[gull-annonces] Summary of SecurityFocus Newsletter #309

Marc SCHAEFER schaefer at alphanet.ch
Sun Aug 14 13:17:21 CEST 2005


ClamAV Multiple Integer Overflow Vulnerabilities
BugTraq ID: 14359
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14359
Summary:
ClamAV is susceptible to multiple integer overflow vulnerabilities.

Specifically, the vulnerabilities present themselves when the ClamAV 
antivirus library handles malformed files.

This may allow attackers to control the flow of execution, and potentially 
execute attacker-supplied code in the context of the affected application.

ClamAV 0.86.1 and prior versions are reported to be affected.

Beehive Forum Webtag Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 14363
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14363
Summary:
Beehive Forum is prone to multiple cross-site scripting vulnerabilities.  
These issues are due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage any of these issues to have arbitrary script code 
executed in the browser of an unsuspecting user in the context of the 
affected site.  This may facilitate the theft of cookie-based authentication 
credentials as well as other attacks.

[ Java/Struts; hence contrib ]

ECI Telecom B-FOCuS Router 312+ Unauthorized Access Vulnerability
BugTraq ID: 14364
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14364
Summary:
B-FOCuS Router 312+ is affected by a vulnerability that can allow 
unauthorized attackers to gain access to an affected device.

An attacker can disclose the administrator password through the Web 
interface of the device.

This can lead to a complete compromise of the router.

[ firmware ]

Hobbit Monitor Remote Denial Of Service Vulnerability
BugTraq ID: 14365
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14365
Summary:
Hobbit Monitor is affected by a remote denial of service vulnerability.  
This issue is due to a failure in the application to handle exceptional 
conditions.

The application fails to deal with data received in a proper manner.  An 
attacker can exploit this vulnerability by sending malicious data to the 
affected application and crash it, denying service to legitimate users.

[ Server monitoring system, somewhat like Big Brother, free software ]

FTPLocate Remote Command Execution Vulnerability
BugTraq ID: 14367
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14367
Summary:
FtpLocate is prone to a remote arbitrary command execution vulnerability. 
This issue presents itself due to insufficient sanitization of user-supplied 
data.

An attacker can supply arbitrary commands and have them executed in the 
context of the server.

This issue may facilitate unauthorized remote access to the computer running 
the hosting Web server.

[ FTP search engine in Perl,
http://turtle.ee.ncku.edu.tw/ftplocate/readme.english.html, using
Glimpse ]

3Com OfficeConnect Wireless 11g Access Point Remote Information 
Disclosure Vulnerability
BugTraq ID: 14370
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14370
Summary:
3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 is reported prone 
to an information disclosure vulnerability.

Information gathered through this attack may allow an attacker to carry out 
further attacks against the device or other network users.

3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 firmware versions 
prior to 1.03.12 are reported prone to this vulnerability.

[ firmware ]

Siemens Santis 50 Wireless Router Web Interface Denial Of Service 
Vulnerability
BugTraq ID: 14372
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14372
Summary:
Siemens Santis 50 Wireless router Web interface is affected by a remote 
denial of service vulnerability.

An attacker can exploit this issue to deny service to the Web interface and 
gain access to privileged functions of the telnet CLI.  These functions 
enable the attacker to discover information about the configuration of the 
device and connections.  The attacker can also erase the FLASH contents.

Information obtained may be used in further attacks against the vulnerable 
device or the network it operates on.

This issue may also affect the Ericsson HN294dp and Dynalink RTA300W 
routers.  Both devices are believed to use the same hardware as the Siemens 
Santis 50 Wireless router; this has not been confirmed by Symantec.

[ firmware ]

Vim ModeLines Further Variant Arbitrary Command Execution Vulnerability
BugTraq ID: 14374
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14374
Summary:
Vim is susceptible to an arbitrary command execution vulnerability with 
ModeLines. This issue is due to insufficient sanitization of user-supplied 
input.

By modifying a text file to include ModeLines containing the 'glob()', or 
'expand()' functions with shell metacharacters, attackers may cause 
arbitrary commands to be executed.

This vulnerability allows an attacker to execute arbitrary commands with the 
privileges of the vim user. This gives an attacker the ability to gain 
remote access to computers running the vulnerable software.

This issue is similar to BIDs 6384 and 11941.

Gentoo Sandbox Multiple Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 14375
Remote: No
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14375
Summary:
Sandbox is reported prone to multiple local insecure temporary file creation 
vulnerabilities.  These issues are due to design errors that cause the 
application to fail to verify the existence of files before writing to them.

This application runs with superuser privileges, allowing local attackers to 
overwrite arbitrary files. This may cause system-wide crashes, denying 
service to legitimate users. It may also be possible to gain elevated 
privileges by exploiting this vulnerability, but this has not been confirmed.

pstotext Arbitrary Code Execution Vulnerability
BugTraq ID: 14378
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14378
Summary:
pstotext is susceptible to an arbitrary command execution vulnerability. 
This issue is due to a failure of the application to ensure that GhostScript 
is executed in a secure manner.

This issue allows attackers to create malicious PostScript files, that when 
parsed by the affected utility, allow arbitrary commands to be executed. 
This occurs in the context of the user running the affected utility.

netpbm pstopnm Arbitrary Code Execution Vulnerability
BugTraq ID: 14379
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14379
Summary:
pstopnm is susceptible to an arbitrary command execution vulnerability. This 
issue is due to a failure of the application to ensure that GhostScript is 
executed in a secure manner.

This issue allows attackers to create malicious PostScript files, that when 
parsed by the affected utility, allow arbitrary commands to be executed. 
This occurs in the context of the user running the affected utility.

This vulnerability was reported in version 10.0 of netpbm. Other versions 
may also be affected.

ProFTPD SQLShowInfo SQL Output Format String Vulnerability
BugTraq ID: 14380
Remote: Yes
Date Published: 2005-07-26
Relevant URL: http://www.securityfocus.com/bid/14380
Summary:
A format string vulnerability exists in ProFTPD.  This issue is exposed when 
the SQLShowInfo directive is enabled.  If the attacker can influence data in 
the backend SQL database, it is possible to exploit this issue by inserting 
a malicious format string into data that will be queried by ProFTPD.

Successful exploitation will result in arbitrary code execution in the 
context of the server.

ProFTPD Shutdown Message Format String Vulnerability
BugTraq ID: 14381
Remote: Yes
Date Published: 2005-07-26
Relevant URL: http://www.securityfocus.com/bid/14381
Summary:
A format string vulnerability exists in ProFTPD.  This issue is exposed when 
the server prints a shutdown message containing certain variables such as 
the current directory.  If an attacker could create a directory on the 
server, it may be possible to trigger this issue.

Successful exploitation will result in arbitrary code execution in the 
context of the server.
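
Added illustration for the two ProFTPD entries above (this is not ProFTPD code and not part of the newsletter): the difference between passing data to a printf-style call as the format and passing it as an argument, plus a small message-template expander of the kind a server needs for variables such as the current directory. The variable names %u and %d, the value names and the sample inputs are this example's own.

```c
/* Added example, not ProFTPD code. The point: data that came from a database
 * row or a directory name must never become the FORMAT of a printf-family
 * call. Either pass it through "%s", or expand templates yourself so that
 * variable values are copied byte for byte and never interpreted. */
#include <stdio.h>
#include <string.h>

/* Unsafe shape, shown disabled for comparison only: the message IS the format,
 * so a "%n" or "%x" inside it is interpreted by snprintf.
 *     snprintf(buf, sizeof buf, message);
 * Safe shape: fixed format, message passed as data. */
static int render_literal(char *dst, size_t dstlen, const char *message) {
    return snprintf(dst, dstlen, "%s", message);
}

/* Expand a template such as "user %u in %d" where %u (user name) and %d
 * (current directory) are the only recognised variables (hypothetical names).
 * Values are copied verbatim; a '%' inside a value is just a byte. Unknown
 * %x pairs are emitted as-is. Returns 0, or -1 if the output does not fit. */
static int expand_template(char *dst, size_t dstlen, const char *tmpl,
                           const char *cwd, const char *user) {
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *val = NULL;
        if (*p == '%' && p[1] != '\0') {
            if (p[1] == 'd') val = cwd;
            else if (p[1] == 'u') val = user;
        }
        if (val != NULL) {
            size_t n = strlen(val);
            if (o + n >= dstlen) return -1;
            memcpy(dst + o, val, n);   /* no interpretation of val */
            o += n;
            p++;                        /* skip the variable letter */
        } else {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = *p;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Checks returning 1 on success; inputs are constructed samples. */
static int check_literal(void) {
    char buf[64];
    const char *hostile = "%x%x%n";     /* directives in attacker data */
    render_literal(buf, sizeof buf, hostile);
    return strcmp(buf, hostile) == 0;    /* comes back untouched */
}
static int check_expand(void) {
    char buf[128];
    /* a directory name that contains format directives */
    if (expand_template(buf, sizeof buf, "user %u in %d",
                        "/tmp/%n%n", "alice") != 0)
        return 0;
    return strcmp(buf, "user alice in /tmp/%n%n") == 0;
}
static int check_overflow(void) {
    char buf[8];
    return expand_template(buf, sizeof buf, "%d", "0123456789", "x") == -1;
}

int main(void) {
    char buf[128];
    expand_template(buf, sizeof buf, "user %u in %d", "/tmp/%n%n", "alice");
    puts(buf);
    return 0;
}
```

Compilers catch the unsafe shape statically when the format is a non-literal variable: gcc's -Wformat-security (or -Wformat=2, with -Werror=format-security to make it fatal) flags printf-family calls whose format string is not a literal, which is the cheapest audit for this class across a code base.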

Fetchmail POP3 Client Remote Denial of Service Vulnerabilities
BugTraq ID: 14384
Remote: Yes
Date Published: 2005-07-26
Relevant URL: http://www.securityfocus.com/bid/14384
Summary:
Fetchmail is affected by multiple remote denial of service vulnerabilities.

These issues were introduced due to a fix that was released for BID 14349 
(Fetchmail POP3 Client Buffer Overflow Vulnerability).

Specifically, malformed responses from a malicious server can cause the 
client to crash.

These issues affect Fetchmail 6.2.5.1.

FreeBSD IPsec Session AES-XCBC-MAC Authentication Constant Key Usage 
Vulnerability
BugTraq ID: 14394
Remote: Yes
Date Published: 2005-07-27
Relevant URL: http://www.securityfocus.com/bid/14394
Summary:
FreeBSD is affected by a vulnerability that may allow remote unauthorized 
attackers to establish an IPsec session.

The vulnerability presents itself when the 'AES-XCBC-MAC' algorithm is used 
for authentication without any other method of IPsec encryption.

A successful attack can allow an attacker to forge packets and potentially 
establish an IPsec session.  This can lead to various other attacks.

Ethereal Multiple Protocol Dissector Vulnerabilities
BugTraq ID: 14399
Remote: Yes
Date Published: 2005-07-27
Relevant URL: http://www.securityfocus.com/bid/14399
Summary:
Many vulnerabilities in Ethereal have been disclosed by the vendor. The 
reported issues are in various protocol dissectors.

These issues include:
- Buffer overflow vulnerabilities
- Format string vulnerabilities
- Null pointer dereference denial of service vulnerabilities
- Infinite loop denial of service vulnerabilities
- Memory exhaustion denial of service vulnerabilities
- Unspecified denial of service vulnerabilities

These issues could allow remote attackers to execute arbitrary machine code 
in the context of the vulnerable application. Attackers could also crash the 
affected application.

Various vulnerabilities affect differing versions of Ethereal, from 0.8.5, 
through to 0.10.11.

Gforge Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 14405
Remote: Yes
Date Published: 2005-07-28
Relevant URL: http://www.securityfocus.com/bid/14405
Summary:
Gforge is prone to multiple cross-site scripting vulnerabilities. These 
issues are due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage any of these issues to have arbitrary script code 
executed in the browser of an unsuspecting user in the context of the 
affected site.  These may facilitate the theft of cookie-based 
authentication credentials as well as other attacks.

Linksys WRT54G Wireless Router Default SSL Certificate and Private Key 
Vulnerability
BugTraq ID: 14407
Remote: Yes
Date Published: 2005-07-28
Relevant URL: http://www.securityfocus.com/bid/14407
Summary:
Linksys WRT54G wireless routers contain a default SSL certificate and 
private key.

This constant certificate/key pair is always used to access the device.

This can allow an attacker to obtain the certificate/key pair and carry out 
various attacks.

A complete compromise of the device is possible.

[ firmware ]

Cisco IOS IPv6 Processing Arbitrary Code Execution Vulnerability
BugTraq ID: 14414
Remote: Yes
Date Published: 2005-07-27
Relevant URL: http://www.securityfocus.com/bid/14414
Summary:
A remote arbitrary code execution vulnerability affects the IPv6 processing 
functionality of Cisco IOS.

A successful attack may allow a remote attacker to execute arbitrary code 
and gain unauthorized access to the device.  An attacker can also leverage 
this issue to cause an affected device to reload, denying service to 
legitimate users.

This issue may be related to BID 12368 (Cisco IOS IPv6 Processing Remote 
Denial Of Service Vulnerability).

Cisco has stated that exploitation of this vulnerability in Cisco IOS XR may 
cause the IPv6 neighbor discovery process to restart.  If exploited 
repeatedly, this could result in a prolonged denial of service affecting 
IPv6 traffic travelling through the device.

[ firmware ]

libtiff Tiff Image Header Divide By Zero Denial of Service Vulnerability
BugTraq ID: 14417
Remote: Yes
Date Published: 2005-07-29
Relevant URL: http://www.securityfocus.com/bid/14417
Summary:
libtiff is affected by a vulnerability that may cause a denial of service in 
applications utilizing the library.  This issue is due to a failure in the 
library to sufficiently validate specific header values.

An attacker can exploit this vulnerability to cause a denial of service, or 
loss of data in applications utilizing the affected library.

This issue is known to affect the CUPS printing system and the Evolution 
email client; other applications using the LibTIFF library may also be 
affected.

This issue may be related to BID 12874 - ImageMagick TIFF Image File 
Unspecified Denial Of Service Vulnerability.
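
Added illustration covering both the ClamAV entry (integer overflows when handling malformed files) and the libtiff entry above (divide by zero on an unvalidated header value). It is not code from either project or from the newsletter; the field names (image_length, rows_per_strip, bytes_per_pixel) and sample values are this example's own.

```c
/* Added example, not ClamAV or libtiff code: the two header-arithmetic checks
 * a file parser needs before it trusts a length field. A multiplication that
 * wraps undersizes a buffer (integer overflow, the ClamAV class); a division
 * by a zero field raises SIGFPE and kills the process (the libtiff class). */
#include <stdint.h>
#include <stdio.h>

/* Multiply two 32-bit sizes from a header; refuse on overflow instead of
 * silently wrapping to a small value. */
static int checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out) {
    uint64_t wide = (uint64_t)a * (uint64_t)b;   /* exact in 64 bits */
    if (wide > UINT32_MAX)
        return -1;
    *out = (uint32_t)wide;
    return 0;
}

/* Strips needed for an image: ceil(image_length / rows_per_strip).
 * rows_per_strip == 0 is a well-formed 32-bit field but would trap on the
 * division and take the embedding application down with it, so it is
 * rejected before any arithmetic. */
static int strips_for_image(uint32_t image_length, uint32_t rows_per_strip,
                            uint32_t *out) {
    if (rows_per_strip == 0)
        return -1;
    if (image_length == 0) {
        *out = 0;
        return 0;
    }
    *out = (image_length - 1) / rows_per_strip + 1;  /* overflow-free ceil */
    return 0;
}

/* Pixel buffer size for width x height x bytes_per_pixel, or -1 if the
 * product does not fit in 32 bits. */
static int image_buffer_size(uint32_t width, uint32_t height,
                             uint32_t bytes_per_pixel, uint32_t *out) {
    uint32_t row;
    if (checked_mul_u32(width, bytes_per_pixel, &row) != 0)
        return -1;
    return checked_mul_u32(row, height, out);
}

/* Single-value wrappers: the computed value, or -1 when the header is rejected. */
static long long strips_or_neg(uint32_t len, uint32_t rps) {
    uint32_t n;
    return strips_for_image(len, rps, &n) == 0 ? (long long)n : -1;
}
static long long buffer_or_neg(uint32_t w, uint32_t h, uint32_t bpp) {
    uint32_t n;
    return image_buffer_size(w, h, bpp, &n) == 0 ? (long long)n : -1;
}

int main(void) {
    /* constructed header values: one sane and one malformed of each kind */
    printf("strips(100,30)        = %lld\n", strips_or_neg(100, 30));
    printf("strips(100,0)         = %lld (rejected)\n", strips_or_neg(100, 0));
    printf("buffer(640,480,3)     = %lld\n", buffer_or_neg(640, 480, 3));
    printf("buffer(65536,65536,1) = %lld (rejected)\n",
           buffer_or_neg(65536, 65536, 1));
    return 0;
}
```

The shape to copy is the return convention: every function that derives a size from a header reports rejection to its caller, and the caller aborts parsing of that file rather than substituting a default, which is what keeps one malformed input from crashing a mail client or print spooler that merely linked the library.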

Gopher Insecure Temporary File Creation Vulnerability
BugTraq ID: 14420
Remote: No
Date Published: 2005-07-29
Relevant URL: http://www.securityfocus.com/bid/14420
Summary:
Gopher is prone to an unspecified insecure temporary file creation 
vulnerability.  This issue is likely due to a design error that causes the 
application to fail to verify the existence of a file before writing to it.

The details available regarding this issue are not sufficient to provide an 
in depth technical description. This BID will be updated when more 
information becomes available.

An attacker may leverage this issue to overwrite arbitrary files with the 
privileges of an unsuspecting user that activates the vulnerable application.

[ I stopped using Gopher in 1992 ... who still uses this
system? :) ]
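
Added illustration for the two insecure temporary file entries in this digest (Gentoo Sandbox and Gopher): the pattern both advisories describe, failing to make sure a file does not already exist before writing to it, next to the two hardened forms. This is not code from Sandbox, Gopher or the newsletter; the template name "example.XXXXXX" and the TMPDIR handling are this example's own.

```c
/* Added example, not Sandbox or Gopher code. The insecure shape the advisories
 * describe looks like this (shown only as the 'before', never called here):
 *     snprintf(path, sizeof path, "/tmp/%s.%ld", prefix, (long)getpid());
 *     open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
 * The name is predictable and O_EXCL is missing, so if a local user has
 * already planted that path (typically a symlink), the open follows it and
 * the privileged writer clobbers whatever the link points to. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int mkstemp(char *tmpl);   /* prototype restated in case strict -std=c99 hides it */

/* Hardened shape 1: mkstemp(3) picks an unpredictable name and creates the
 * file atomically with O_CREAT|O_EXCL and mode 0600. The chosen path is
 * written back into `path` so the caller can unlink it when done. */
static int open_temp_secure(char *path, size_t pathlen) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathlen, "%s/example.XXXXXX", dir) >= (int)pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/* Hardened shape 2: for a fixed, caller-chosen path, create-or-fail. O_EXCL
 * turns "check that it does not exist, then create" into one atomic step,
 * closing the race window; it also fails with EEXIST when the path is a
 * symlink, so a planted link is refused rather than followed. */
static int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Exercise both: returns 1 when the secure temp file is created, a second
 * exclusive create of the same path is refused with EEXIST, and cleanup
 * succeeds. */
static int demo_temp_files(void) {
    char path[4096];
    int ok = 0;
    int fd = open_temp_secure(path, sizeof path);
    if (fd < 0)
        return 0;
    if (write(fd, "data\n", 5) == 5) {
        int again = create_exclusive(path);   /* must fail: file exists */
        if (again < 0 && errno == EEXIST)
            ok = 1;
        else if (again >= 0)
            close(again);
    }
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("temp file handling %s\n", demo_temp_files() ? "ok" : "FAILED");
    return 0;
}
```

Two habits follow from this: keep working from the file descriptor mkstemp returned rather than reopening the path by name (reopening reintroduces the race), and when a program must run with superuser privileges, as Sandbox does, confine its scratch files to a directory only it can write to instead of a shared, sticky-bit /tmp.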

Kismet Multiple Unspecified Remote Vulnerabilities
BugTraq ID: 14430
Remote: Yes
Date Published: 2005-07-29
Relevant URL: http://www.securityfocus.com/bid/14430
Summary:
Kismet is prone to three unspecified remote vulnerabilities.  These issues 
could be exploited to completely compromise a computer running Kismet to 
sniff wireless network traffic.

There is no further information available at this time.

Metasploit Framework Unspecified Remote Vulnerability
BugTraq ID: 14431
Remote: Yes
Date Published: 2005-07-30
Relevant URL: http://www.securityfocus.com/bid/14431
Summary:
Metasploit Framework is prone to an unspecified vulnerability. This issue 
allows remote attackers to compromise the computer of users using the 
affected application.

This vulnerability is likely exploited by returning malicious data to the 
application in unknown network connections, causing arbitrary code to be 
executed in the context of the scanning application.

UPDATE: This BID has been retired as it has been determined that the issue is 
not a vulnerability.  Additional information has been provided that states 
the issue is due to insufficient filtering of potentially malicious 
terminal escape sequences when logging external input.  These escape 
sequences are not interpreted at any point by the application, and only pose 
a threat if rendered with an external viewer within a terminal emulator 
program that will interpret them.  In that instance, this presents a 
security vulnerability in the terminal emulator program.  As Metasploit does 
not interpret the malicious input itself, it is not within the scope of the 
application to filter this type of input.  This is not a vulnerability in 
Metasploit since it does not impact security properties of the application 
itself.
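
Added illustration for the retired Metasploit entry above, taken from the logging side rather than the viewer side: the filtering the UPDATE refers to, i.e. rewriting terminal control bytes in external input before they are written to a log so that a later cat or tail of the file cannot feed them to a terminal emulator. This is not Metasploit code and not part of the newsletter; the escape format and the sample banner are this example's own.

```c
/* Added example, not Metasploit code. Every byte a terminal emulator might
 * interpret (ESC 0x1b, the other C0 control characters, DEL 0x7f) is rewritten
 * as a visible \xNN escape. Printable ASCII and bytes >= 0x80 pass through
 * unchanged so UTF-8 text survives; note that this means 8-bit C1 controls
 * encoded as UTF-8 (C2 80..C2 9F) are NOT handled, which would require
 * decoding UTF-8 first. */
#include <stdio.h>
#include <string.h>

/* Returns the number of bytes the full output needs (snprintf convention).
 * dst is always NUL-terminated when dstlen > 0; if the output does not fit,
 * copying stops at the last byte or escape that fitted completely. */
static size_t sanitize_for_log(char *dst, size_t dstlen, const char *src) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0, need = 0;
    int truncated = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        unsigned char c = *p;
        if (c < 0x20 || c == 0x7f) {           /* C0 controls, ESC, DEL */
            char esc[4] = { '\\', 'x', hex[c >> 4], hex[c & 0xf] };
            need += 4;
            if (!truncated && o + 4 < dstlen) {
                memcpy(dst + o, esc, 4);
                o += 4;
            } else {
                truncated = 1;
            }
        } else {
            need += 1;
            if (!truncated && o + 1 < dstlen)
                dst[o++] = (char)c;
            else
                truncated = 1;
        }
    }
    if (dstlen > 0)
        dst[o] = '\0';
    return need;
}

/* Checks returning 1 on success; inputs are constructed samples. */
static int check_sanitize(void) {
    char out[64];
    /* a remote banner carrying a colour escape and CR LF */
    const char *in = "banner: \x1b[31mred\x1b[0m\r\n";
    size_t n = sanitize_for_log(out, sizeof out, in);
    return n == strlen(out) &&
           strcmp(out, "banner: \\x1b[31mred\\x1b[0m\\x0d\\x0a") == 0;
}
static int check_clean_passthrough(void) {
    char out[32];
    sanitize_for_log(out, sizeof out, "GET /index.html");
    return strcmp(out, "GET /index.html") == 0;
}
static int check_truncation(void) {
    char out[6];   /* room for 5 bytes: the 4-byte escape does not fit after "ab" */
    size_t need = sanitize_for_log(out, sizeof out, "ab\x1b" "cd");
    return need == 8 && strcmp(out, "ab") == 0;
}

int main(void) {
    char out[128];
    sanitize_for_log(out, sizeof out, "banner: \x1b[31mred\x1b[0m\r\n");
    puts(out);
    return 0;
}
```

Run this over any field that originates on the network (service banners, HTTP headers, file names from a directory listing) before it goes to a log file, and the escape-sequence problem the UPDATE describes is settled at the producer regardless of which viewer is used later.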
