Old 08-13-2003, 08:15 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Aug 13th 2003


Aug 11th 2003
22 of 44 issues handled (SF)
1. Multiple Atari800 Emulator Local Buffer Overflow Vulnerabili...
7. CDRTools RSCSI Debug File Arbitrary Local File Manipulation ...
9. Linux Netfilter NAT Remote Denial of Service Vulnerability
10. Netfilter Connection Tracking Denial of Service Vulnerabilit...
11. mindi Temporary File Creation Vulnerabilities
12. Multiple Postfix Denial of Service Vulnerabilities
14. Invision Board Overlapping IBF Formatting Tag HTML Injection...
16. Xtokkaetama Nickname Local Buffer Overflow Vulnerability
18. NetBSD Kernel OSI Packet Handler Remote Denial Of Service Vu...
19. Man-db DEFINE Arbitrary Command Execution Vulnerability
23. FreezingCold Software aspBoard URL HTML Injection Vulnerabil...
26. gURLChecker HTML Parser Denial Of Service Vulnerability
27. Webware WebKit Cookie String Command Execution Vulnerability
28. ERoaster Local Insecure Temporary File Creation Vulnerabilit...
30. ManDB Compressor Binary Substitution Vulnerability
31. JSCI SSO URI Pattern Matching Access Validation Vulnerabilit...
32. vBulletin Register.PHP HTML Injection Vulnerability
33. D-Link DI-704P Long URL Denial Of Service Vulnerability
39. Postfix Connection Proxying Vulnerability
40. Postfix SMTP Malformed E-mail Envelope Address Denial of Ser...
42. VMware Workstation For Linux File Deletion Vulnerability
44. TCPflow Format String Vulnerability

Aug 11th 2003
21 of 47 issues handled (ISS)
Netfilter Network Address Translation (NAT) denial
mindi creates insecure temporary files
Netfilter connection tracking function denial of
TrueType Font Server for X11 off-by-one error
xtokkaetama -nickname command line option buffer
D-Link DI-704P long HTTP request denial of service
User Werben Hack and Guthabenhack new user form SQL
Postfix could be used as a distributed denial of
Postfix MAIL FROM or RCPT TO denial of service
vqServer irun.ini plaintext password
Bajie HTTP Server user.properties plaintext
eroaster insecure temporary lockfile
NetBSD OSI packet denial of service
man-db DEFINE directives execute code
Invision Power Board IBF formatting tag HTML
D-Link DI-704P long HTTP request configuration Web
man-db open_cat_stream function allows attacker to
vBulletin register.php cross-site scripting
tcpflow format string
man-db command buffer overflow
up2date packages without GPG signature automatic

---
My timely reporting hasn't been timely the last two weeks; for that, my sincere apologies. Anyway, you know where to get it by now yourself...
 
Old 08-13-2003, 08:16 PM   #2
unSpawn
Moderator
 
Aug 11th 2003 (ISS)

Internet Security Systems


Date Reported: 08/02/2003
Brief Description: Netfilter Network Address Translation (NAT) denial
of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Linux kernel 2.4.20, Linux
kernel 2.5
Vulnerability: netfilter-networkaddresstranslation-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12806

Date Reported: 08/02/2003
Brief Description: mindi creates insecure temporary files
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux Any version, mindi Any
version
Vulnerability: mindi-tempfile-insecure
X-Force URL: http://xforce.iss.net/xforce/xfdb/12807

Date Reported: 08/02/2003
Brief Description: Netfilter connection tracking function denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Linux kernel 2.4.20
Vulnerability: netfilter-connectiontracking-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12808

Date Reported: 07/31/2003
Brief Description: TrueType Font Server for X11 off-by-one error
memory leak
Risk Factor: Medium
Attack Type: Network Based
Platforms: Debian Linux 3.0, Linux Any version, TrueType Font
Server for X11 prior to 1.5.1, Unix Any version
Vulnerability: truetype-offbyone-memory-leak
X-Force URL: http://xforce.iss.net/xforce/xfdb/12809

Date Reported: 08/03/2003
Brief Description: xtokkaetama -nickname command line option buffer
overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux Any version, xtokkaetama
1.0b
Vulnerability: xtokkaetama-nickname-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/12811

Date Reported: 08/06/2003
Brief Description: D-Link DI-704P long HTTP request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: D-Link DI704P 2.70
Vulnerability: dlink-long-http-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12812

Date Reported: 07/31/2003
Brief Description: User Werben Hack and Guthabenhack new user form SQL
injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Guthaben hack 3.0, Linux Any version, Unix Any
version, User Werben Hack Any version, Windows Any
version
Vulnerability: userwerbenhack-newuser-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/12814

Date Reported: 08/03/2003
Brief Description: Postfix could be used as a distributed denial of
service tool
Risk Factor: Low
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Debian
Linux 3.0, Postfix 1.1.11 and earlier, Red Hat
Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9, SuSE
eMail Server 3.1, SuSE eMail Server III Any
version, SuSE Linux 7.2, SuSE Linux 7.3, SuSE Linux
8.0, SuSE Linux 8.1, SuSE Linux Connectivity Server
Any version, SuSE Linux Database Server Any
version, SuSE Linux Desktop 1.0, SuSE Linux
Enterprise Server 7, SuSE Linux Enterprise Server
8, SuSE Linux Office Server Any version, SuSE Linux
Openexchange Server Any version, UnitedLinux 1.0
Vulnerability: postfix-ddos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12815

Date Reported: 08/03/2003
Brief Description: Postfix MAIL FROM or RCPT TO denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Debian
Linux 3.0, EnGarde Secure Linux 1.0.1, EnGarde
Secure Linux Community Edition, EnGarde Secure
Linux Professional Edition, Postfix 1.1.12 and
earlier, Red Hat Linux 7.3, Red Hat Linux 8.0, Red
Hat Linux 9, SuSE eMail Server 3.1, SuSE eMail
Server III Any version, SuSE Linux 7.2, SuSE Linux
7.3, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux
Connectivity Server Any version, SuSE Linux
Database Server Any version, SuSE Linux Desktop
1.0, SuSE Linux Enterprise Server 7, SuSE Linux
Enterprise Server 8, SuSE Linux Office Server Any
version, SuSE Linux Openexchange Server Any
version, Trustix Secure Linux 1.2, Trustix Secure
Linux 1.5, UnitedLinux 1.0
Vulnerability: postfix-mailfrom-rcptto-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12816

Date Reported: 08/04/2003
Brief Description: vqServer irun.ini plaintext password
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Macintosh Any version, Solaris
Any version, Unix Any version, vqServer 1.9.55,
Windows Any version
Vulnerability: vqServer-irunini-plaintext-password
X-Force URL: http://xforce.iss.net/xforce/xfdb/12818

Date Reported: 08/02/2003
Brief Description: Bajie HTTP Server user.properties plaintext
administrative password
Risk Factor: Medium
Attack Type: Host Based
Platforms: Bajie HTTP Server 0.95zxt, Linux Any version, Mac
OS Any version, Unix Any version, Windows Any
version
Vulnerability: bajie-userproperties-plaintext-password
X-Force URL: http://xforce.iss.net/xforce/xfdb/12821

Date Reported: 08/05/2003
Brief Description: eroaster insecure temporary lockfile
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, eroaster Any version
Vulnerability: eroaster-tmp-lockfile-insecure
X-Force URL: http://xforce.iss.net/xforce/xfdb/12829

Date Reported: 08/04/2003
Brief Description: NetBSD OSI packet denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD
1.5.3, NetBSD 1.6, NetBSD 1.6.1
Vulnerability: netbsd-osi-packet-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12830

Date Reported: 08/06/2003
Brief Description: man-db DEFINE directives execute code
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, man-db 2.4.1 and earlier, Unix
Any version
Vulnerability: mandb-define-execute-commands
X-Force URL: http://xforce.iss.net/xforce/xfdb/12841

Date Reported: 08/04/2003
Brief Description: Invision Power Board IBF formatting tag HTML
injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Invision Power Board Any version, Linux Any
version, Unix Any version, Windows Any version
Vulnerability: invision-ibf-html-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/12842

Date Reported: 08/06/2003
Brief Description: D-Link DI-704P long HTTP request configuration Web
page
Risk Factor: Medium
Attack Type: Host Based
Platforms: D-Link DI704P 2.70
Vulnerability: dlink-http-configuration-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/12843

Date Reported: 08/06/2003
Brief Description: man-db open_cat_stream function allows attacker to
gain privileges
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, man-db 2.3.12 beta, man-db 2.3.18
to 2.41, Unix Any version
Vulnerability: mandb-opencatstream-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/12848

Date Reported: 08/08/2003
Brief Description: vBulletin register.php cross-site scripting
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, vBulletin
3.0.0 Beta 2, Windows Any version
Vulnerability: vbulletin-register-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/12851

Date Reported: 08/07/2003
Brief Description: tcpflow format string
Risk Factor: High
Attack Type: Host Based
Platforms: tcpflow 0.20, Unix Any version
Vulnerability: tcpflow-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/12852

Date Reported: 08/08/2003
Brief Description: man-db command buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms: Debian Linux 3.0, man-db 2.4.1 and earlier, Unix
Any version
Vulnerability: mandb-command-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/12854

Date Reported: 08/08/2003
Brief Description: up2date packages without GPG signature automatic
install
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Red Hat Linux 8.0, Red Hat Linux
9, Unix Any version, up2date 3.0.7, up2date 3.1.23
Vulnerability: up2date-gpg-automatic-install
X-Force URL: http://xforce.iss.net/xforce/xfdb/12855
 
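The mindi and eroaster entries above are both the classic predictable-temporary-file bug: a program opens a guessable name in a world-writable directory, and a local attacker who pre-plants a symlink there gets the program to write through the link. The following is an added example (not code from mindi, eroaster, Debian or the original post) showing the vulnerable pattern next to two fixes: a fixed name opened with O_CREAT|O_EXCL|O_NOFOLLOW, which refuses the planted link, and tempfile.mkstemp, which creates an unpredictable name atomically with mode 0600. The name pattern "mindi.<pid>.tmp", the PID 4242 and the victim file are assumptions constructed for the demo; it expects a POSIX host where unprivileged symlinks are allowed.

```python
"""Predictable temporary files versus O_EXCL|O_NOFOLLOW and mkstemp.
Added example modelled on the mindi/eroaster reports; not their code.
The name pattern 'mindi.<pid>.tmp' and PID 4242 are assumptions."""
import os
import tempfile


def predictable_tmp_write(tmpdir, pid, data):
    """Vulnerable pattern: a name derived from the PID, opened with plain
    open(), which happily follows a symlink planted at that name."""
    path = os.path.join(tmpdir, f"mindi.{pid}.tmp")
    with open(path, "w") as f:
        f.write(data)
    return path


def excl_fixed_name_write(tmpdir, pid, data):
    """Same fixed name, but O_CREAT|O_EXCL|O_NOFOLLOW: the open fails with
    EEXIST if anything (file or link) already sits there. Returns None then."""
    path = os.path.join(tmpdir, f"mindi.{pid}.tmp")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def mkstemp_write(tmpdir, data):
    """Preferred fix: unpredictable name, created atomically with O_EXCL
    and mode 0600, so there is nothing for an attacker to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="mindi.", suffix=".tmp", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Plant a symlink at the guessable name, then run each writer.
    Everything happens in a fresh directory constructed for the demo."""
    tmpdir = tempfile.mkdtemp()
    victim = os.path.join(tmpdir, "victim.conf")   # file the attacker wants clobbered
    with open(victim, "w") as f:
        f.write("original\n")
    pid = 4242
    link = os.path.join(tmpdir, f"mindi.{pid}.tmp")
    os.symlink(victim, link)                        # attacker's move, made in advance

    predictable_tmp_write(tmpdir, pid, "attacker-controlled\n")
    with open(victim) as f:
        clobbered = f.read() == "attacker-controlled\n"

    refused = excl_fixed_name_write(tmpdir, pid, "safe\n") is None

    safe_path = mkstemp_write(tmpdir, "safe\n")
    with open(victim) as f:
        victim_after = f.read()
    return {
        "predictable_overwrote_victim": clobbered,
        "excl_refused_planted_link": refused,
        "mkstemp_avoided_link": safe_path != link and not os.path.islink(safe_path),
        "mkstemp_mode_0600": (os.stat(safe_path).st_mode & 0o777) == 0o600,
        "victim_untouched_by_safe_writers": victim_after == "attacker-controlled\n",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The O_EXCL variant is the minimal patch when a program's file name cannot change (the write is simply refused and the caller should log and abort); mkstemp is what a new program should use, and the open file descriptor, not the path, should then be handed to whatever consumes the file.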
Old 08-13-2003, 08:18 PM   #3
unSpawn
Moderator
 
Aug 11th 2003 (SF) 1/2

SecurityFocus


1. Multiple Atari800 Emulator Local Buffer Overflow Vulnerabili...
BugTraq ID: 8322
Remote: No
Date Published: Jul 31 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8322
Summary:
atari800 is a multi-platform Atari 800, 800XL, 5200 and 130XE emulator
software developed for Unix, WinCE, MS-DOS, Atari TT/Falcon, SDL and Amiga
platforms.

atari800 emulator has been reported prone to multiple local buffer overflow
vulnerabilities.

The issues are likely due to insufficient bounds checking performed on
user-supplied data before it is copied into reserved buffers in memory. A
local attacker may supply excessive data in a manner sufficient to trigger
these issues and in doing so corrupt arbitrary memory. Because atari800
requires direct access to graphic devices, it has been reported that one of
the affected applications is setuid root. Therefore, it has been reported
that a local attacker may exploit this condition to gain local root access.

It should be noted that although version 1.2.2 and prior have been reported
vulnerable, other versions are also likely to be prone to this issue.


7. CDRTools RSCSI Debug File Arbitrary Local File Manipulation ...
BugTraq ID: 8328
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8328
Summary:
rscsi is a helper component of the cdrtools package.

It has been reported that a local attacker may invoke the rscsi utility
against an attacker specified file. The attacker may accomplish this by
supplying a rscsi 'debug file' argument that points to a file that already
exists, to the affected utility. This action will have the effect of
causing the group ownership of the target file to be modified. The changes
will reflect the group of which the individual invoking the rscsi utility
is a member. Additionally the target file contents will be corrupted with
data that may be influenced by the attacker.

Because the rscsi utility is installed with setuid 'root' permissions by
default, a local attacker may harness this vulnerability to achieve
elevated privileges.

This vulnerability has been reported to affect the version 2.x branch of
cdrtools, and all previous versions.


9. Linux Netfilter NAT Remote Denial of Service Vulnerability
BugTraq ID: 8330
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8330
Summary:
The Netfilter project maintains the packet filter component of the Linux
kernel. A fix for a denial of service vulnerability has been reported by
the Netfilter project.

The vulnerability is present on systems with the ip_nat_ftp or ip_nat_irc
modules loaded or with a kernel built supporting options
CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC. These optional subcomponents
implement limited stateful inspection of the FTP and IRC application
protocols, allowing for features such as active mode FTP and DCC through NAT.

A remotely exploitable denial of service vulnerability exists when at least
one of these features is enabled and communication to FTP/IRC servers is
permitted.

Version 2.4.20 of the Linux kernel is confirmed vulnerable. A patch is
available. According to the Netfilter team, the 2.4.20 kernels shipped
with Red Hat Linux include the patch.

10. Netfilter Connection Tracking Denial of Service Vulnerabilit...
BugTraq ID: 8331
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8331
Summary:
The Netfilter project maintains the packet filter component of the Linux
kernel. A fix for a denial of service vulnerability has been reported by
the Netfilter project.

The vulnerability is present on systems with support for connection
tracking enabled. Connection tracking allows for the firewall to identify
which packets belong to established connections. Linux 2.4.20 systems with
kernels built supporting the CONFIG_IP_NF_CONNTRACK option or with the
ip_conntrack module loaded are vulnerable. Other kernel versions are not
affected.

The vulnerability is due to the introduction into the Linux 2.4.20 kernel
of a new generic linked list implementation. The reliance on the previous
linked list implementation resulted in a condition which could result in a
denial of service.

A patch has been released that removes dependence on a specific kernel
linked list API.


11. mindi Temporary File Creation Vulnerabilities
BugTraq ID: 8332
Remote: No
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8332
Summary:
Mindi is a program for creating boot/root disks that is maintained by Hugo
Robson.

Debian has reported that Mindi is affected by several temporary file
creation vulnerabilities that could allow for corruption of local files
and, possibly, elevation of privileges. Throughout its operation, mindi
creates numerous files in /tmp with predictable filenames. Because /tmp is
world-writeable, symbolic link attacks are possible. Some of the temporary
file filenames are static and can be predicted with certainty and others
are based on process IDs.

If malicious local attackers know that another user on the system is going
to run mindi, symbolic links with anticipated filenames can be created in
/tmp. If the file pointed to by the symbolic link is writeable by the user
running mindi, the file will be overwritten or deleted if the attacker
chose the correct filenames. If the contents can be controlled by the
attacker, privilege escalation may be possible. As there are numerous
temporary files, different attack channels may yield different consequences.

Debian has issued fixes.


12. Multiple Postfix Denial of Service Vulnerabilities
BugTraq ID: 8333
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8333
Summary:
Postfix is a free, open-source mailer that was designed to be an
alternative to Sendmail. It is written and maintained by Wietse Venema.

Debian has reported two vulnerabilities in the Postfix mail transfer agent.
The first vulnerability, CAN-2003-0468, can allow for an adversary to
"bounce-scan" a private network. It has also been reported that this
vulnerability can be exploited to use the server as a distributed denial of
service tool. This is reportedly possible through forcing the server to
connect to an arbitrary port on an arbitrary host.

The second vulnerability, CAN-2003-0540, is another denial of service. It
can be triggered by a malformed envelope address and can cause the queue
manager to lock up until the message is removed manually from the queue.
It is also reportedly possible to lock the SMTP listener, also resulting in
a denial of service.

This BID has been divided into BIDs 8361 and 8362 and is being retired.


14. Invision Board Overlapping IBF Formatting Tag HTML Injection...
BugTraq ID: 8335
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8335
Summary:
Invision Board is web forum software. It is implemented in PHP and is
available for Unix and Linux variants and Microsoft Windows operating systems.

Invision Board supports the use of formatting tags that allow users to
insert images and links into content as well as control certain aspects of
how content is rendered. These tags are referred to as IBF codes.

It may be possible to inject hostile HTML into Invision Board by using
overlapping IBF tags. This could cause the hostile code to be interpreted
in the context of the site hosting the software. Any input fields which
support inclusion of IBF code may be prone to this issue.

It should be noted that it may not be possible to inject arbitrary HTML
into Invision Board but it is more likely that this could be exploited to
spoof or manipulate links or include other abusive content.

16. Xtokkaetama Nickname Local Buffer Overflow Vulnerability
BugTraq ID: 8337
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8337
Summary:
xtokkaetama, also known as xkaetama, is a puzzle game similar to Tetris
available for Linux.

xtokkaetama is prone to a locally exploitable buffer overflow
vulnerability. This is due to insufficient bounds checking of the
'-nickname' command line option. By supplying an excessively long parameter
for this command line option, it is possible to corrupt adjacent regions of
stack memory with attacker-supplied values. This could result in execution
of arbitrary code in the context of the software.

The software is typically installed setgid 'games'.

It should be noted that this issue was not patched in the updates provided
in BID 8312.


18. NetBSD Kernel OSI Packet Handler Remote Denial Of Service Vu...
BugTraq ID: 8340
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8340
Summary:
It has been reported that NetBSD systems that have OSI networking support
compiled into their kernel are prone to a remote denial of service
vulnerability.

The issue exists because error-reporting functions invoked by the netiso
enabled kernel, under some circumstances, are not implemented correctly to
abide by requisites of the BSD networking stack.

When the kernel processes an OSI packet that is sufficient to trigger the
generation of an error indication response packet one of two outcomes may
occur. If the kernel has been compiled with "options DEBUG" a kernel panic
may result and the kernel will report this condition. Otherwise the system
may crash unpredictably.

This is because the function that is responsible for crafting error
indication response packets was not converted to use a "PKTHDR" mbuf, which
is the standard for the BSD networking stack.

It has been reported that this issue does not affect systems that do not
have OSI networking support installed and an OSI network address assigned.


19. Man-db DEFINE Arbitrary Command Execution Vulnerability
BugTraq ID: 8341
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8341
Summary:
man-db is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

man-db could allow a local user to execute commands with elevated privileges.

This occurs because man-db allows commands to be executed through the
DEFINE directive even if it is running setuid "man". This would allow a
local user to execute any command with "man" privileges.

It is important to note that man-db is not installed setuid by default.
This vulnerability is only present if man-db was installed setuid "man".


23. FreezingCold Software aspBoard URL HTML Injection Vulnerabil...
BugTraq ID: 8345
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8345
Summary:
aspBoard is a bulletin board system implemented in ASP.

aspBoard is prone to an HTML injection vulnerability. This issue is exposed
through inadequate sanitization of user input for the 'URL' variable. The
script that processes user supplied URLs used in posts to the message board
may allow attackers to embed HTML and script commands within the post. An
attacker may exploit this issue by including hostile HTML and script code
in posts to the bulletin board. This code may be rendered in the web
browser of a user who views these areas of the site. This would occur in
the security context of the site hosting aspBoard.

The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.

26. gURLChecker HTML Parser Denial Of Service Vulnerability
BugTraq ID: 8348
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8348
Summary:
gURLChecker is software that can validate web links. It is available for
Unix and Linux variants.

gURLChecker is reported to be prone to a denial of service vulnerability.
This issue is exposed when the HTML parser (html_parser.c) included with
the software encounters specifically malformed HTML tags of excessive
length. The issue appears to be present in the
uc_html_parser_get_attributes() function. This could be exploited to cause
gURLChecker to crash if the software is used to access an untrusted web
page that contains code designed to trigger the condition.

Though unconfirmed, this condition could result in memory corruption. Due
to the nature of memory corruption issues, it may be possible to exploit
this issue to execute arbitrary code in the context of the software.


27. Webware WebKit Cookie String Command Execution Vulnerability
BugTraq ID: 8349
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8349
Summary:
Webware is an application suite which provides tools for development of
web-based applications. It is implemented in Python.

Webware ships with a component entitled WebKit that provides Python classes
for dynamically generating web server content.

The Webware WebKit component is prone to a vulnerability that may allow for
execution of malicious commands. This issue is due to usage of
SmartCookie, which is provided in the CookieEngine module. SmartCookie
will attempt to unpickle malicious client-supplied cookie strings. This
could result in the Python pickle module executing malicious code contained
in cookie-strings.

A remote attacker could potentially exploit this issue to execute malicious
commands with the privileges of the software.


28. ERoaster Local Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 8350
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8350
Summary:
eroaster is a freely available graphical frontend to cdrecord. It is
available for the Linux operating system.

A problem has been reported in the secure creation of temporary files by
the eroaster application. This may allow an attacker to overwrite files
belonging to the eroaster user.

Few details are available about this vulnerability. However, it is
theorized that this issue results from inadequate checks on the existence
of a predictable temporary file prior to an attempt to create the file
during program execution. By creating a symbolic link, an attacker could
potentially destroy data at the end of the symbolic link, or perform other
nefarious deeds.

30. ManDB Compressor Binary Substitution Vulnerability
BugTraq ID: 8352
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8352
Summary:
mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.

mandb is prone to a vulnerability that may permit local attackers to gain
elevated privileges. The source of this issue is that local users are able
to specify an arbitrary program as the location for a compressor utility
for cat files. In particular, the open_cat_stream() function call will be
made while the program still has privileges. By specifying a malicious
program, the attacker can cause arbitrary code execution with the
privileges of mandb. mandb typically executes with the privileges of user
'man'.


31. JSCI SSO URI Pattern Matching Access Validation Vulnerabilit...
BugTraq ID: 8353
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8353
Summary:
JCSI is a suite of Java components that offer solutions for data security
requirements. JCSI SSO (Single Sign-On) suite provides for authorization
and access control for Java applications using Microsoft Active Directory.

JSCI SSO has been reported prone to an access validation vulnerability
under certain circumstances.

The issue presents itself in pattern-matching tags contained in JSCI SSO
XML configuration files; these tags are used when controlling access to
Java applications. It has been reported that these pattern-matching tags
match an entire URI rather than the relative path to the secured Java
application. This may mean that if the protected Java application is moved
and has a different context root, JSCI SSO will no longer be protecting it.

This may lead a system administrator into a false sense of security and may
allow remote attackers to access restricted Java applications that were
presumed secured.


32. vBulletin Register.PHP HTML Injection Vulnerability
BugTraq ID: 8354
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8354
Summary:
vBulletin is a message board system implemented in PHP.

vBulletin may be prone to an HTML injection vulnerability. This issue is
exposed through inadequate sanitization of user input for fields marked
"optional" within the register.php script. This may allow attackers to
embed HTML and script commands within their user profile. An attacker may
exploit this issue by including hostile HTML and script code in fields that
may be viewable by other users. This code may be rendered in the web
browser of a user who views posts to the message board which will have this
user information automatically appended. This would occur in the security
context of the site hosting vBulletin.

The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.

33. D-Link DI-704P Long URL Denial Of Service Vulnerability
BugTraq ID: 8355
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8355
Summary:
The D-Link DI-704P is an Internet Broadband Gateway device. The DI-704P
provides a method to share a single broadband Internet connection and share
a single printer among systems connected to the local network.

D-Link DI-704P has been reported prone to a remote denial of service
vulnerability.

The issue presents itself when a request of excessive length is sent to the
router. It has been reported that when a URL of excessive length is
requested, the device behaves in an unstable manner. This may result in a
complete denial of service condition requiring a device reboot, or the loss
of the ability to log in to the administration interface.

Although unconfirmed, it should be noted that other D-Link devices that use
related firmware might also be affected.


39. Postfix Connection Proxying Vulnerability
BugTraq ID: 8361
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8361
Summary:
Postfix is a free, open-source mailer that was designed to be an
alternative to Sendmail. It is written and maintained by Wietse Venema.

A vulnerability has been reported in Postfix that may allow an adversary to
"bounce-scan" a private network.

The problem is in handling an attempt to deliver a message to an address
with the following format:

<[server_ip]:service!@local-host-name>

This will cause the server to make a connection to the port and IP address
that is specified. Such an address can be included in the "RCPT TO" or
"MAIL FROM" / Errors-To SMTP header fields. By designing requests that
create bounces, an adversary can abuse this issue to proxy scans to
networks that the adversary would not normally have direct access to.

It has been reported that this vulnerability can be exploited to use the
server as a distributed denial of service tool. This is reportedly
possible through forcing the server to connect repeatedly to an arbitrary
port on an arbitrary host.

This issue was described in BID 8333 and is now being assigned an
individual BID.


40. Postfix SMTP Malformed E-mail Envelope Address Denial of Ser...
BugTraq ID: 8362
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8362
Summary:
Postfix is a free, open-source mailer that was designed to be an
alternative to Sendmail. It is written and maintained by Wietse Venema.

Postfix is reported to be prone to a denial of service attack. It can be
triggered by a malformed envelope address and can cause the queue manager
to lock up until the message is removed manually from the queue. It is also
reportedly possible to lock the SMTP listener, also resulting in a denial
of service. The vulnerability is present in the address parser code.

Evidence of exploitation of this vulnerability can be detected in the mail
server logs. Deleting the malicious message in the queue that is
associated to the "resolve_clnt_query: null recipient" error message
contained in Postfix logs and restarting the service can restore normal
functionality.

This issue was described in BID 8333 and is now being assigned an
individual BID.
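Both Postfix items above leave traces in the mail log: item 39's relay-style address `<[server_ip]:service!@local-host-name>` is logged with the envelope (`from=<...>` / `to=<...>`), and item 40's lockup is marked by the `resolve_clnt_query: null recipient` error the advisory names. The following is an added example, not code from the advisories or from Postfix itself: a small C classifier run over constructed log lines in the usual Postfix syslog layout (hostnames, queue ID, addresses and timestamps are made up for the example, and the `ALERT_*` codes and function names are this example's own).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Alert codes returned by postfix_log_alert(). */
enum { ALERT_NONE = 0, ALERT_BOUNCE_SCAN = 1, ALERT_NULL_RECIPIENT = 2 };

/* Constructed sample log lines in the usual Postfix syslog layout (not a
 * real capture). Lines 1 and 4 carry the relay-style address from BID 8361;
 * line 3 carries the error text named in BID 8362. */
const char *SAMPLE_LOG[] = {
    "Aug 11 03:14:07 mx1 postfix/smtpd[2231]: 4F2A1C3: client=unknown[198.51.100.23]",
    "Aug 11 03:14:08 mx1 postfix/qmgr[1987]: 4F2A1C3: from=<[10.0.0.5]:25!@mx1.example.net>, size=812, nrcpt=1 (queue active)",
    "Aug 11 03:14:09 mx1 postfix/local[2250]: 4F2A1C3: to=<alice@example.net>, relay=local, status=sent",
    "Aug 11 03:15:02 mx1 postfix/qmgr[1987]: warning: resolve_clnt_query: null recipient",
    "Aug 11 03:16:40 mx1 postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: to=<[10.0.0.5]:22!@mx1.example.net> proto=ESMTP",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Return 1 if addr (starting at '<') has the form <[host-literal]:service!@domain>,
 * i.e. a recipient that makes the server open a connection to host:service
 * before the message bounces. Anything else returns 0. */
int is_bounce_scan_address(const char *addr)
{
    if (strncmp(addr, "<[", 2) != 0) return 0;
    const char *p = addr + 2, *start = p;
    while (*p && *p != ']' && *p != '>' && !isspace((unsigned char)*p)) p++;
    if (p == start || *p != ']') return 0;      /* empty or unterminated literal */
    if (*++p != ':') return 0;                  /* literal must be followed by :service */
    start = ++p;
    while (*p && *p != '!' && *p != '@' && *p != '>') p++;
    if (p == start || *p != '!') return 0;      /* service must be non-empty and end in '!' */
    return p[1] == '@';
}

/* Classify one log line. The null-recipient marker is checked first because
 * that line carries no envelope address at all. */
int postfix_log_alert(const char *line)
{
    if (strstr(line, "resolve_clnt_query: null recipient")) return ALERT_NULL_RECIPIENT;
    const char *f = strstr(line, "from=<");
    const char *t = strstr(line, "to=<");
    if (f && is_bounce_scan_address(f + 5)) return ALERT_BOUNCE_SCAN;
    if (t && is_bounce_scan_address(t + 3)) return ALERT_BOUNCE_SCAN;
    return ALERT_NONE;
}

/* Count the lines that carry a given alert code. */
int count_alerts(const char *const *lines, size_t n, int code)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (postfix_log_alert(lines[i]) == code) hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        int a = postfix_log_alert(SAMPLE_LOG[i]);
        if (a == ALERT_BOUNCE_SCAN)
            printf("bounce-scan address: %s\n", SAMPLE_LOG[i]);
        else if (a == ALERT_NULL_RECIPIENT)
            printf("queue-manager lockup marker (find and delete the queued message): %s\n", SAMPLE_LOG[i]);
    }
    return 0;
}
```

The address check deliberately requires the full `[literal]:service!@` shape rather than just a `[` after `<`, so ordinary domain-literal recipients such as `<user@[192.0.2.1]>` are not flagged. On a live system the same classifier would be fed from the mail log (for example `/var/log/maillog`) rather than the constructed array.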

42. VMware Workstation For Linux File Deletion Vulnerability
BugTraq ID: 8364
Remote: No
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8364
Summary:
VMWare Workstation is virtualization software that allows for multiple
virtual servers to run on a single host.

VMWare Workstation for Linux platforms is reported to be prone to an issue
that may allow unprivileged users on the host operating systems to delete
privileged files via manipulation of symbolic links. This could result in
a denial of service if critical system files are deleted. An attacker may
also exploit this issue to destroy data contained in sensitive files. This
issue is likely due to an insecure temporary file handling problem.

This issue is reported to affect VMWare Workstation for Linux 4.0.1 build
5289 and earlier releases. Windows versions are not affected.
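The advisory gives no detail of the affected code path, so the following is an added example rather than VMware's code: it shows the secure-programming pattern that closes this class of bug. A predictable temporary path opened with `fopen(path, "w")` follows a symlink an unprivileged user planted there and truncates whatever it points at, while `open()` with `O_CREAT|O_EXCL|O_NOFOLLOW` and mode 0600 refuses. The demonstration builds its own sandbox directory, victim file and symlink; every path and the file content are constructed for the example, and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: a predictable path opened with fopen("w"). If an
 * unprivileged user has already planted a symlink at that path, fopen
 * follows it and truncates the target with the caller's privileges. */
int insecure_tmp_write(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_CREAT|O_EXCL fails if anything already exists at the
 * path (a symlink included), O_NOFOLLOW refuses to traverse a symlink, and
 * mode 0600 keeps the file private. Returns 0 on success, -1 with errno set
 * when the open is refused. */
int secure_tmp_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static int write_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

/* Sandbox demonstration with constructed paths. Returns a bitmask:
 *   bit 0 (1): the insecure open truncated the victim through the symlink
 *   bit 1 (2): the hardened open was refused and the victim stayed intact
 * so 3 means both behaviours were observed; -1 if no sandbox could be made. */
int symlink_demo(void)
{
    char tmpdir[] = "/tmp/symdemo.XXXXXX", cwddir[] = "symdemo.XXXXXX";
    char *dir = mkdtemp(tmpdir);
    if (!dir) dir = mkdtemp(cwddir);
    if (!dir) return -1;

    char victim[256], scratch[256];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(scratch, sizeof scratch, "%s/vmware-scratch", dir);
    const char *content = "important configuration\n";   /* stands in for a privileged file */
    int result = 0;

    /* the predictable name is pointed at the victim before the program runs */
    if (write_file(victim, content) != 0 || symlink("victim.conf", scratch) != 0) goto out;

    insecure_tmp_write(scratch, "");
    if (file_size(victim) == 0) result |= 1;

    write_file(victim, content);                         /* restore, then retry hardened */
    if (secure_tmp_write(scratch, "x") == -1 && (errno == EEXIST || errno == ELOOP)
        && file_size(victim) == (long)strlen(content))
        result |= 2;
out:
    unlink(scratch);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink demo result = %d (3 = both behaviours observed)\n", symlink_demo());
    return 0;
}
```

In real code the path itself should not be predictable either: `mkstemp()` (or `mkdtemp()` for a private directory, as the sandbox above uses) generates the name and applies the same exclusive-create open internally, and a privileged process should avoid world-writable directories altogether where it can.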
 
Old 08-13-2003, 08:19 PM   #4
unSpawn
Moderator
Original Poster
Aug 11th 2003 (SF) 2/2

SecurityFocus


44. TCPflow Format String Vulnerability
BugTraq ID: 8366
Remote: No
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8366
Summary:
tcpflow is an application that is designed to capture and store network
traffic in a way that is convenient for analysis.

tcpflow has been reported prone to a local format string vulnerability. It
has been reported that this vulnerability is not exploitable under normal
conditions but could be exploitable under certain restrictive
circumstances. If the tcpflow application is installed on a MacOS X system
that also has IPNetMonitorX or IPNetSentryX utilities installed, a local
attacker may harness helper applications to exploit the condition. The
IPNetMonitorX and IPNetSentryX helper vulnerability is described in detail
in BID 8365.

Under the circumstances explained above, it is possible for unprivileged
users to execute the tcpflow application by utilizing an IPNetMonitorX or
IPNetSentryX script that is shipped with the software called "RunTCPFlow".
Because of this, privilege escalation may be possible. A local attacker may
supply a malicious format string as an argument to the -i parameter of
RunTCPFlow. This argument is ultimately passed to a debugging function,
which uses a vulnerable vfprintf() call to record the error. The format
specifiers may be interpreted literally by the formatting function and
arbitrary memory corrupted with attacker supplied values.

An attacker may leverage this condition to execute arbitrary instructions
with the privileges of the tcpflow application.
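Added example, not tcpflow's code, of the two defensive changes that address this class of bug: the untrusted string is passed as a `%s` argument to a fixed format (with the GCC/Clang `format` attribute so `-Wformat` checks callers and `-Wformat-security` flags any non-literal format), and an interface-name argument such as `-i` is validated before it reaches any logging path. `IFNAME_MAX`, `log_debug`, `report_error` and `valid_interface_name` are names chosen for this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 15          /* IFNAMSIZ - 1 on Linux and the BSDs */

/* Fixed-format logger. The attribute lets the compiler check every caller's
 * format against its arguments under -Wformat, and -Wformat-security warns
 * about any caller that passes a non-literal format with no arguments. */
__attribute__((format(printf, 3, 4)))
int log_debug(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Hardened replacement for the advisory's pattern of handing a user-supplied
 * string to vfprintf() as the format: the untrusted text is always an argument
 * to "%s", never the format, so '%' directives in it are copied literally.
 * Returns a static buffer for convenience. */
const char *report_error(const char *user_msg)
{
    static char buf[256];
    log_debug(buf, sizeof buf, "tcpflow: error: %s", user_msg);
    return buf;
}

/* Validation for a value such as the -i interface argument: real interface
 * names are short and drawn from a small alphabet, so anything containing
 * '%' (or anything else unexpected) is rejected before use. */
int valid_interface_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > IFNAME_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

int main(void)
{
    const char *args[] = { "en0", "eth0", "%x%x%x%n", "" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s valid=%d log=\"%s\"\n", args[i],
               valid_interface_name(args[i]), report_error(args[i]));
    return 0;
}
```

The validation check is the more general of the two: a wrapper script such as the one the advisory describes cannot fix the binary it calls, but it can refuse arguments that no interface name would ever contain before passing them on.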