[gull-annonces] Summary of SecurityFocus Newsletter #292

Marc SCHAEFER schaefer at alphanet.ch
Tue Mar 22 09:56:01 CET 2005


PaX VMA Mirroring Privilege Escalation Vulnerability
BugTraq ID: 12729
Remote: Yes
Date Published: Mar 05 2005
Relevant URL: http://www.securityfocus.com/bid/12729
Summary:
It is reported that PaX contains a privilege escalation vulnerability.

Local unprivileged users may exploit this vulnerability to execute
arbitrary code with the privileges of any targeted user. It is also
conjectured that remote attackers may also be able to exploit this
vulnerability, but exploitability depends on the ability of an
attacker to control the executable file mappings of a targeted
application.

This issue is only exploitable if SEGMEXEC or RANDEXEC are enabled in
the kernel configuration.

This vulnerability is reported to affect all versions of PaX since
September, 2003, when VMA mirroring was introduced.

[ unless I'm mistaken, the PaX project died after this ]

Sylpheed Mail Client Buffer Overflow Vulnerability
BugTraq ID: 12730
Remote: Yes
Date Published: Mar 04 2005
Relevant URL: http://www.securityfocus.com/bid/12730
Summary:
It is reported that Sylpheed is susceptible to a buffer overflow
vulnerability. This issue is due to a failure of the application to
properly bounds-check user-supplied input data prior to copying it to
fixed-size memory buffers.

Attackers may exploit this vulnerability to execute arbitrary machine
code in the context of the vulnerable application.

Versions prior to 1.0.3 are reported to be vulnerable.

Xerox Microserver Web Server Unspecified Remote Authorizatio...
BugTraq ID: 12731
BugTraq ID: 12783
BugTraq ID: 12787
Remote: Yes
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12731
Summary:
Xerox Microserver is a server utility that includes a Web server.  It
is enabled by default on Xerox WorkCentre devices.

A remote authorization bypass reportedly affects Xerox Microserver Web
server.  The underlying issue causing this vulnerability is currently
unknown; this BID will be updated as further information is released.

An attacker may potentially leverage this issue to alter configuration
settings on the affected device.

A remote authentication bypass vulnerability affects Xerox Document
Centre.  This issue is due to a failure of the application to properly
handle access credentials.

An attacker may leverage this issue to gain unauthorized access to the
device configuration interface. It should be noted that access to user
accounts on the affected device is not granted through exploitation of
this issue.

An information disclosure vulnerability affects Xerox WorkCentre
devices.  This issue is due to a design error that may facilitate
information disclosure under certain extreme conditions when an
unsuspecting user sends a multi-page fax.

This issue may facilitate the disclosure of potentially sensitive
information.

[ firmware ]

Hashcash Email Reply Header Format String Vulnerability
BugTraq ID: 12732
Remote: Yes
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12732
Summary:
A format string vulnerability exists in the generic C implementation
of Hashcash.  This vulnerability is exposed when the software handles
an email message that includes format specifiers in the recipient
field of a reply.

Successful exploitation may allow execution of arbitrary code in the
context of the software.

This vulnerability is believed to have been introduced after the
release of version 1.13.  It is not known exactly which version the
vulnerability was introduced in.

Abuse Multiple Local Privilege Escalation Vulnerabilities
BugTraq ID: 12734
Remote: No
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12734
Summary:
Abuse is reported prone to multiple vulnerabilities. The following
individual issues are reported:

Abuse is reported prone to multiple local buffer overflow
vulnerabilities.

It is reported that a local attacker may exploit these issues to
execute arbitrary code with superuser privileges.

Abuse is also reported prone to an insecure file creation
vulnerability. Reports indicate that this issue may be leveraged to
overwrite arbitrary files with superuser privileges.

mlterm Background Image Integer Overflow Vulnerability
BugTraq ID: 12737
Remote: Yes
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12737
Summary:
mlterm is reported prone to an integer overflow vulnerability. This
vulnerability arises due to a lack of sanity checks performed on a
malformed image file.

mlterm versions 2.5.0 to 2.9.1 are reported vulnerable.

Nokia Series 60 BlueTooth Remote Denial Of Service Vulnerabi...
BugTraq ID: 12743
Remote: Yes
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12743
Summary:
A remote denial of service vulnerability affects Nokia Series 60.
This issue is due to a failure of the operating system to handle
malformed network data.

An attacker may leverage this issue to cause affected Nokia devices to
restart, denying service to legitimate users.

[ firmware ]

EXIF Library EXIF Tag Parsing Unspecified Memory Corruption ...
BugTraq ID: 12744
Remote: Yes
Date Published: Mar 07 2005
Relevant URL: http://www.securityfocus.com/bid/12744
Summary:
libexif is reported prone to a memory corruption vulnerability. It is
reported that the issue presents itself when the affected library is
processing malformed EXIF tags.

It is reported that this issue may be leveraged to execute arbitrary
code in the context of an application that is linked to the vulnerable
library.

RedHat Linux Less Remote Buffer Overflow Vulnerability
BugTraq ID: 12753
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12753
Summary:
A remote, client-side buffer overflow vulnerability affects RedHat
Linux less.  This issue is due to a failure of the application to
securely copy file data into finite process buffers.

An attacker may leverage this issue to execute arbitrary code with the
privileges of an unsuspecting user.

[ seems misclassified to me ]

Ethereal RADIUS Authentication Dissection Buffer Overflow Vu...
BugTraq ID: 12759
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12759
Summary:
A remote buffer overflow vulnerability reportedly affects Ethereal.
This issue is due to a failure of the application to securely copy
network-derived data into sensitive process buffers.  The specific
issue exists in the 3GPP2 A11 dissector.

An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This
may facilitate unauthorized access or privilege escalation.

Ethereal Etheric/GPRS-LLC/IAPP/JXTA/sFlow Dissector Vulnerab...
BugTraq ID: 12762
Remote: Yes
Date Published: Mar 09 2005
Relevant URL: http://www.securityfocus.com/bid/12762
Summary:
Multiple buffer overflow and denial of service vulnerabilities affect
various Ethereal protocol dissectors.  The Etheric, GPRS-LLC, IAPP,
JXTA, and sFlow dissectors are affected by these issues.

These vulnerabilities may be triggered when the software is used to
monitor live network traffic or when a dump is viewed.  In the worst
case scenario, it is possible to execute arbitrary code as the
superuser.  Other vulnerabilities will only cause the software to
crash when an affected dissector processes live network traffic or a
dump.

NewsScript Access Validation Vulnerability
BugTraq ID: 12761
Remote: Yes
Date Published: Mar 08 2005
Relevant URL: http://www.securityfocus.com/bid/12761
Summary:
NewsScript is reported prone to an access validation vulnerability.
This issue may allow an unauthorized attacker to add, modify and
delete messages.

It is reported that an attacker can exploit this issue by issuing a
specially crafted HTTP GET request for the 'newsscript.pl' script to
bypass access checks and carry out administrative tasks.

Linux Kernel sys_epoll_wait() Local Integer Overflow Vulnerabi...
BugTraq ID: 12763
Remote: No
Date Published: Mar 09 2005
Relevant URL: http://www.securityfocus.com/bid/12763
Summary:
A local integer overflow vulnerability affects the Linux kernel.  This
issue is due to a failure of the affected kernel to properly handle
user-supplied size values.

An attacker may leverage this issue to overwrite low kernel memory.
This may potentially facilitate privilege escalation.

Perl Local Race Condition Privilege Escalation Vulnerability
BugTraq ID: 12767
Remote: No
Date Published: Mar 09 2005
Relevant URL: http://www.securityfocus.com/bid/12767
Summary:
Perl is reported prone to a local race condition vulnerability. The
vulnerability is present in the 'rmtree()' function provided by the
'File::Path.pm' module.

A successful attack may allow an attacker to gain elevated privileges
on a vulnerable computer.

Grip CDDB Response Multiple Matches Buffer Overflow Vulnerab...
BugTraq ID: 12770
Remote: Yes
Date Published: Mar 10 2005
Relevant URL: http://www.securityfocus.com/bid/12770
Summary:
A buffer overflow vulnerability exists in Grip.  The vulnerability
occurs when the software processes a response to a CDDB query that has
in excess of 16 matches.

For an attacker to exploit this issue, they must be able to influence
the response to a CDDB query, either by controlling a malicious CDDB
server or through other means.  Successful exploitation will result in
execution of arbitrary code.

This vulnerability is reported to affect versions 3.1.2 and 3.2.0.  It
is not known if other versions are also affected.

Multiple Vendor Antivirus Products Malformed ZIP Attachment ...
BugTraq ID: 12771
Remote: Yes
Date Published: Mar 10 2005
Relevant URL: http://www.securityfocus.com/bid/12771
Summary:
Multiple antivirus products from various vendors are reported prone to
a vulnerability that may allow potentially malformed ZIP archives to
bypass detection.

This issue arises when an affected application processes a ZIP archive
with an invalid CRC-32 checksum.  It should be noted that affected
software may possibly detect a malicious file in the archive when it
is decompressed or scanned manually.

The discoverer of this vulnerability has reported that this issue
affects H+BEDV AntiVir, AVG Anti-Virus, Sybari Antigen for Microsoft
Exchange, and products by McAfee, and BitDefender.  Symantec products
were not found to be vulnerable to the issue.

**Update: Symantec believes that the impact of this issue is low. This
is because an archive handler processing an archive that possesses a
corrupt CRC-32 checksum will fail, reporting that the archive is
corrupt. This would mean that a malicious file contained in such an
archive would not be directly accessible to a target recipient user.

Alternatively, if the CRC-32 checksum is corrected manually by the
recipient user and the file is extracted, it will likely be detected
by client-side Anti-Virus solutions during the file extraction
routine. This detection will likely occur before the malicious file is
directly processed by the end user.

[ also for the record, clamav by default reports only the first vulnerable
file of an archive. Either consider the whole archive -- see the mail
following the automated attacks -- as something to discard as soon as it
contains one vulnerable file, or use clamav's ad-hoc option ]
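An added example (not from the advisory, the poster, or clamav) showing what the "bad CRC-32" case and the "first file only" reporting look like on a concrete archive. It builds a constructed three-member ZIP in memory, overwrites the stored CRC-32 of two members without touching their compressed data, and then contrasts Python's `zipfile.testzip()`, which stops at the first failing member (used here only as a stand-in for a scanner with that behaviour), with a per-member check that recomputes every CRC-32, still decompresses every payload, and applies the whole-archive rejection policy from the comment above. The marker string stands in for whatever a content scanner would look for and is an assumption of this example.

```python
"""Per-member CRC-32 checking of a ZIP archive (added example, constructed data)."""
import io
import struct
import zipfile
import zlib

# Constructed marker standing in for whatever a content scanner looks for.
MARKER = b"SAMPLE-MARKER-FOR-THIS-EXAMPLE"


def build_sample_archive(include_marker: bool = True) -> bytes:
    """Constructed three-member archive, built in memory with deflate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"harmless text\n")
        zf.writestr("first.bin", b"A" * 64)
        zf.writestr("second.bin", b"B" * 64 + (MARKER if include_marker else b""))
    return buf.getvalue()


def corrupt_member_crc(archive: bytes, member: str) -> bytes:
    """Overwrite the CRC-32 stored for `member` in the central directory and in
    its local file header, leaving the compressed data intact (an archive with
    an invalid CRC-32, as the advisory describes)."""
    data = bytearray(archive)
    name = member.encode()
    eocd = data.rfind(b"PK\x05\x06")                    # end-of-central-directory record
    pos = struct.unpack_from("<I", data, eocd + 16)[0]  # offset of the central directory
    while data[pos:pos + 4] == b"PK\x01\x02":           # central directory file header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + 46:pos + 46 + name_len] == name:
            crc = struct.unpack_from("<I", data, pos + 16)[0]
            bogus = crc ^ 0xFFFFFFFF
            struct.pack_into("<I", data, pos + 16, bogus)      # central directory CRC
            local = struct.unpack_from("<I", data, pos + 42)[0]  # local header offset
            struct.pack_into("<I", data, local + 14, bogus)    # local header CRC
            return bytes(data)
        pos += 46 + name_len + extra_len + comment_len
    raise KeyError(member)


def first_bad_member(archive: bytes):
    """zipfile's built-in check: returns only the first member with a bad CRC."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.testzip()


def inspect_members(archive: bytes) -> list[dict]:
    """Decompress every member straight from its local header, recompute its
    CRC-32 and run the content check, so one bad CRC never hides the rest."""
    results = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            name_len, extra_len = struct.unpack_from("<HH", archive, start + 26)
            data_start = start + 30 + name_len + extra_len
            raw = archive[data_start:data_start + info.compress_size]
            if info.compress_type == zipfile.ZIP_DEFLATED:
                payload = zlib.decompress(raw, -15)  # raw deflate stream, no zlib header
            elif info.compress_type == zipfile.ZIP_STORED:
                payload = raw
            else:
                raise ValueError(f"unsupported compression method {info.compress_type}")
            results.append({
                "name": info.filename,
                "crc_ok": (zlib.crc32(payload) & 0xFFFFFFFF) == info.CRC,
                "flagged": MARKER in payload,
            })
    return results


def verdict(archive: bytes) -> str:
    """Policy from the comment above: one bad CRC or one flagged member
    condemns the whole archive."""
    members = inspect_members(archive)
    if any(not m["crc_ok"] or m["flagged"] for m in members):
        return "reject"
    return "accept"


if __name__ == "__main__":
    sample = corrupt_member_crc(build_sample_archive(), "first.bin")
    sample = corrupt_member_crc(sample, "second.bin")
    print("testzip() reports only:", first_bad_member(sample))
    for m in inspect_members(sample):
        print(m)
    print("verdict:", verdict(sample))
```

Run as a script, `testzip()` names only `first.bin`, so a scanner that stops there never looks at `second.bin`, which carries both the bad CRC and the marker; the per-member loop reports both and the policy rejects the archive. Note that Python's `zipfile` reads the stored CRC-32 from the central directory, so both copies are patched to keep the archive self-consistent.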

MySQL AB MySQL Multiple Remote Vulnerabilities
BugTraq ID: 12781
Remote: Yes
Date Published: Mar 11 2005
Relevant URL: http://www.securityfocus.com/bid/12781
Summary:
MySQL is reported prone to multiple vulnerabilities that can be
exploited by a remote authenticated attacker. The following individual
issues are reported:

MySQL is reported prone to an insecure temporary file creation
vulnerability.

Reports indicate that an attacker that has 'CREATE TEMPORARY TABLE'
privileges on an affected installation may leverage this vulnerability
to corrupt files with the privileges of the MySQL process.

MySQL is reported prone to an input validation vulnerability that can
be exploited by remote users that have INSERT and DELETE privileges on
the 'mysql' administrative database.

Reports indicate that this issue may be leveraged to load and execute a
malicious library in the context of the MySQL process.

Finally, MySQL is reported prone to a remote arbitrary code execution
vulnerability. It is reported that the vulnerability may be triggered
by employing the 'CREATE FUNCTION' statement to manipulate functions
in order to control sensitive data structures.

This issue may be exploited to execute arbitrary code in the context
of the database process.

These issues are reported to exist in MySQL versions prior to MySQL
4.0.24 and 4.1.10a.
