LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-12-2002, 06:42 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
LQ weekly security rep - Tue Nov 12th 2002


Nov 15th 2002
19 issues handled (LAW)
PXE
libpng
python
html2ps
kdenetwork
masqmail
apache-perl
bind
kadmind
smrsh
resolver
perl-MailTools
nss_ldap
php
traceroute
kgpg
apache
kdelibs
syslog-ng

Nov 14th 2002
Trojan Horse tcpdump and libpcap Distributions (CERT)

Nov 12th 2002
Multiple Remote Vulnerabilities in BIND4 and BIND8 (ISS)

Nov 11th 2002
16 of 22 issues handled (SF)
1. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability
5. GlobalSunTech Access Point Information Disclosure Vulnerability
7. Multiple Vendor Sun RPC LibC TCP Time-Out Denial Of Service Vulnerability
8. PERL-MailTools Remote Command Execution Vulnerability
9. The Magic Notebook Invalid Username Denial Of Service Vulnerability
10. Networking_Utils Remote Command Execution Vulnerability
11. Cisco PIX Firewall Telnet/SSH Subnet Handling Denial Of Service Vulnerability
12. SnortCenter Insecure Temporary Filename Vulnerability
13. SnortCenter Insecure Sensor Configuration File Permissions Vulnerability
15. Safe.PM Unsafe Code Execution Vulnerability
17. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability
18. Apache mod_php File Descriptor Leakage Vulnerability
19. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
20. Linuxconf mailconf Module Mail Relay Vulnerability
21. WindowMaker Image Handling Buffer Overflow Vulnerability
22. Pine From: Field Heap Corruption Vulnerability

Nov 11th 2002
22 of 36 issues handled (ISS)
Iomega NAS A300U FTP service could allow
Multiple vendor access point Embedded HTTP Server
AstroCam astrocam.cgi could allow remote command
Global Sun Technology IEEE802.11b+ access points
Com21 DOXport 1100 series cable modems allow an
The Magic Notebook invalid username denial of
SnortCenter creates an insecure temporary file
networking_utils.php ping command could be used to
pp_powerSwitch could allow an attacker to control
Cisco PIX Firewall TCP SYN packets denial of
perl-MailTools Mail::Mailer module command
LuxMan maped binary file could be used to read memory
Linuxconf sendmail.cf file allows mail relaying
Macromedia ColdFusion MX could allow an attacker to
Macromedia JRun Unicode encoded JSP file source
OpenBSD getrlimit(2) denial of service
Pine "From:" message header denial of service
CuteCast Forum stores passwords in plain text
Lotus Domino non-existent .nsf request could
Window Maker image file buffer overflow
Simple Web Server could allow an attacker to access
Zeus Admin Server index.fcgi script cross-site

Last edited by unSpawn; 11-17-2002 at 06:54 AM.
 
Old 11-12-2002, 06:44 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Original Poster
Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
Nov 11th 2002 (ISS)

Internet Security Systems

Date Reported: 11/01/2002
Brief Description: Iomega NAS A300U FTP service could allow
unauthorized access to shared directories
Risk Factor: Medium
Attack Type: Network Based
Platforms: Unix Any version, Iomega NAS A300U Any version
Vulnerability: iomega-ftp-shared-directories
X-Force URL: http://www.iss.net/security_center/static/10530.php

Date Reported: 11/01/2002
Brief Description: Multiple vendor access point Embedded HTTP Server
denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linksys Access Points Any version, D-Link Access
Points Any version
Vulnerability: ap-embedded-http-dos
X-Force URL: http://www.iss.net/security_center/static/10537.php

Date Reported: 11/03/2002
Brief Description: AstroCam astrocam.cgi could allow remote command
execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, NetBSD Any version, OpenBSD Any
version, AstroCam prior to 2.1.3
Vulnerability: astrocam-cgi-command-execution
X-Force URL: http://www.iss.net/security_center/static/10538.php

Date Reported: 11/04/2002
Brief Description: Global Sun Technology IEEE802.11b+ access points
could disclose sensitive information
Risk Factor: Low
Attack Type: Network Based
Platforms: Wisecom GL2422AP-0T Any version, Linksys WAP11 2.2
Vulnerability: ieee80211b-ap-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/10536.php

