[gull-annonces] Résumé SecurityFocus Newsletter #267

Marc SCHAEFER schaefer at alphanet.ch
Thu Sep 23 17:11:02 CEST 2004


John Sterling mod_cplusplus Buffer Overflow Vulnerability
BugTraq ID: 11152
Remote: Yes
Date Published: Sep 10 2004
Relevant URL: http://www.securityfocus.com/bid/11152
Summary:
John Sterling mod_cplusplus is a framework for creating Apache modules
in C++. This is designed to function in a similar fashion as mod_perl.

It is reported that mod_cplusplus contains a buffer overflow
vulnerability.

This may allow attacker-supplied data to overwrite a fixed size memory
buffer, corrupting adjacent memory regions. This may allow for denial
of service conditions, or possible remote code execution.

Versions prior to 1.4.1 are reported susceptible to this
vulnerability.

Apache Web Server Configuration File Environment Variable Lo...
BugTraq ID: 11182
Remote: No
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11182
Summary:
Reportedly the Apache Web Server is affected by a configuration file
environment variable local buffer overflow vulnerability.  This issue
is due to a failure of the affected application to validate
user-supplied string lengths before copying them into finite process
buffers.

An attacker may leverage this issue to execute arbitrary code on the
affected computer with the privileges of the Apache Web Server
process.

Apache mod_ssl Remote Denial of Service Vulnerability
BugTraq ID: 11154
Remote: Yes
Date Published: Sep 10 2004
Relevant URL: http://www.securityfocus.com/bid/11154
Summary:
Apache 2.x mod_ssl is reported prone to a remote denial of service
vulnerability.  This issue likely exists because the application fails
to handle exceptional conditions.  The vulnerability originates in the
'char_buffer_read' function of the 'ssl_engine_io.c' file.

It is likely that this issue only results in a denial of service
condition in a child process.  This BID will be updated as more
information becomes available.

Apache 2.0.50 is reported to be affected by this issue, however, it is
possible that other versions are vulnerable as well.

Apache mod_dav LOCK Denial Of Service Vulnerability
BugTraq ID: 11185
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11185
Summary:
Apache's 'mod_dav' module is reported susceptible to a denial of
service vulnerability.

This vulnerability presents itself when Apache is configured to use
the 'mod_dav' module, and it receives a specific sequence of LOCK
commands from an authorized user.

This vulnerability can be exploited by remote attackers to crash
Apache processes. If Apache is configured to use the threaded process
model, an attacker could completely crash Apache. If Apache is
configured to use multiple processes as opposed to threads, an
attacker could crash individual web server processes. With a sustained
attack, they could crash multiple server processes, and still likely
deny service to legitimate users.

All versions of Apache 2.0, prior to 2.0.51 are reported vulnerable.

Apache Web Server Remote IPv6 Buffer Overflow Vulnerability
BugTraq ID: 11187
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11187
Summary:
Apache Web Server is reportedly affected by a remote buffer overflow
vulnerability.  This issue is due to a buffer boundary condition error
that fails to provide a valid string length parameter while using libc
memory copy functions.

It has been reported that this issue can be exploited to execute
arbitrary code on computers running BSD based Unix variants.  This
issue is reportedly due to the implementation of the 'memcpy()'
function.

On Linux based Unix variants this issue can only be exploited to
trigger a denial of service condition.

Webmin / Usermin Installation Insecure Temporary File Creati...
BugTraq ID: 11153
Remote: No
Date Published: Sep 10 2004
Relevant URL: http://www.securityfocus.com/bid/11153
Summary:
It is reported that Webmin and Usermin create insecure temporary files
during installation. The result of this is that temporary files
created by the applications may use predictable filenames.

A local attacker may possibly exploit this vulnerability to execute
symbolic link file overwrite attacks.

Versions of Usermin prior to version 1.090 are reported prone to this
vulnerability.  Webmin 1.150 and prior versions are affected as well.

Samba Multiple ASN.1 and MailSlot Parsing Remote Denial Of S...
BugTraq ID: 11156
Remote: Yes
Date Published: Sep 13 2004
Relevant URL: http://www.securityfocus.com/bid/11156
Summary:
Samba is reportedly affected by multiple remote denial of service
vulnerabilities. These issues are due to a failure to properly parse
ASN.1 and MailSlot packets.

