[gull-annonces] Summary of SecurityFocus Newsletter #283

Marc SCHAEFER schaefer at alphanet.ch
Sat Jan 15 11:01:02 CET 2005


HTML Headline Temporary File Symbolic Link Vulnerabilities
BugTraq ID: 12147
Remote: No
Date Published: Jan 03 2005
Relevant URL: http://www.securityfocus.com/bid/12147
Summary:
It has been reported that there are numerous instances in HtmlHeadline
where insecure temporary files are used.  According to the report, it
is possible for at least some of these instances to be exploited to
corrupt files on the filesystem.  It is likely that HtmlHeadline
creates and writes to temporary files in the world writeable "/tmp"
with predictable filenames.

[ sh script ]

Apple AirPort Wireless Distribution System Remote Denial of ...
BugTraq ID: 12152
Remote: Yes
Date Published: Jan 03 2005
Relevant URL: http://www.securityfocus.com/bid/12152
Summary:
Apple AirPort Extreme and AirPort Express wireless base stations are
prone to a denial of service vulnerability when used in Wireless
Distribution System (WDS) mode.  This issue could allow a remote
attacker to cause the base station to stop processing traffic.

[ firmware ]

Mozilla/Firefox File Download Dialog Spoofing Vulnerability
BugTraq ID: 12153
Remote: Yes
Date Published: Jan 04 2005
Relevant URL: http://www.securityfocus.com/bid/12153
Summary:
Mozilla and Firefox are prone to a vulnerability that may permit a
malicious Web page to spoof the source of a download.

This may be used in a social engineering attack that entices a user to
download a malicious file under the assumption that it is coming from
a trusted source.

[ md5sum and/or gpg --verify; besides, when I occasionally browse with
  Mozilla, I always download with wget: simpler, more efficient, fewer
  useless copies, and I can see the URL for next time.
]

Bugzilla Internal Error Cross-Site Scripting Vulnerability
BugTraq ID: 12154
Remote: Yes
Date Published: Jan 04 2005
Relevant URL: http://www.securityfocus.com/bid/12154
Summary:
Bugzilla is prone to a cross-site scripting vulnerability.  The issue
is exposed when the software renders internal errors that include
user-supplied input.

This issue may be exploited by enticing a user into following a link
that will cause hostile HTML and script code to be rendered in an
internal error page.  Exploitation may allow for theft of cookie-based
authentication credentials or other attacks.

Multiple Vendor Bluetooth Device Unauthorized Serial Command...
BugTraq ID: 12166
Remote: Yes
Date Published: Jan 04 2005
Relevant URL: http://www.securityfocus.com/bid/12166
Summary:
Multiple vendors of Bluetooth devices are reported susceptible to an
unauthorized access vulnerability.

This vulnerability allows remote users to utilize the mobile device to
act as a modem. Once connected, remote users may exploit the simulated
modem to initiate calls, download potentially sensitive information
from the mobile device, monitor conversations, divert calls, or
connect to data services such as the Internet. Other attacks are also
likely possible.

It should be noted that this vulnerability is likely present in the
application layer, and not in the actual Bluetooth protocol layer.

[ firmware ]

Linux Kernel sysenter Thread Information Pointer Local Infor...
BugTraq ID: 12167
Remote: No
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12167
Summary:
The Linux kernel is reported susceptible to a local information
disclosure vulnerability.

This vulnerability may allow local attackers to gain access to
potentially sensitive information that may aid them in further
attacks.

There is insufficient information at this time to elaborate
further. This BID will be updated as more information is disclosed.

This vulnerability is reported to exist in the Linux kernel in the 2.6
series, in versions prior to 2.6.10.

Linux Kernel Local File Descriptor Passing Security Module B...
BugTraq ID: 12168
Remote: No
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12168
Summary:
It is reported that in certain cases, the Linux kernel fails to
properly call defined security module functions in its SCM system.

This vulnerability may allow local attackers to bypass the expected
security measures when passing file descriptors. The exact results of
this vulnerability depend on the implementation of applications that
utilize file descriptor passing. It is conjectured that this may
result in open file descriptors being passed to processes that would
not normally be able to access them. This may lead to attackers
gaining access to read or modify files that would normally be denied
to them.

This vulnerability is reported to exist in the Linux kernel in the 2.6
series, in versions prior to 2.6.10.

[ file descriptor passing is done, in particular, over UNIX sockets ]
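The mechanism behind this item, as an added example that is not part of the original post or of the kernel source: one process hands an open descriptor to another over a UNIX-domain socketpair using SCM_RIGHTS ancillary data, and the receiver reads through the new descriptor without ever having opened anything itself. This is exactly the transfer that the kernel's security-module hooks are supposed to mediate; the advisory says those hooks were not being called in some cases. The pipe holding the "secret" is a constructed stand-in for a file the receiver could not open on its own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Send one open descriptor over a UNIX-domain socket as SCM_RIGHTS ancillary
 * data. Returns 0 on success, -1 on failure. */
int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';                       /* ancillary data must ride on >= 1 data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&ctl, 0, sizeof ctl);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;            /* the payload is a descriptor, not bytes */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. The kernel installs a fresh fd in the receiver's
 * table that refers to the same open file description. Returns it, or -1. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd;

    memset(&ctl, 0, sizeof ctl);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Demo: the "sender" owns the read end of a pipe holding a secret and hands
 * that descriptor to the "receiver" over a socketpair. The receiver never
 * opened anything itself, yet can read the data. Returns the number of bytes
 * the receiver read, or -1 on failure. */
int demo_pass_fd(void)
{
    static const char secret[] = "passed-by-descriptor";   /* constructed sample */
    int sv[2], p[2], got;
    char buf[64];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(p) != 0)
        return -1;
    if (write(p[1], secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1))
        return -1;
    close(p[1]);

    if (send_fd(sv[0], p[0]) != 0)
        return -1;
    close(p[0]);            /* sender's copy is gone; the in-flight reference survives */

    got = recv_fd(sv[1]);
    if (got < 0)
        return -1;
    memset(buf, 0, sizeof buf);
    n = read(got, buf, sizeof buf - 1);
    close(got);
    close(sv[0]);
    close(sv[1]);
    if (n < 0 || strcmp(buf, secret) != 0)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("receiver read %d bytes through the passed descriptor\n", demo_pass_fd());
    return 0;
}
```

Note that the sender closes its own copy of the pipe before the receiver calls recvmsg(): the kernel holds a reference to the open file from the moment sendmsg() queues the message, so the receiver still gets a usable descriptor. That is why fd passing needs its own access check at receive time rather than relying on whatever check was done at open() time in the other process.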

libtiff tiffdump Heap Corruption Integer Overflow Vulnerabil...
BugTraq ID: 12173
Remote: Yes
Date Published: Jan 05 2005
Relevant URL: http://www.securityfocus.com/bid/12173
Summary:
It has been reported that 'tiffdump' is affected by a heap corruption
vulnerability due to an integer overflow error that can be triggered
when malicious or malformed image files are processed.  Theoretically,
an attacker can exploit this vulnerability to execute arbitrary code
in the context of the affected application when TIFF image data is
processed.  Because image data is frequently external in origin, these
vulnerabilities are considered remotely exploitable.

mod_dosevasive Apache Module Local Insecure Temporary File C...
BugTraq ID: 12181
Remote: No
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12181
Summary:
A local temporary file creation vulnerability reportedly affects
mod_dosevasive.  This issue is due to a failure of the module to
create and write to temporary files in a secure manner.

An attacker may leverage this issue to write to arbitrary files on the
affected computer with the privileges of the web server utilizing the
affected module.

[ mod_dosevasive is an evasive maneuvers module for Apache to provide
evasive action in the event of an HTTP DoS or DDoS attack or brute force
attack. http://www.nuclearelephant.com/projects/dosevasive/ ]
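The insecure-temporary-file pattern behind this item and the HtmlHeadline item above, as an added example that is not taken from either project: a program writes to a predictable name in a shared directory with open(O_CREAT) but without O_EXCL, so a symlink planted there in advance redirects the write (and the O_TRUNC) onto any file the program's user may write. The hardened variant uses O_EXCL and fails on the planted link. The scratch directory, file names and contents are all constructed for the demonstration; the real attack relies on the world-writable /tmp.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIGINAL_CONTENT "original victim contents"
#define ATTACKER_PAYLOAD "ATTACKER-CONTROLLED"

/* Vulnerable pattern: a predictable name in a shared directory, opened with
 * O_CREAT but without O_EXCL. If an attacker has already planted a symlink at
 * `path`, open() follows it and O_TRUNC wipes whatever it points to. */
static int vulnerable_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST when anything, file
 * or symlink, already exists at `path`, instead of following it. Real code
 * should also use an unpredictable name: mkstemp() does both. */
static int hardened_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;           /* EEXIST: refuse, do not follow the planted link */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Play the attack out inside a private scratch directory that stands in for
 * /tmp (constructed setup). Returns 1 if the victim file was clobbered, 0 if
 * it survived, -1 on a setup error. */
int run_scenario(int hardened)
{
    char dir[64], victim[128], tmpfile[128], buf[64];
    int fd, result = -1;
    ssize_t n;

    strcpy(dir, "/tmp/symlink-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./symlink-demo-XXXXXX");   /* fallback if /tmp is unusable */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(tmpfile, sizeof tmpfile, "%s/htmlheadline.tmp", dir); /* predictable name */

    /* Victim's file with known contents. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        goto out;
    n = write(fd, ORIGINAL_CONTENT, strlen(ORIGINAL_CONTENT));
    close(fd);
    if (n < 0)
        goto out;

    /* Attacker plants the symlink before the program creates its temp file. */
    if (symlink(victim, tmpfile) != 0)
        goto out;

    /* The program writes its "temporary" file at the predictable name. */
    if (hardened)
        hardened_write(tmpfile, ATTACKER_PAYLOAD);
    else
        vulnerable_write(tmpfile, ATTACKER_PAYLOAD);

    /* Did the victim file change? */
    memset(buf, 0, sizeof buf);
    fd = open(victim, O_RDONLY);
    if (fd < 0)
        goto out;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n >= 0)
        result = strcmp(buf, ORIGINAL_CONTENT) != 0;
out:
    unlink(tmpfile);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("vulnerable open(): victim %s\n", run_scenario(0) == 1 ? "clobbered" : "intact");
    printf("O_EXCL open():     victim %s\n", run_scenario(1) == 1 ? "clobbered" : "intact");
    return 0;
}
```

For a daemon such as an Apache module the write happens with the web server's privileges, which is why the mod_dosevasive entry talks about writing to arbitrary files as that user; the same check (O_EXCL, or mkstemp(), plus an unpredictable name) closes both issues.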

Exim Illegal IPv6 Address Buffer Overflow Vulnerability
BugTraq ID: 12185
Remote: Unknown
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12185
Summary:
Exim is reported susceptible to a buffer overflow vulnerability when
attempting to parse illegal IPv6 addresses. This issue is due to a
failure of the application to properly bounds check user-supplied
input prior to copying it to a fixed-size memory buffer.

The original reporter suggested that this vulnerability may be
exploited to gain elevated privileges via calling Exim with
unspecified command line arguments. Gaining elevated privileges would
only be possible where the Exim binary is installed with setuid
privileges.

It is conjectured that code paths other than those pertaining to
command line processing may result in remotely exploitable buffer
overflow vulnerabilities, but this is not confirmed at the present
time.

Exim SPA Authentication Remote Buffer Overflow Vulnerability
BugTraq ID: 12188
Remote: Yes
Date Published: Jan 06 2005
Relevant URL: http://www.securityfocus.com/bid/12188
Summary:
Exim is reported susceptible to a buffer overflow vulnerability when
attempting to authenticate remote users via SPA. This issue is due to
a failure of the application to properly bounds check user-supplied
input prior to copying it to a fixed-size memory buffer.

This vulnerability reportedly allows remote attackers to execute
arbitrary code in the context of the affected server application. This
issue is only exploitable if SPA authentication is configured to be
used. SPA authentication is not enabled by default.

Linux kernel uselib() Local Privilege Escalation Vulnerabili...
BugTraq ID: 12190
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12190
Summary:
Linux kernel is reported prone to a local privilege escalation
vulnerability.  This issue arises in the 'uselib()' functions of the
Linux binary format loader as a result of a race condition.
Successful exploitation of this vulnerability can allow a local
attacker to gain elevated privileges on a vulnerable computer.

The ELF and a.out loaders are reportedly affected by this
vulnerability.

Linux Kernel Multiple Local MOXA Serial Driver Buffer Overfl...
BugTraq ID: 12195
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12195
Summary:
The MOXA serial port driver in the Linux kernel is reported
susceptible to multiple buffer overflow vulnerabilities. These issues
are due to a failure of the driver to perform proper bounds checks
prior to copying user-supplied data to fixed-size memory buffers.

These vulnerabilities exist in the 'drivers/char/moxa.c' file.

The vulnerable functions perform a 'copy_from_user()' function call to
copy user-supplied, user-space data to a fixed-size, static kernel
memory buffer (moxaBuff) of 10240 bytes in length while utilizing the
user-supplied length argument as passed from 'MoxaDriverIoctl()'. This
reportedly results in improperly bounded operations, potentially
resulting in locally exploitable buffer overflows.

Linux kernels 2.2, 2.4 and 2.6 are all reportedly susceptible to these
vulnerabilities.

Linux Kernel Random Poolsize SysCTL Handler Integer Overflow...
BugTraq ID: 12196
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12196
Summary:
The Linux Kernel is reported prone to a local integer overflow
vulnerability. The issue occurs in the 'poolsize_strategy' function of
the 'random.c' kernel driver.

The vulnerability exists due to a lack of sufficient sanitization
performed on integer values before these values are employed as the
size argument of a user-land to kernel memory copy operation.

This vulnerability may be leveraged to corrupt kernel memory and
ultimately execute arbitrary code with ring-0
privileges. Alternatively, the issue may be exploited to trigger a
kernel panic.

It is reported that a user must have UID 0 to exploit this issue,
however the user does not require superuser privileges. This may
hinder exploitability.

Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial Of Service V...
BugTraq ID: 12197
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12197
Summary:
The Linux kernel contains the capability to lock allocated
memory. This capability is used by certain applications to ensure that
memory is not swapped out of main memory and onto disk.

The Linux kernel is reported susceptible to a local denial of service
vulnerability when handling locked memory pages. This issue is due to
a failure of the kernel to properly enforce defined limits to the
'mlockall()' system call.

This vulnerability is reported to exist in versions 2.6.9 and 2.6.10
of the Linux kernel.

Linux Kernel SCSI IOCTL Integer Overflow Vulnerability
BugTraq ID: 12198
Remote: No
Date Published: Jan 07 2005
Relevant URL: http://www.securityfocus.com/bid/12198
Summary:
The Linux Kernel is reported prone to a local integer overflow
vulnerability. The issue occurs in the 'sg_scsi_ioctl' function of the
'scsi_ioctl.c' kernel driver.

The vulnerability exists due to a lack of sufficient sanitization
performed on user-controlled integer values before these values are
employed as the size argument of a user-land to kernel memory copy
operation.

This vulnerability may be leveraged to corrupt kernel memory and
ultimately execute arbitrary code with ring-0
privileges. Alternatively, the issue may be exploited to trigger a
kernel panic or to disclose contents of kernel memory.

It is reported that a user must have access to the respective SCSI
devices in order to exploit this issue. This may hinder
exploitability.
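The bug class shared by the MOXA, random poolsize and SCSI ioctl items above, as an added example that is a sketch and not the kernel's code: a user-supplied length is handed to a user-to-kernel copy into a fixed buffer. Three validations are compared: none at all (the MOXA report), an upper bound only, which lets a negative int through and turns into an enormous unsigned size at the copy, and an explicit sign plus bound check. The 10240-byte buffer size is the one the MOXA entry gives; the "user" data, the function names and the simulated ioctl are constructed for the demonstration, and the copy is skipped rather than performed when it would overflow, so the program never corrupts its own memory.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed kernel-side buffer; 10240 bytes is the size the advisory gives for
 * moxaBuff. The "user" data is a constructed, zero-filled block. */
#define KBUF_LEN 10240
static char kbuf[KBUF_LEN];
static const char user_payload[KBUF_LEN * 2];

/* Return codes of the simulated ioctl. */
#define REJECTED_EINVAL (-EINVAL)
#define WOULD_OVERFLOW  (-1000)   /* copy would run past kbuf into other kernel memory */

typedef int (*len_check_fn)(int len);

/* (a) No check: the pattern described for moxa.c. The user's length goes to
 *     the copy unchanged. */
int check_none(int len) { (void)len; return 1; }

/* (b) Upper bound only. 20000 is rejected, but -1 passes, because this is an
 *     int-to-int comparison; after conversion to the unsigned size type that
 *     copy_from_user() takes, -1 becomes the largest possible length. (Had the
 *     constant been `sizeof kbuf`, the usual arithmetic conversions would have
 *     made the comparison unsigned and rejected it by accident, which is why
 *     such checks are fragile and the sign must be tested explicitly.) */
int check_upper_only(int len) { return len <= KBUF_LEN; }

/* (c) Correct: reject negative values explicitly, then bound by the buffer. */
int check_correct(int len) { return len >= 0 && (size_t)len <= sizeof kbuf; }

/* The length the copy routine really receives: the same bits, reinterpreted. */
unsigned long copy_size(int len) { return (unsigned long)len; }

/* Simulated ioctl handler: validate `len`, then copy that many bytes from
 * `user_data` into kbuf. The copy is only performed when it fits; a length
 * that passed validation but does not fit is reported as WOULD_OVERFLOW rather
 * than actually corrupting memory. Returns bytes copied or a negative code. */
int simulated_ioctl(const char *user_data, int len, len_check_fn check)
{
    unsigned long n;

    if (!check(len))
        return REJECTED_EINVAL;
    n = copy_size(len);
    if (n > sizeof kbuf)
        return WOULD_OVERFLOW;
    memcpy(kbuf, user_data, n);
    return (int)n;
}

int main(void)
{
    const int lens[] = { 100, 20000, -1 };
    len_check_fn checks[] = { check_none, check_upper_only, check_correct };
    const char *names[] = { "none", "upper-only", "correct" };
    for (int c = 0; c < 3; c++)
        for (int i = 0; i < 3; i++)
            printf("%-10s len=%6d -> %d\n", names[c], lens[i],
                   simulated_ioctl(user_payload, lens[i], checks[c]));
    return 0;
}
```

The same reasoning applies in the other direction: when the length feeds a copy_to_user(), an oversized value reads past the buffer and discloses kernel memory, which is the information-leak outcome the SCSI ioctl entry mentions.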