Date Reported: 11/04/2002
Brief Description: Com21 DOXport 1100 series cable modems allow an
attacker to load a malicious configuration file
Risk Factor: Medium
Attack Type: Network Based
Platforms: Com21 DOXport 1100 series 2.1.1.106
Vulnerability: com21-doxport-config-file
X-Force URL: http://www.iss.net/security_center/static/10543.php

Date Reported: 11/04/2002
Brief Description: The Magic Notebook invalid username denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, The Magic
Notebook prior to 1.2
Vulnerability: magic-book-username-dos
X-Force URL: http://www.iss.net/security_center/static/10562.php

Date Reported: 11/05/2002
Brief Description: SnortCenter creates an insecure temporary file
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, SnortCenter
0.9.5
Vulnerability: snortcenter-tmp-file-insecure
X-Force URL: http://www.iss.net/security_center/static/10540.php

Date Reported: 11/05/2002
Brief Description: networking_utils.php ping command could be used to
read files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, networking_utils 1.0
Vulnerability: networkingutils-ping-read-files
X-Force URL: http://www.iss.net/security_center/static/10541.php

Date Reported: 11/05/2002
Brief Description: pp_powerSwitch could allow an attacker to control
any port
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, pp_powerSwitch prior to 0.1.1
Vulnerability: pp-powerswitch-port-access
X-Force URL: http://www.iss.net/security_center/static/10552.php

Date Reported: 11/05/2002
Brief Description: Cisco PIX Firewall TCP SYN packets denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Cisco PIX Firewall 6.2.2
Vulnerability: cisco-pix-packet-dos
X-Force URL: http://www.iss.net/security_center/static/10566.php

Date Reported: 11/06/2002
Brief Description: perl-MailTools Mail::Mailer module command
execution
Risk Factor: High
Attack Type: Network Based
Platforms: SuSE Linux 7.1, SuSE Linux 7.2, SuSE Linux 7.3,
SuSE eMail Server III Any version, SuSE Linux 8.0,
Gentoo Linux Any version, SuSE eMail Server 3.1,
SuSE Linux 8.1, perl-MailTools Any version
Vulnerability: mail-mailer-command-execution
X-Force URL: http://www.iss.net/security_center/static/10548.php

Date Reported: 11/06/2002
Brief Description: LuxMan maped binary file could be used to read memory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, LuxMan 0.41
Vulnerability: luxman-maped-read-memory
X-Force URL: http://www.iss.net/security_center/static/10549.php

Date Reported: 11/06/2002
Brief Description: Linuxconf sendmail.cf file allows mail relaying
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Linuxconf prior to 1.28
Vulnerability: linuxconf-sendmail-mail-relay
X-Force URL: http://www.iss.net/security_center/static/10554.php

Date Reported: 11/06/2002
Brief Description: Macromedia ColdFusion MX could allow an attacker to
view CFML source
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows NT Any
version, Windows 2000 Any version, ColdFusion MX
Vulnerability: coldfusion-mx-file-disclosure
X-Force URL: http://www.iss.net/security_center/static/10565.php

Date Reported: 11/06/2002
Brief Description: Macromedia JRun Unicode encoded JSP file source
disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, JRun 3.0, JRun
3.1, JRun 4.0
Vulnerability: jrun-unicode-source-disclosure
X-Force URL: http://www.iss.net/security_center/static/10570.php

Date Reported: 11/06/2002
Brief Description: OpenBSD getrlimit(2) denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: OpenBSD 3.0, OpenBSD 3.1
Vulnerability: openbsd-getrlimit-dos
X-Force URL: http://www.iss.net/security_center/static/10572.php
Date Reported: 11/07/2002
Brief Description: Pine "From:" message header denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Pine 4.44
Vulnerability: pine-from-header-dos
X-Force URL: http://www.iss.net/security_center/static/10555.php

Date Reported: 11/07/2002
Brief Description: CuteCast Forum stores passwords in plain text
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, CuteCast Forum 1.2
Vulnerability: cutecast-forum-plaintext-passwords
X-Force URL: http://www.iss.net/security_center/static/10556.php

Date Reported: 11/07/2002
Brief Description: Lotus Domino non-existent .nsf request could
disclose version information
Risk Factor: Low
Attack Type: Network Based
Platforms: HP-UX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, OS/2 Any version,
Windows 2000 Any version, Lotus Domino 5.0.8, Lotus
Domino 5.0.9, Lotus Domino 5.0.9a
Vulnerability: lotus-domino-version-disclosure
X-Force URL: http://www.iss.net/security_center/static/10557.php