An attacker may leverage these issues to cause the affected Samba
server to become inaccessible, and to crash the NetBIOS name server,
effectively denying service to legitimate users.

Samba samba-vscan Undisclosed Denial Of Service Vulnerabilit...
BugTraq ID: 11216
Remote: Yes
Date Published: Sep 17 2004
Relevant URL: http://www.securityfocus.com/bid/11216
Summary:
An undisclosed denial of service vulnerability is reported to exist
that may result in a denial of service for both the smbd and nmbd
daemons. It is reported that the counter and pointer-handling present
in 'samba-vscan' may provide an exploit vector for this vulnerability.

This BID will be updated when further information regarding this
vulnerability is made available.

Multiple Vendor MIME Encapsulation Content Checking Filter B...
BugTraq ID: 11157
Remote: Yes
Date Published: Sep 13 2004
Relevant URL: http://www.securityfocus.com/bid/11157
Summary:
Multiple filter bypass vulnerabilities have been reported in numerous
software implementations due to ambiguities in MIME encapsulation
standards (RFCs 822, and 2045 through 2049).

The following types of software may be impacted by these issues:
- Email clients
- Web clients
- Antivirus products
- Email content filters
- Web content filters

The source of the problem is that affected implementations may not
handle malformed or incorrect MIME encapsulated data.  As a result,
various MIME encapsulation techniques could be used to allow MIME
attachments to pass on through when they should be rejected due to
being malformed or incorrect.  This could have various consequences
depending on the implementation, but will also generally require that
the client receiving the attachment will be able to interpret the
malformed attachment.

A conclusive list of affected implementations is not available at this
time.  This BID will be updated as more vendor products are determined
to be vulnerable.

[ Too general ]

Pingtel Xpressa Handset Remote Denial Of Service Vulnerabili...
BugTraq ID: 11161
Remote: Yes
Date Published: Sep 13 2004
Relevant URL: http://www.securityfocus.com/bid/11161
Summary:
Pingtel Xpressa handsets are reported prone to a remote denial of
service vulnerability. The issue is reported to exist because of a
lack of sufficient boundary checks performed on HTTP request data
handled by the Xpressa administration web server.

It is reported that a remote attacker may exploit this vulnerability
to effectively deny service to the affected handset. Due to the nature
of this vulnerability, it is reported that this issue may be exploited
in order to execute arbitrary code.

[ firmware ]

Lexar JumpDrive Secure USB Flash Drive Insecure Password Sto...
BugTraq ID: 11162
Remote: No
Date Published: Sep 13 2004
Relevant URL: http://www.securityfocus.com/bid/11162
Summary:
Lexar JumpDrive Secure USB Flash Drive is reportedly affected by an
insecure password storage vulnerability.  This issue is due to a
design error which causes the password to be stored insecurely on the
affected device.

An attacker can exploit this issue to gain access to the password
protecting the secure private zone of the affected drive, facilitating
unauthorized access.

[ firmware ]

ZyXEL P681 ARP Request Information Disclosure Vulnerability
BugTraq ID: 11167
Remote: Yes
Date Published: Sep 13 2004
Relevant URL: http://www.securityfocus.com/bid/11167
Summary:
It is reported that ZyXEL Prestige 681 SDSL routers are susceptible to
an information disclosure vulnerability.

An attacker sniffing network traffic on an attached network would be
able to retrieve partial contents of network packets that have
traversed the affected device.

This information may assist malicious users in attacks on systems and
services that utilize the affected device.

ZyNOS version Vt020225a is reported vulnerable to this issue. Due to
code reuse among products, it is likely that other devices and
versions are also affected by this issue.

[ firmware ]

Mozilla Browser Non-ASCII Hostname Heap Overflow Vulnerabili...
BugTraq ID: 11169
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11169
Summary:
Mozilla is prone to a remotely exploitable heap overflow that is
exposed when the browser handles non-ASCII characters in URIs.

This issue could be exploited by enticing a user to open a hyperlink
that references a malicious URI.  Successful exploitation will allow
execution of arbitrary code in the context of the client user.

Mozilla Firefox Default Installation File Permission Vulnera...
BugTraq ID: 11166
Remote: No
Date Published: Sep 13 2004
Relevant URL: http://www.securityfocus.com/bid/11166
Summary:
Mozilla Firefox is reported susceptible to an improper file permission
vulnerability. This vulnerability is reported to exist only in the
Linux archive as published by the Mozilla Foundation. If the browser
is installed by package management software contained in many
distributions of Linux, this vulnerability is likely not present.

