Old 09-11-2004, 10:35 AM   #1
unSpawn
Moderator
LQ Security Report - September 8th 2004


Sep 8th 2004
25 of 48 issues handled (SF)
2. JazerNorth Scout Tracker Multiple Unspecified Vulnerabilitie...
7. Xedus Web Server Multiple Vulnerabilities
9. Web Animations Password Protect Multiple Input Validation Vu...
10. PvPGN Remote Buffer Overflow Vulnerability
11. CDRTools RSH Environment Variable Privilege Escalation Vulne...
13. Bsdmainutils Calendar Information Disclosure Vulnerability
14. MIT Kerberos 5 Multiple Double-Free Vulnerabilities
15. MIT Kerberos 5 ASN.1 Decoder Denial Of Service Vulnerability
16. PHPScheduleIt HTML Injection Vulnerability
17. SuSE Linux PTMX Unspecified Local Denial Of Service Vulnerab...
18. pLog User Registration HTML Injection Vulnerability
20. IMLib/IMLib2 Multiple BMP Image Decoding Buffer Overflow Vul...
22. Newtelligence DasBlog Request Log HTML Injection Vulnerabili...
23. TorrentTrader Download.PHP SQL Injection Vulnerability
24. PHPWebSite Multiple Input Validation Vulnerabilities
26. Opera Web Browser Empty Embedded Object JavaScript Denial Of...
27. Oracle 10g Database DBMS_SCHEDULER Remote Command Execution ...
29. LHA Multiple Code Execution Vulnerabilities
30. Apache mod_ssl Denial Of Service Vulnerability
33. CuteNews 'index.php' Cross-Site Scripting Vulnerability
34. Squid Proxy NTLM Authentication Denial Of Service Vulnerabil...
35. Oracle Database Server ctxsys.driload Access Validation Vuln...
36. Oracle Database Server dbms_system.ksdwrt Remote Buffer Over...
38. Dynalink RTA 230 ADSL Router Default Backdoor Account Vulner...
39. PhpMyBackupPro Unspecified Potential Input Validation Vulner...

Sep 6th 2004
3 issues handled (SANS)
(1) Oracle Products Multiple Vulnerabilities
(2) MIT Kerberos 5 Double Free Vulnerabilities
(5) LHA Multiple Remote Code Execution Vulnerabilities
 
Old 09-11-2004, 10:37 AM   #2
unSpawn
Moderator
Sep 8th 2004 (SF)

SecurityFocus

2. JazerNorth Scout Tracker Multiple Unspecified Vulnerabilitie...
BugTraq ID: 11066
Remote: Yes
Date Published: Aug 28 2004
Relevant URL: http://www.securityfocus.com/bid/11066
Summary:
Scout Tracker version 0.10 has been released. This version addresses various unspecified security vulnerabilities associated with passwords and user groups.
Scout Tracker versions 0.9 and prior are affected by these issues.

This BID will be updated as more information becomes available.

7. Xedus Web Server Multiple Vulnerabilities
BugTraq ID: 11071
Remote: Yes
Date Published: Aug 30 2004
Relevant URL: http://www.securityfocus.com/bid/11071
Summary:
It is reported that Xedus is susceptible to multiple vulnerabilities.
The first reported issue is a denial of service vulnerability. The affected application is unable to service multiple simultaneous connections, denying access to the hosted site for legitimate users.
The second reported issue is a cross-site scripting vulnerability in included sample scripts. This vulnerability is due to a failure of the application to properly sanitize user-supplied URI input before including it in the output of the scripts.
The third reported issue is a directory traversal vulnerability. The affected application will reportedly serve documents located outside of the configured web root. This may allow an attacker the ability to read arbitrary, potentially sensitive files on the hosting computer with the privileges of the web server. This may aid malicious users in further attacks.
These vulnerabilities are reported to exist in version 1.0 of Xedus.

9. Web Animations Password Protect Multiple Input Validation Vu...
BugTraq ID: 11073
Remote: Yes
Date Published: Aug 31 2004
Relevant URL: http://www.securityfocus.com/bid/11073
Summary:
Password Protect is reported prone to multiple cross-site scripting and SQL injection vulnerabilities. These issues occur due to insufficient sanitization of user-supplied input. Successful exploitation of these issues may result in arbitrary HTML and script code execution and/or compromise of the underlying database.
It is reported that these issues could be exploited to gain unauthorized administrative access to the application.
All versions of Password Protect are considered vulnerable to these issues.

10. PvPGN Remote Buffer Overflow Vulnerability
BugTraq ID: 11074
Remote: Yes
Date Published: Aug 29 2004
Relevant URL: http://www.securityfocus.com/bid/11074
Summary:
PvPGN is reported prone to a remote buffer overflow vulnerability. This issue can allow an attacker to execute arbitrary code to gain unauthorized access to a vulnerable computer.
An attacker can trigger this vulnerability by supplying an excessively long string value through the 'watchall' and 'unwatchall' commands.
All versions of PvPGN including 1.6.5 and prior are affected by this vulnerability.

11. CDRTools RSH Environment Variable Privilege Escalation Vulne...
BugTraq ID: 11075
Remote: No
Date Published: Aug 31 2004
Relevant URL: http://www.securityfocus.com/bid/11075
Summary:
CDRTools is reportedly vulnerable to an RSH environment variable privilege escalation vulnerability. This issue is due to a failure of the application to properly implement security controls when executing an application specified by the RSH environment variable.
An attacker may leverage this issue to gain superuser privileges on a computer running the affected software.

13. Bsdmainutils Calendar Information Disclosure Vulnerability
BugTraq ID: 11077
Remote: No
Date Published: Aug 31 2004
Relevant URL: http://www.securityfocus.com/bid/11077
Summary:
The calendar utility contained in the bsdmainutils package on Debian GNU/Linux systems is reported susceptible to an information disclosure vulnerability. This is due to a lack of proper file authorization checks by the application.
The application fails to enforce permissions of included files when run as the superuser with the '-a' argument, therefore it is possible for a local attacker to create a calendar file that will disclose the contents of arbitrary, potentially sensitive files. This may aid them in further attacks against the affected computer.
By default, the package is installed with a crontab file that will not call the calendar utility. Systems are only affected if the crontab is enabled by administrators.
Debian GNU/Linux computers with bsdmainutils versions prior to 6.0.15 are reported to be vulnerable.

14. MIT Kerberos 5 Multiple Double-Free Vulnerabilities
BugTraq ID: 11078
Remote: Yes
Date Published: Aug 31 2004
Relevant URL: http://www.securityfocus.com/bid/11078
Summary:
There are multiple double-free vulnerabilities reported to exist in MIT Kerberos 5.
All vulnerabilities stem from inconsistent memory handling routines in the krb5 library.
These vulnerabilities are exploitable in various ways:
- An attacker can execute arbitrary code in the context of a KDC server process, potentially compromising the entire Kerberos realm.
- An attacker can execute arbitrary code in the context of a krb524d server process, potentially compromising the entire Kerberos realm if it is running on the same computer as a KDC.
- An attacker can execute arbitrary code in the context of various other server processes utilizing the krb5 library.
- An attacker impersonating a KDC or application server may be able to execute arbitrary code in the context of a client process attempting to authenticate.
Versions up to and including 1.3.4 are reported vulnerable.

15. MIT Kerberos 5 ASN.1 Decoder Denial Of Service Vulnerability
BugTraq ID: 11079
Remote: Yes
Date Published: Aug 31 2004
Relevant URL: http://www.securityfocus.com/bid/11079
Summary:
It is reported that MIT Kerberos V is susceptible to a denial of service vulnerability in its ASN.1 decoder.
This vulnerability presents itself when the krb5 library attempts to decode a malformed ASN.1 buffer.
As a result of this vulnerability, a remote attacker may be able to deny all Kerberos service in a realm by sending malicious UDP packets to all KDCs (Key Distribution Center). The affected KDCs would then stop servicing further authentication requests. All services utilizing Kerberos for authentication would fail to allow further requests.
MIT Kerberos V versions 1.2.2 through to 1.3.4 are reportedly affected by this vulnerability.

16. PHPScheduleIt HTML Injection Vulnerability
BugTraq ID: 11080
Remote: Yes
Date Published: Aug 31 2004
Relevant URL: http://www.securityfocus.com/bid/11080
Summary:
phpScheduleIt is reported to contain an HTML injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input before including it in dynamically generated web page content.
This may allow an attacker to inject malicious HTML and script code into the application. An unsuspecting user viewing the schedule will have the attacker-supplied script code executed within their browser in the context of the vulnerable site. This issue may be leveraged to steal cookie-based authentication credentials. Other attacks are also possible.
Although this issue reportedly affects version 1.0.0RC1 of the affected software, it is likely that other versions are affected as well.

17. SuSE Linux PTMX Unspecified Local Denial Of Service Vulnerab...
BugTraq ID: 11081
Remote: No
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11081
Summary:
Reportedly SuSE Linux is vulnerable to a local ptmx denial of service vulnerability; fixes are available. The underlying cause of this issue is currently unknown; this BID will be updated as more information is released.
An attacker may leverage this issue to cause the affected computer to hang or crash, denying service to legitimate users.

18. pLog User Registration HTML Injection Vulnerability
BugTraq ID: 11082
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11082
Summary:
pLog is prone to an HTML injection vulnerability that is exposed via the user registration form. Fields in the form are not adequately sanitized of HTML and script code.
This may permit execution of hostile script code when a user views pages that include the injected code. The hostile code would be rendered in the context of the site hosting the vulnerable software. Exploitation could allow for theft of cookie-based authentication credentials or other attacks.

20. IMLib/IMLib2 Multiple BMP Image Decoding Buffer Overflow Vul...
BugTraq ID: 11084
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11084
Summary:
Multiple buffer overflow vulnerabilities are reported to exist in the Imlib/Imlib2 libraries. These issues may be triggered when handling malformed bitmap images.
These vulnerabilities could be exploited by a remote attacker to cause a denial of service in applications that use the vulnerable library to render images. It is also reported that these vulnerabilities may be exploited to execute arbitrary code.

22. Newtelligence DasBlog Request Log HTML Injection Vulnerabili...
BugTraq ID: 11086
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11086
Summary:
DasBlog is reportedly susceptible to an HTML injection vulnerability in its request log. This vulnerability is due to a failure of the application to properly sanitize user-supplied input data before using it in the generation of dynamic web pages.
This may allow an attacker to inject malicious HTML and script code into the application. An administrator displaying the 'Activity and Events Viewer' will have the attacker-supplied script code executed within their browser in the context of the vulnerable site. This issue may be leveraged to steal cookie-based authentication credentials. Other attacks are also possible.
Although this issue reportedly affects versions 1.3 through 1.6 of the affected software.

23. TorrentTrader Download.PHP SQL Injection Vulnerability
BugTraq ID: 11087
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11087
Summary:
TorrentTrader is vulnerable to a remote SQL injection vulnerability in the 'download.php' script. This issue is due to a failure of the application to properly validate user-supplied input prior to including it in an SQL query.
An attacker may exploit this issue to manipulate and inject SQL queries onto the underlying database. It will be possible to leverage this issue to steal database contents including administrator password hashes and user credentials as well as to make attacks against the underlying database.

24. PHPWebSite Multiple Input Validation Vulnerabilities
BugTraq ID: 11088
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11088
Summary:
It is reported that phpWebSite is susceptible to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities.
The cross-site scripting issue is present in a parameter of the comments module script. An attacker can exploit these issues by creating a malicious link to the vulnerable module containing HTML and script code and send this link to a vulnerable user. When the user follows the link, the attacker-supplied code renders in the user's browser.
An SQL injection issue exists in the application as well. This issue affects a parameter of the calendar module script. This issue may be exploited to cause sensitive information to be disclosed to a remote attacker.
Finally, an HTML injection vulnerability is reported to affect the application. The problem is said to occur in the notes module due to a lack of sufficient sanitization performed on user-supplied data.
Attackers may potentially exploit this issue to manipulate web content, take unauthorized site actions in the context of the victim, or to steal cookie-based authentication credentials.
These vulnerabilities were reported in phpWebsite 0.9.3-4, previous versions are also reported to be vulnerable.

26. Opera Web Browser Empty Embedded Object JavaScript Denial Of...
BugTraq ID: 11090
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11090
Summary:
Opera is a web browser available for a number of platforms, including Microsoft Windows, Linux and Unix variants and Apple MacOS.
Opera Web Browser is reported to be susceptible to a JavaScript denial of service vulnerability. This vulnerability presents itself when Opera attempts to execute a specific JavaScript command. Upon executing this command, Opera will reportedly crash.
This vulnerability was reported to exist in version 7.23 of Opera for Microsoft Windows. Other versions are also likely affected. Version 7.54 does not seem to be susceptible.

27. Oracle 10g Database DBMS_SCHEDULER Remote Command Execution ...
BugTraq ID: 11091
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11091
Summary:
Oracle 10g Database is reported prone to a remote command execution vulnerability. It is reported that the vulnerability exists in the scheduler functionality that was added to Oracle 10g R1.
A remote authenticated attacker may exploit this vulnerability to execute arbitrary commands in the context of the vulnerable software.
This issue was originally announced as an undisclosed issue in BID 10871.

29. LHA Multiple Code Execution Vulnerabilities
BugTraq ID: 11093
Remote: Yes
Date Published: Sep 01 2004
Relevant URL: http://www.securityfocus.com/bid/11093
Summary:
LHA is reported prone to multiple vulnerabilities. These issues include multiple local and remote buffer overflow vulnerabilities and a remote command execution vulnerability. Successful exploitation of these issues may allow an attacker to execute arbitrary code and gain unauthorized access to a vulnerable computer.
The following specific issues were reported:
The application is prone to a stack overflow vulnerability when processing a malicious archive.
Multiple local buffer overflow vulnerabilities were reported as well. These issues can be triggered by supplying an excessive string value to the application through the command line.
Additionally, a remote command execution issue affects the application. This issue is triggered when LHA processes a directory with a malformed name.
LHA versions 1.14 and prior are affected by these issues.

30. Apache mod_ssl Denial Of Service Vulnerability
BugTraq ID: 11094
Remote: Yes
Date Published: Sep 02 2004
Relevant URL: http://www.securityfocus.com/bid/11094
Summary:
Apache mod_ssl is reported susceptible to a denial of service vulnerability.
This issue presents itself during SSL connections to a vulnerable Apache server. The affected software may enter into an infinite loop in certain circumstances. This will consume CPU resources and potentially cause further connections to the affected server to fail.
All Apache versions from 2.0 through to 2.0.50 are reported vulnerable.

33. CuteNews 'index.php' Cross-Site Scripting Vulnerability
BugTraq ID: 11097
Remote: Yes
Date Published: Sep 02 2004
Relevant URL: http://www.securityfocus.com/bid/11097
Summary:
It is reported that CuteNews is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input.
This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.
This vulnerability is reported to exist in versions 1.3.6 and prior of CuteNews.

34. Squid Proxy NTLM Authentication Denial Of Service Vulnerabil...
BugTraq ID: 11098
Remote: Yes
Date Published: Sep 02 2004
Relevant URL: http://www.securityfocus.com/bid/11098
Summary:
Squid is reported to be susceptible to a denial of service vulnerability in its NTLM authentication module.
This vulnerability presents itself when attacker-supplied input data is passed to the affected NTLM module without proper sanitization.
This vulnerability allows an attacker to crash the NTLM helper application. Squid will respawn new helper applications, but with a sustained, repeating attack, it is likely that proxy authentication depending on the NTLM helper application would fail. Failure of NTLM authentication would result in the Squid application denying access to legitimate users of the proxy.
Squid versions 2.x and 3.x are all reported to be vulnerable to this issue. A patch is available from the vendor.

35. Oracle Database Server ctxsys.driload Access Validation Vuln...
BugTraq ID: 11099
Remote: Yes
Date Published: Sep 03 2004
Relevant URL: http://www.securityfocus.com/bid/11099
Summary:
Oracle Database Server is prone to an access validation vulnerability that may permit unprivileged users to execute commands as the DBA. This could compromise the database.
This issue corresponds to one of the unspecified vulnerabilities mentioned in BID 10871 and addressed by Oracle Alert #68.

36. Oracle Database Server dbms_system.ksdwrt Remote Buffer Over...
BugTraq ID: 11100
Remote: Yes
Date Published: Sep 03 2004
Relevant URL: http://www.securityfocus.com/bid/11100
Summary:
A remotely exploitable buffer overflow exists in Oracle Database Server.
The issue can be triggered when an overly long string is passed to an internal logging function. Authorized users could exploit this issue to execute arbitrary code in the context of the server process or to cause a denial of service.
This issue corresponds to one of the unspecified vulnerabilities mentioned in BID 10871 and addressed by Oracle Alert #68.

38. Dynalink RTA 230 ADSL Router Default Backdoor Account Vulner...
BugTraq ID: 11102
Remote: Yes
Date Published: Sep 03 2004
Relevant URL: http://www.securityfocus.com/bid/11102
Summary:
The Dynalink RTA 230 ADSL router is reported susceptible to a default backdoor account vulnerability.
It is reported that the firmware contains a backdoor account. This account is not visible or modifiable from the web administration interface. Both the web configuration application and the telnet service are not listening on the WAN interface by default.
Attackers with network access to internal interfaces of the device can gain complete access to a vulnerable access point by using the default credentials.
Other devices utilizing similar firmware may also be affected, but this has not been confirmed. Other potential devices reported are:
- US Robotics 9105 and 9106
- Siemens SE515
- Buffalo WMR-G54

39. PhpMyBackupPro Unspecified Potential Input Validation Vulner...
BugTraq ID: 11103
Remote: Yes
Date Published: Aug 29 2004
Relevant URL: http://www.securityfocus.com/bid/11103
Summary:
phpMyBackupPro is reported prone to multiple unspecified input validation vulnerabilities. These issues were identified by the vendor. The cause and impact of these issues are currently unknown; however, they are reported to occur due to insufficient validation of some configuration entries and validation of MySQL username and password values. It is conjectured that these issues may allow an attacker to gain unauthorized access to the application. Disclosure of database backups is a possibility as well.
phpMyBackupPro versions 0.6.2 and prior are affected by these issues.
 
Old 09-11-2004, 10:38 AM   #3
unSpawn
Moderator
Sep 6th 2004 (SANS)

SANS
(1) HIGH: Oracle Products Multiple Vulnerabilities
Affected:
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle Database 10g Release 1, version 10.1.0.2
Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle Collaboration Suite
Oracle E-Business Suite 11i

Description: The Oracle Database server, the Oracle Application server,
the Oracle Enterprise Manager, the Oracle E-Business and the Oracle
Collaboration suites contain multiple buffer overflows (numbering over
40) and SQL injection vulnerabilities, which may be exploited to execute
arbitrary code on the server(s). Some of the flaws in the Database and
the Application server can be exploited by a remote unauthenticated
attacker, whereas the flaws in the Enterprise Manager can be exploited
only with valid user credentials. The Collaboration and the E-Business
suite customers have been advised to apply the appropriate Database and
Application server patches; hence, the flaws in these applications could
also be exploited by remote unauthenticated attackers. In the
configurations using Oracle as a back-end database, the flaws may be
leveraged via SQL injection vulnerabilities in the front-end web
scripts. The default accounts provide another avenue for exploitation.
The technical details regarding many of the buffer overflows have been
publicly posted. Further details are expected to be released in the
upcoming months.

Status: Oracle has released patches listed in the Oracle Security Alert
#68. Given the fact that relevant technical information regarding some
of the overflows has been posted, and that some of the flaws may be
exploited by remote unauthenticated attackers, the patches should be
applied on a priority basis. The Center for Internet Security (CIS) has
released security benchmarking tools for Oracle, which may help in
hardening the database security.

Council Site Actions: A majority of the reporting council sites have
Oracle implementations and are responding to this vulnerability.
Most of these sites are currently evaluating and testing the patches.
Some sites plan to patch the systems as soon as possible, while other
sites will patch during their next regularly scheduled system update
process. Several sites commented that their Oracle database servers are
isolated from external networks and thus the threat is greatly reduced.
One site is monitoring for any unusual network connections to systems
that are running Oracle products.

References:
Oracle Advisory
http://www.oracle.com/technology/dep...004alert68.pdf
CERT Advisories
http://www.us-cert.gov/cas/techalerts/TA04-245A.html
http://www.kb.cert.org/vuls/id/170830
http://www.kb.cert.org/vuls/id/435974
http://www.kb.cert.org/vuls/id/316206
Application Security Advisory
http://www.appsecinc.com/resources/a...cle/2004-0001/
Integrigy Advisory
http://www.integrigy.com/alerts/OraA...AppsImpact.htm
NGS Advisory
http://www.nextgenss.com/advisories/oracle-01.txt
PeteFinnigan Advisory
http://www.petefinnigan.com/alerts.htm
iDefense Advisories
http://archives.neohapsis.com/archiv...4-09/0064.html
http://archives.neohapsis.com/archiv...4-09/0075.html
Oracle Security Hardening Tools
http://www.cisecurity.org/bench_oracle.html
SecurityFocus BID
http://www.securityfocus.com/bid/10871

(2) MODERATE: MIT Kerberos 5 Double Free Vulnerabilities
Affected:
All releases of Kerberos 5 prior to and including krb5-1.3.4
Cisco VPN 3000 Series Concentrators using KDC for user authentication

Description: Kerberos, a network protocol created at MIT, is used to
provide strong authentication for client/server applications. The MIT
Kerberos implementation is widely used by many network vendors and
Linux/Unix flavors. The protocol uses Abstract Syntax Notation (ASN.1)
encoded data for communications. The libraries that handle the ASN.1
decoding contain multiple "double free" vulnerabilities. The problem
occurs because when an error is encountered in decoding an invalid ASN.1
object, the memory allocated for that ASN.1 object is freed twice. The
double free vulnerabilities affect the Kerberos Key Distribution Center
(KDC), the krb524d daemon, etc.

The KDC authenticates a client, and provides the client with "tickets"
that can be used to access other kerberized services. The double-free
vulnerabilities in the KDC may be exploited by an unauthenticated
attacker to possibly execute arbitrary code on the KDC server or to
cause a denial of service to the KDC server. The KDC server compromise
may result in compromising the entire organization ("Kerberos realm").
An attacker controlled KDC server can be further used to compromise the
Kerberos clients.

The krb524d daemon converts a Kerberos version 5 ticket to a Kerberos
version 4 ticket. An unauthenticated attacker may leverage the double
free flaws in krb524d daemon to execute arbitrary code. In many cases,
the krb524d daemon runs on the KDC. Hence, this compromise may also
result in compromising the KDC and the entire Kerberos realm.

The double free vulnerabilities are also present in the "krb5_rd_cred()"
function; however, an attacker would require authentication credentials
to exploit these flaws. Note that the double free memory bugs are
generally harder to leverage to execute arbitrary code, and the exploit
code tends to be platform dependent (as opposed to being universal). Hence,
a widespread exploitation of these flaws is less probable. Exploit code
is not currently available. The technical details required to leverage
the flaws can be obtained by examining the patch files.

Status: MIT has released patches for multiple Kerberos versions. Apply
the appropriate patches, and rebuild the software. The krb5-1.3.5
release will fix all these flaws. Multiple Linux vendors, Sun and Cisco
have released patches. For the status of other vendors, please refer to
the CERT advisories.

Council Site Actions: Three of the reporting council sites are using
the affected software. Two of these sites will patch their systems
during the next regularly scheduled system update process. The third
site has a very large implementation of Kerberos. They began patching
critical servers on August 31st with a second round of patching to begin
early next week.

References:
MIT Security Advisories
http://web.mit.edu/kerberos/advisori...02-dblfree.txt
http://web.mit.edu/kerberos/advisori...4-003-asn1.txt
CERT Advisories
http://www.us-cert.gov/cas/techalerts/TA04-247A.html
http://www.kb.cert.org/vuls/id/795632
http://www.kb.cert.org/vuls/id/866472
http://www.kb.cert.org/vuls/id/350792
Kerberos RFC
ftp://ftp.isi.edu/in-notes/rfc1510.txt
Cisco Advisory
http://www.cisco.com/warp/public/707...831-krb5.shtml
Sun Security Alert
http://sunsolve.sun.com/search/docum...&searchclause=
Mandrake Update
http://www.mandrakesoft.com/security...MDKSA-2004:088
RedHat Update
http://rhn.redhat.com/errata/RHSA-2004-350.html
Fedora Update
http://download.fedora.redhat.com/pu...core/updates/1
Debian Update
http://www.debian.org/security/2004/dsa-543
Trustix Update
http://www.trustix.org/errata/2004/0045
SecurityFocus BID
http://www.securityfocus.com/bid/11078
http://www.securityfocus.com/bid/11079

(5) LOW: LHA Multiple Remote Code Execution Vulnerabilities
Affected:
All versions of LHA up to version 1.14

Description: LHA is a file compression utility similar to zip and gzip.
It ships with many Linux distributions and has been ported to BSD,
Solaris and other operating systems. The software contains a stack-based
overflow that may be exploited to execute arbitrary code with the
privileges of the LHA process. In addition, the software contains a
remote command execution vulnerability that is triggered upon opening a
specially crafted archive, which has a directory name containing shell
meta-characters. Note that the software is used by many virus scanners
to unpack LHA archives, and web browsers to automatically uncompress LHA
archives upon download. Hence, an attacker can exploit the flaw via a
specially crafted email or a malicious web page. Limited technical
details about the flaws have been posted.

Status: Official vendor patches are not yet available. Red Hat has
released updated LHA packages.

Council Site Actions: Two of the reporting council sites are running the
affected software on either Red Hat or Debian Linux systems. One site
has already made the patches available via their Up2date server. The
other site has a large installation of Red Hat and Debian systems. The
Red Hat systems have already been updated and the Debian systems will
be updated once the patch is released. Any systems which need a manual
update will be patched later this month.

References:
Red Hat Advisory
http://rhn.redhat.com/errata/RHSA-2004-323.html
Vendor Homepages
http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/
http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm
SecurityFocus BID
http://www.securityfocus.com/bid/11093
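The double-free pattern behind SANS item (2) and BID 11078 above (an ASN.1 decoder that frees a half-built object on its error path while the caller still holds, and later frees, the same pointer) as an added C illustration. This is constructed example code, not the MIT krb5 source: the TLV decoder, the quarantining tracking allocator (which records a second release instead of crashing, the way a sanitizer build would flag it) and the sample buffers are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator: records each pointer handed out and counts releases.
 * Memory is quarantined (really freed only in tracker_reset) so a second
 * release is recorded instead of corrupting the heap. */
#define MAX_TRACKED 16
struct rec { void *p; int frees; };
static struct rec tracked[MAX_TRACKED];
static int ntracked;

static void *t_malloc(size_t n) {
    void *p = malloc(n);
    if (p && ntracked < MAX_TRACKED) tracked[ntracked++] = (struct rec){ p, 0 };
    return p;
}

static void t_free(void *p) {
    for (int i = 0; i < ntracked; i++)
        if (tracked[i].p == p) { tracked[i].frees++; return; }
}

/* Number of tracked allocations released more than once. */
int double_free_count(void) {
    int n = 0;
    for (int i = 0; i < ntracked; i++) n += tracked[i].frees > 1;
    return n;
}

/* Release quarantined memory and clear the records before the next run. */
void tracker_reset(void) {
    for (int i = 0; i < ntracked; i++) free(tracked[i].p);
    ntracked = 0;
}

/* Minimal TLV (tag, length, value) object standing in for an ASN.1 node. */
typedef struct { unsigned char tag; size_t len; unsigned char *val; } asn1_obj;
typedef int (*decode_fn)(const unsigned char *, size_t, asn1_obj **);

void asn1_obj_free(asn1_obj *o) { if (o) { t_free(o->val); t_free(o); } }

/* Vulnerable pattern (constructed, not the krb5 code): the object is published
 * to the caller before validation, and each error path frees it without
 * clearing the caller's pointer. */
int decode_vulnerable(const unsigned char *buf, size_t n, asn1_obj **out) {
    asn1_obj *o = t_malloc(sizeof *o);
    if (!o) return -1;
    o->val = NULL;
    *out = o;                                      /* caller now believes it owns o */
    if (n < 2) { t_free(o); return -1; }           /* freed, but *out still points at o */
    o->tag = buf[0]; o->len = buf[1];
    if (o->len > n - 2) { t_free(o); return -1; }  /* length exceeds buffer: same bug */
    o->val = t_malloc(o->len + 1);
    if (!o->val) { t_free(o); return -1; }
    memcpy(o->val, buf + 2, o->len);
    return 0;
}

/* Fixed pattern: validate before allocating, release everything built on an
 * error path, and publish through *out only on success, so the caller never
 * holds a pointer the decoder has already freed. */
int decode_fixed(const unsigned char *buf, size_t n, asn1_obj **out) {
    *out = NULL;
    if (n < 2 || (size_t)buf[1] > n - 2) return -1;
    asn1_obj *o = t_malloc(sizeof *o);
    if (!o) return -1;
    o->tag = buf[0]; o->len = buf[1];
    o->val = t_malloc(o->len + 1);
    if (!o->val) { t_free(o); return -1; }
    memcpy(o->val, buf + 2, o->len);
    *out = o;
    return 0;
}

/* Caller modelled on a server handling one request: whatever the decoder
 * handed back is released afterwards. Returns how many double frees occurred. */
int handle_request(const unsigned char *buf, size_t n, decode_fn decode) {
    tracker_reset();
    asn1_obj *o = NULL;
    decode(buf, n, &o);
    asn1_obj_free(o);   /* with decode_vulnerable on bad input: second free of o */
    return double_free_count();
}

/* Constructed sample inputs: a well-formed OCTET STRING "abc", and a truncated
 * one whose length byte claims 16 bytes when only 1 follows. */
const unsigned char sample_ok[]  = { 0x04, 0x03, 'a', 'b', 'c' };
const unsigned char sample_bad[] = { 0x04, 0x10, 'a' };

int main(void) {
    printf("vulnerable decoder, bad input: %d double free(s)\n",
           handle_request(sample_bad, sizeof sample_bad, decode_vulnerable));
    printf("fixed decoder, bad input:      %d double free(s)\n",
           handle_request(sample_bad, sizeof sample_bad, decode_fixed));
    tracker_reset();
    return 0;
}
```

The same ownership discipline (free on every error path, hand the object out only on success, never leave the caller holding a released pointer) is what the krb5 patches restore; running the real code under a sanitizer is the practical way to confirm no error path still frees twice.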