Date Reported: 11/07/2002
Brief Description: Window Maker image file buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, Window Maker Any version
Vulnerability: window-maker-image-bo
X-Force URL: http://www.iss.net/security_center/static/10560.php

Date Reported: 11/08/2002
Brief Description: Simple Web Server could allow an attacker to access
password protected files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Simple Web Server 0.5.1
Vulnerability: simple-server-file-access
X-Force URL: http://www.iss.net/security_center/static/10563.php

Date Reported: 11/08/2002
Brief Description: Zeus Admin Server index.fcgi script cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Zeus Web
Server 4.1r2
Vulnerability: zeus-admin-index-xss
X-Force URL: http://www.iss.net/security_center/static/10567.php

Last edited by unSpawn; 11-12-2002 at 06:50 PM.
 
Old 11-12-2002, 06:48 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Original Poster
Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
Nov 11th 2002(SF)

SecurityFocus


1. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability
BugTraq ID: 6096
Remote: Yes
Date Published: Nov 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6096
Summary:

Monkey is an open source Web server written in C, based on the HTTP/1.1
protocol. It is available for the Linux platform.

A denial of service vulnerability has been reported for Monkey HTTP
server. The vulnerability is due to inadequate checks being performed when
decoding POST requests.

An attacker can exploit this vulnerability by issuing a POST request with
an invalid Content-Length header, or without a Content-Length value. When
the server attempts to service the request, it will crash and lead to the
denial of service condition.

This vulnerability was reported for Monkey HTTP server 0.50. Earlier
versions are likely to be affected by this vulnerability.

5. GlobalSunTech Access Point Information Disclosure Vulnerability
BugTraq ID: 6100
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6100
Summary:

Global Sun Technology Inc. is a developer of Wireless Access Points
distributed to OEM partners.

An information disclosure vulnerability has been discovered in certain
GlobalSunTech access points.

It has been reported that a remote attacker is able to retrieve sensitive
information from vulnerable access points, including WEP keys, the MAC
filter, and the admin password.

It is possible to obtain this information by sending a specially
constructed broadcast message, to UDP port 27155, containing the
"gstsearch" string.

Information gained by exploiting this vulnerability may allow an attacker
to launch further attacks against the target network.

It should be noted that this vulnerability was reported for a WISECOM
GL2422AP-0T access point. Devices that use Global Sun Technology access
points may be affected by this issue.

It has been determined that D-Link DI-614+ and SMC Barricade 7004AWBR
access points are not affected by this issue.

It has been reported that Linksys WAP11-V2.2 is prone to this issue, but
to a lesser extent. It is possible to obtain AP firmware versions, but
other sensitive information is not accessible.

7. Multiple Vendor Sun RPC LibC TCP Time-Out Denial Of Service Vulnerability
BugTraq ID: 6103
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6103
Summary:

A vulnerability has been reported in multiple libc implementations which
are based on Sun RPC. This may affect implementations on a number of
different platforms and products.

A denial of service condition is reported to occur when data is read from
a TCP connection. As a result, remote attackers may cause some services
and daemons to hang. The cause of this issue is a failure of vulnerable
libc implementations to provide a sufficient time-out mechanism when data
is read from TCP connections.

Further details about what causes this condition are not known at this
time. This record will be updated if further details about this
vulnerability become available.

8. PERL-MailTools Remote Command Execution Vulnerability
BugTraq ID: 6104
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6104
Summary:

The perl-MailTools package is a collection of PERL modules related to mail
applications.

A vulnerability has been reported for the Mail::Mailer module, included in
the perl-MailTools package, which may allow remote attackers to execute
arbitrary commands on the underlying shell with the privileges of the
mailx process.

User-supplied input is passed to the mailx mailer, a simple MUA (Mail User
Agent), but is not sufficiently sanitized of shell metacharacters before
being passed through the shell.

Any applications that use Mail::Mailer directly or indirectly, like custom
auto reply programs or spam filters, are vulnerable to attack.
9. The Magic Notebook Invalid Username Denial Of Service Vulnerability
BugTraq ID: 6106
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6106
Summary:

The Magic Notebook is a web-based application for creating and organizing
notes. It will run on Unix and Linux variants.

The Magic Notebook is prone to a denial of service vulnerability. The
Magic Notebook reportedly crashes when attempting to handle an invalid
username.

Remote attackers may be able to exploit this condition to deny service to
legitimate users of the web application.