This allows attackers with local interactive access to computers
hosting installations of Firefox to overwrite binaries and scripts
used by Firefox. This allows script, or code execution in the context
of the user running the affected package.

If this method of installation is used to install a system-wide
version of the browser by the superuser, then root-owned files are
world writable, allowing for code execution in the context of any user
utilizing the affected package.

The installation package from Mozilla.org for versions 0.9.x of
Firefox for Linux is reported to contain this vulnerability.

Mozilla Multiple URI Processing Heap Based Buffer Overflow V...
BugTraq ID: 11170
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11170
Summary:
Mozilla is reportedly affected by multiple heap based buffer overflow
vulnerabilities when processing URIs in emails. These issues are due
to a failure of the affected application to validate user-supplied
string lengths before copying them into finite process buffers.

An attacker might leverage these issues to have arbitrary code
executed in the context of the user running the vulnerable
application.

Mozilla Browser BMP Image Decoding Multiple Integer Overflow...
BugTraq ID: 11171
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11171
Summary:
Mozilla Browser is reportedly prone to multiple integer overflow
vulnerabilities in the image parsing routines.  These issues exist due
to insufficient boundary checks performed by the application.  A
remote attacker may cause denial of service conditions in the client
or execute arbitrary code to gain unauthorized access to a vulnerable
computer.

These vulnerabilities were researched on Mozilla 1.7, however, other
versions may be affected as well.  Thunderbird 0.7 was also tested.

Mozilla Browser vcard Handling Remote Buffer Overflow Vulner...
BugTraq ID: 11174
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11174
Summary:
Mozilla Browser is reported prone to a remote buffer overflow
vulnerability when processing malicious vcard files.  This issue
presents itself due to insufficient boundary checks performed by the
application and may allow a remote attacker to gain unauthorized
access to a vulnerable computer.

It is reported that the issue originates in the 'nsVCardObj.cpp' file
and may allow an attacker to overflow a finite buffer by creating a
malformed vcard (vcf) file and sending the file to a vulnerable user
in email.  Reportedly, this issue occurs when the mail is previewed in
the browser.

These vulnerabilities were researched on Mozilla 1.7, however, other
versions may be affected as well. Thunderbird 0.7 was tested as well.

Mozilla/Firefox Browsers URI Drag And Drop Cross-Domain Scri...
BugTraq ID: 11177
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11177
Summary:
Both Mozilla and Firefox are reported to be prone to a cross-domain
scripting vulnerability. It is reported that URI links that are
dragged from one browser window and dropped into another browser
window will bypass the browser same-origin policy security checks.

Certain URI types may be employed by a malicious website in order to
trigger this vulnerability. If successful, this attack will result in
the execution of arbitrary script code in the context of a target
domain.

Mozilla/Firefox Browsers Unauthorized Clipboard Contents Dis...
BugTraq ID: 11179
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11179
Summary:
A vulnerability is reported in Mozilla and Firefox browsers that could
permit a remote site to gain access to contents of the client user's
clipboard.

This vulnerability exists because certain unsafe scripting operations
are permitted on TextAreas. This can lead to the disclosure of
clipboard contents and malicious Web sites having the ability to write
to a user's clipboard.

Mozilla/Firefox Browsers Tar.GZ Archive Weak Permissions Vul...
BugTraq ID: 11192
Remote: No
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11192
Summary:
The tar.gz archive that contains the installation files for the
Mozilla and Mozilla Firefox browsers is reported susceptible to an
improper file permissions vulnerability. It is reported that if the
archive is extracted in a certain manner, its contents are extracted
with world-readable/writable permissions.

This allows attackers with local interactive access to overwrite or
modify installation files used during the installation of the browser.

Mozilla/Firefox Browsers PrivilegeManager EnablePrivilege Di...
BugTraq ID: 11194
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11194
Summary:
A vulnerability is reported in the Mozilla 'enablePrivilege'
method. Because the argument data of an 'enablePrivilege' method is
used as text in a prompt dialog if the user has not accessed the
principal previously, it is possible to manipulate dialog contents.

A remote attacker may exploit this condition to influence a victim
user into permitting a malicious script to run.

