[gull-annonces] Summary of SecurityFocus Newsletter #252

Marc SCHAEFER schaefer at alphanet.ch
Tue Jun 8 15:01:03 CEST 2004


Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary:
Isoqlog is prone to multiple buffer overflow vulnerabilities that span
various source files and functions.  Some of the vulnerabilities are
remotely exploitable and may permit execution of arbitrary code in the
context of the process.  Others are local in nature, but as the
software is not typically installed setuid/setgid, should not present
any security risk.

[ http://www.enderunix.org/isoqlog/, written in C ]

Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary:
Spamguard is prone to multiple buffer overflow vulnerabilities that
span various source files and functions.  Some of the vulnerabilities
are remotely exploitable and may permit execution of arbitrary code in
the context of the process.  Others are local in nature, but as the
software is not typically installed setuid/setgid, should not present
any security risk.

[ http://www.enderunix.org/spamguard/, parses sendmail/qmail/postfix
  logs and reacts accordingly to prevent spam
]

gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary:
The gatos xatitv utility is prone to a local privilege escalation
vulnerability.

This issue may occur when the utility, which is installed setuid root,
fails to drop privileges due to a missing configuration file.
Unsanitized user-supplied environment variables may then be exploited
to escalate privileges.

It is noted that the software ships with a default configuration file,
so exploitation would require that the file was removed at some point.

[ application similar to xawtv, see
  http://www.debian.org/security/2004/dsa-509 ]

Linksys WRT54G Router World Accessible Remote Administration...
BugTraq ID: 10441
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10441
Summary:
A weakness is reported to affect the Linksys WRT54G appliance. It is
reported that the web based administration service is published to the
WAN interface of the appliance, even when the remote administration
functionality is disabled.

[ firmware ]

Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary:
Firebird is reported prone to a remote buffer overrun
vulnerability. The issue presents itself due to a lack of sufficient
boundary checks performed when the database server is handling
database names.

A remote attacker may exploit this vulnerability, without requiring
valid authentication credentials, to influence execution flow of the
affected Firebird database server. Ultimately this may lead to the
execution of attacker-supplied code in the context of the affected
software.

[ I assume this is the Firebird RDBMS, AKA Interbase, free-software
  licence, http://firebird.sourceforge.net/ ]

MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary:
Kerberos 5 is prone to multiple boundary condition errors that exist
in the krb5_aname_to_localname() and helper functions and are due to
insufficient bounds checking performed on user-supplied data.

An additional boundary condition issue also exists in the
krb5_aname_to_localname() function. The condition is reported to
present itself in the explicit mapping functionality of the
krb5_aname_to_localname() as an off-by-one.

These conditions may be theoretically exploitable to execute arbitrary
code remotely in the context of the affected service.

It is reported that explicit mapping or rules-based mapping
functionality of krb5_aname_to_localname() must be enabled for these
vulnerabilities to be present. Additionally it is necessary that the
principal name used by the attacker to exploit the issue be listed in
the explicit mapping list.

These vulnerabilities are reported to affect all releases of MIT
Kerberos 5, up to and including version krb5-1.3.3.

IBM Multiple Product Unspecified Credential Impersonation Vu...
BugTraq ID: 10449
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10449
Summary:
Multiple IBM products are prone to an unspecified credential
impersonation vulnerability.

According to IBM this vulnerability may allow a remote attacker to
gain access to resources and data, or gain control of the compromised
application.  It is reported that this attack can allow the attacker
to exploit the usage of cookies and impersonate a legitimate user to
gain unauthorized access.

Due to a lack of details, further information is not available at the
moment.  This BID will be updated as more information becomes
available.

[ I love this one. No information behind this information.
  Impossible to determine the licence of the software concerned.
  Impossible to assess the impact.  One wonders whether it isn't
  just there to be the first to say it.
]

Multiple Linksys Routers Gozila.CGI Denial Of Service Vulner...
BugTraq ID: 10453
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10453
Summary:
Multiple Linksys routers are reported vulnerable to a denial of
service condition. The issues present themselves due to a lack of
sufficient sanitization performed on parameters that are passed to the
Gozila.CGI script.

A remote attacker may potentially exploit these conditions to deny
service to an affected appliance. It is reported that the device must
be reset to the original factory defaults in order to restore normal
device functionality.

[ firmware ]

Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary:
Tripwire is affected by an email reporting format string
vulnerability.  This issue is due to a failure to properly implement a
formatted string function.

This vulnerability will allow for execution of arbitrary code on a
system running the affected software. This would occur in the security
context of the user invoking the vulnerable application; typically the
superuser.

**Update - It is reported that this issue only presents itself when
the MAILMETHOD is sendmail.

Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary:
The select() system call may be vulnerable to an overflow condition,
possibly allowing attackers to write data past the end of a fixed size
buffer.

select() uses arguments of type 'fd_set', which is of a fixed size in
many Unix variants. fd_set is used to keep track of open file
descriptors.

If a process raises its rlimit for open files past 1024, it is
theoretically possible to cause select to change individual bits past
the end of the fixed size fds_bits structure. In theory, an attacker
may be able to use this vulnerability to cause a denial of service
condition, or possibly execute arbitrary code.

It should be noted that rlimits can only be raised by root, and that
only processes with rlimits allowing more than 1024 file descriptors
would be affected.

This is a theoretical issue, and it has not been confirmed by any
vendor. This BID will be updated when further information is released.

[ Very general. Under the Linux kernel, as far as I know, a dynamic
  pointer-based structure is used internally and length checks are
  made. Besides, the problem is not necessarily at the system call
  level: some systems implement select() in libc on top of poll(2).
  As a workaround in all cases: set the `hard limits' appropriately.
  Only root can raise them. See ulimit.
]
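
The checks a practitioner would want for the select() issue above, as an added example (not code from SecurityFocus or from any vendor): where in the fd_set bitmap a given descriptor lands, whether FD_SET on it would write past the fixed-size structure, a checked FD_SET wrapper, a test of whether the process's RLIMIT_NOFILE already exceeds FD_SETSIZE (the precondition the advisory names), and the poll(2) alternative that has no such ceiling. FD_SETSIZE, fd_set and the rlimit calls are standard; the sample pipe is constructed inline.

```c
#include <limits.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Byte of the fd_set bitmap that FD_SET(fd, set) touches: one bit per
 * descriptor, so descriptor fd lands in byte fd / CHAR_BIT. */
size_t fd_set_byte_offset(int fd)
{
    return (size_t)fd / CHAR_BIT;
}

/* 1 when FD_SET(fd, set) would write outside the fixed-size bitmap
 * (fd >= FD_SETSIZE, 1024 on glibc and the BSD libcs). The stray bit lands
 * in whatever the caller placed after the fd_set: other locals, a saved
 * return address on the stack, or the next heap object. */
int fd_set_would_overflow(int fd)
{
    return fd < 0 || fd >= FD_SETSIZE;
}

/* Checked replacement for FD_SET: refuse what the bitmap cannot hold.
 * glibc built with _FORTIFY_SOURCE aborts on such an FD_SET, which turns
 * a silent corruption into a crash, not into a recoverable error. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd_set_would_overflow(fd))
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Exercise checked_fd_set on an empty set: 0 if fd was set, -1 if rejected. */
int demo_checked_fd_set(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (checked_fd_set(fd, &set) != 0)
        return -1;
    return FD_ISSET(fd, &set) ? 0 : -1;
}

/* 1 if this process's open-file soft limit exceeds FD_SETSIZE, i.e. it can
 * obtain descriptors that select()'s fd_set cannot represent; 0 otherwise;
 * -1 on error. Only root can raise the hard limit (see ulimit -Hn). */
int nofile_limit_exceeds_fd_setsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE;
}

/* poll(2) takes an array of descriptors instead of a bitmap, so it has no
 * FD_SETSIZE ceiling. Creates a pipe (constructed sample), writes one byte,
 * polls the read end and returns how many descriptors poll() reported
 * ready, which is 1. */
int demo_pipe_poll(void)
{
    int fds[2];
    struct pollfd pfd;
    int ready;

    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], "x", 1) != 1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    pfd.fd = fds[0];
    pfd.events = POLLIN;
    pfd.revents = 0;
    ready = poll(&pfd, 1, 1000);
    close(fds[0]);
    close(fds[1]);
    return ready;
}

int main(void)
{
    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu bytes\n",
           (int)FD_SETSIZE, sizeof(fd_set));
    printf("FD_SET(%d) would hit byte %zu: %s\n", (int)FD_SETSIZE,
           fd_set_byte_offset(FD_SETSIZE),
           fd_set_would_overflow(FD_SETSIZE) ? "overflow" : "ok");
    printf("RLIMIT_NOFILE exceeds FD_SETSIZE: %d\n",
           nofile_limit_exceeds_fd_setsize());
    printf("poll on pipe: %d ready\n", demo_pipe_poll());
    return 0;
}
```

The advisory's precondition is visible in nofile_limit_exceeds_fd_setsize(): unless the limit has been raised above 1024, no descriptor number can reach the overflowing range, which is why the author's ulimit workaround is sufficient.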

Sun Fire B1600 Network Management Port Remote Denial Of Serv...
BugTraq ID: 10458
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10458
Summary:
Sun Fire B1600 is reported prone to remote denial of service
vulnerability. The issue exists because the switch firmware will
disable all of the network ports on the switch for a short period when
an ARP datagram is received on the Network Management Port.

[ firmware ]

Netgear WG602 Wireless Access Point Default Backdoor Account...
BugTraq ID: 10459
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10459
Summary:
Netgear WG602 reportedly contains a default administrative account.
This issue can allow a remote attacker to gain administrative access
to the device.

Netgear WG602 access point with firmware version 1.04.0 is reportedly
affected by this issue.  It is likely that other versions of the
firmware are also vulnerable.  It is reported that the new version
(1.7.14) of the Firmware for WG602 is vulnerable to this issue as
well, however, the username and password for the backdoor account have
been changed.

[ firmware ]

Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary:
Michael Krax log2mail is reported prone to a log file writing format
string vulnerability.  This issue is due to a failure of the
application to properly implement a formatted string function.

This vulnerability will ultimately allow for execution of arbitrary
code on a system running the affected software. This would occur in
the security context of the user invoking the vulnerable application;
typically the 'log2mail' user with group 'adm'.
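
The shape of the Tripwire (BID 10454) and log2mail (BID 10460) bugs above, as an added example that is not the code of either project: a report or log writer that hands attacker-influenced text (a file name, a matched log line) to a printf-family function as the format, beside the fixed form that passes it as a "%s" argument. The sample strings are constructed; the unsafe path is only ever exercised on directive-free input, since a "%n" there is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in a string. "%%" is a literal percent
 * and is not counted. Anything above zero means the string will be
 * interpreted, not copied, if it reaches a printf-family function as the
 * format argument: "%x" reads the caller's stack, "%n" writes to memory. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Minimal formatter in the style of a report/log writer: vsnprintf with a
 * caller-supplied format. Both patterns below go through it. */
static int emit(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: the untrusted text becomes the format string.
 * Undefined behaviour as soon as it contains a conversion, so it is only
 * called on directive-free input in this file. */
int write_line_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return emit(out, outlen, untrusted);
}

/* Fixed pattern: constant format, untrusted text passed as an argument. */
int write_line_safe(char *out, size_t outlen, const char *untrusted)
{
    return emit(out, outlen, "%s", untrusted);
}

/* 1 if the safe writer reproduces the input byte for byte, directives
 * included, which is exactly what a log or report line should do. */
int safe_preserves(const char *untrusted)
{
    char buf[256];
    write_line_safe(buf, sizeof buf, untrusted);
    return strcmp(buf, untrusted) == 0;
}

/* 1 if both writers produce the same output for a directive-free input,
 * -1 if the input has directives (the unsafe path is refused). This is why
 * the bug survives testing: ordinary file names and log lines never hit it. */
int writers_agree_on_benign(const char *benign)
{
    char a[256], b[256];
    if (count_conversions(benign) != 0)
        return -1;
    write_line_unsafe(a, sizeof a, benign);
    write_line_safe(b, sizeof b, benign);
    return strcmp(a, b) == 0;
}

int main(void)
{
    const char *benign = "changed: /etc/passwd";      /* constructed sample */
    const char *hostile = "changed: /tmp/%x%x%x%n";    /* constructed sample */
    char buf[256];

    printf("%s: %zu directive(s)\n", benign, count_conversions(benign));
    printf("%s: %zu directive(s)\n", hostile, count_conversions(hostile));
    write_line_safe(buf, sizeof buf, hostile);
    printf("safe writer output: %s\n", buf);
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) flags the unsafe call site only when the wrapper carries a format attribute; without one, as here, the compiler stays silent, which is the situation in most real code bases.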

mkdir Buffer Overflow Vulnerability
BugTraq ID: 10462
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10462
Summary:
It is reported that mkdir is susceptible to a buffer overflow
vulnerability. An attacker with local access passes a long path to
mkdir, which overflows a fixed buffer.

mkdir is installed setuid root by default, as the mknod() system call
can only be called by root. There is no mkdir() system call, so the
mkdir command must use mknod to create a directory node, then populate
the node with "." and ".." itself.

A local attacker can exploit this issue to execute arbitrary code as root.

[ on Linux, mkdir(2) is a system call, so this attack is impossible.
  It is true that some very old systems I used until 1992, such as
  SPIX 31 (SYSVR2), had no mkdir(2), so mkdir(1) did it by hand as
  described here, but frankly that approach has so many other
  problems ...
  Oh, and mknod(2) on modern systems can be called by ordinary users
  to create `named pipes'.
]
