LinuxQuestions.org
Old 02-07-2004, 09:54 AM   #1
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
LQ Security Report February 7th 2004



February 6th 2004
11 issues across 4 distros (LAW)
1. Perl
2. Crawl
3. Kernel
4. CVS
5. Tcpdump
6. Ethereal
7. Gaim
8. NetPBM
9. Mc
10. Util-linux
11. Kernel


February 2nd 2004
7 issues handled (Security Focus)
1. Gaim Multiple Remote Boundary Condition Error Vulnerabilities
2. Antologic Antolinux Administrative Interface NDCR Parameter Vulnerability
3. Cherokee Error Page Cross Site Scripting Vulnerability
4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability
6. Macromedia ColdFusion MX Security Sandbox Circumvention Vulnerability
7. Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
 
Old 02-07-2004, 10:24 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
February 2nd 2004 (SF)

Security Focus

1. Gaim Multiple Remote Boundary Condition Error Vulnerabilitie...
BugTraq ID: 9489
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9489
Summary:
Gaim is an instant messaging client that supports numerous protocols.
It is available for the Unix and Linux platforms.

Several vulnerabilities in the handling of YMSG protocol, Oscar
protocol, proxy handling, and Gaim utilities have been identified.
Because of these issues, it may be possible for a remote attacker
to gain unauthorized access to hosts using the vulnerable software.

Reports indicate the following 12 problems:

Due to two errors in the handling of octal decoding code used for
e-mail notification, it is possible to create a condition suitable for
heap-based overflow attacks.

An overflow in the parsing of Yahoo Web cookies in HTTP headers
exists when handling a specially prepared cookie. Initial reports indicate
a low possibility of exploitation due to circumstances in memory
management of various platforms.

There is insufficient bounds checking of data returned from the Yahoo!
Login page. Name and Value strings returned to the client from a
system purporting to be the Yahoo! Login page could potentially
result in the execution of arbitrary code on the client side.

The YMSG protocol handler is vulnerable to a buffer overflow when
handling keynames of excessive sizes, usually greater than 64 bytes.
Remote communications with maliciously crafted keynames can be
forwarded through the Yahoo! server.

An integer overflow exists in the DirectIM handling by Gaim. A remote
user sending a value to a vulnerable Gaim client with a payload
length of UINT_MAX will result in an overflow in the calloc function.

Due to two errors in the handling of Quoted Printable decoding code
used for e-mail notification, it is possible to create conditions suitable
for heap-based overflow attacks.

The URI parsing utility contains an overflow in the handling of specially
crafted URIs. An attacker could pass along a URI of excessive length to
create an exploitable stack overflow.

The Get User Info utility performs inadequate bounds checking on data
received from the YMSG and MSN protocol handlers. Because of this,
it is possible for a remote attacker to exploit a stack overflow in the
utility to execute arbitrary code.

A client-side overflow in the handling of HTTP proxy connections
exists in Gaim. A remote proxy sending a string of data in excess of 8192
bytes could potentially create an exploitable stack overflow on the client
system.

These issues are undergoing further analysis and will be separated
into individual BIDs when analysis is complete.

*Update: Ultramagnetic, a concurrent fork of the Gaim instant
messaging software, has also been reported to be affected by the issues
listed under CAN-2004-0006, CAN-2004-0007 and CAN-2004-0008.

2. Antologic Antolinux Administrative Interface NDCR Parameter ...
BugTraq ID: 9495
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9495
Summary:
Antologic Antolinux is a Linux server based server. The server is shipped
with an administrative interface written in PHP.

A vulnerability has been reported to exist in the administration interface of
the product that may allow a remote attacker to execute arbitrary
commands on vulnerable systems. The issue reportedly exists in
the 'NDCR' parameter of the software. Due to insufficient sanitization of
user-supplied input, data supplied to this variable will be interpreted in
the shell. An attacker can exploit this vulnerability by passing malicious
shell metacharacters to the software in order to execute arbitrary
commands with the privileges of the server hosting the vulnerable
software. It has been demonstrated that an attacker may gain access to
the password file by carrying out a 'cat' command. An attacker may need
to spoof the HTTP REFERER to carry out successful exploitation.

Antologic Antolinux 1.0 has been reported to be prone to this issue,
however, other versions may be affected as well.

3. Cherokee Error Page Cross Site Scripting Vulnerability
BugTraq ID: 9496
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9496
Summary:
Cherokee is a web server distributed under the GNU public license.
It is available for numerous platforms, including Microsoft Windows and
Unix/Linux variants.

Cherokee has been reported to contain a cross-site scripting vulnerability.
This issue is due to the server failing to check and filter user-supplied
strings issued to the server in a web request, which are then included
directly in error output.

An attacker can exploit this issue by crafting a URI link containing the
malevolent HTML or script code, and enticing a user to follow it. If this link
were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the affected
web server and may allow for theft of cookie-based authentication
credentials or other attacks.

4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
BugTraq ID: 9497
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9497
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.

A vulnerability has been reported to exist in Xoops that may allow a
remote user to execute HTML or script code in a user's browser.

The issue is reported to exist due to improper sanitizing of user-supplied
data. It has been reported that HTML and script code may be parsed via
the 'topic_id' and 'forum' URI parameters of 'newbb/viewtopic.php' script.
This vulnerability makes it possible for an attacker to construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.

Successful exploitation of this attack may allow an attacker to steal cookie-
based authentication credentials. Other attacks are also possible.

Xoops versions 2.x have been reported to be prone to this issue.

5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
BugTraq ID: 9507
Remote: Yes
Date Published: Jan 27 2004
Relevant URL: http://www.securityfocus.com/bid/9507
Summary:
tcpdump is a freely available, open source network monitoring tool.
It is available for the Unix, Linux, and Microsoft Windows operating
systems.

A vulnerability has been identified in the software that may allow a
remote attacker to cause a denial of service condition in the software.
The issue occurs due to the way tcpdump decodes Internet Security
Association and Key Management Protocol (ISAKMP) packets. A remote
attacker may cause the software to enter an infinite loop by sending
malformed ISAKMP packets resulting in a crash or hang.

Although unconfirmed, due to the nature of this issue, an attacker may
leverage the issue by exploiting an unbounded memory copy operation to
overwrite the saved return address/base pointer, causing an affected
procedure to return to an address of their choice. Successful exploitation
of this issue may allow an attacker to execute arbitrary code with the
privileges of the tcpdump process in order to gain unauthorized access.

tcpdump versions prior to 3.8.1 have been reported to be prone to this
issue.

6. Macromedia ColdFusion MX Security Sandbox Circumvention Vuln...
BugTraq ID: 9521
Remote: No
Date Published: Jan 28 2004
Relevant URL: http://www.securityfocus.com/bid/9521
Summary:
ColdFusion MX is the application server for developing and hosting
infrastructure distributed by Macromedia. It is available as a
standalone product for Unix, Linux, and Microsoft Operating Systems.

ColdFusion MX has been reported prone to a security sandbox
circumvention vulnerability. The issue is reported to exist because
programmers have the ability to create instances of classes without using
"CreateObject()" or "<cfobject>" tags. It has been reported that the
security sandbox does not prevent this behavior.

This issue cannot be exploited remotely, but the vulnerability may present
a danger in a shared hosted environment.

An attacker may exploit this issue to circumvent the security sandbox of
ColdFusion MX.

This issue has been reported to affect ColdFusion MX 6.1.

7. Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
BugTraq ID: 9523
Remote: No
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9523
Summary:
CVSup is a network file distribution utility that is intended to be used with
CVS repositories. It is available for various Unix/Linux derivatives.

It has been reported that some third-party vendor-supplied CVSup
binaries may have an insecure ELF RPATH that includes world-writeable
directories in the path. This variable is used to specify the run-time search
path for ELF objects. A local attacker could exploit this issue by placing
malicious libraries in these directories, which would be dynamically linked
against at run-time when the cvsup, cvsupd or cvpasswd programs are
executed. This would result in execution of arbitrary code with elevated
privileges.

This issue was reported to affect CVSup RPMs that ship with SuSE
Linux. Other distributions may also be affected. In the instance of SuSE,
the /home/anthon and /usr/src/packages directories included in the search
path may be world-writeable, depending on the value of the
PERMISSIONS_SECURITY setting in the /etc/sysconfig/security configuration
file. Statically linked versions of the software should not be affected by
this version.
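The RPATH issue in item 7 is easy to audit for on a host. The script below is an added example written for this digest, not code from the advisory or from the CVSup project: it reads the text that `readelf -d` prints for `DT_RPATH`/`DT_RUNPATH` entries and flags every search-path entry that an unprivileged local user could seed with a library. It goes a little beyond the advisory's world-writable case and also flags empty and relative entries, which `ld.so` resolves against the current working directory. The `readelf` line in `demo()` and the two temporary directories it creates are constructed sample input.

```python
"""Audit an ELF binary's RPATH/RUNPATH for directories a local user can write to.

Added example (not the advisory's or the CVSup project's code). Input is the
output of `readelf -d <binary>`; the audit flags world-writable directories,
empty entries and relative entries in the library search path.
"""
import os
import re
import stat
import tempfile
from typing import List, Tuple

# readelf -d prints the search path on a line such as:
#  0x000000000000000f (RPATH)              Library rpath: [/usr/lib:/home/anthon/lib]
#  0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")


def rpath_entries(readelf_output: str) -> List[str]:
    """Return the colon-separated search-path entries found in readelf -d output."""
    entries: List[str] = []
    for line in readelf_output.splitlines():
        match = _RPATH_RE.search(line)
        if match:
            entries.extend(match.group(2).split(":"))
    return entries


def is_world_writable(path: str) -> bool:
    """True if path is an existing directory with the other-write bit set.

    A sticky bit (as on /tmp) does not help: anyone can still create a new
    file named like the library the loader is looking for.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def audit_rpath(readelf_output: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for each unsafe search-path entry, in order."""
    findings: List[Tuple[str, str]] = []
    for entry in rpath_entries(readelf_output):
        if entry == "":
            findings.append((entry, "empty entry resolves to the current directory"))
        elif entry.startswith("$"):
            # $ORIGIN and friends are expanded by ld.so relative to the binary;
            # they are not analysed here.
            continue
        elif not entry.startswith("/"):
            findings.append((entry, "relative path resolves against the current directory"))
        elif is_world_writable(entry):
            findings.append((entry, "world-writable directory"))
    return findings


def demo() -> List[str]:
    """Audit a constructed readelf line that mixes safe and unsafe entries."""
    writable = tempfile.mkdtemp()
    os.chmod(writable, 0o1777)          # like /tmp: world-writable, sticky bit set
    private = tempfile.mkdtemp()
    os.chmod(private, 0o755)            # only the owner can write here
    sample = (" 0x000000000000000f (RPATH)              Library rpath: "
              f"[/usr/lib:{writable}:lib:{private}:]\n")   # constructed sample
    return [reason for _, reason in audit_rpath(sample)]


if __name__ == "__main__":
    for reason in demo():
        print("unsafe:", reason)
```

To check a real binary, feed it `subprocess.run(["readelf", "-d", path], capture_output=True, text=True).stdout`; the world-writable check is what catches the `/home/anthon`-style directories the advisory describes when the permissions scheme leaves them open.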
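Item 5 describes a decoder that can be driven into an infinite loop by a malformed ISAKMP packet. The walker below is an added example written for this digest, not tcpdump's code; it shows the check a robust decoder of any length-prefixed payload chain needs: every payload must advance the cursor and stay inside the message. The header layout it assumes is the one in RFC 2408 (a 28-byte ISAKMP header whose byte 16 names the first payload type, then payloads that each begin with a 4-byte generic header holding the next payload type, a reserved byte and a 16-bit length that includes the header). `build_message` only exists to construct sample messages for the demonstration.

```python
"""Walk an ISAKMP payload chain without trusting the length fields.

Added example, not tcpdump's code. Layout per RFC 2408: 28-byte ISAKMP header
(byte 16 = first payload type, bytes 24..27 = total length), then payloads
each starting with a 4-byte generic header: next payload, reserved, length
(network order, includes the 4 header bytes). A payload length below 4 would
leave the cursor where it is, which is how a naive decoder loops forever.
"""
import struct
from typing import List, Optional, Tuple

ISAKMP_HEADER_LEN = 28
PAYLOAD_HEADER_LEN = 4
PAYLOAD_NONE = 0          # "no next payload" terminates the chain


class MalformedISAKMP(ValueError):
    """Raised when the payload chain cannot be walked safely."""


def walk_payloads(msg: bytes, max_payloads: int = 64) -> List[Tuple[int, int, int]]:
    """Return (payload_type, offset, length) for each payload or raise MalformedISAKMP."""
    if len(msg) < ISAKMP_HEADER_LEN:
        raise MalformedISAKMP("truncated ISAKMP header")
    next_type = msg[16]
    total_len = struct.unpack("!I", msg[24:28])[0]
    if total_len > len(msg):
        # A capture may be cut by the snaplen; never read beyond what we hold.
        raise MalformedISAKMP("header length exceeds captured bytes")
    offset = ISAKMP_HEADER_LEN
    payloads: List[Tuple[int, int, int]] = []
    while next_type != PAYLOAD_NONE:
        if len(payloads) >= max_payloads:
            raise MalformedISAKMP("too many payloads")
        if offset + PAYLOAD_HEADER_LEN > total_len:
            raise MalformedISAKMP(f"payload header at {offset} runs past message end")
        following, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < PAYLOAD_HEADER_LEN:
            # The decisive check: without it offset never moves and the loop spins.
            raise MalformedISAKMP(f"payload at {offset} has length {plen} < 4 (no forward progress)")
        if offset + plen > total_len:
            raise MalformedISAKMP(f"payload at {offset} claims {plen} bytes past message end")
        payloads.append((next_type, offset, plen))
        offset += plen
        next_type = following
    return payloads


def check(msg: bytes) -> str:
    """One-line verdict for a message, for logging or for a test."""
    try:
        return f"ok: {len(walk_payloads(msg))} payloads"
    except MalformedISAKMP as exc:
        return f"malformed: {exc}"


def build_message(payloads: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a constructed ISAKMP message (cookies and message id are dummy zeros)."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", following, 0, PAYLOAD_HEADER_LEN + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = (b"\x00" * 16                                   # initiator/responder cookies
              + bytes([first, 0x10, 2, 0])                    # first payload, version 1.0, exchange, flags
              + b"\x00" * 4                                   # message id
              + struct.pack("!I", ISAKMP_HEADER_LEN + len(body)))
    return header + body


if __name__ == "__main__":
    good = build_message([(1, b"\x00" * 8), (10, b"\xaa" * 16)])   # SA + nonce, constructed
    print(check(good))
    broken = bytearray(good)
    broken[30:32] = b"\x00\x00"          # zero the first payload's length field
    print(check(bytes(broken)))
```

The same shape of check (minimum header size, monotonic progress, bound against the enclosing length, a cap on iterations) applies to any decoder of chained TLV-style records, which is why a patched tcpdump stops rather than hangs on such input.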
 
Old 02-07-2004, 10:34 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
February 6th 2004 (LAW)

Linux Advisory Watch

Distribution: Debian

2/2/2004 - perl
Information leak
An attacker could abuse suidperl to discover information about
files that should not be accessible to unprivileged users.
http://www.linuxsecurity.com/advisor...sory-3986.html


2/3/2004 - crawl
Buffer overflow vulnerability
The program applies an unchecked-length environment variable into
a fixed size buffer.
http://www.linuxsecurity.com/advisor...sory-3994.html


2/4/2004 - kernel
Privilege escalation MIPS patch
Integer overflow in the do_brk() function of the Linux kernel
allows local users to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-3996.html

Distribution: Fedora

2/2/2004 - cvs
Multiple vulnerabilities
Vulnerabilities allow cvs to write to root filesystem and retain
root privileges.
http://www.linuxsecurity.com/advisor...sory-3987.html


2/3/2004 - tcpdump
Malformed packet vulnerability
If the victim uses tcpdump, attack could result in a denial of
service, or possibly execute arbitrary code as the 'pcap' user.
http://www.linuxsecurity.com/advisor...sory-3992.html


2/3/2004 - ethereal
Denial of service vulnerability
Multiple security vulnerabilities may allow attackers to make
Ethereal crash using intentionally malformed packets.
http://www.linuxsecurity.com/advisor...sory-3993.html


Distribution: Mandrake

2/2/2004 - gaim
Multiple vulnerabilities
Multiple buffer overflows exist in gaim 0.75 and earlier.
http://www.linuxsecurity.com/advisor...sory-3988.html

Distribution: Red Hat

2/3/2004 - NetPBM
Temporary file vulnerabilities
A number of temporary file bugs have been found in versions of
NetPBM.
http://www.linuxsecurity.com/advisor...sory-3989.html


2/3/2004 - mc
Buffer overflow vulnerability
A buffer overflow allows remote attackers to execute arbitrary
code during symlink conversion.
http://www.linuxsecurity.com/advisor...sory-3990.html


2/3/2004 - util-linux Login data leakage
Buffer overflow vulnerability
In some situations, the login program could use a pointer that had
been freed and reallocated.
http://www.linuxsecurity.com/advisor...sory-3991.html


2/3/2004 - kernel
Multiple vulnerabilities
Updated kernel packages are now available that fix a few security
issues.
http://www.linuxsecurity.com/advisor...sory-3995.html
 
  