SUS Format String Vulnerability
BugTraq ID: 11176
Remote: No
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11176
Summary:
It is reported that SUS contains a format string vulnerability in its
logging function. This issue is due to a failure of the application
to properly sanitize user-supplied input before using it as the format
specifier in a formatted printing function.

Due to improper message sanitization, any format string specifiers are
interpreted literally by the syslog() function, giving the attacker
control over process memory.

Due to the nature of the SUS package, an attacker with local
interactive access could exploit this vulnerability to gain superuser
privileges.

SUS versions prior to 2.0.6 are reported vulnerable.

[ sudo-like ]

Inkra 1504GX Remote Denial Of Service Vulnerability
BugTraq ID: 11178
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11178
Summary:
It is reported that the Inkra 1504GX is susceptible to a denial of
service vulnerability.

This vulnerability presents itself when the device receives particular
malformed IP packets. The switch must be configured in a particular
state for this vulnerability to be exploited.

This vulnerability allows a remote attacker to crash affected devices,
denying service to legitimate users.

Inkra 1504GX routers with VSM release 2.1.4.b003 are reportedly
vulnerable to this issue. Other versions are also likely affected.

[ firmware ]

SnipSnap HTTP Response Splitting Vulnerability
BugTraq ID: 11180
Remote: Yes
Date Published: Sep 14 2004
Relevant URL: http://www.securityfocus.com/bid/11180
Summary:
SnipSnap is reported prone to an HTTP response splitting
vulnerability.  The issue exists in the 'referer' parameter.  The
issue presents itself due to a flaw in the application that allows an
attacker to manipulate how POST requests are handled.

This issue was identified in SnipSnap 0.5.2a and prior.

[ weblog/wiki in Java ]

CUPS UDP Packet Remote Denial Of Service Vulnerability
BugTraq ID: 11183
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11183
Summary:
CUPS is prone to a remotely exploitable denial of service
vulnerability that may be triggered through port 631 by a zero-length
UDP packet.

LinuxPrinting.org Foomatic-Filter Command Execution Vulnerab...
BugTraq ID: 11184
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11184
Summary:
Reportedly the LinuxPrinting.org Foomatic-Filter is affected by an
arbitrary command execution vulnerability.  Although unconfirmed, it
is likely that this issue is due to a failure of the affected script
to properly validate input when issuing shell commands.

An attacker may exploit this issue to execute arbitrary commands as
the printer user on a computer running the vulnerable software.

Multiple Browser Cross-Domain Cookie Injection Vulnerability
BugTraq ID: 11186
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11186
Summary:
Multiple Browsers are reported prone to a cross-domain cookie
injection vulnerability.  This issue is identified in Microsoft
Internet Explorer, KDE Konqueror, and Mozilla and may allow an
attacker to carry out session hijacking attacks.

The issue presents itself due to a design error in multiple browsers
that allows cookies to be incorrectly sent to other domains.

This BID will be divided and updated as more information becomes
available.

gdk-pixbuf Multiple Vulnerabilities
BugTraq ID: 11195
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11195
Summary:
Multiple vulnerabilities have been reported in gdk-pixbuf.

The first vulnerability in the library presents itself upon attempting
to decode BMP images. In certain circumstances, the library may enter
into an infinite loop, consuming CPU resources, and halting further
execution of applications utilizing the library.

The second and third vulnerabilities exist when the library
attempts to decode XPM images. Specially crafted image files could
either crash applications utilizing the affected library, or allow for
the execution of attacker-supplied code.

The fourth and last vulnerability in the library presents itself upon
attempting to decode ICO images. Specially crafted ICO files could
cause applications to crash.

These vulnerabilities allow attackers to crash applications, or
execute arbitrary code in the context of applications that use the
affected library.

libXpm Image Decoding Multiple Remote Buffer Overflow Vulner...
BugTraq ID: 11196
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11196
Summary:
Multiple vulnerabilities are reported to exist in the libXpm. These
issues may be triggered when the library handles malformed XPM images.
The vulnerabilities exist due to insufficient boundary checks
performed by the application and may allow for unauthorized access to
a vulnerable computer.

An attacker can exploit these issues by crafting a malicious XPM file
and having unsuspecting users view the file through an application
that uses the affected library.

libXpm shipped with X.org X11R6 6.8.0 is reported vulnerable to this
issue.

This BID will be divided and updated as more information becomes
available.

