[gull-annonces] Summary of SecurityFocus Newsletter #232

Marc SCHAEFER schaefer at alphanet.ch
Mon Jan 26 09:21:02 CET 2004


Multiple Vendor bzip2 Antivirus Software Denial of Service V...
BugTraq ID: 9393
Remote: Yes
Date Published: Jan 09 2004
Relevant URL: http://www.securityfocus.com/bid/9393
Summary:
Multiple vendor antivirus software applications have been reported to be
prone to a denial of service vulnerability.  This issue presents itself
when an affected application attempts to decompress an excessively large
bzip2 archive.  It has been reported that the antivirus applications
attempt to decompress a bzip2 archive and store it on the local file
system before scanning the files for malicious code.  The applications may
fail to properly detect for anomalies such as the size of the archive.
Therefore, it is possible for an attacker to create an excessively large
bzip2 archive (containing 2GB of 0x31 characters), which may cause a
denial of service condition in the antivirus application upon
decompression.

Successful exploitation of this issue may allow an attacker to cause a
denial of service condition in the antivirus software due to resource
exhaustion, leading to a crash or hang.  A successful attack could also
leave a system vulnerable to malicious code threats.

Kaspersky AntiVirus for Linux 5.0.1.0, Trend Micro InterScan VirusWall 3.8
Build 1130, and McAfee Virus Scan for Linux v4.16.0 have been reported to
be prone to this issue, however, it is likely that other products are
affected as well.

[ explosive attack on antivirus software. Can also have disk space impacts
  => quota
]

Jitterbug CGI Remote Arbitrary Command Execution Vulnerabili...
BugTraq ID: 9397
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9397
Summary:
Jitterbug is a freely available, open source bug tracking system written
in CGI.  It is available for the Linux platform.

A vulnerability has been identified in the handling of input by Jitterbug.
Because of this, an attacker may be able to gain unauthorized access to
vulnerable systems.

Due to the nature of this bug and the fact that it is hosted by a web
server process, it is likely that exploitation of this issue results in
command execution with the privileges of the web server process.  However,
specific details about this issue are not currently available.  This
vulnerability will be further updated as additional information becomes
available.

Zope Multiple Vulnerabilities
BugTraq ID: 9400
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9400
Summary:
Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to carry out attacks resulting from improper input
validation, access validation, information disclosure, and various
improper security checks on a vulnerable system.  Successful exploitation
of these issues may lead to cross-site scripting attacks, denial of
service conditions, and other attacks.

The following specific issues have been identified:

The ZSearch interface has been reported to be prone to a cross-site
scripting vulnerability.  Successful exploitation of this issue may allow
a remote attacker to carry out cross-site scripting attacks by enticing a
victim user to follow a malicious link to a site hosting the software that
contains embedded HTML and script code. The embedded code may be rendered
in the web browser of the victim user in the security context of the site
hosting the vulnerable software.

A denial of service vulnerability has been identified in
'ZTUtils.SimpleTree' that may allow an attacker to cause a denial of
service condition in the software.  This condition results from improper
state handling.

An access validation issue has been reported to exist in the admin "find"
functions.  This issue may lead to an attacker gaining access to sensitive
information without proper authentication.

An unspecified access validation issue has been identified in the
PropertyManager 'lines' and 'tokens' properties.  It has been reported
that some property types are stored in a mutable data type (list) and may
allow untrusted code to effect changes on the properties without proper
security validation.

An unspecified access validation issue may exist in the DTMLDocument
objects.  This issue could allow an attacker to gain access to sensitive
information.

Another access validation issue has been identified in DTMLMethods.  It
has been reported that DTMLMethods proxy rights may be incorrectly
inherited when traversing to a parent object.

A denial of service vulnerability has been identified in DTML tag
'dtml-tree' that may allow an attacker to cause a denial of service
condition in the software.

An information disclosure vulnerability is reported to exist in the
software.  This issue may allow an attacker to disclose certain attributes
via XML-RPC marshalling of class instances.

An access validation issue has been reported to exist in the software that
may allow unauthorized access to certain variables.  This issue occurs due
to improper initialization of PythonScript class security.

A denial of service vulnerability exists in RESPONSE.write() that may
allow an attacker to pass malicious unicode values, causing the Zserver
main loop to terminate and resulting in a crash or hang.

An access validation issue may exist in the software due to unpacking via
function calls, variable assignment, exception variables without
sufficient security check.  This issue may allow an attacker to gain
access to sensitive data.

Another access validation issue may allow an attacker to execute a
malicious script on a vulnerable system in order to gain unauthorized
access to certain objects.  This issue results from improper verification
of variables bound to page templates and Python scripts such as 'context'
and 'container'.

An unspecified error has been reported to exist due to the use of min,
max, enumerate, iter, and sum in untrusted code.

An issue has been identified in the use of 'import as' in Python scripts
that may allow an attacker to bypass security checks.

Another access validation issue has been identified in the list and
dictionary instance methods that may allow an attacker to gain
unauthorized access to certain objects.  A similar issue has also been
identified in for loops, list comprehensions, and other iterations of
untrusted code.

Further analysis of these issues is currently underway.  This BID will be
separated into individual BIDs upon completion of analysis.

These issues have been reported to exist in Zope versions 2.6.2 and prior
and development releases 2.7.0 beta3.  Other versions could be affected as
well.

Mod-Auth-Shadow Apache Module Expired User Credential Weakne...
BugTraq ID: 9404
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9404
Summary:
Mod-Auth-Shadow is a module for the Apache server that authenticates users
against the /etc/shadow file on Unix and Linux platforms.

A problem has been identified in mod-auth-shadow that may permit a user to
gain access to a system after the expiration of their credentials.  This
weakness may result in users gaining access to the web site outside of the
period of validity for their credentials.

The problem is in the handling of expiration data entered into the
/etc/shadow file.  Specific details of this weakness are not available.
This vulnerability entry will be updated when further information becomes
available.

Multiple Vendor H.323 Protocol Implementation Vulnerabilitie...
BugTraq ID: 9406
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9406
Summary:
The H.323 protocol is used in various telephony and multimedia products in
IP networks.  It may be used in hardware products supporting multimedia
conferencing as well as various operating systems.

The H.225 subcomponent of the H.323 protocol was found to have multiple
vulnerabilities in various vendor implementations of the protocol.  H.225
is most commonly used as a component of Voice over IP (VoIP).  These
vulnerabilities may range from a denial of service to potential arbitrary
code execution.

For a complete listing of vulnerable vendors and products, see the
referenced advisory.

Not all vendor advisories are currently available.  Once more information
becomes available on specific vulnerabilities contained in affected
products, this BID will be split into separate records.

Cisco has reported that Cisco IOS 11.3T and all later Cisco IOS versions
might be affected if the software supports voice or multimedia
applications.

[ your IP phone has buffer overflows ]

SuSE YaST SuSEconfig.gnome-filesystem Local Insecure File Cr...
BugTraq ID: 9411
Remote: No
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9411
Summary:
YaST helps configure and reconfigure SuSE Linux systems. The
SuSEConfig.gnome-filesystem script is designed to set up the GNOME
environment.

SuSEconfig.gnome-filesystem has been reported prone to an insecure file
creation vulnerability that may be exploited to corrupt arbitrary files.
The issue has been reported to present itself because the
SuSEconfig.gnome-filesystem script will follow symbolic links (symlinks)
when writing certain specific files.

Ultimately a local user may exploit this condition by creating a symlink
in the place of the vulnerable SuSEconfig.gnome-filesystem file. The
malicious symlink will point to an arbitrary file on the system. When an
unsuspecting user invokes SuSEconfig.gnome-filesystem, potentially via the
YaST software, the file linked by the symlink will be corrupted; the file
corruption will occur only if the user invoking
SuSEconfig.gnome-filesystem has sufficient privileges to write to the
target file. A local user may leverage this condition to corrupt arbitrary
files, triggering a system wide denial of service or potentially elevating
their system privileges.

SuSE Linux 9.0 has been reported to be prone to this issue, however, other
versions could be affected as well.

[ YaST is not free software; but since it is a very widespread component ... ]

Snort_Inline Rule 2077 Failure Vulnerability
BugTraq ID: 9415
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9415
Summary:
snort_inline is a modified version of Snort. snort-inline is designed to
accept packets from iptables, it then instructs iptables as to whether the
packet should be dropped based on a snort rule set.

snort_inline has been reported prone to a vulnerability. The issue is said
to occur when snort_inline is configured so that the action for rule 2077
(Rule to flag for BID 6572 Mambo Site Server Arbitrary File Upload
Vulnerability) is to drop the packets. It has been reported that
regardless of this rule, after a period of time has elapsed snort_inline
will permit the attacker's requests, even though this traffic is supposedly
categorically denied.

This may lead a network administrator into a false sense of security,
believing that communications based on the vulnerable rule set are
blocked, when in fact they are not.

KAME Racoon "Authentication" SA Deletion Vulnerability
BugTraq ID: 9416
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9416
Summary:
KAME Racoon is an IPSec key management daemon developed for BSD Unix
platforms that is used for negotiating and configuring security
associations in authenticated or encrypted network traffic.

It has been reported that it may be possible for attackers to remotely
delete security associations (SAs) in hosts running the KAME IKE daemon
Racoon.

The issue presents itself when the Racoon daemon receives and handles a
specially crafted delete message. The delete message will consist of an
Initiator-Cookie of a Main/Aggressive/Base mode that has not yet set up a
security association for ISAKMP. Racoon erroneously fulfills the malicious
request provided that the malicious message includes a dummy hash payload
and originates from the correct IP address, which can be easily spoofed.

To exploit this vulnerability an attacker would carry out a two-step
process after first creating an IPsec tunnel to the server using a spoofed
IP address. The attacker will then craft a malicious message in a manner
that is sufficient to trigger the vulnerability. Ultimately, if successful
the attacker may delete security associations, resulting in a disruption
of service.

KAME Racoon "Initial Contact" SA Deletion Vulnerability
BugTraq ID: 9417
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9417
Summary:
KAME Racoon is an IPSec key management daemon developed for BSD Unix
platforms that is used for negotiating and configuring security
associations in authenticated or encrypted network traffic.

It has been reported that it may be possible for attackers to remotely
delete security associations (SAs) in hosts running the KAME IKE daemon
Racoon.

The issue presents itself when the Racoon daemon receives and handles a
specially crafted delete message. An attacker would exploit this issue by
initializing an IPsec session with the vulnerable server and proceeding to
inject a malicious ISAKMP message into the phase one communication.
Racoon will simply execute the message, which may cause the deletion of
all security associations (SAs) "relative to the destination address".

This vulnerability is reportedly much easier to exploit and much more
effective than the issue described as Bugtraq ID 9416.

Exploitation of this vulnerability may result in a disruption of service.

KDE Personal Information Management Suite VCF File Remote Bu...
BugTraq ID: 9419
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9419
Summary:
KDE Personal Information Management Suite (kdepim) helps users organize
mail, tasks, appointments, contacts etc.  It is packaged with KDE, a
graphical desktop for the X Window System.

A buffer overflow vulnerability has been reported to exist in the KDE
Personal Information Management Suite (kdepim) that may allow a remote
attacker to execute arbitrary code on a vulnerable system. The issue
presents itself when an attacker sends a malformed VCF file to a user on a
vulnerable system.  Due to a problem with the file information reader of
VCF files, an attacker may be able to execute arbitrary code on a
vulnerable system if the malicious VCF file is opened by the user.

The condition exists due to insufficient boundary checking. Because of
this, it may be possible for a remote attacker to gain unauthorized access
to a system running the vulnerable software.

Successful exploitation of this vulnerability may allow a remote attacker
to execute arbitrary code in the context of the user.

TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Over...
BugTraq ID: 9423
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9423
Summary:
tcpdump is a freely available open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.

Multiple buffer overflow vulnerabilities have been reported to exist in
tcpdump that may allow a remote attacker to gain unauthorized access to a
system running the vulnerable software. The conditions are present due to
insufficient boundary checking.

The conditions are reported to exist in the ISAKMP decoding routines of
tcpdump.  It has been reported that a remote attacker may be able to cause
a buffer overrun condition by sending specially crafted packets to a
vulnerable system.  Immediate consequences of a successful attack may
cause a denial of service condition in the software, however, it has been
reported that an attacker may be able to execute arbitrary code on a
vulnerable system as the 'pcap' user.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of these issues may allow an attacker to execute arbitrary
code as the 'pcap' user in order to gain unauthorized access.

Some of the issues are reported to affect tcpdump versions prior to 3.8.1
and others reportedly affect all versions up to and including tcpdump
3.8.1.

This vulnerability record will be divided into multiple Bugtraq IDs when
analysis of the individual issues is complete. Some of these issues may
already be known. Where it is appropriate, existing Bugtraq IDs will also
be updated to reflect the information in the advisory.

Linux Kernel 32 Bit Ptrace Emulation Full Kernel Rights Vuln...
BugTraq ID: 9429
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9429
Summary:
Unix and Unix-like kernels offer a debugging facility called ptrace.
Ptrace allows for one process to 'attach' to another and inspect/modify
its memory. Updating certain sections of memory (system registers) that
control a process's privileges must be carefully verified to ensure that
privilege is not escalated.

A vulnerability has been discovered in the 32-bit ptrace emulation in the
Linux kernel on x86_64 (AMD64) architectures.  This vulnerability allows a
user space program to gain full control of the kernel due to a failure to
validate information stored in a system register.

It has been reported that due to improper validation of the data written
to the EFLAGS register of a child process it is possible for a user
process to set itself, or another process, to ring 0 privileges.  Ring 0
is the highest possible privilege level, and so the user space process can
gain full control of the vulnerable kernel.

This issue arises because the PTRACE_SETREGS request, when used to set the
EFLAGS register, fails to retain the previous state of the system flags.
At every write to the EFLAGS register, the ptrace software clears all of
the EFLAGS flags that are restricted to privileged processes.  This results
in setting the I/O Privilege Level (via the IOPL flag in the EFLAGS
register) to ring 0, giving the process the ability to write to memory
space outside of its own.  Another result of this is that all maskable
interrupts become disabled.  This could be used to crash the kernel and
therefore result in denial of service.

This issue is known to affect the 2.4 Linux kernels that support the
x86_64 (AMD 64) architecture, however other versions of the kernel may also
be vulnerable for x86_64 (AMD64) processors.

Further information concerning this issue is not currently available. This
BID will be updated as more information becomes available.

[ seems to concern only the 64-bit AMD architecture ]

ELM frm Command Remote Buffer Overflow Vulnerability
BugTraq ID: 9430
Remote: Yes
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9430
Summary:
ELM is a mail user agent for unix.

A buffer overflow vulnerability has been reported to exist in ELM e-mail
client that may allow a remote attacker to execute arbitrary code on a
vulnerable system.

It has been reported that a remote attacker may be able to cause a buffer
overrun condition by sending a message with an excessively long header
field.  Specifically, the issue is presented if the maliciously crafted
message is opened by a user via the 'frm' command.  The condition exists
due to insufficient boundary checking. Because of this, it may be possible
for a remote attacker to gain unauthorized access to a system running the
vulnerable software.

Successful exploitation of this vulnerability may allow a remote attacker
to execute arbitrary code in the context of the user running the affected
mail client.

Although unconfirmed, ELM versions 2.5.6 and prior may be vulnerable to
this issue.

QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
BugTraq ID: 9432
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9432
Summary:
qmail is a popular Mail Transfer Agent (MTA).

A vulnerability has been reported to exist in qmail-smtpd that may allow a
remote attacker to cause a denial of service condition in the software. It
has been reported that an attacker may be able to crash the current
qmail-smtpd session via a long SMTP request. The problem is reported to
exist due to an integer-handling bug. It has been reported that the excessive
SMTP session data causes a signed integer to wrap; this negative value is
then employed as an array subscript. A subsequent attempt to access the
out-of-bounds address based on the wrapped integer will trigger a segment
violation. This may be leveraged by a remote attacker to consume resources
and thereby deny service to legitimate users.

A remote attacker may potentially exploit this vulnerability to crash or
hang a qmail SMTP session.

qmail 1.03 running on a Linux platform has been reported to be prone to
this issue, however, other versions may be affected as well.

SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
BugTraq ID: 9434
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9434
Summary:
3Ddiag is a 3D diagnosis tool designed to evaluate the 3D hardware,
software libraries and hardware driver configuration on SuSE Linux 7.3 and
greater.

A vulnerability has been found in the handling of temporary files by the
3Ddiag tool in the SuSE Linux distribution.  This issue may allow local
destruction of data on affected systems potentially leading to a loss of
sensitive data or denial of service.

This issue is due to the 3Ddiag tool failing to properly handle the
creation and state of temporary files in the /usr/bin/switch2nv,
/usr/bin/switch2nvdia and /usr/bin/3Ddiag.ignoredb applications.

The switch2nv and switch2nvidia scripts, which are used by the 3Ddiag
utility, create a file in the /tmp directory named XF86Config. An attacker
would be able to remove the temporary file and replace it with a malicious
symbolic link pointing to a target file.  When either application is
activated it will write to the link with root privileges and without
verifying the file's validity, causing the target file to be overwritten.

The 3Ddiag.ignoredb application creates a temporary file in the /tmp/
directory named 3Ddiag.ignoredb.  An attacker can create a symbolic link
with a name corresponding to the temporary file.  When the 3Ddiag
application is activated, the target file will be overwritten with root
privileges thus causing loss of sensitive data or denial of service
against the vulnerable system.

This issue is likely only to affect personal desktop machines and poorly
configured servers as this tool is implemented to update software
libraries and hardware configurations, and is not intended for use by
remote users.  Furthermore this tool is only available for SuSE Linux 7.3
and greater.

[ license? ]

OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
BugTraq ID: 9435
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9435
Summary:
OpenCA is an Open Source Certification Authority solution. OpenCA includes
a library to support Crypto procedures; this library is named
crypto-utils.lib.

OpenCA has reported a vulnerability in the crypto-utils.lib library,
specifically in the libCheckSignature() function. This function is
normally employed to load a signature from the OpenCA database and ensure
that the signer certificate matches. However a flaw has been discovered in
the manner in which the affected function operates: the
libCheckSignature() function only performs a comparison on the basis of the
serial of the associated certificate. This may inadvertently lead to the
acceptance of a malicious certificate.

The vendor has reported that, if the signature chain can manufacture a
trust-relationship to the chain directory of OpenCA, and a valid
certificate that possesses a matching serial already exists in the Public
Key Infrastructure that is being used, then the malicious certificate may
be accepted.

The result of this issue is that a malicious party in possession of a
certificate that has been crafted in a manner sufficient to trigger this
vulnerability, could possibly sign something that may verify. This can be
abused to establish a false sense of trust, leading to a variety of other
attacks.

This issue has been reported to affect all versions of OpenCA up to and
including OpenCA version 0.9.1.6.

OpenBSD 3.4 Crypto Card Handlers File Descriptor Leak Vulner...
BugTraq ID: 9436
Remote: No
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9436
Summary:
OpenBSD 3.4 has been reported prone to an undisclosed file descriptor leak
vulnerability. The vendor has reported that this vulnerability may present
problems when a crypto card is installed in the affected system.

Although unconfirmed it has been conjectured that this issue may be
exploited by a local attacker to gain access to a privileged IO channel.
Ultimately this may in turn allow an attacker to become privy to sensitive
data related to cryptological procedures. This, however, has not been
confirmed.

This issue does not affect OpenBSD 3.3.

This BID will be updated as further details regarding this vulnerability
are disclosed.

[ + quite a few PHP things ]
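The bzip2 entry above (BID 9393) comes down to a scanner expanding an archive without bounding the output. As an added illustration, not code from this newsletter, from SecurityFocus or from any of the affected vendors, the following Python sketch shows the check a scanner front-end needs: decompress incrementally and stop as soon as a configured ceiling is passed, so a small archive of repeated 0x31 bytes can never fill the disk or memory. The sample archive, the function names and the limits are constructed for the example.

```python
import bz2
import io

# Constructed sample (not from the advisory): 8 MiB of the 0x31 byte, the
# pattern the BID describes, compressed with bz2. It packs into well under
# 16 KiB, an expansion ratio a scanner must treat as suspicious.
SAMPLE_PLAIN_SIZE = 8 * 1024 * 1024
SAMPLE_BZ2 = bz2.compress(b"\x31" * SAMPLE_PLAIN_SIZE)


class DecompressionLimitExceeded(Exception):
    """Expanded data would exceed the configured ceiling."""


def bounded_bz2_decompress(data, max_output, chunk=64 * 1024):
    """Decompress a single bz2 stream, aborting once max_output bytes exist.

    The incremental decompressor is driven with max_length so that at most
    `chunk` bytes are produced per step, and the running total is checked
    after every step. A bomb is therefore rejected after producing at most
    max_output + chunk bytes, never the full multi-gigabyte payload.
    """
    dec = bz2.BZ2Decompressor()
    src = io.BytesIO(data)
    out = io.BytesIO()
    total = 0
    while not dec.eof:
        # Feed new input only when the internal output buffer is drained;
        # otherwise pass b"" and let it emit the next bounded piece.
        buf = src.read(chunk) if dec.needs_input else b""
        piece = dec.decompress(buf, max_length=chunk)
        if not piece and not buf and not dec.eof:
            # No input left, no output produced, end of stream never seen.
            raise ValueError("truncated bz2 stream")
        total += len(piece)
        if total > max_output:
            raise DecompressionLimitExceeded(
                "expanded size exceeds limit of %d bytes" % max_output)
        out.write(piece)
    return out.getvalue()


def check_archive(data, max_output):
    """Scanner front-end: decide whether an archive may be expanded for scanning.

    Returns a dict with 'accepted', 'output_size' and 'reason' so that
    callers do not need exception handling. Hypothetical helper for the
    example, not an API of any of the products named in the BID.
    """
    try:
        plain = bounded_bz2_decompress(data, max_output)
    except DecompressionLimitExceeded as exc:
        return {"accepted": False, "output_size": None, "reason": str(exc)}
    except (ValueError, OSError) as exc:
        return {"accepted": False, "output_size": None,
                "reason": "malformed: %s" % exc}
    return {"accepted": True, "output_size": len(plain), "reason": "within limit"}


if __name__ == "__main__":
    print("compressed size:", len(SAMPLE_BZ2))
    print("16 MiB ceiling:", check_archive(SAMPLE_BZ2, 16 * 1024 * 1024))
    print("1 MiB ceiling:", check_archive(SAMPLE_BZ2, 1 * 1024 * 1024))
```

The ceiling is enforced on the running total rather than on the compressed size or a header field, because with bzip2 the compressed size says almost nothing about the expanded size and there is no trustworthy length field to read. A real scanner would also cap the expansion ratio and the nesting depth of archives inside archives, and apply the same bound when writing the expanded data to disk, which is where the quota remark in the comment above comes from.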
