[gull-annonces] SecurityFocus Newsletter #139 summary

Marc SCHAEFER schaefer at alphanet.ch
Wed Mar 10 11:01:02 CET 2004


NOTES
   - Apparently securityfocus is no longer interested in telling us
     the role and licences of the software, nor even the platforms.
     I will do my best to fill this in.
   - The accepted entries are:
        - free software only
        - no games or chat clients/servers, etc.
        - no PHP (possibly if it concerns the core,
          but not random scripts)
        - firmware, as an exception.

calife local overflow
BugTraq ID: 9756
Remote: No
Date Published: Feb 27 2004
Relevant URL: http://www.securityfocus.com/bid/9756
Summary:
Calife is reportedly prone to a locally exploitable heap overrun
vulnerability.  This issue is due to insufficient bounds checking of
password input.  If this issue was successfully exploited to execute
arbitrary code, it could potentially allow an unprivileged local user to
gain root access.

It has been reported that this issue may actually be indicative of a more
serious problem in the glibc implementation of the getpass() function.
This has not been confirmed.  This BID will be updated as more information
is provided.

[ calife is a lightweight version of sudo ]

UUDeview MIME Archive Buffer Overrun Vulnerability
BugTraq ID: 9758
Remote: Yes
Date Published: Feb 27 2004
Relevant URL: http://www.securityfocus.com/bid/9758
Summary:
A buffer overrun vulnerability has been reported in UUDeview.  This issue
exists in the MIME parsing routines.

It is reported that this issue may be exploited via a malicious MIME
archive that specifies excessively long strings for various parameters.
This could be exploited to execute arbitrary code on a system in the
context of a user who opens a malicious MIME archive using the UUDeview
program.

It should be noted that UUDeview is shipped as a component of WinZip.

[ free software, available in some distributions ]

FreeBSD Unauthorized Jailed Process Attaching Vulnerability
BugTraq ID: 9762
Remote: No
Date Published: Feb 27 2004
Relevant URL: http://www.securityfocus.com/bid/9762
Summary:
A vulnerability was reported in FreeBSD that may permit a jailed process
with superuser privileges to gain unauthorized access to other jails.
This is due to an access validation issue in the jail_attach(2) system
call.

GNU Anubis Multiple Remote Buffer Overflow and Format String...
BugTraq ID: 9772
Remote: Yes
Date Published: Mar 01 2004
Relevant URL: http://www.securityfocus.com/bid/9772
Summary:
GNU Anubis has been reported prone to multiple buffer overflow and format
string vulnerabilities.  It has been conjectured that a remote attacker
may potentially exploit these vulnerabilities to have arbitrary code
executed in the context of the Anubis software.  The buffer overflow
vulnerabilities exist in the 'auth_ident' function in 'auth.c'.  The
format string vulnerabilities are reported to affect the 'info' function
in 'log.c', the 'anubis_error' function in 'errs.c' and the 'ssl_error'
function in 'ssl.c'.

These vulnerabilities have been reported to exist in GNU Anubis versions
3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93.  It is possible that other
versions are affected as well.

These issues are undergoing further analysis; they will be divided into
separate BIDs as analysis is completed.

Squid Proxy NULL URL Character Unauthorized Access Vulnerabi...
BugTraq ID: 9778
Remote: Yes
Date Published: Mar 01 2004
Relevant URL: http://www.securityfocus.com/bid/9778
Summary:
It has been reported that Squid Proxy may be prone to an unauthorized
access vulnerability that may allow remote users to bypass access controls
resulting in unauthorized access to attacker-specified resources.  The
vulnerability presents itself when a URI that is designed to access a
specific location with a supplied username contains '%00' characters.
This sequence may be placed as part of the username value prior to the @
symbol in the malicious URI.

Squid Proxy versions 2.0 to 2.5 STABLE4 are reported to be prone to this
vulnerability.
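Added example, not part of the advisory or of Squid itself: a defender-side check that flags request URLs whose userinfo (the part before '@') decodes to a string containing a NUL byte, the pattern the summary describes. The sample URLs and function names are constructed assumptions; what the proxy's ACL does with such a value is not detailed by the advisory, so the code only detects it.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample request URLs (not from the advisory). Two carry a
# '%00' sequence inside the userinfo before '@'; one has it in the query
# only, which is not the pattern described and must not be flagged.
SAMPLE_URLS = [
    "http://intranet.example/",
    "http://alice@intranet.example/",
    "http://alice%00@intranet.example/secret",
    "http://alice%00bob:pw@intranet.example/",
    "http://intranet.example/?q=%00",
]

def userinfo_of(url: str) -> str:
    """Return the raw (still percent-encoded) userinfo of a URL, or ''."""
    netloc = urlsplit(url).netloc
    # rsplit: the host is whatever follows the last '@' in the authority.
    return netloc.rsplit("@", 1)[0] if "@" in netloc else ""

def userinfo_has_nul(url: str) -> bool:
    """True when the percent-decoded userinfo contains a NUL byte."""
    return "\x00" in unquote(userinfo_of(url))

def flag_requests(urls) -> list:
    """Filter a batch of request URLs down to those worth alerting on."""
    return [u for u in urls if userinfo_has_nul(u)]

if __name__ == "__main__":
    for u in flag_requests(SAMPLE_URLS):
        print("NUL in userinfo:", u)
```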

Motorola T720 Phone Denial Of Service Vulnerability
BugTraq ID: 9779
Remote: Yes
Date Published: Mar 01 2004
Relevant URL: http://www.securityfocus.com/bid/9779
Summary:
The Motorola T720 has been reported prone to a remote denial of service
vulnerability. The issue presents itself when the phone handles excessive
IP based traffic under certain circumstances.

An attacker may potentially exploit this issue to cause a target phone to
crash.

[ firmware ]

ProFTPD _xlate_ascii_write() Buffer Overrun Vulnerability
BugTraq ID: 9782
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9782
Summary:
A remotely exploitable buffer overrun was reported in ProFTPD.  This issue
is due to insufficient bounds checking of user-supplied data in the
_xlate_ascii_write() function, permitting an attacker to overwrite two
bytes of memory adjacent to the affected buffer.  This may potentially be
exploited to execute arbitrary code in the context of the server.  This
issue may be triggered when submitting a RETR command to the server.

Symantec Firewall/VPN Appliance Cached Plaintext Password Vu...
BugTraq ID: 9784
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9784
Summary:
It has been reported that Symantec Firewall/VPN Appliance is prone to an
issue where, depending on browser settings, administration password
credentials may be stored in the browser/proxy cache in plaintext format.

Symantec Firewall/VPN Appliance Models 100, 200, 200R are reported to be
prone to this vulnerability.

[ firmware ]

Nortel Wireless LAN Access Point 2200 Series Denial Of Servi...
BugTraq ID: 9787
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9787
Summary:
Nortel Wireless LAN Access Point 2200 series appliances have been reported
to be prone to a remote denial of service vulnerability.  The issue is
reported to present itself when a large network request is handled by one
of the Wireless LAN Access Point default administration services. This
will reportedly cause the Access Point Appliance Operating service to
crash, effectively denying service to legitimate users.

[ firmware ]

SonicWall Firewall/VPN Appliance Multiple ARP Request Handli...
BugTraq ID: 9789
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9789
Summary:
Several problems in the handling of ARP requests have been identified in
SonicWall VPN and Firewall devices.  Because of this, an attacker may be
able to gain access to sensitive information about networks behind
SonicWall devices.  Denial of service attacks through affected devices are
also possible.

[ firmware ]

NetScreen SA 5000 Series delhomepage.cgi Cross-Site Scriptin...
BugTraq ID: 9791
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9791
Summary:
It has been reported that NetScreen SA 5000 Series may be prone to a
cross-site scripting vulnerability that may allow an attacker to execute
arbitrary HTML or script code in the browser of a vulnerable user.  The
issue presents itself due to insufficient sanitization of user-supplied
data via the 'row' parameter of the 'delhomepage.cgi' CGI binary.

The vulnerability has been discovered in an appliance called
A5030-Clustered pair running IVE firmware version 3.3 Patch 1 build 4797.

[ firmware ]

FreeBSD Out Of Sequence Packets Remote Denial Of Service Vul...
BugTraq ID: 9792
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9792
Summary:
A problem in the handling of out-of-sequence packets has been identified
in FreeBSD.  Because of this, it may be possible for remote attackers to
deny service to legitimate users of vulnerable systems.

Coreutils DIR Width Argument Integer Overflow Vulnerability
BugTraq ID: 9793
Remote: Unknown
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9793
Summary:
Coreutils 'dir' has been reported prone to an integer overflow
vulnerability. The issue reportedly presents itself when handling a large
integer value passed via the '-w' (width) command line argument of the
vulnerable application.

Due to the nature of this issue it may possibly be leveraged to deny
service to applications that use the 'dir' utility.  It has been
conjectured that when invoked by an application with a malicious integer
value passed via the '-w' argument, the affected application may hang
while waiting for the utility to return output.

SureCom Network Device Malformed Web Authorization Request D...
BugTraq ID: 9795
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9795
Summary:
An issue in the handling of specific web requests by SureCom network
devices has been identified.  By placing a malformed request to the web
configuration interface, it is possible for an attacker to deny service to
legitimate users of a vulnerable device.

[ firmware ]

QMail-QMTPD RELAYCLIENT Environment Variable Integer Overflo...
BugTraq ID: 9797
Remote: Yes
Date Published: Mar 03 2004
Relevant URL: http://www.securityfocus.com/bid/9797
Summary:
An integer overflow vulnerability has been reported in qmail-qmtpd.  This
issue exists in code that processes values supplied to qmail-qmtpd in
RELAYCLIENT data.  Though unconfirmed, this issue may be exploitable to
execute arbitrary code with elevated privileges.

It should be noted that this issue does not exist in the default
configuration and is only exposed if mail relaying is enabled by setting
the RELAYCLIENT environment variable.

Multiple Vendor HTTP Response Splitting Vulnerability
BugTraq ID: 9804
Remote: Yes
Date Published: Mar 04 2004
Relevant URL: http://www.securityfocus.com/bid/9804
Summary:
A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning
Attacks, and Related Topics) was released to describe various attacks that
target web users through web application, browser, web/application server
and proxy implementations.  These attacks are described under the general
category of HTTP Response Splitting and involve abusing various input
validation flaws in these implementations to split HTTP responses into
multiple parts in such a way that response data may be misrepresented to
client users.

Exploitation would occur by injecting variations of CR/LF sequences into
parts of HTTP response headers that the attacker may control or influence.
The general consequences of exploitation are that an attacker may
misrepresent web content to the client, potentially enticing the user to
trust the content and take actions based on this false trust.

While the various implementations listed in the paper contribute to these
attacks, this issue will most likely be exposed through web applications
that do not properly account for CR/LF sequences when accepting
user-supplied input that may be returned in server responses.

This vulnerability could also aid in exploitation of cross-site scripting
vulnerabilities.
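Added illustration, not taken from the advisory or from the paper it cites: the unchecked header construction the summary warns about, beside a hardened form that refuses CR/LF in the value, plus a small parser that counts how many HTTP responses a client or cache would see in the resulting bytes. The builder and function names are assumptions; the check must run on the value after any URL-decoding the application has already done.

```python
import re

# A client or cache starts a new response at each status line it sees.
STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] \d{3} ")

def build_redirect_unsafe(location: str) -> bytes:
    """'Before' form: a user-influenced value goes into Location unchecked."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")

def build_redirect_safe(location: str) -> bytes:
    """Hardened form: a header value may never contain CR or LF."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not permitted in a header value")
    return build_redirect_unsafe(location)

def count_responses(raw: bytes) -> int:
    """Number of responses a client or proxy parsing `raw` would see."""
    return len(STATUS_LINE.findall(raw))

def describe(location: str) -> tuple:
    """(responses seen from the unsafe builder, whether the safe one refused)."""
    seen = count_responses(build_redirect_unsafe(location))
    try:
        build_redirect_safe(location)
        refused = False
    except ValueError:
        refused = True
    return seen, refused

if __name__ == "__main__":
    # Constructed inputs: a normal path, and one carrying CR/LF sequences
    # followed by a second, attacker-shaped response header block.
    print(describe("/account"))
    print(describe("/account\r\nContent-Length: 0\r\n\r\n"
                   "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"))
```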

Cisco Content Service Switch Management Port UDP Denial Of S...
BugTraq ID: 9806
Remote: Yes
Date Published: Mar 04 2004
Relevant URL: http://www.securityfocus.com/bid/9806
Summary:
A problem in the handling of some types of malformed UDP network traffic
to the Cisco Content Service Switch management port has been identified.
Because of this, it may be possible for an attacker to deny service to
legitimate users of vulnerable systems.

[ firmware ]