SMC7004VWBR and SMC7008ABR Authentication Bypass Vulnerabili...
BugTraq ID: 11197
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11197
Summary:
SMC 7004VWBR, and 7008ABR devices are reportedly susceptible to an
authentication bypass vulnerability in their web administration
interface.

This vulnerability exists due to the method by which the web
administration software validates authenticated users. Reportedly, the
software uses the source IP address of the web client to differentiate
between users accessing the administration interface.

This vulnerability allows attackers to gain administrative access to
affected devices.

[ firmware ? ]

GNU Radius SNMP String Length Remote Denial Of Service Vulne...
BugTraq ID: 11198
Remote: Yes
Date Published: Sep 15 2004
Relevant URL: http://www.securityfocus.com/bid/11198
Summary:
GNU Radius is reported prone to a remote integer overrun
vulnerability. When GNU Radius handles SNMP string lengths that
contain a large unsigned number, a memory access violation will occur,
which will cause the affected service to crash.

A remote attacker may exploit this condition to cause the affected
server to crash.

sudo Information Disclosure Vulnerability
BugTraq ID: 11204
Remote: No
Date Published: Sep 16 2004
Relevant URL: http://www.securityfocus.com/bid/11204
Summary:
sudo is reported prone to an information disclosure vulnerability.

This vulnerability presents itself when sudo is called with the '-e'
option, or the 'sudoedit' command is invoked. In certain
circumstances, attackers may access the contents of arbitrary files
with superuser privileges.

Version 1.6.8 is reported susceptible to this vulnerability.

xine-lib DVD Subpicture Decoder Heap Overflow Vulnerability
BugTraq ID: 11205
Remote: Yes
Date Published: Sep 16 2004
Relevant URL: http://www.securityfocus.com/bid/11205
Summary:
A buffer overflow in the DVD subpicture component, exploitable through
malicious DVD or MPEG content, may allow for the execution of
arbitrary code.  The xine-lib decoder converts subpicture data into an
internal representation and stores it in dynamically allocated memory.
There exists a flaw in the calculation of required buffer space that
may result in allocation of a buffer that is too small.  Consequently,
neighboring data in the heap may be corrupted when data is written to
the buffer.

This vulnerability can theoretically be exploited to write arbitrary
words to nearly arbitrary locations in memory.  The Linux and Windows
dynamic memory allocation subsystems may be more susceptible than
BSD-based systems.

xine-lib VideoCD And Text Subtitle Stack Overflow Vulnerabil...
BugTraq ID: 11206
Remote: Yes
Date Published: Sep 16 2004
Relevant URL: http://www.securityfocus.com/bid/11206
Summary:
Two buffer overflows are reported to exist in xine-lib. These issues
are exploitable through malicious VideoCDs or subtitle text content,
and may allow for the execution of arbitrary code in the context of
the user invoking Xine. Attackers can overwrite critical memory
structures and return addresses in order to control the flow of
execution of the application.

The first vulnerability presents itself when the affected application
attempts to read malicious ISO disk labels from VideoCDs. The second
vulnerability presents itself when the affected application attempts
to parse malicious text subtitle data.

xine-lib versions 1-rc2 through 1-rc5 are reported vulnerable to these
issues.

MacOSXLabs RsyncX Local Privilege Escalation Vulnerability
BugTraq ID: 11211
Remote: No
Date Published: Sep 17 2004
Relevant URL: http://www.securityfocus.com/bid/11211
Summary:
It is reported that RsyncX is prone to a local privilege escalation
vulnerability.

RsyncX is installed setuid root and setgid wheel. It is reported that
RsyncX drops root privileges properly but fails to drop setgid wheel
privileges before executing a third party binary.

A local attacker may exploit this vulnerability to execute arbitrary
code with group wheel privileges.

[ I assume the licence is free, but that needs checking. Moreover,
  it is unusable without the proprietary graphical interface of
  MacOS X. ]

MacOSXLabs RsyncX Insecure Temporary File Creation Vulnerabi...
BugTraq ID: 11212
Remote: No
Date Published: Sep 17 2004
Relevant URL: http://www.securityfocus.com/bid/11212
Summary:
RsyncX is reported to contain an insecure temporary file creation
vulnerability.  The result of this is that temporary files created by
the application may use predictable filenames.

A local attacker may exploit this vulnerability to execute symbolic
link file overwrite attacks.
