[gull-annonces] Summary of SecurityFocus Newsletter #229

Marc SCHAEFER schaefer at alphanet.ch
Sun Jan 4 20:11:02 CET 2004


OpenBSD Tcpdump Remote Denial of Service Vulnerability
BugTraq ID: 9263
Remote: Yes
Date Published: Dec 20 2003
Relevant URL: http://www.securityfocus.com/bid/9263
Summary:
tcpdump is a freely available, open source network monitoring tool.

It has been reported that tcpdump is vulnerable to a denial of service
when certain packet types are received. By sending a maliciously formatted
packet containing the bytes 0xff,0x02 to UDP port 1701 of a system running a
vulnerable version of tcpdump, an attacker can cause the L2TP protocol
parser in tcpdump to enter an infinite loop that consumes all available
memory.

Further reports indicate that when tcpdump handles a malicious L2TP control
packet with optional bits set and invalid payload data, the
l2tp_avp_print() function is called. This function is reported to fall into
tight, unbounded recursion, passing the bad data back to itself on each
call.

Although unconfirmed, this issue may allow an attacker to cause a buffer
overflow in the application leading to arbitrary code execution.

This issue is reported to affect tcpdump 3.7 and prior running on OpenBSD
3.3 and -current, however other versions on different platforms could be
affected as well.
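To make the failure mode concrete, the following is an added example in C
(not tcpdump's code) of an L2TP AVP walker that trusts the length field
beside one that checks it. It assumes the RFC 2661 AVP layout: a 16-bit
word whose top two bits are the M and H flags and whose low 10 bits give
the total AVP length including the 6-byte header, then a 16-bit vendor ID
and a 16-bit attribute type. The sample AVP sections are constructed for
the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not tcpdump's code. RFC 2661 AVP header:
 *   bits 15..14: M (mandatory) and H (hidden) flags, bits 9..0: total length
 *   2 bytes vendor ID, 2 bytes attribute type, then the value. */
#define AVP_HDR_LEN 6
#define AVP_LEN_MASK 0x03ffu

/* Unchecked walker: trusts the length field to advance the cursor. An AVP
 * that claims a length of 0 (or anything below AVP_HDR_LEN) leaves `off`
 * where it was, so the loop never terminates. The iteration cap exists
 * only so the example can be run; the function returns the offset reached. */
size_t l2tp_walk_avps_unchecked(const uint8_t *buf, size_t len, int iteration_cap)
{
    size_t off = 0;
    int iters = 0;
    while (off + 1 < len && iters++ < iteration_cap) {
        size_t avp_len = (size_t)(((buf[off] << 8) | buf[off + 1]) & AVP_LEN_MASK);
        off += avp_len;   /* no progress check */
    }
    return off;
}

/* Bounded walker: every iteration either consumes at least AVP_HDR_LEN
 * bytes or returns, so it terminates on any input. Returns the number of
 * AVPs seen, or -1 if the buffer is malformed. */
int l2tp_walk_avps(const uint8_t *buf, size_t len, int max_avps)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < AVP_HDR_LEN)
            return -1;                          /* truncated header */
        unsigned flen = (unsigned)(buf[off] << 8) | buf[off + 1];
        size_t avp_len = flen & AVP_LEN_MASK;
        if (avp_len < AVP_HDR_LEN)
            return -1;   /* would not advance: the non-terminating case above */
        if (avp_len > len - off)
            return -1;   /* AVP runs past the end of the packet */
        unsigned vendor = (unsigned)(buf[off + 2] << 8) | buf[off + 3];
        unsigned type   = (unsigned)(buf[off + 4] << 8) | buf[off + 5];
        (void)vendor; (void)type;   /* a real printer would dispatch on these */
        /* the value occupies buf[off + 6 .. off + avp_len) */
        off += avp_len;
        if (++count > max_avps)
            return -1;   /* cap the number of AVPs as a second line of defence */
    }
    return count;
}

/* Constructed sample inputs (AVP section only, no L2TP control header). */
static const uint8_t good_avps[] = {
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* Message Type = SCCRQ */
    0x80, 0x08, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00,   /* Protocol Version 1.0 */
};
static const uint8_t stuck_avps[] = {
    0x80, 0x00, 0x00, 0x00, 0x00, 0x01,               /* M set, length 0 */
};
```

The checked walker rejects `stuck_avps` immediately, whereas the unchecked
one spins at offset 0 until its cap runs out; in a recursive printer the
same non-advancing length turns into unbounded recursion.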

PServ Web Server Directory Traversal Vulnerability
BugTraq ID: 9276
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9276
Summary:
pServ is a freely available, open source web server package.  It is
available for the Unix and Linux platforms.

A vulnerability has been identified in the handling of certain types of
requests by pServ.  Because of this, it is possible for an attacker to
gain access to potentially sensitive system files.

The problem is in the handling of directory traversal strings. When a
request containing double-slash (//) sequences is sent to a pServ web
server, the program allows a remote user to escape the web root directory.
This issue could be exploited to gain read access to files on a host running
the vulnerable software, limited to files readable by the web server
process.
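The robust fix is to canonicalise the request path before mapping it onto
the document root, rather than pattern-matching for "..". Below is an added
example in C (not pServ's code) that collapses runs of slashes, resolves
"." and ".." against a segment stack, and refuses any path that would climb
above the root. It assumes the path has already been percent-decoded; the
paths in the comments are constructed test inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Added example, not pServ's code. Returns 0 and writes the canonical
 * path (always starting with '/') to out, or -1 if the request tries to
 * climb above the root or does not fit. Runs of '/' count as one
 * separator, which is what defeats the "//" trick. */
int normalize_request_path(const char *req, char *out, size_t outsz)
{
    size_t seg_start[MAX_DEPTH];   /* offset in out where each segment begins */
    int depth = 0;
    size_t olen = 0;
    const char *p = req;

    if (outsz < 2)
        return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == '/')          /* "//" and "///" are one separator */
            p++;
        if (!*p)
            break;
        const char *s = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - s);
        if (n == 1 && s[0] == '.')
            continue;
        if (n == 2 && s[0] == '.' && s[1] == '.') {
            if (depth == 0)
                return -1;         /* would escape the document root */
            olen = seg_start[--depth];
            out[olen] = '\0';
            continue;
        }
        if (depth == MAX_DEPTH || olen + 1 + n + 1 > outsz)
            return -1;
        seg_start[depth++] = olen;
        out[olen++] = '/';
        memcpy(out + olen, s, n);
        olen += n;
        out[olen] = '\0';
    }
    if (olen == 0) {
        out[0] = '/';
        out[1] = '\0';
    }
    return 0;
}

/* Joins the canonical path onto the document root. Because the canonical
 * form never contains ".." or empty segments, the result lies under root. */
int map_to_webroot(const char *root, const char *req, char *out, size_t outsz)
{
    char canon[512];
    if (normalize_request_path(req, canon, sizeof canon) != 0)
        return -1;
    if (snprintf(out, outsz, "%s%s", root, canon) >= (int)outsz)
        return -1;
    return 0;
}
```

With this, "/docs//../../etc/passwd" is rejected outright and
"/docs//index.html" maps to "/var/www/docs/index.html". Symlinks inside the
root are a separate concern that lexical normalisation does not address.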

Red Hat Linux 2.4 Kernel Multiple Potential Vulnerabilities
BugTraq ID: 9284
Remote: No
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9284
Summary:
Red Hat has released a 2.4 kernel update for Red Hat Linux to fix multiple
potential security issues.

The issues are as follows:

Red Hat has reported that the ioctls of several RTC drivers have been fixed
to prevent potential data leaks. A privileged attacker may be able to
exploit this condition to gain access to sensitive data. This may be
related to BID 9154.

A previous kernel upgrade may have caused certain "--reject-with
tcp-reset" iptables rules to malfunction. This may lull an administrator
into a false sense of security or introduce security exposures, since
existing or newly created rules may not function as intended.

It has been reported that if a bonding interface that does not have an IP
address is brought up, the bonding code in the kernel may panic on a NULL
pointer dereference. Triggering this normally requires superuser
privileges, but it could be exposed through third-party setuid applications
that perform this operation, though this has not been confirmed.

Other non-security related issues were also addressed in this upgrade.

ViewCVS Viewcvs.py Cross-Site Scripting Vulnerability
BugTraq ID: 9291
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9291
Summary:
ViewCVS is an application that allows users to browse CVS repositories via
the web.

ViewCVS is prone to a cross-site scripting vulnerability.  This issue
exists in the 'viewcvs.py' script and is due to insufficient sanitization
of user-supplied input that is included in error pages.  A remote
attacker could take advantage of this issue by constructing a malicious
link to a site running the vulnerable software that includes embedded
hostile HTML and script code.  If this link is visited by a victim user,
the attacker-supplied code may be rendered in their browser in the context
of the site.

This could permit theft of cookie-based authentication credentials since
the attacker's script code may access properties of the vulnerable site as
the user visiting the malicious link.  This vulnerability will also permit
other types of attacks because the attacker may influence how the site is
rendered to the victim of the attack.
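The fix for this class of bug is to escape user-controlled input for the
HTML context it lands in before echoing it into the error page. As an
added example (not ViewCVS's code, which is Python), here is an escaping
routine in C together with a constructed error-page template showing it in
use.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ViewCVS's code. Escapes the five characters that can
 * break out of HTML text or a quoted attribute, so a path or parameter
 * echoed back in an error page renders literally instead of as markup.
 * Returns the length written, or -1 if out is too small (never truncates). */
long html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n + 1 > outsz)
            return -1;
        if (rep)
            memcpy(out + o, rep, n);
        else
            out[o] = (char)*p;
        o += n;
    }
    out[o] = '\0';
    return (long)o;
}

/* Builds the error page body with the echoed path escaped. The markup is
 * a constructed template for the example, not ViewCVS's. */
int render_not_found(const char *requested, char *out, size_t outsz)
{
    char safe[1024];
    if (html_escape(requested, safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(out, outsz, "<p>Error: %s does not exist.</p>", safe);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
```

This escaping is correct for element content and quoted attribute values
only; input placed inside a script block or a URL needs its own encoding.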

Squirrelmail G/PGP Encryption Plugin Remote Command Executio...
BugTraq ID: 9296
Remote: Yes
Date Published: Dec 25 2003
Relevant URL: http://www.securityfocus.com/bid/9296
Summary:
Squirrelmail is a freely available, open source webmail package.  It is
available for the Unix and Linux platforms.

A problem in the handling of some types of input passed to the
Squirrelmail G/PGP Plugin has been discovered.  This issue may make it
possible for a remote user to gain unauthorized access to a system hosting
the vulnerable application.

The problem is in the checking of input.  When an e-mail is sent to a user
through a Squirrelmail installation that uses the G/PGP plugin, the
plugin does not sufficiently sanitize the To: line.  An attacker can
therefore embed shell commands in the To: line of a message composed
through Squirrelmail; when the message is encrypted with the G/PGP plugin,
the attacker-supplied commands are executed.

It should be noted that this issue is limited by the permissions of the
web server process.

**December 26, 2003 - The vendor has reported that Squirrelmail version
1.4.2 is not vulnerable to this issue, however, Squirrelmail version 1.4.0
with GPG version 1.2 is reportedly vulnerable.  This information cannot be
completely verified at the moment; therefore this BID will be updated as
more information becomes available.
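The underlying pattern is a recipient address spliced into a command string
that a shell parses. The added example below (in C, not the plugin's PHP
code) shows that pattern beside the two defences that close it: a strict
allowlist on the address, and passing arguments as an argv array so no
shell ever interprets them. The allowlisted character set and the
demonstration command are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not the G/PGP plugin's code. */

/* Vulnerable pattern (for contrast only): the recipient is spliced into a
 * command string a shell will parse, so ';', '`', '$(...)' and '|' in the
 * To: line become commands. */
int build_gpg_cmd_unsafe(const char *recipient, char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz, "gpg --batch --encrypt -r %s", recipient);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

/* Defence 1: allowlist the recipient before it goes near a command line.
 * RFC 5322 allows more than this; the set is a deliberately strict
 * assumption for the example. */
int is_safe_recipient(const char *r)
{
    static const char extra[] = "@.-_+";
    size_t n = strlen(r);
    if (n == 0 || n > 254)
        return 0;
    for (const char *p = r; *p; p++) {
        unsigned char c = (unsigned char)*p;
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || strchr(extra, c) != NULL;
        if (!ok)
            return 0;
    }
    return 1;
}

/* Defence 2: never hand the string to a shell. execvp() takes an argv
 * array, so each element reaches the program as exactly one argument no
 * matter what metacharacters it holds. Returns the child's exit status. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Demonstration: hand a hostile recipient to /bin/sh as one argv element
 * and have the shell test whether "$1" still contains the ';' literally.
 * Returns 1 if it arrived as data (nothing was executed), 0 otherwise.
 * In production the argv would be gpg's, after is_safe_recipient(). */
int semicolon_reaches_program_as_data(const char *recipient)
{
    char *argv[] = { "/bin/sh", "-c",
                     "case \"$1\" in *\\;*) exit 0;; *) exit 1;; esac",
                     "sh", (char *)recipient, NULL };
    return run_argv(argv) == 0;
}
```

Both defences belong together: the allowlist stops junk from reaching gpg
at all, and the argv interface means that even a missed character cannot
turn into a second command.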

GNU Indent Local Heap Overflow Vulnerability
BugTraq ID: 9297
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9297
Summary:
GNU Indent is a tool that reformats C source code, making it easier to
read.

An overflow condition has been identified in the software that may allow
an attacker to execute arbitrary code on a vulnerable system.

The issue has been reported to exist in the handle_token_colon() function
of the software.  The problem is reported to present itself when the
application parses a C source file (*.c).  It has been reported that
indent copies data from the file into a 1000-byte heap buffer without
sufficient boundary checking.  A heap overflow may be triggered,
potentially corrupting heap memory management structures.  This can result
in critical memory being overwritten and, ultimately, code execution with
the privileges of the user running indent.

GNU Indent version 2.2.9 has been reported to be prone to this issue,
however, other versions may be affected as well.

Surfboard httpd Remote Buffer Overflow Vulnerability
BugTraq ID: 9299
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9299
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.

A vulnerability has been identified in Surfboard web server when handling
certain URL requests. Because of this, it may be possible for a remote
attacker to gain unauthorized access to a system running the vulnerable
software. The condition is present due to insufficient boundary checking.

The issue presents itself when an attacker sends a specially crafted URL
request of more than 1024 characters to the server daemon.  The immediate
consequence of an attack is a denial of service condition.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access, however, this has not been confirmed at the moment.

Surfboard version 1.1.9 has been reported to be prone to this issue,
however, other versions may be affected as well.
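The indent and Surfboard reports above are the same defect in two places:
an unbounded copy into a fixed buffer, once on the heap (a 1000-byte token
buffer) and once on the stack (a URL buffer of 1024 bytes). The following
added example in C (neither project's code) shows the stack-buffer pattern
beside a bounded replacement, and a growable buffer for the token case
where the input has no natural upper limit. The buffer sizes and the
over-long request line are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example; neither indent's nor Surfboard's code. */

#define URL_MAX 1024

/* Unsafe pattern (for contrast only; never call on untrusted input): the
 * request line is copied into a fixed stack buffer with no length check.
 * A line longer than URL_MAX overwrites the saved frame pointer and
 * return address above `url`, the overwrite the Surfboard report describes. */
int parse_url_unsafe(const char *request_line)
{
    char url[URL_MAX];
    strcpy(url, request_line);
    return (int)strlen(url);
}

/* Hardened: check that the input fits, terminator included, before
 * touching the buffer, and refuse rather than silently truncate. memchr()
 * bounds the scan so an unterminated input is not read past urlsz either. */
int parse_url_bounded(const char *request_line, char *url, size_t urlsz)
{
    const char *nul = memchr(request_line, '\0', urlsz);
    if (nul == NULL)
        return -1;                 /* longer than urlsz - 1: reject */
    size_t n = (size_t)(nul - request_line);
    memcpy(url, request_line, n + 1);
    return (int)n;
}

/* For a token that may be arbitrarily long (indent's case), a fixed heap
 * allocation is the wrong tool: grow the buffer, checking the arithmetic. */
struct tokbuf {
    char *data;
    size_t len, cap;
};

int tokbuf_append(struct tokbuf *t, const char *s, size_t n)
{
    if (n > SIZE_MAX - t->len - 1)
        return -1;                              /* size would wrap */
    if (t->len + n + 1 > t->cap) {
        size_t ncap = t->cap ? t->cap : 64;
        while (ncap < t->len + n + 1) {
            if (ncap > SIZE_MAX / 2)
                return -1;
            ncap *= 2;
        }
        char *p = realloc(t->data, ncap);
        if (p == NULL)
            return -1;
        t->data = p;
        t->cap = ncap;
    }
    memcpy(t->data + t->len, s, n);
    t->len += n;
    t->data[t->len] = '\0';
    return 0;
}

void tokbuf_free(struct tokbuf *t)
{
    free(t->data);
    t->data = NULL;
    t->len = t->cap = 0;
}

/* Constructed input: a request line far longer than URL_MAX. */
size_t make_long_line(char *buf, size_t bufsz)
{
    size_t n = bufsz - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return n;
}
```

The bounded parser turns the 1024-character request into a clean error
instead of a smashed frame, and the growable token buffer never has a
fixed edge for a long source line to run past.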

Apache mod_php Module File Descriptor Leakage Vulnerability
BugTraq ID: 9302
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9302
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. Mod_PHP is an Apache
module which allows for PHP functionality in websites.

A vulnerability has been reported to exist in the Apache mod_php module
that may allow local attackers to gain access to privileged file
descriptors.  This issue could be exploited by an attacker to hijack a
vulnerable server daemon.

It has been reported that the file descriptor of the socket listening on
port 443, normally used for Secure Sockets Layer (SSL), is leaked to the
mod_php module and to any processes it spawns.  PHP scripts, and any
processes they start, can therefore access the privileged port.

This issue may allow an attacker to pose as a legitimate server to
clients.  An attacker may also steal sensitive information such as user
credentials and other authentication information.
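The mitigation for a descriptor leak of this kind is to mark the listening
socket close-on-exec so that it vanishes from any program a script
executes, and the check a practitioner wants is one that actually execs
something and sees whether the descriptor is still there. Both are shown in
the added example below (in C, not Apache's or PHP's code); the loopback
listener and the `sh -c 'exec 9>&N'` probe are constructed for the example.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not Apache's or PHP's code. */

/* Marks fd close-on-exec: it disappears when a child execs a new program
 * but still survives fork(), which is what a pre-forking server needs. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Returns 1 if FD_CLOEXEC is set, 0 if not, -1 if fd is invalid. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Creates a TCP listener on 127.0.0.1:port with FD_CLOEXEC set before the
 * socket is ever exposed to a child. Port 0 lets the kernel pick a port;
 * a real server would use 443. Returns the fd or -1. */
int make_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (set_cloexec(fd) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The check: does a program exec'd from this process still see fd? Runs
 * `sh -c 'exec 9>&N'`, which succeeds (exit 0) only if descriptor N is
 * still open after exec. Returns 1 if the fd leaked, 0 if it was closed,
 * -1 on error. The child's stderr is sent to /dev/null to hide sh's
 * "Bad file descriptor" message in the closed case. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 9>&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, 2);
            close(devnull);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int rc = WEXITSTATUS(status);
    return rc == 0 ? 1 : (rc == 127 ? -1 : 0);
}
```

A plain socket is reported by fd_survives_exec() as leaked; after
set_cloexec() the same probe reports it closed. Running the probe against
every listening descriptor from a child of the server is a quick way to
audit a module for this class of leak.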

[ In general I don't report bugs related to PHP scripts, but this one
  is a bug in Apache.
]


