[gull-annonces] Summary of SecurityFocus Newsletter #255

Marc SCHAEFER schaefer at alphanet.ch
Wed Jun 30 11:11:02 CEST 2004


Infoblox DNS One Script Injection Vulnerability
BugTraq ID: 10573
Remote: Yes
Date Published: Jun 19 2004
Relevant URL: http://www.securityfocus.com/bid/10573
Summary:
The Infoblox DNS One appliance has been reported prone to a script
injection vulnerability.  A remote attacker could potentially gain
access to the vulnerable device or potentially execute script on the
computer used to access the device.  The issue is only present if the
device is being used for DHCP.

[ `firmware' ]

RSSH Information Disclosure Vulnerability
BugTraq ID: 10574
Remote: Yes
Date Published: Jun 19 2004
Relevant URL: http://www.securityfocus.com/bid/10574
Summary:
rssh contains a vulnerability that could allow users within a chroot
jail to determine the existence of files outside the chroot jail.
Information gathered in this manner can be used to launch further
attacks against the system.

This vulnerability is reported to exist in rssh versions 2.0 to 2.1.x.

super Local Format String Vulnerability
BugTraq ID: 10575
Remote: No
Date Published: Jun 19 2004
Relevant URL: http://www.securityfocus.com/bid/10575
Summary:
super is prone to a locally exploitable format string
vulnerability. The problem occurs due to the incorrect usage of
programming functions designed to take formatted arguments.

Because of this, attacker supplied format specifiers will be
interpreted literally by the vulnerable program. This vulnerability
may provide a conduit for an attacker to influence arbitrary writes
into process memory space.  Ultimately this vulnerability may be
exploited in order to have arbitrary code executed with superuser
privileges.

**Update: This issue was originally believed to be a duplicate of BID
5367, however further reports indicate that this is not the
case. Therefore this BID is reinstated.

[ what is it for? what license? ]

WWW-SQL Include Command Buffer Overflow Vulnerability
BugTraq ID: 10577
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10577
Summary:
www-sql is reportedly vulnerable to a buffer overflow vulnerability in
its include command implementation.  This issue arises due to a
failure of the affected application to properly handle user-supplied
strings when copying them into finite stack-based buffers.

An attacker can leverage this issue to manipulate process memory; by
supplying program code as well as a specially selected memory address,
an attacker can gain control of the process's execution flow, allowing
for arbitrary code execution.

[ http://www.jamesh.id.au/software/www-sql/ ]

rlpr msg() Function Multiple Vulnerabilities
BugTraq ID: 10578
Remote: Yes
Date Published: Jun 19 2004
Relevant URL: http://www.securityfocus.com/bid/10578
Summary:
It is reported that rlpr is prone to multiple vulnerabilities.  These
vulnerabilities can allow a remote attacker to execute arbitrary code
in order to gain unauthorized access.

The application is affected by a format string vulnerability.  This
vulnerability presents itself due to insufficient sanitization of
user-supplied data through the 'msg()' function.

The 'msg()' function is also affected by a buffer overflow
vulnerability.  This issue occurs due to insufficient boundary
checking and may also be exploited to gain unauthorized access to a
vulnerable computer.

rlpr versions 2.04 and prior are affected by these issues.

[ see http://www.debian.org/security/2004/dsa-524. Note that rlpr's
  functionality can be emulated with lpr -Plp@1.2.3.4 using lprng,
  even without a local server enabled ]

monit Authentication Handling Buffer Overflow Vul...
BugTraq ID: 10581
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10581
Summary:
It is reported that monit is vulnerable to a buffer
overflow vulnerability during authentication handling. This issue
arises due to a failure of the affected application to properly handle
user-supplied strings when copying them into finite stack-based
buffers.

Successful exploitation of this issue allows an attacker to execute
arbitrary code as the superuser; facilitating unauthorized access and
privilege escalation.

[ monit monitor / alerter, http://www.tildeslash.com/monit/, GPL ]

GNU Radius SNMP OID Remote Denial Of Service Vulnerability
BugTraq ID: 10582
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10582
Summary:
GNU Radius is reported prone to a remote denial of service
vulnerability. The issue is reported to present itself when GNU Radius
handles SNMP messages that contain invalid Object ID data. It is
reported that this vulnerability will exist only when the affected
Radius server is compiled with the '-enable-snmp' option.

[ SNMP, ASN.1 in all its buffer-overflow glory. Radius is an
  authentication protocol for routers, concentrators, terminal
  servers and PPP servers ]

nCipher netHSM Logged Passphrase Information Disclosure Vuln...
BugTraq ID: 10583
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10583
Summary:
It is reported that nCipher's netHSM improperly logs passphrases
entered via the netHSM front panel.

Passphrases are improperly logged when entered on the front panel of
the netHSM device, either through the built-in thumbwheel or a
directly attached keyboard. Under certain configurations, these
passphrases are also sent to a remote filesystem.

If an attacker has access to the passphrases, it may aid them in
further attacks. Exploitation of the netHSM infrastructure requires
physical access to a hardware smartcard, the netHSM device, an
acquired passphrase, and access to host data.

If the passphrase is reused in a different context, an attacker may be
able to launch further attacks.

A firmware upgrade is available resolving this issue.

[ firmware ]

Multiple Vendor Broadband Router Web-Based Administration De...
BugTraq ID: 10585
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10585
Summary:
Multiple broadband routers from several different vendors, used for
home and small office Internet sharing and routing are reported
affected by a denial of service vulnerability in their web-based
administration interfaces.

The embedded web server is reportedly unable to maintain more than a
small number of simultaneous TCP connections. An attacker who
maintains a number of connections to port 80 of an affected device
will block access to the web administration application for legitimate
users.

An attacker could block access to the administration interface as long
as they can maintain the TCP connections.

Netgear FVS318, Linksys BEFSR41, and Microsoft MN-500 devices are
reported to be susceptible.

[ firmware, probably the same proprietary TCP/IP stack ]

D-Link AirPlus DI-614+ DHCP Log HTML Injection Vulnerability
BugTraq ID: 10587
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10587
Summary:
It is reported that the DI-614+ is susceptible to an HTML injection
vulnerability in its DHCP log.

An attacker who has access to the wireless segment of the router can
craft malicious DHCP hostnames, that when sent to the router, will be
logged for later viewing by the administrator of the device.

The injected HTML can be used to cause the administrator to make
unintended changes to the configuration of the router. Other attacks
may be possible.

Although only the DI-614+ is reported vulnerable, code reuse across
devices is common and other products may also be affected.

SqWebMail Email Header HTML Injection Vulnerability
BugTraq ID: 10588
Remote: Yes
Date Published: Jun 21 2004
Relevant URL: http://www.securityfocus.com/bid/10588
Summary:
SqWebMail is reported to be prone to an email header HTML injection
vulnerability.  This issue presents itself due to a failure of the
application to properly sanitize user-supplied email header strings.

The problem presents itself when an unsuspecting user views an email
message containing malicious HTML and script code in the email header.

An attacker can exploit this issue to gain access to an unsuspecting
user's cookie based authentication credentials.
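
The DI-614+ DHCP log entry and the SqWebMail header entry above are the
same bug: attacker-chosen text (a DHCP hostname, a mail header) is written
into an HTML page without escaping. The C below is an added illustration,
not firmware or SqWebMail code; html_escape(), hostname_is_plain() and
dhcp_log_row() are hypothetical names. It escapes the HTML metacharacters
before the value reaches the admin page and, for the DHCP case, shows the
stricter option of refusing a hostname that contains anything but hostname
characters.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that change meaning in HTML text and attributes.
 * Returns the escaped length, or -1 if 'out' is too small (then 'out' is an
 * empty string, never a half-escaped one that could still inject). */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outsz) {       /* keep room for the terminating NUL */
            out[0] = '\0';
            return -1;
        }
        if (rep) { memcpy(out + o, rep, need); o += need; }
        else out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Defence in depth for the DHCP case: a host-name option only needs letters,
 * digits, '-' and '.', so anything else can be refused before it is logged. */
int hostname_is_plain(const char *h)
{
    if (*h == '\0') return 0;
    for (; *h; h++)
        if (!isalnum((unsigned char)*h) && *h != '-' && *h != '.')
            return 0;
    return 1;
}

/* Hypothetical log-row builder for the router's admin page: the client's
 * hostname is escaped before it is embedded.  Returns the row length or -1. */
int dhcp_log_row(const char *hostname, const char *ip, char *out, size_t outsz)
{
    char safe[256];
    if (html_escape(hostname, safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(out, outsz, "<tr><td>%s</td><td>%s</td></tr>", ip, safe);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```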

BT Voyager 2000 Wireless ADSL Router SNMP Community String ...
BugTraq ID: 10589
Remote: Yes
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10589
Summary:
BT Voyager 2000 Wireless ADSL Router is reported prone to a sensitive
information disclosure vulnerability.

It is reported that 'public' SNMP MIB community strings, which are
world readable by default, contain sensitive information pertaining to
the internal protected network.

Data collected by exploiting this vulnerability may be used in further
attacks against the victim network.

[ SNMP strikes again. Firmware ]

ISC DHCPD Hostname Options Logging Buffer Overflow Vulnerabi...
BugTraq ID: 10590
Remote: Yes
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10590
Summary:
ISC DHCPD is prone to a remotely exploitable buffer overflow
vulnerability.  This issue exists in routines responsible for logging
hostname options provided by DHCP clients.  Successful exploitation
could result in execution of arbitrary code in the context of the
DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and
3.0.1rc13.  The vulnerable code exists in previous versions of ISC
DHCPD 3, but is only believed to be exploitable in these two releases.

ISC DHCPD VSPRINTF Buffer Overflow Vulnerability
BugTraq ID: 10591
Remote: Yes
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10591
Summary:
ISC DHCPD is reported likely vulnerable to remotely exploitable buffer
overflow vulnerabilities on systems which lack a vsnprintf() library
function.

On systems which lack the vsnprintf() library call, ISC DHCPD defines
vsnprintf as:

#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

This definition discards the size argument to the function,
potentially allowing any occurrence of vsnprintf() to be exploitable,
by overflowing whatever intended buffer is passed to the library call.

Other locations in DHCPD utilizing this function may be
exploitable. Successfully exploiting this issue may lead to a denial
of service condition, or remote code execution in the context of the
DHCPD server.

This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and
3.0.1rc13.

[ GNU/Linux has vsnprintf. Not a problem for *this* platform. ]

Linux Kernel IEEE 1394 Integer Overflow Vulnerability
BugTraq ID: 10593
Remote: No
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10593
Summary:
The driver for IEEE 1394 in the Linux kernel is reported to contain an
integer overflow vulnerability.

The driver contains a function called alloc_hpsb_packet(). This
function takes an unsigned integer argument and uses it to allocate
kernel memory. When allocating memory, the value is incremented,
potentially overflowing the integer.

There are multiple code paths leading to the vulnerable
alloc_hpsb_packet() function, with multiple possible methods of
exploiting this vulnerability.

Successful exploitation could lead to system crash, or possible code
execution.

FreeBSD execve() Unaligned Memory Access Denial Of Service V...
BugTraq ID: 10596
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10596
Summary:
It is reported that FreeBSD running on the Alpha architecture is
susceptible to a denial of service vulnerability in its execve()
system call.

An attacker with local interactive user-level access on an affected
machine is reportedly able to crash FreeBSD when running on the Alpha
architecture, denying service to legitimate users.

FreeBSD 5.1-RELEASE/Alpha is reported vulnerable, other architectures
with strict memory alignment requirements are also likely
vulnerable. IA32 is reported immune. Versions other than 5.1-RELEASE
are likely affected as well.

cplay Insecure Temporary File Handling Symbolic Link Vulnera...
BugTraq ID: 10597
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10597
Summary:
It is reported that cplay is prone to a local insecure temporary file
handling symbolic link vulnerability. This issue is due to a design
error that allows the application to insecurely write to a temporary
file that is created with a predictable file name. The cplay utility
will write to this file before verifying its existence; this would
facilitate a symbolic link attack.

[ front end for sound players, http://www.tf.hut.fi/~flu/cplay/ ]

Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow...
BugTraq ID: 10599
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10599
Summary:
It is reported that the bcm5820 Linux kernel driver contains an
integer overflow vulnerability.

The driver contains a function ubsec_ioctl() which is used to setup
operating parameters for the driver. This function takes user-supplied
data and copies it into kernel-space. When copying this data, a
user-supplied length value is used in a calculation. This calculation
could cause an integer overflow when allocating buffer space.

This vulnerability could lead to a system crash, or possible code
execution in the context of the kernel.

This driver is not present in the vanilla Linux kernel, nor is it
standard in most distributions of Linux. Redhat 8, with Linux kernel
2.4.20 is confirmed to include the vulnerable driver, but others are
also potentially vulnerable.

[ Broadcom drivers are often found on Dell machines, and their
  source, even when it is sometimes available, is not currently
  integrated into the kernel. ]
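
The two kernel integer-overflow entries above (alloc_hpsb_packet() in the
IEEE 1394 driver and ubsec_ioctl() in the bcm5820 driver) share one root
cause: a caller-supplied length is added to a header size before allocation
and the sum wraps, so a tiny buffer is allocated and later overrun. The C
below is an added illustration, not code from either driver; struct packet,
packet_alloc() and the helper names are hypothetical. It shows the checked
addition that refuses a wrapping size before the allocation is attempted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packet layout; the real hpsb/bcm5820 structures are not on
 * the page.  The payload follows the fixed header (C99 flexible array). */
struct packet {
    size_t data_size;
    unsigned char data[];
};

/* Add a header size and a payload size without wrapping.  Returns 1 and
 * stores the total in *out on success, 0 if the sum would overflow size_t. */
static int checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* Allocate room for a caller-supplied payload length.  The vulnerable
 * pattern is malloc(sizeof(hdr) + len) with len chosen by the caller: when
 * the sum wraps, a small buffer comes back and the copy of len bytes overruns
 * it.  Here a wrapping size is refused up front; NULL also covers malloc
 * failure, so callers have a single condition to test. */
struct packet *packet_alloc(size_t data_size)
{
    size_t total;
    struct packet *p;

    if (!checked_add_size(sizeof(*p), data_size, &total))
        return NULL;
    p = malloc(total);
    if (p == NULL)
        return NULL;
    memset(p, 0, sizeof(*p));
    p->data_size = data_size;
    return p;
}

/* Does the size computation wrap for this length?  (used by the checks) */
int packet_size_wraps(size_t data_size)
{
    size_t total;
    return !checked_add_size(sizeof(struct packet), data_size, &total);
}

/* Allocate, verify, free: returns 1 if a packet for 'n' bytes was obtained. */
int packet_alloc_ok(size_t n)
{
    struct packet *p = packet_alloc(n);
    if (p == NULL)
        return 0;
    int ok = p->data_size == n;
    free(p);
    return ok;
}
```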

3Com SuperStack Switch Web Interface Denial Of Service Vulne...
BugTraq ID: 10601
Remote: Yes
Date Published: Jun 24 2004
Relevant URL: http://www.securityfocus.com/bid/10601
Summary:
It has been reported that 3Com SuperStack switches are affected by a
denial of service vulnerability.  This issue arises due to a failure
of the device to handle exceptional input.

This issue will allow an attacker to cause the affected device to
reset, denying service to legitimate users.

[ firmware ]

GNU gzexe Temporary File Command Execution Vulnerability
BugTraq ID: 10603
Remote: Yes
Date Published: Jun 24 2004
Relevant URL: http://www.securityfocus.com/bid/10603
Summary:
Reportedly gzexe is affected by a temporary file command execution
vulnerability.  This issue is due to a failure of the application to
properly handle an exceptional condition when attempting to create
temporary files.

This issue may allow an attacker to execute an arbitrary file in the
context of an unsuspecting user; this may potentially lead to
privilege escalation or unauthorized access.

[ gzexe compresses executables that are decompressed on the fly at
  execution time. Never used it. ]
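
The cplay and gzexe entries above are both temporary-file races: the
program writes to a predictable name without first making sure nothing
(such as a planted symlink) is already there. The C below is an added
illustration, not code from either program; create_private_file(),
create_unpredictable_temp() and refuses_planted_symlink() are hypothetical
names. It shows the O_CREAT|O_EXCL open that fails instead of following a
pre-existing link, the mkstemp() form for when the name does not matter, and
a self-check that stages the symlink scenario in a private directory.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, mkdtemp, symlink on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Create a brand-new private file at 'path'.  O_EXCL makes open() fail with
 * EEXIST if anything is already there, including a symlink another user
 * planted at the predictable name, so the write can never be redirected.
 * Returns the fd, or -1 with errno set. */
int create_private_file(const char *path)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;       /* belt and braces on systems that have it */
#endif
    return open(path, flags, 0600);
}

/* When the name itself does not matter, let mkstemp() choose an unpredictable
 * one and create it atomically.  'tmpl' must end in XXXXXX and is overwritten
 * with the name actually used. */
int create_unpredictable_temp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Self-check: plant a symlink where a cplay/gzexe-style program would expect
 * to create its temp file (constructed scenario in a private directory), then
 * confirm the hardened creator refuses to open through it.  Returns 1 if it
 * refused, 0 if it followed the link, -1 on setup failure. */
int refuses_planted_symlink(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char victim[64], planted[64];
    int fd, refused;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/cplay.tmp", dir);
    if (symlink(victim, planted) != 0)
        return -1;
    fd = create_private_file(planted);
    refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return refused;
}
```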

Dr.Cat drcatd Multiple Local Buffer Overflow Vulnerabilities
BugTraq ID: 10608
Remote: No
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10608
Summary:
Dr.Cat is reported prone to multiple local buffer overflow
vulnerabilities.  These vulnerabilities exist due to insufficient
boundary checks performed by certain functions of the application.
These vulnerabilities may allow a local attacker to gain unauthorized
access and/or elevated privileges on a vulnerable computer.

An attacker may also be able to exploit this issue remotely, however,
this cannot be confirmed at the moment.

All versions of the application are considered to be vulnerable at
this moment.

[ why not do alias rcat=ssh remote host cat or something
  equivalent? ]

GNU GNATS syslog() Format String Vulnerability
BugTraq ID: 10609
Remote: Yes
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10609
Summary:
It is reported that GNU GNATS contains a format string vulnerability
in its logging function.

GNATS has the ability to log to various files: stderr, syslog() or a
file.

If an attacker devises a method of controlling the arguments to the
logging function, they would be able to read or write arbitrary
locations in memory. Code execution could be possible.

GNU GNATS version 4.0 is reported vulnerable. Other versions may also
be affected.
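
The super, rlpr msg() and GNATS syslog() entries above are all the same
class of bug: text an attacker controls is handed to a printf-style
function as the format itself. The C below is an added illustration, not
code from any of those programs; msg_format(), msg_vformat() and
looks_like_format() are hypothetical names. It shows the msg()-style wrapper
done safely, with the user text travelling only as a %s argument so that
specifiers in it come out as literal characters, and with the size passed to
vsnprintf() honoured and checked, unlike the vsprintf()-based macro quoted in
the ISC DHCPD entry.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical msg()-style helper.  The vulnerable pattern the entries
 * describe is, in effect:
 *     syslog(LOG_INFO, user_text);      or      printf(user_text);
 * where user_text becomes the format string and any %x / %n inside it is
 * interpreted.  Here the format is a program constant and the user text is
 * only ever a %s argument, so "%x%x%n" is copied out as literal characters.
 * Returns the message length, or -1 if it did not fit in 'out'. */
int msg_format(char *out, size_t outsz, const char *prefix, const char *user_text)
{
    int n = snprintf(out, outsz, "%s: %s", prefix, user_text);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';          /* never hand back a truncated message */
        return -1;
    }
    return n;
}

/* Variadic front end, the usual shape of a msg()/log() wrapper.  Two rules:
 * callers pass a constant format with user data as arguments, and the size
 * given to vsnprintf() is honoured and its result checked. */
int msg_vformat(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Cheap audit helper: does a string contain a conversion specifier?  Handy
 * for asserting that data from the network never reaches a fmt parameter.
 * "%%" is a literal percent sign; a lone trailing '%' is flagged too. */
int looks_like_format(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}
```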

sysstat Multiple Local Buffer Overflow Vulnerabilities
BugTraq ID: 10610
Remote: No
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10610
Summary:
sysstat is reported prone to multiple local buffer overflow
vulnerabilities. It is reported that these vulnerabilities are not
exploitable to execute arbitrary code.

However, although unconfirmed, due to the nature of these
vulnerabilities, the issue may be exploitable in order to execute
arbitrary code on certain platforms or when certain compilers are
used.

[ http://perso.wanadoo.fr/sebastien.godard/, oddly these are rather
  system administration utilities. Is the overflow in reading system
  data such as SYSV acct?
  Otherwise the exploit is worthless. ]

FreeS/WAN X.509 Patch Certificate Verification Vulnerability
BugTraq ID: 10611
Remote: Yes
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10611
Summary:
FreeS/WAN X.509 patch is reported susceptible to a certificate
verification vulnerability.

When the vulnerable implementation is negotiating an IPSec connection
using PKCS#7 wrapped X.509 certificates, it can be fooled into
authenticating fake certificates.

If an attacker crafts a Certificate Authority (CA) certificate and a
user certificate with identical subjects, they can reportedly be
improperly authenticated by FreeS/WAN.

Using this vulnerability, an attacker could potentially successfully
authenticate to a FreeS/WAN VPN server. Further attacks on machines
now accessible to the attacker are likely possible.

**Update: This vulnerability was previously thought to exist in the
FreeS/WAN application, however, new information suggests that the
issue is present in the X.509 patch for the application.
