[gull-annonces] Summary of SecurityFocus Newsletter #233
Marc SCHAEFER
schaefer at alphanet.ch
Thu Jan 29 08:21:02 CET 2004
QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
BugTraq ID: 9432
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9432
Summary:
qmail is a popular Mail Transfer Agent (MTA).
A vulnerability has been reported to exist in qmail-smtpd that may allow a
remote attacker to cause a denial of service condition in the software. It
has been reported that an attacker may be able to crash the current
qmail-smtpd session via a long SMTP request. The problem is reported to
exist due to an integer-handling bug. It has been reported that the excessive
SMTP session data causes a signed integer to wrap; this negative value is
then employed as an array subscript. A subsequent attempt to access the
out-of-bounds address based on the wrapped integer will trigger a segment
violation. This may be leveraged by a remote attacker to consume resources
and thereby deny service to legitimate users.
A remote attacker may potentially exploit this vulnerability to crash or
hang a qmail SMTP session.
qmail 1.03 running on a Linux platform has been reported to be prone to
this issue, however, other versions may be affected as well.
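The failure mode described above is a counter that is allowed to go negative and is then used as an array subscript. The following C is an added example (not qmail's code, and not from SecurityFocus): a constructed fixed-size session buffer with a hardened append whose counter is unsigned and whose bounds check precedes the subscript, plus a pre-check that code keeping an `int` counter can use to refuse an addition before the signed wrap happens. `SESSION_LIMIT`, `session_append`, `feed_session` and `int_add_would_wrap` are names invented for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed example: a fixed-size per-session buffer indexed by a byte
   counter. The shape mirrors the advisory's description (counter used as
   an array subscript); it is not qmail's code. */
#define SESSION_LIMIT 1024
static char session_buf[SESSION_LIMIT];

/* Hardened append: the counter is size_t (cannot become negative) and the
   bounds check runs before the subscript, so an over-long session is
   refused instead of indexing out of bounds. Returns false at the limit. */
bool session_append(size_t *count, char c)
{
    if (*count >= SESSION_LIMIT)
        return false;
    session_buf[*count] = c;
    (*count)++;
    return true;
}

/* Feed n bytes of constructed session data; returns how many were accepted. */
size_t feed_session(size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (!session_append(&count, 'A'))
            break;
    return count;
}

/* Pre-check for code that must keep an int counter: reports whether adding
   `extra` to `current` would pass INT_MAX, computed without performing the
   (undefined) signed overflow. A negative counter is already invalid. */
bool int_add_would_wrap(int current, unsigned long extra)
{
    if (current < 0)
        return true;
    return extra > (unsigned long)(INT_MAX - current);
}
```

The point of `int_add_would_wrap` is that the comparison is done on the non-negative remaining headroom (`INT_MAX - current`), which cannot overflow, rather than on the sum itself.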
SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
BugTraq ID: 9434
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9434
Summary:
3Ddiag is a 3D diagnosis tool designed to evaluate the 3D hardware,
software libraries and hardware driver configuration on SuSE Linux 7.3 and
greater.
A vulnerability has been found in the handling of temporary files by the
3Ddiag tool in the SuSE Linux distribution. This issue may allow local
destruction of data on affected systems potentially leading to a loss of
sensitive data or denial of service.
This issue is due to the 3Ddiag tool failing to properly handle the
creation and state of temporary files in the /usr/bin/switch2nv,
/usr/bin/switch2nvidia and /usr/bin/3Ddiag.ignoredb applications.
The switch2nv and switch2nvidia scripts, which are used by the 3Ddiag
utility, create a file in the /tmp directory named XF86Config. An attacker
would be able to remove the temporary file and replace it with a malicious
symbolic link pointing to a target file. When either application is
activated it will write to the link with root privileges and without
verifying the file's validity, causing the target file to be overwritten.
The 3Ddiag.ignoredb application creates a temporary file in the /tmp/
directory named 3Ddiag.ignoredb. An attacker can create a symbolic link
with a name corresponding to the temporary file. When the 3Ddiag
application is activated, the target file will be overwritten with root
privileges thus causing loss of sensitive data or denial of service
against the vulnerable system.
This issue is likely only to affect personal desktop machines and poorly
configured servers as this tool is implemented to update software
libraries and hardware configurations, and is not intended for use by
remote users. Furthermore this tool is only available for SuSE Linux 7.3
and greater.
OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
BugTraq ID: 9435
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9435
Summary:
OpenCA is an Open Source Certification Authority solution. OpenCA includes
a library to support Crypto procedures, this library is named
crypto-utils.lib.
OpenCA has reported a vulnerability in the crypto-utils.lib library,
specifically in the libCheckSignature() function. This function is
normally employed to load a signature from the OpenCA database and ensure
that the signer certificate matches. However a flaw has been discovered in
the manner in which the affected function operates, the
libCheckSignature() function only performs a comparison on the base of the
serial of the associated certificate. This may inadvertently lead to the
acceptance of a malicious certificate.
The vendor has reported that, if the signature chain can manufacture a
trust-relationship to the chain directory of OpenCA, and a valid
certificate that possesses a matching serial already exists in the Public
Key Infrastructure that is being used, then the malicious certificate may
be accepted.
The result of this issue is that a malicious party in possession of a
certificate that has been crafted in a manner sufficient to trigger this
vulnerability, could possibly sign something that may verify. This can be
abused to establish a false sense of trust, leading to a variety of other
attacks.
This issue has been reported to affect all versions of OpenCA up to and
including OpenCA version 0.9.1.6.
OpenBSD 3.4 Crypto Card Handlers File Descriptor Leak Vulner...
BugTraq ID: 9436
Remote: No
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9436
Summary:
OpenBSD 3.4 has been reported prone to an undisclosed file descriptor leak
vulnerability. The vendor has reported that this vulnerability may present
problems when a crypto card is installed in the affected system.
Although unconfirmed, it has been conjectured that this issue may be
exploited by a local attacker to gain access to a privileged I/O channel.
Ultimately this may in turn allow an attacker to become privy to sensitive
data related to cryptographic procedures. This, however, has not been
confirmed.
This issue does not affect OpenBSD 3.3.
This BID will be updated as further details regarding this vulnerability
are disclosed.
MetaDot Corporation MetaDot Portal Server Multiple Vulnerabi...
BugTraq ID: 9439
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9439
Summary:
MetaDot Portal Server is an open source portal software which provides
content management, portal, and online database applications. It is used
to create web portals and websites.
A number of vulnerabilities have been found in MetaDot Corporation's
MetaDot Portal Server. Due to a failure of the software to properly
validate user input, an attacker may be able to carry out SQL injection
attacks that may lead to data corruption or force the server to
disclose system configuration information. Cross-site scripting
vulnerabilities have also been identified that are related to a similar
issue.
MetaDot portal server is vulnerable to a SQL injection vulnerability.
This vulnerability may allow an attacker to destroy or corrupt data on
vulnerable systems. It has also been reported that this issue may
disclose server configuration information. An attacker may exploit this
vulnerability by issuing a specially crafted URI to the MetaDot server.
This is due to the software failing to properly validate the values
assigned to URL variables.
The values stored in the 'key', 'id' and 'iid' variables defined in the
URI are used in an SQL statement and may allow a user to inject SQL
commands. It has also been reported that this issue produces a
cross-site scripting vulnerability, as an attacker can force the error
message to execute a script supplied in the variable. Furthermore, the
error message issued by a failed SQL command reveals a significant amount
of information to the attacker, as it is displayed in the error message.
This information includes system configuration details such as the current
perl version as well as web server path.
Aside from the above-mentioned cross-site scripting vulnerabilities, there
are a number of other URIs that will produce similar effects. These
issues are also due to improper validation of variables specified in the
URI.
MetaDot Portal Server versions 5.6.5.4 b5 and prior have been reported to
be vulnerable to these issues.
These issues are currently undergoing further analysis. This cumulative
BID will be separated into individual entries when analysis is complete.
[ language unknown ]
Netpbm Temporary File Vulnerabilities
BugTraq ID: 9442
Remote: No
Date Published: Jan 18 2004
Relevant URL: http://www.securityfocus.com/bid/9442
Summary:
Netpbm is a collection of utilities for the manipulation of graphic
images.
Debian has announced that Netpbm is affected by numerous vulnerabilities
related to its use of temporary files. These vulnerabilities may allow
for a malicious local user to cause the corruption of files owned by other
users. It is likely that the attacker must wait for the target user to
run one of the Netpbm utilities before any of the vulnerabilities can be
exploited. The attacker may also be required to successfully guess the
filename of the temporary file, though it may be trivial to do so. Any
file overwrites most likely occur with the privilege level of the victim
user who is running Netpbm.
GoAhead WebServer Directory Management Policy Bypass Vulnera...
BugTraq ID: 9450
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9450
Summary:
GoAhead WebServer is an embedded web server implementation that is
available for a number of operating systems, including Microsoft Windows
and Unix/Linux derivatives.
GoAhead WebServer allows users to configure a policy for how requests for
resources in certain directories are handled, such as defining default
actions for resources in cgi-bin or other directories. This is handled
internally via the websUrlHandlerRequest() server function. GoAhead
WebServer is prone to a vulnerability that may permit remote attackers to
bypass directory management policy.
It is reported that certain syntax may be used in HTTP GET requests to
bypass the policy for how certain requests should be handled, for example,
a script that should be interpreted may be downloaded by the attacker
instead. The following example requests are reported to reproduce this
behavior:
GET cgi-bin/cgitest.c HTTP/1.0
GET \cgi-bin/cgitest.c HTTP/1.0
GET %5ccgi-bin/cgitest.c HTTP/1.0
By omitting the initial forward-slash (/) or substituting a back-slash (\)
for the initial forward-slash, it is possible to bypass directory
management policy. A URL-encoded back-slash (%5c) at the beginning of the
request may also bypass the policy. Other variations also exist.
This could allow for unauthorized access to resources hosted on the
server, likely resulting in disclosure of sensitive information such as
script source code. The exact consequences will depend on what sort of
directory management policy is in place and also the nature of information
included in scripts or other sensitive resources hosted on the server.
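The common thread in the three request forms above is that the directory policy is matched against the raw request target before it has been normalised. The following C is an added example, not GoAhead code and not from SecurityFocus: a canonical-form gate that percent-decodes the target, requires a leading forward-slash, rejects backslashes in any encoding and rejects dot segments, and only then hands the target to a policy lookup. The single "/cgi-bin/" rule in `handler_for` and the names `percent_decode`, `target_is_canonical` and `handler_for` are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode `in` into `out`. Rejects malformed escapes and a decoded
   NUL, which would otherwise truncate the later string checks. */
static bool percent_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return false;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            if (c == 0)
                return false;
            i += 2;
        }
        if (o + 1 >= outlen)
            return false;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return true;
}

/* Canonical-form gate applied before any directory policy lookup: the
   target must decode cleanly, start with '/', contain no backslash in any
   encoding, and contain no "." or ".." path segments. */
bool target_is_canonical(const char *raw, char *canon, size_t len)
{
    if (!percent_decode(raw, canon, len))
        return false;
    if (canon[0] != '/' || strchr(canon, '\\') != NULL)
        return false;
    const char *p = canon;
    while (*p) {
        if (*p == '/') { p++; continue; }
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if ((n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return false;
        p += n;
    }
    return true;
}

/* Dispatch: the (hypothetical) "/cgi-bin/" rule is consulted only for
   canonical targets, so the alternative spellings never reach it. */
const char *handler_for(const char *raw_target)
{
    char canon[1024];
    if (!target_is_canonical(raw_target, canon, sizeof canon))
        return "reject";
    if (strncmp(canon, "/cgi-bin/", 9) == 0)
        return "cgi";
    return "static";
}
```

Decoding first and matching second is the design choice that matters: a policy compared against the encoded form can be sidestepped by any encoding it did not anticipate, while a policy compared against one canonical form has exactly one spelling to match.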
[ license ? ]
GoAhead WebServer Post Content-Length Remote Resource Consum...
BugTraq ID: 9452
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9452
Summary:
GoAhead WebServer is an embedded web server implementation that is
available for a number of operating systems, including Microsoft Windows
and Unix/Linux derivatives.
A vulnerability in the handling of unusual HTTP requests and
content-length sizes may cause a vulnerable GoAhead WebServer to become
unstable. Because of this, a remote attacker may be able to consume
excessive resources on the underlying host, resulting in a denial of
service condition.
The problem is in the handling of remote POST requests. By specifying a
content-length of a specific size in a POST request, and sending data of a
lesser size then breaking the connection, it is possible to send the
service into an infinite loop. The program does not sufficiently handle
the condition of a broken connection, and can consume excessive system
resources, potentially taking down the system with the service.
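The condition to handle is a peer that declares a body length and then closes before delivering it. The following C is an added example, not GoAhead code and not from SecurityFocus: a body reader that treats end-of-stream or a read error as a terminal condition instead of retrying, and caps the declared length before allocating or looping. The socket is abstracted behind a read-like callback so the block runs offline against a constructed peer; `read_post_body`, `fake_read`, `simulate_post` and `MAX_BODY` are names and values invented for this example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Reader callback standing in for the socket: like read(2), returns bytes
   copied, 0 at end of stream, or -1 on error. */
typedef ssize_t (*reader_fn)(void *ctx, char *buf, size_t len);

#define MAX_BODY (1024 * 1024)  /* constructed upper bound on a POST body */

/* Read exactly content_length bytes of POST body. Returns the byte count on
   success, -1 if the declared length exceeds MAX_BODY or the buffer, -2 if
   the peer closed or errored before delivering everything. A loop that
   retries on 0 would spin forever once the connection breaks; here 0 or -1
   from the reader terminates the request. */
ssize_t read_post_body(reader_fn rd, void *ctx, size_t content_length,
                       char *out, size_t outlen)
{
    if (content_length > MAX_BODY || content_length > outlen)
        return -1;
    size_t got = 0;
    while (got < content_length) {
        ssize_t n = rd(ctx, out + got, content_length - got);
        if (n <= 0)
            return -2;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed peer: delivers `avail` bytes in small chunks, then reports
   end of stream the way a closed socket does. */
struct fake_peer { const char *data; size_t avail; size_t pos; };

ssize_t fake_read(void *ctx, char *buf, size_t len)
{
    struct fake_peer *p = ctx;
    if (p->pos >= p->avail)
        return 0;                       /* connection closed */
    size_t chunk = p->avail - p->pos;
    if (chunk > 7) chunk = 7;
    if (chunk > len) chunk = len;
    memcpy(buf, p->data + p->pos, chunk);
    p->pos += chunk;
    return (ssize_t)chunk;
}

/* Self-check: declare `declared` bytes in the request, deliver `delivered`
   (at most 64), and return what read_post_body reports. */
ssize_t simulate_post(size_t declared, size_t delivered)
{
    char payload[64];
    memset(payload, 'x', sizeof payload);
    if (delivered > sizeof payload)
        delivered = sizeof payload;
    struct fake_peer peer = { payload, delivered, 0 };
    char body[64];
    return read_post_body(fake_read, &peer, declared, body, sizeof body);
}
```

On a real socket the same loop should also carry a receive timeout (for example `SO_RCVTIMEO`) so that a peer that stalls without closing is bounded as well.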
NetScreen Security Manager Insecure Default Remote Communica...
BugTraq ID: 9455
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9455
Summary:
NetScreen-Security Manager is the firewall and security management product
distributed and maintained by NetScreen.
A problem in the handling of default communications has been identified in
NetScreen-Security Manager. Because of this, an attacker may be able to
gain access to potentially sensitive information.
The problem is in the default use of encryption. When NetScreen-Security
Manager is used to communicate with remote ScreenOS 5.0 devices, the
device does not use encryption by default. Information sent between the
ScreenOS devices and NetScreen-Security Manager may transit in plain text,
making it possible for an intermediary network to capture potentially
sensitive data while traveling between end-points.
[ firmware ]
SuSE Multiple Scripts Insecure Temporary File Handling Symbo...
BugTraq ID: 9457
Remote: No
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9457
Summary:
fvwmbug is a helper shell script to allow a user to compose and email
bug-reports that concern FVWM. wm-oldmenu2new is used to convert from an
old-style WindowMaker menu file to the new PropertyList style. x11perfcomp
is a script that merges and formats the output of x11perf. xf86debug is a
script used to debug X server, it must be invoked by a root user.
winpopup-send.sh is a script that is shipped as a part of the kopete
package. lvmcreate_initrd is used to create a new compressed initial
ramdisk.
Multiple scripts that are shipped with SuSE 9.0 have been reported prone
to insecure temporary file creation and symbolic link vulnerabilities. The
following scripts have been reported vulnerable:
/usr/X11R6/bin/fvwm-bug
/usr/X11R6/bin/wm-oldmenu2new
/usr/X11R6/bin/x11perfcomp
/usr/X11R6/bin/xf86debug
/opt/kde3/bin/winpopup-send.sh
/sbin/lvmcreate_initrd
The issues are present because the vulnerable scripts create temporary
files in an insecure manner. Specifically, when a script is invoked a
predictable temporary file is created. To exploit this issue, a local
attacker may create many symbolic links in the "tmp" directory with
incremental values representing the variable part of the vulnerable
temporary filename. Each of these links will point to an arbitrary file
that the attacker wishes to target. When the vulnerable script is invoked,
operations intended for the temporary file will be carried out on the
file targeted by the malicious symbolic link.
An attacker may exploit these issues to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or in a
system wide denial of service.
Each issue described in this BID will be given an individual BID once
further analysis is complete.
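The 3Ddiag entry (BID 9434), the Netpbm entry (BID 9442) and the SuSE scripts entry above share one root cause: a temporary file with a predictable name in /tmp is created without refusing a pre-existing symbolic link. The following C is an added example, not code from SecurityFocus, SuSE, Netpbm or any of the affected scripts, showing the two standard fixes and a self-check that reproduces the pre-condition (a link already sitting at the fixed name) inside a private scratch directory to confirm the safe open refuses it. The /tmp prefix, the `example.XXXXXX` template, the reuse of the name `XF86Config` from the 3Ddiag entry, and the function names are all constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern, shown for contrast and not executed here: a fixed name
   opened with O_CREAT|O_TRUNC. If that name already exists as a symbolic
   link, open() follows it and the write lands in the link's target.
 *
 *     int fd = open("/tmp/XF86Config", O_WRONLY | O_CREAT | O_TRUNC, 0644);
 */

/* Fix 1: let the C library pick an unpredictable name and create it with
   O_CREAT|O_EXCL and mode 0600 in one step. `name` receives the final path.
   Returns the descriptor or -1. */
int open_private_tempfile(char *name, size_t len)
{
    if (snprintf(name, len, "/tmp/example.XXXXXX") >= (int)len)
        return -1;
    return mkstemp(name);
}

/* Fix 2: when the name must stay fixed, refuse both an existing file and a
   symbolic link. O_EXCL fails on a symlink regardless of its target, so a
   pre-planted link is rejected rather than followed. Returns fd or -1. */
int open_fixed_name_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check in a private scratch directory: place a symlink at the fixed
   name pointing at a "victim" file, then verify that the safe open refuses
   it and that the victim's contents are untouched.
   Returns 1 on success, 0 if the open went through, -1 on setup error. */
int check_symlink_refused(void)
{
    char dir[] = "/tmp/tmpfile-check.XXXXXX";
    char victim[128], lnk[128];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/XF86Config", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "keep me\n", 8) != 8)
        return -1;
    close(vfd);
    if (symlink(victim, lnk) != 0)
        return -1;

    int fd = open_fixed_name_safely(lnk);
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == 8);

    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return (refused && intact) ? 1 : 0;
}
```

For shell scripts such as the ones listed, the equivalent of Fix 1 is `mktemp` (or `mktemp -d` for a private working directory) rather than a hand-built name under /tmp.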
Honeyd Remote Virtual Host Detection Vulnerability
BugTraq ID: 9464
Remote: Yes
Date Published: Jan 18 2004
Relevant URL: http://www.securityfocus.com/bid/9464
Summary:
Honeyd is honeypot software that simulates virtual hosts on IP addresses
that are not in use. It is available for various Unix/Linux derivatives.
Honeyd is prone to a vulnerability that may permit remote users to detect
the presence of the server. This is due to a flaw in how Honeyd responds
to certain TCP SYN packets, effectively allowing a remote user to
determine if a scanned address is a virtual Honeyd host. Upon receipt of
such a packet, the daemon will respond with a packet that has the SYN and
RST flags set. The consequence is that a remote attacker could enumerate
the existence of simulated Honeyd hosts and then either target specific
attacks against these hosts or avoid them altogether.
Mephistoles HTTPD Cross-Site Scripting Vulnerability
BugTraq ID: 9470
Remote: Yes
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9470
Summary:
Mephistoles httpd is a simple web server implemented in PERL.
It has been discovered that Mephistoles httpd daemon fails to sanitize
user-supplied input, making it vulnerable to cross-site scripting attacks.
This vulnerability makes it possible for an attacker to construct a
malicious link containing HTML or script code that may be rendered in a
user's browser upon visiting that link. This attack would occur in the
security context of the affected server.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
Apache mod_perl Module File Descriptor Leakage Vulnerability
BugTraq ID: 9471
Remote: No
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9471
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. mod_perl is an Apache
module that provides for Perl functionality in websites.
A vulnerability has been reported to exist in the Apache mod_perl module
that may allow local attackers to gain access to privileged file
descriptors. This issue could be exploited by an attacker to hijack a
vulnerable server daemon.
It has been reported that multiple file descriptors, including those
associated with the sockets listening on ports 443 and 80, are leaked to
the mod_perl module and any processes it creates. Additionally file
descriptors associated with logging functionality are also leaked. This
allows for Perl scripts and any processes they spawn to access the
privileged I/O streams.
This issue may allow an attacker to pose as a legitimate server to
clients. An attacker may also steal sensitive information, or read and
write to a privileged I/O stream.
It should be noted that this issue appears to be distinct from the
vulnerability described in BID 7255 (and patched in Apache 2.0.45).
Versions later than Apache 2.0.45 reportedly still leak descriptors.
Additionally, it is not recommended that mod_perl be run in a shared user
environment, as mod_perl is not intended to run untrusted Perl code. This
BID will be updated as further information becomes available.
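The descriptor leak described above is the generic problem of a server handing its listening sockets and log descriptors to every process it spawns. The following C is an added example, not Apache or mod_perl code and not from SecurityFocus: a helper that marks a descriptor close-on-exec so it is dropped across exec(), and an audit routine a server can run after binding its listeners and opening its logs to confirm that nothing inheritable remains. The self-check uses a pipe as a stand-in for a listener and a log descriptor; `set_cloexec`, `count_inheritable_fds`, `check_cloexec_audit` and the scan limit of 256 are constructed for this example.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec so a child produced by fork()+exec()
   (a spawned CGI or helper) does not inherit it. Returns true on success. */
bool set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return false;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0;
}

/* Audit: count descriptors in [3, limit) that are open and would survive
   exec(). Descriptors 0-2 are skipped because children legitimately
   inherit stdin/stdout/stderr. */
int count_inheritable_fds(int limit)
{
    int leaks = 0;
    for (int fd = 3; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0)
            continue;               /* not open */
        if (!(flags & FD_CLOEXEC))
            leaks++;
    }
    return leaks;
}

/* Self-check: open a pipe (standing in for a listener and a log fd),
   confirm both ends show up as inheritable, fix one end, and confirm the
   audit count drops by one. Returns 1 on success, 0 on failure. */
int check_cloexec_audit(void)
{
    int before = count_inheritable_fds(256);
    int p[2];
    if (pipe(p) != 0)
        return 0;
    int ok = (count_inheritable_fds(256) == before + 2);
    if (!set_cloexec(p[0]))
        ok = 0;
    ok = ok && (count_inheritable_fds(256) == before + 1);
    close(p[0]);
    close(p[1]);
    return ok ? 1 : 0;
}
```

Where the platform supports it, creating the descriptor with the flag already set (`SOCK_CLOEXEC` for sockets, `O_CLOEXEC` for files) closes the window between creation and `fcntl` in which a concurrent fork could still inherit it.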
Acme thttpd CGI Test Script Cross-Site Scripting Vulnerabili...
BugTraq ID: 9474
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9474
Summary:
thttpd is an HTTP server implementation that is maintained by Acme. It is
intended to run on Unix/Linux variants.
thttpd is prone to a cross-site scripting vulnerability in the CGI test
script. This could permit a remote attacker to create a malicious link to
the web server that includes hostile HTML and script code. If this link
were followed, the hostile code may be rendered in the web browser of the
victim user. This would occur in the security context of the web server
and may allow for theft of cookie-based authentication credentials or
other attacks.
It should be noted that FREESCO includes an embedded version of thttpd and
is also prone to this vulnerability due to their inclusion of the
vulnerable component.
[ license ? firmware ]