10. Networking_Utils Remote Command Execution Vulnerability
BugTraq ID: 6107
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6107
Summary:

Networking_Utils is an application for supplying web access to networking
tools such as ping, traceroute and nslookup. Networking_Utils is
implemented in PHP and intended to run on Unix and Linux variants.

Networking_Utils is prone to a remote command execution vulnerability.

The issue exists in the implementation of the ping command. Shell
metacharacters are not sufficiently sanitized from the domain name or IP
address fields. This input will be passed directly through the shell.
An attacker may exploit this issue by supplying malicious input which
includes shell metacharacters and arbitrary commands, which will be
interpreted by the underlying shell. The attacker may execute commands
with the privileges of the webserver.

Exploitation of this issue will allow a remote attacker to gain local,
interactive access to the underlying host.

Implementations of the other commands may also be affected by this
vulnerability.
11. Cisco PIX Firewall Telnet/SSH Subnet Handling Denial Of Service Vulnerability
BugTraq ID: 6110
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6110
Summary:

Cisco PIX Firewalls are reported to be prone to a denial of service
condition.

The vulnerable condition occurs when telnet/SSH access has been enabled on
the firewall for hosts on the internal network. If TCP SYN packets are
sent repeatedly to the subnet address, this may cause a denial of service
condition, as the PIX firewall may respond to connection requests sent to
the subnet address. Large numbers of these types of requests are reported
to cause memory fragmentation on the device. It may be necessary to
restart the device to regain normal functionality.

This vulnerability is reportedly due to incorrect handling of requests to
the subnet address by the PIX operating system TCP/IP stack.

This issue was reported for Cisco PIX Firewall 6.2.2. Other versions of
the PIX operating system may also be affected.

12. SnortCenter Insecure Temporary Filename Vulnerability
BugTraq ID: 6108
Remote: No
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6108
Summary:

SnortCenter is a web-based client-server management system written in PHP
and Perl. It assists in the configuration of Snort configuration and
signature files.

A vulnerability has been discovered in SnortCenter v0.9.5.

It has been reported that SnortCenter creates temporary files using
predictable file names. When SnortCenter is used to aggregate Snort rules
for a particular sensor, a file is created in the /tmp directory using the
same name as the sensor.

By anticipating the name of a temporary file a local attacker may be able
to corrupt sensitive data by creating a symbolic link to a system resource
which is writeable by SnortCenter.

It is not yet known whether versions prior to v0.9.5 are affected by this
issue.
13. SnortCenter Insecure Sensor Configuration File Permissions Vulnerability
BugTraq ID: 6109
Remote: No
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6109
Summary:

SnortCenter is a web-based client-server management system written in PHP
and Perl. It assists in the configuration of Snort configuration and
signature files.

A vulnerability has been discovered in SnortCenter v0.9.5

When SnortCenter is used to aggregate Snort rules for a particular sensor,
a file is created in the /tmp directory which are 'world' accessible. The
temporary sensor configuration files created may contain sensitive alert
database server access credentials.

Information disclosed by accessing this file may aid a malicious user in
launching attacks against alert database servers. The ability to modify
sensitive information contained within these files may result in the
corruption of typical SnortCenter functionality.

15. Safe.PM Unsafe Code Execution Vulnerability
BugTraq ID: 6111
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6111
Summary:

Safe.pm is a Perl module that is included in the distribution of Perl.
This module is used to compile and execute code in restricted
compartments. These compartments are used verify the safety of potentially
rogue Perl code.

A vulnerability has been reported in the Safe.pm module. Reportedly, the
vulnerability may allow an attacker to bypass the security settings of the
secured compartment and execute code in an unsafe manner.

The vulnerability affects the reval() and rdo() subroutines in Safe.pm. It
is possible for a malicious program to modify a compartment variable used
by the subroutines. When a subroutine is called a second time with the
same compartment, it may be possible to bypass the security settings of
the compartment.
17. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability
BugTraq ID: 6113
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6113
Summary:

Frank McIngvale LuxMan is a video game similar to Pac Man for Linux based
systems.

A vulnerability exists in LuxMan that could allow a local user read and
write access to the Memory.

It has been reported that the 'maped' setuid binary in LuxMan is
vulnerable to a leakage of open file descriptors that may result in
unauthorized disclosure of memory. It is allegedly possible for attackers
to inherit open file descriptors with read/write access to /dev/mem by
executing a malicious program through maped. Since maped calls gzip
without using the explicit path, an attacker could create a malicious
binary named gzip and add its directory to the PATH environment variable.
When gzip is called by maped, the malicious gzip will be called rather
than the legitimate version.

