to enter an invalid TCP state.  An
attacker with network access to affected devices could trigger this issue
by sending an invalid response instead of an ACK.  The denial of service
condition would persist until the control card is rebooted, effectively
denying network manageability functions.  This issue is reported to affect
Cisco ONS 15327, ONS 15454 and ONS 15454 SDH hardware.  The Cisco ONS
15600 Multiservice Switching Platform is not vulnerable.

The underlying VxWorks operating system provides telnet access to some
platforms for superusers.  It has been reported that if a superuser
account has been locked out, disabled, or suspended, the user may still
authenticate and access the VxWorks shell.  This affects Cisco ONS 15327,
ONS 15454, ONS 15454 SDH and Cisco ONS 15600 platforms.

It should be noted that the various ONS platforms are intended to be
deployed on networks that are physically separated from the Internet, so
exposure to these issues by remote attackers is limited.

This cumulative BID will be divided into three distinct BIDs when further
analysis is complete.

[ firmware ]
