[gull-annonces] SecurityFocus Newsletter #231 summary

Marc SCHAEFER schaefer at alphanet.ch
Tue Jan 13 12:11:02 CET 2004


VCard4J Toolkit HTML Injection Vulnerability
BugTraq ID: 9343
Remote: Yes
Date Published: Jan 02 2004
Relevant URL: http://www.securityfocus.com/bid/9343
Summary:
VCard4J Toolkit is a Java-based toolkit for manipulating vCards.  It
includes various Java APIs for parsing vCard data.

VCard4J Toolkit is prone to a HTML injection vulnerability.  This issue
may be exploited through a malicious vCard.  Hostile HTML and script code
injected into the malicious vCard may be rendered at some point after the
application has processed the malicious vCard.  The consequences and
exploitability of this issue could vary depending on how components are
used in an implementation, but theoretically this could result in theft of
cookie-based authentication credentials if the toolkit were implemented on
a site that processed an untrusted vCard.  Other attacks are also
possible.

[ license? ]

Cherokee HTTP Post Remote Content Length Denial Of Service V...
BugTraq ID: 9345
Remote: Yes
Date Published: Jan 01 2004
Relevant URL: http://www.securityfocus.com/bid/9345
Summary:
Cherokee is a freely available, open source web server software package.
It is available for the Unix and Linux platforms.

A problem has been identified in the handling of HTTP POST requests by
Cherokee.  Because of this, it may be possible for a remote attacker to
deny service to legitimate users of a vulnerable server.

The problem is in the handling of HTTP Content-Length header fields.  When
a POST request is made, Cherokee may react unpredictably when a
Content-Length header field is not supplied with the POST.  This has been
reported to result in a denial of service issue.  It is conjectured that
this issue may not be limited to just a denial of service, though
available information is insufficient to make a further determination.

This Bugtraq ID will be further updated if more information becomes
available.

Linux Kernel do_mremap Function Boundary Condition Vulnerabi...
BugTraq ID: 9356
Remote: No
Date Published: Jan 05 2004
Relevant URL: http://www.securityfocus.com/bid/9356
Summary:
A vulnerability involving the do_mremap system function has been reported
in the Linux kernel, allowing for local privilege escalation.

The mremap(2) system call is used to resize and relocate Virtual Memory
Areas (VMA).  It calls the kernel do_mremap function internally.  Due to a
bounds checking issue within the function, it is possible for local
attackers to disrupt the operation of the kernel.  It is reported that
this flaw may be exploited to create a malicious VMA of zero bytes in
length.  The malicious VMA may disrupt other memory management operations
in the kernel, potentially causing system instability.  Attack vectors
also exist that may permit a local attacker to gain root privileges.

This type of vulnerability will permit a remote attacker who has already
gained limited privileges on a host to fully compromise the system.

Because the 2.2 kernel series does not support the affected MREMAP_FIXED
flag, it is not reported to be prone to this issue.

The patch:

diff -urN linux-2.4.23/mm/mremap.c linux-2.4.24/mm/mremap.c
--- linux-2.4.23/mm/mremap.c	2003-08-25 04:44:44.000000000 -0700
+++ linux-2.4.24/mm/mremap.c	2004-01-05 05:53:56.000000000 -0800
@@ -241,6 +241,13 @@
 
 		if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
 			goto out;
+		/*
+		 * Allow new_len == 0 only if new_addr == addr
+		 * to preserve truncation in place (that was working
+		 * safe and some app may depend on it).
+		 */
+		if (unlikely(!new_len && new_addr != addr))
+			goto out;
 
 		/* Check if the location we're moving into overlaps the
 		 * old location at all, and fail if it does.
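Review bot: the new check only rejects a zero new_len when new_addr differs from addr; the in-place case (new_len == 0 with new_addr == addr) deliberately falls through to the overlap check below, so the hunk should state which later code handles that zero-length truncation safely, given that the advisory above attributes the flaw to exactly a zero-length VMA being created. Minor: the comment reads "that was working safe"; "that was working safely" is clearer.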

OpenBSD PF State Tracking Spoofed Packet Vulnerability
BugTraq ID: 9362
Remote: Yes
Date Published: Jan 05 2004
Relevant URL: http://www.securityfocus.com/bid/9362
Summary:
PF is the Packet Filter distributed with OpenBSD.  It is maintained and
distributed by the OpenBSD project, and available for the Unix operating
system.

A problem in the handling of packets has been reported when stateful
inspection is activated.  Because of this, it may be possible for an
attacker to circumvent traffic filtering by PF.

The problem is in the handling of packets that match the firewall's
current state sessions.  An attacker sending custom packets with data
crafted to match known current states could bypass firewall rules,
resulting in communication with restricted hosts.  The problem affects all
interfaces on which the firewall operates and has stateful filtering
enabled.

mpg321 MP3 File Remote Format String Vulnerability
BugTraq ID: 9364
Remote: Yes
Date Published: Jan 06 2004
Relevant URL: http://www.securityfocus.com/bid/9364
Summary:
mpg321 is a command-line media player for Unix/Linux variants.

A remotely exploitable format string vulnerability is present in mpg321.
The source of the problem is incorrect usage of printf() functions,
allowing format specifiers to be supplied directly to the vulnerable
functions from external data.  This issue is likely exposed when the media
player handles MP3 meta data such as information included in ID3 tags,
though this has not been confirmed.

This issue could be exploited if a malicious MP3 file is played by a user,
either by opening the file manually or by streaming the malicious file.
Format string vulnerabilities permit attackers to overwrite arbitrary
locations in memory with attacker-specified data, giving the attacker a
means of controlling execution flow of the vulnerable program.  This will
permit for execution of arbitrary code in the context of the user invoking
the media player.

nd Multiple Buffer Overrun Vulnerabilities
BugTraq ID: 9365
Remote: Yes
Date Published: Jan 06 2004
Relevant URL: http://www.securityfocus.com/bid/9365
Summary:
nd is a command-line WebDAV interface for Unix/Linux platforms.

Multiple buffer overrun vulnerabilities were reported in nd.  The source
of the vulnerabilities appears to be multiple instances where sprintf()
operations are performed on server-supplied data without proper bounds
checking.

These issues may be exploited by a malicious WebDAV server.  If the server
supplies malicious data to the software that is sufficient in length to
trigger one of the conditions, then it will be possible to overrun
adjacent regions of memory with the superfluous data.  If a sensitive
variable in memory, such as a return address, can be overwritten then it
will be possible to control the execution flow of the program.  This will
result in execution of arbitrary code.

ZyXEL ZyWALL 10 Management Interface Cross-Site Scripting Vu...
BugTraq ID: 9373
Remote: Yes
Date Published: Jan 06 2004
Relevant URL: http://www.securityfocus.com/bid/9373
Summary:
ZyWALL 10 firewalls are prone to cross-site scripting attacks via the web
management interface of affected devices.  This is due to insufficient
validation of user-supplied input that will be included in web pages
generated by the software.  The specific issue is in the 'rpAuth_1'
program included in the management interface.

An attacker will likely exploit this issue by enticing a victim user to
follow a malicious link to a site hosting the software that contains
embedded HTML and script code. The embedded code may be rendered in the
web browser of the victim user.

This could potentially be exploited to steal cookie-based authentication
credentials from legitimate users. Other attacks are also possible since
the attacker can influence how the management pages will be rendered to
the victim user.

[ firmware ]

Edimax AR-6004 ADSL Router Management Interface Cross-Site S...
BugTraq ID: 9374
Remote: Yes
Date Published: Jan 06 2004
Relevant URL: http://www.securityfocus.com/bid/9374
Summary:
Edimax AR-6004 ADSL Routers are prone to cross-site scripting attacks via
the web management interface of affected devices.  This is due to
insufficient validation of user-supplied input that will be included in
web pages generated by the software.

An attacker will likely exploit this issue by enticing a victim user to
follow a malicious link to a site hosting the software that contains
embedded HTML and script code. The embedded code may be rendered in the
web browser of the victim user.

This could potentially be exploited to steal cookie-based authentication
credentials from legitimate users. Other attacks are also possible since
the attacker can influence how management pages will be rendered to the
victim user.

[ firmware ]

Debian FSP Vulnerabilities
BugTraq ID: 9377
Remote: Yes
Date Published: Jan 07 2004
Relevant URL: http://www.securityfocus.com/bid/9377
Summary:
The File Service Protocol (FSP) is a file transfer protocol that is an
alternative to FTP.  A set of FSP client and server tools is included with
Debian Linux.  It has been reported that there are two vulnerabilities
present in the implementation of FSP included with Debian Linux.

The first vulnerability is an access validation error that can allow for a
client to access parts of the filesystem outside of the FSP root
directory.  Exploitation may result in a disclosure of sensitive
information to malicious users.

The second vulnerability is a buffer overflow condition that can be
exploited by clients to execute instructions on the target server.  This
may result in a full compromise of the underlying host.

At this time, further technical details are not known.

[ actually they are, see http://www.debian.org/security/2004/dsa-416 ]

VBox3 For ISDN4Linux Local Privilege Escalation Vulnerabilit...
BugTraq ID: 9381
Remote: No
Date Published: Jan 07 2004
Relevant URL: http://www.securityfocus.com/bid/9381
Summary:
isdn4linux is a freely available, open source package of Linux kernel
module ISDN compatibility tools. It is available for Linux operating
systems. vbox3 is a voice response system for isdn4linux.

vbox3 has been reported prone to a local privilege escalation
vulnerability. The issue is reported to occur because the vbox3 software
does not lower execution privilege before accepting and interpreting a
user-supplied TCL script. A local user may potentially exploit this
condition to have arbitrary TCL code executed with elevated privileges.
Potentially this vulnerability may provide for unfettered access to a
vulnerable system for local users.

ISC INN Control Message Handling Buffer Overrun Vulnerabilit...
BugTraq ID: 9382
Remote: Yes
Date Published: Jan 08 2004
Relevant URL: http://www.securityfocus.com/bid/9382
Summary:
ISC INN is a Usenet/NNTP implementation that is available for Unix and
Linux platforms.

ISC has reported a remotely exploitable buffer overrun in INN.  This issue
exists in the control message handling code that was introduced into
version 2.4.0.  This code is responsible for special filing of control
messages into per-type newsgroups.

The issue exists in the 'art.c' source file and is due to an operation
where externally supplied data is copied into a static buffer without
sufficient bounds checking.  This could cause adjacent regions of memory
to be overrun with attacker-specified data, allowing remote attackers to
overwrite sensitive variables in memory to control the execution flow of
the program.  It may be possible to exploit this issue to execute arbitrary
code in the context of the innd process.  It should be noted that innd is
designed to drop privileges after binding to port 119, so successful
exploitation would typically only yield the privileges of the news user.

[ version 2.3.x not vulnerable ]
