[gull-annonces] Summary of SecurityFocus Newsletter #254

Marc SCHAEFER schaefer at alphanet.ch
Wed Jun 23 15:11:05 CEST 2004


Horde Chora Viewer Remote Command Execution Vulnerability
BugTraq ID: 10531
Remote: Yes
Date Published: Jun 13 2004
Relevant URL: http://www.securityfocus.com/bid/10531
Summary:
Horde Chora Viewer is reported to be prone to a remote command
execution vulnerability. The vulnerability is reported to exist due to
a lack of sanitization performed on values that may be user-supplied.

Shell metacharacters that are included as a value for the affected URI
parameter may result in attacker specified shell commands being
executed in an exec() call. Command execution will occur in the
context of the affected web server.

Chora versions up to and including version 1.2.1 are reported to be
affected by this vulnerability.

[ Chora is a CVS browser :) ]
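The Chora advisory above describes the classic shape of this bug: a URI parameter is spliced into a command line that is handed to a shell through exec(). The following is an added example (not Chora's code, and the `cvs ... rlog` argv prefix is hypothetical) showing the vulnerable pattern next to the two defences a practitioner would apply: allowlist the parameter before it reaches any exec call, and pass it as a single argv element with no shell in between. The `echo` round trip only demonstrates that, with `shell=False`, metacharacters arrive in the child as literal text.

```python
import re
import subprocess
from typing import List

# Added example, not Chora's code. Models a CVS-browser helper that runs an
# external command with a user-supplied repository path taken from a URI
# parameter. The command prefix below is hypothetical.
CVS_PREFIX = ["cvs", "-d", "/var/lib/cvs", "rlog"]

# Allowlist: letters, digits, '_', '.', '-' and '/' only; the first character
# may not be '-' (option injection) and no path segment may be '..'.
SAFE_PATH = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def shell_command_unsafe(where: str) -> str:
    """The pattern behind the advisory: the parameter is spliced into a
    shell command line, so quotes and metacharacters inside it are honoured
    by the shell that exec() starts."""
    return "cvs -d /var/lib/cvs rlog '%s'" % where


def validate_repo_path(where: str) -> str:
    """Reject anything outside the allowlist before it reaches exec()."""
    if not SAFE_PATH.match(where) or ".." in where.split("/"):
        raise ValueError("rejected path parameter: %r" % where)
    return where


def is_accepted(where: str) -> bool:
    """Boolean wrapper around validate_repo_path() for callers and tests."""
    try:
        validate_repo_path(where)
        return True
    except ValueError:
        return False


def argv_safe(where: str) -> List[str]:
    """Build an argv list: the value is one argument, never parsed by a shell."""
    return CVS_PREFIX + [validate_repo_path(where)]


def literal_argument_roundtrip(value: str) -> str:
    """With shell=False the value reaches the child as one literal argument:
    `echo` prints it back unchanged, metacharacters included."""
    out = subprocess.run(["echo", value], shell=False, check=True,
                         capture_output=True, text=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "module/file.c'; id; '"          # constructed hostile value
    print(shell_command_unsafe(hostile))       # quotes are broken out of
    print(is_accepted(hostile))                # False
    print(argv_safe("module/file.c"))
    print(literal_argument_roundtrip("a; b | c"))
```

The allowlist is deliberately narrow: it is far easier to enumerate what a repository path may contain than to enumerate every shell metacharacter for every shell the web server might invoke.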

Mozilla Browser URI Obfuscation Weakness
BugTraq ID: 10532
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10532
Summary:
A weakness is reported in Mozilla that may allow an attacker to
obfuscate the URI of a link. This could facilitate the impersonation
of legitimate web sites in order to steal sensitive information from
unsuspecting users.

It is reported that the weakness exists when form method GET action
URIs that are appended with the %2F encoded character, several space
characters and an appended '.' URI are followed.

Mozilla 1.6 and 1.7rc3 for Windows and Firefox 0.8 and 0.9rc for
Windows are reportedly affected by this issue.

Linksys Web Camera Software Next_file Parameter Cross-Site S...
BugTraq ID: 10533
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10533
Summary:
It is reported that Linksys Web Camera software is prone to a
cross-site scripting vulnerability that may allow a remote attacker to
steal cookie-based authentication credentials or carry out other
attacks.

The problem presents itself when an attacker passes malicious HTML or
script code to the application via the 'next_file' parameter of the
'main.cgi' script.

Linksys Web Camera software version 2.10 is reportedly prone to this
issue, however, it is possible that other versions are affected as
well.

[ firmware ]

Immunix StackGuard Canary Corruption Handler Evasion Vulnera...
BugTraq ID: 10535
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10535
Summary:
Immunix StackGuard is affected by a canary corruption handler evasion
vulnerability. This issue is due to a design error that allows an
attacker to influence the execution flow of the canary corruption
handling function.

This issue may allow an attacker to bypass the security features of
StackGuard and allow an attacker to manipulate the execution flow of
the canary corruption handling function.  It has been speculated that
this issue will allow for code execution, although this has not been
verified.

This issue reportedly affects Immunix OS version 7.0, however it is
likely that other versions are affected as well.

[ StackGuard adds a `canary' -- a value chosen so as to detect stack
  corruption on function return. It has already been shown that this
  is not sufficient against all attacks, and here is a case of direct
  exploitation
]

Multiple Vendor Anti-Virus Scanner Remote Denial Of Service ...
BugTraq ID: 10537
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10537
Summary:
Multiple vendor anti-virus scanning software is reported prone to a
remote denial of service vulnerability.

The issue is reported to present itself when certain malicious
archives containing large quantities of data are scanned.

In the supplied example approximately 300 Gigabytes of data is
archived in many different archive types. This archive may be
transmitted to a client or submitted to an online anti-virus scanning
service in order to crash the anti-virus software.

[ clamav is not vulnerable to the exploit currently in circulation; the
  DoS is correctly detected.
]

Linux Kernel Assembler Inline Function Local Denial Of Servi...
BugTraq ID: 10538
Remote: No
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10538
Summary:
The Linux Kernel is reportedly affected by a local denial of service
vulnerability surrounding inline assembly functions. This issue is due
to a design error that causes the application to fail to properly
handle stack frame management.

This issue may be leveraged by an attacker to cause the affected
system to crash, denying service to legitimate users.

Although only select Linux kernels are reported to be affected, it is
likely that various other versions are vulnerable as well.

[ that is rather vague. ]

FreeIPS Protected Service Denial Of Service Vulnerability
BugTraq ID: 10541
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10541
Summary:
It is reported that FreeIPS is susceptible to a denial of service
vulnerability.

FreeIPS scans TCP connections for particular strings, defined by
regular expressions. If a packet matches the regular expression,
FreeIPS assumes malicious intent and attempts to close the TCP
connection. It accomplishes this by sending TCP RST packets to both
the client (attacker) and the server (victim TCP server).

The software correctly generates a TCP RST+ACK packet to the
originating client, but the packet sent to the server is incorrectly
generated. The packet sent to the server contains invalid sequence and
acknowledgment numbers and is ignored.

An attacker can deny service to any TCP application protected by
FreeIPS, denying network service to legitimate users.

The attacker would have to know or guess a string pattern that matches
a regular expression in FreeIPS to successfully exploit this
vulnerability.

[ http://sourceforge.net/projects/freeips/, an IPS (Intrusion
  Prevention/Detection System), originally BSD,
]

VICE Monitor Memory Dump Format String Vulnerability
BugTraq ID: 10543
Remote: No
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10543
Summary:
VICE monitor is reported prone to a format string vulnerability. The
issue is reported to exist when output from the monitor "memory dump"
command is displayed. Memory contents are used without sanitization as
the format string for a print formatted function. As a result,
malicious memory contents containing format specifiers will be
interpreted literally when a memory dump is performed; this may result
in attacker-specified memory being corrupted in the context of the
user who is running the VICE monitor memory dump command.

[ VIC-20 emulator ... ]

KAME Racoon IKE Daemon X.509 Improper Certificate Verificati...
BugTraq ID: 10546
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10546
Summary:
It is reported that racoon improperly validates X.509 certificates
when negotiating IPSec connections.

When checking certificate validity, racoon ignores many errors from
OpenSSL and grants access to invalid certificates.

When ignoring these errors, racoon would allow improper certificates
to be used when authenticating connections. This vulnerability would
allow attackers to forge certificates and potentially gain access to
IPSec VPNs. This would also effectively make all certificates
permanent.

The exact versions of racoon that are vulnerable are unknown at this
time.

Thy HTTP Daemon Null Pointer Exception Denial Of Service Vul...
BugTraq ID: 10550
Remote: Yes
Date Published: Jun 15 2004
Relevant URL: http://www.securityfocus.com/bid/10550
Summary:
Thy HTTP Daemon is reportedly affected by a NULL pointer exception
denial of service vulnerability.  This issue is due to a failure of
the application to handle malformed requests.

Successful exploitation of this issue will cause the affected server
to crash, denying service to legitimate users.

[ a lightweight POSIX HTTP daemon under the GPL ]

Cisco IOS Border Gateway Protocol Denial Of Service Vulnerab...
BugTraq ID: 10560
Remote: Yes
Date Published: Jun 16 2004
Relevant URL: http://www.securityfocus.com/bid/10560
Summary:
The problem presents itself when an affected device handles a
malformed or invalid Border Gateway Protocol (BGP) packet. During
processing the offending packet the affected device will reset.

It should be noted that this issue only affects devices with BGP
enabled; BGP is not enabled by default.  It has been reported that
this issue would be very difficult to exploit as it would require
injecting malicious packets into communication between trusted peers.

An attacker may exploit this issue to cause the affected device to
reset, taking several minutes to become functional.  It is possible to
create a persistent denial of service condition by continually
transmitting malformed packets to the affected device.

[ firmware ]

Linux Kernel I2C Bus Driver Integer Overflow
BugTraq ID: 10563
Remote: No
Date Published: Jun 17 2004
Relevant URL: http://www.securityfocus.com/bid/10563
Summary:
The Linux kernel has been reported to be vulnerable to an integer
overflow in the inter integrated circuit (I2C) bus driver.  This issue
is due to a failure of the offending driver to properly validate
user-reported size values.

This issue could be leveraged by an attacker to execute machine code
with the privileges of the affected driver, potentially leading to
privilege escalation and ring 0 access.

It should be noted that in most cases I2C device files are by default
only readable and writable by superusers; in such a case an attacker
would have to have superuser privileges.

Linux Kernel Multiple Device Driver Vulnerabilities
BugTraq ID: 10566
Remote: No
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10566
Summary:
It has been reported that the Linux kernel is vulnerable to multiple
device driver issues. These issues were found during a recent audit of
the Linux kernel source.

Drivers reportedly affected by these issues are: aironet, asus_acpi,
decnet, mpu401, msnd, and pss.

These issues may reportedly allow attackers to gain access to kernel
memory or gain escalated privileges on the affected computer.

MoinMoin Group Name Privilege Escalation Vulnerability
BugTraq ID: 10568
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10568
Summary:
It is reported that MoinMoin contains a privilege escalation
vulnerability whereby regular users can gain administrative
privileges.

MoinMoin allows remote web clients to create their own user accounts
without administrative intervention or approval. It is reported that
if a user creates an account with the same name as an administrative
group, the user will inherit the privileges of that same
administrative group.

An attacker would use this vulnerability to gain complete access to
the MoinMoin Wiki, and could gain access to sensitive information, or
destroy information.

Versions before 1.2.2 are reported vulnerable.

[ Wiki written in Python ]
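The MoinMoin item above is a name-space collision between two kinds of principal: self-registered users and access-control groups. The following is an added example (not MoinMoin's code; the "...Group" naming convention, the membership table and the page ACL are constructed for the example) that models the flaw as an ACL resolver matching a user's own name against group entries, and then shows the two fixes a practitioner would want: a resolver that lets group entries match only through membership, and a registration check that refuses group-shaped account names outright.

```python
import re

# Added example, not MoinMoin's code. Models the advisory's condition: anyone
# may register an account, and ACLs grant rights to group names. If users and
# groups share one name space, an account named like a group inherits the
# group's rights.

# Assumed convention for this example: group pages are named "...Group".
GROUP_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*Group$")

GROUPS = {"AdminGroup": {"AliceAdmin"}}            # constructed membership
ACL = {"SiteConfig": {"AdminGroup": {"read", "write", "admin"},
                      "All": {"read"}}}            # constructed page ACL


def principals_vulnerable(user, groups):
    """Name-based matching: the user's own name is compared against every ACL
    entry, so a user literally named "AdminGroup" matches the group entry."""
    names = {user, "All"}
    names |= {g for g, members in groups.items() if user in members}
    return names


def principals_safe(user, groups):
    """Group entries match only through membership; a user name that looks
    like a group name is never used as a principal in its own right."""
    names = {"All"}
    if not GROUP_NAME.match(user):
        names.add(user)
    names |= {g for g, members in groups.items() if user in members}
    return names


def rights(user, page, groups=GROUPS, acl=ACL, resolver=principals_safe):
    """Union of the permissions of every ACL entry the user resolves to."""
    granted = set()
    principals = resolver(user, groups)
    for entry, perms in acl[page].items():
        if entry in principals:
            granted |= perms
    return granted


def registration_allowed(username, groups=GROUPS):
    """Second layer: refuse account names that collide with the group name
    space at all, whether or not such a group exists yet."""
    return bool(not GROUP_NAME.match(username) and username not in groups)


if __name__ == "__main__":
    print(rights("AdminGroup", "SiteConfig", resolver=principals_vulnerable))
    print(rights("AdminGroup", "SiteConfig"))     # {'read'}
    print(registration_allowed("AdminGroup"))     # False
```

Both layers are worth keeping: the resolver fix protects accounts that already exist, while the registration check keeps group-shaped names from ever entering the user table.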

Asterisk PBX Multiple Logging Format String Vulnerabilities
BugTraq ID: 10569
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10569
Summary:
It is reported that Asterisk is susceptible to format string
vulnerabilities in its logging functions.

An attacker may use these vulnerabilities to corrupt memory, and read
or write arbitrary memory. Remote code execution is likely possible.

Due to the nature of these vulnerabilities, there may exist many
different avenues of attack. Anything that can potentially call the
logging functions with user-supplied data is vulnerable.

Versions 0.7.0 through to 0.7.2 are reported vulnerable.

[ in particular if you control the caller-id information