Upon exploiting this vulnerability, an attacker would have read and write
access to memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. Additionally, an
attacker could remap system calls. It should be assumed that total
compromise is imminent if an attacker has read or write access to memory.
18. Apache mod_php File Descriptor Leakage Vulnerability
BugTraq ID: 6117
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6117
Summary:

Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. Mod_PHP is an Apache
module which allows for PHP functionality in websites.

A vulnerability has been discovered in the mod_php module available for
Apache web servers that may, under some circumstances, leak file
descriptor information. By exploiting this vulnerability it may be
possible for a remote attacker to reuse file descriptors used by the httpd
daemon, effectively emulating the web server.

Exploitation of this issue may allow an attacker to bind a malicious
server instead of Apache httpd server. This will allow the attacker to
pose as a web server and distribute false information to legitimate users
attempting to connect to the server. It may also be possible to obtain
user credentials, or other sensitive information.

It should be noted that this issue is exploitable only if the 'safe_mode'
PHP option is disabled.

19. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
BugTraq ID: 6115
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6115
Summary:

A denial of service vulnerability has been reported for the Linux kernel.
Reportedly, it is possible to cause the kernel from responding by
triggering a system call with the TF flag enabled.

When a native Linux binary makes a system call, the 'int 0x80' instruction
is called, effectively triggering a trap into kernel mode. Non-native
Linux binaries use the 'lcall7' instruction to trigger a kernel trap. If
the TF (TRAP FLAG) bit is set when a trap is triggered using the 'lcall7'
instruction, the kernel will hang.

An attacker can exploit this vulnerability by executing a malicious
application that uses the lcall7/lcall27 functions to execute system
calls. By ensuring that the TF flag is set when the kernel attempts to
execute the system call, it is possible to cause the kernel to hang and
cause the denial of service condition. A reboot is necessary to restore
functionality.

This vulnerability was fixed in the Linux Kernel 2.4.19.
20. Linuxconf mailconf Module Mail Relay Vulnerability
BugTraq ID: 6118
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6118
Summary:

Linuxconf is an administration system which is divided in several modules.
The mailconf module is responsible for the configuration of Sendmail.

A vulnerability has been discovered in the mailconf module included with
Linuxconf.

It has been reported that the sendmail.cf configuration file created by
the mailconf module, contains a bug which could allow message relaying. By
specifying a recipient in the format of "user%domain@", it is possible to
relay messages outside of the mail daemon's served network.

Exploitation of this issue could allow an attacker to send unauthorized
messages from the vulnerable server.

It should be noted that the default configuration file distributed with
Sendmail is not vulnerable to this issue. It must have been created by
Linuxconf for this vulnerability to be introduced.

21. WindowMaker Image Handling Buffer Overflow Vulnerability
BugTraq ID: 6119
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6119
Summary:

WindowMaker is a popular window manager for X11 systems. A buffer
overflow vulnerability has been reported in WindowMaker.

The condition occurs when processing malformed images. According to the
report, a buffer for the image data is allocated based on the length and
width fields in the file. Allegedly, there is no bounds checking against
the buffer size when reading the actual image data from the file. As a
result, it may be possible to overrun the allocated buffer and corrupt
adjacent memory.

Exploitation of this vulnerability requires that the victim process a
specially constructed image file. This may be accomplished by including
the file in a malicious "theme" and then transmitting it to the victim or
placing it on a distribution HTTP/FTP server (in hopes that a victim will
download it and use/preview it).
22. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:

Pine is an open source mail user agent distributed by the University of
Washington. It is freely available for Unix, Linux, and Microsoft
operating systems.

It is possible to cause a denial of service in Pine by sending an email
message with a specially crafted "From:" address. According to the
report, the crash can be reproduced by setting the "From:" address to a
value such as:

"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld

A stack trace suggests that this behaviour may be due to corruption of
data in the heap. If that is the case, execution of arbitrary code may be
possible.

Note that the user does not have to view the message in order for the
denial of service to take place; the message simply has to be present in
the user's Inbox. While a message with this address is present in the
Pine Inbox, it is not possible to start Pine again. The message
containing this address must be manually removed from the spool or by
using another MUA.

It is important to note that this specially crafted "From:" address is RFC
legal.

This issue will reportedly be fixed in Pine 4.50.
 
Old 11-12-2002, 06:49 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Original Poster
Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
Nov 12th 2002 (ISS)

Synopsis:
ISS X-Force has discovered several serious vulnerabilities in the Berkeley
Internet Name Domain Server (BIND). BIND is the most common implementation of
the DNS (Domain Name Service) protocol, which is used on the vast majority of
DNS servers on the Internet. DNS is a vital Internet protocol that maintains
a database of easy-to-remember domain names (host names) and their
corresponding numerical IP addresses.

Impact:
The vulnerabilities described in this advisory affect nearly all currently
deployed recursive DNS servers on the Internet. The DNS network is considered
a critical component of Internet infrastructure. There is no information
implying that these exploits are known to the computer underground, and there
are no reports of active attacks. If exploits for these vulnerabilities are
developed and made public, they may lead to compromise and DoS attacks against
vulnerable DNS servers. Since the vulnerability is widespread, an Internet
worm may be developed to propagate by exploiting the flaws in BIND. Widespread
attacks against the DNS system may lead to general instability and inaccuracy
of DNS data.

Affected Versions:
BIND SIG Cached RR Overflow Vulnerability
BIND 8, versions up to and including 8.3.3-REL
BIND 4, versions up to and including 4.9.10-REL

BIND OPT DoS
BIND 8, versions 8.3.0 up to and including 8.3.3-REL

BIND SIG Expiry Time DoS
BIND 8, versions up to and including 8.3.3-REL

For the complete ISS X-Force Security Advisory, please visit:
http://bvlive01.iss.net/issEn/delive....jsp?oid=21469
 
Old 11-14-2002, 06:08 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Original Poster
Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
Nov 14th 2002 (CERT CA-2002-30)

Full report: CERT Advisory CA-2002-30 Trojan Horse tcpdump and libpcap Distributions

Overview
The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse.
We strongly encourage sites that use, redistribute, or mirror the libpcap or tcpdump packages to immediately verify the integrity of their distribution.

I. Description
The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse.
The following distributions were modified to include the malicious code:

tcpdump
md5sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz

md5sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz

libpcap
md5sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz

These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov

11 2002 10:14:00 GMT. The tcpdump development team disabled download of the distributions containing the Trojan horse on Nov 13 2002 15:05:19 GMT. However, the availability of these distributions from mirror sites is unknown. At this time, it does not appear that related projects such as WinPcap and WinDump contain this Trojan horse.
 
Old 11-17-2002, 06:55 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Original Poster
Rep: Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902Reputation: 2902
November 15th, 2002 (LAW)

Linux Advisory Watch

Package: PXE
Date: 11-11-2002
Description:
The PXE server can be crashed by using corrupt DHCP packets. This bug
could be used to cause a denial-of-service attack.
Caldera Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2551.html

Package: libpng
Date: 11-12-2002
Description:
There are two buffer overflow vulnerabilities in the libpng codene
of which can allow attackers to cause a denial of service, and the
other that can cause a denial of service with the possibility of
executing arbitrary code.
Caldera Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2558.html

Package: python
Date: 11-14-2002
Description:
os._execvpe from os.py in Python creates temporary files with
predictable names, which could allow local users to execute arbitrary
code via a symlink attack.
Caldera Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2573.html

Package: html2ps
Date: 11-08-2002
Description:
The SuSE Security Team found a vulnerability in html2ps, a HTML to
PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed
as filter within lrpng and the attacker has previously gained access
to the lp account.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2545.html

Package: kdenetwork
Date: 11-11-2002
Description:
It is possible for a local attacker to exploit a buffer overflow
condition in resLISa, a restricted version of KLISa. The
vulnerability exists in the parsing of the LOGNAME environment
variable, an overly long value will overwrite the instruction pointer
thereby allowing an attacker to seize control of the executable.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2549.html
SuSE Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2553.html

Package: masqmail
Date: 11-12-2002
Description:
A set of buffer overflows have been discovered in masqmail, a mail
transport agent for hosts without permanent internet connection. In
addition to this privileges were dropped only after reading a user
supplied configuration file. Together this could be exploited to
gain unauthorized root access to the machine on which masqmail is
installed.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2555.html

Package: apache-perl
Date: 11-13-2002
Description:
These vulnerabilities could allow an attacker to enact a denial of
service against a server or execute a cross site scripting attack, or
steal cookies from other web site users.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2563.html

Package: bind
Date: 11-14-2002
Description:
A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a
remote attacker to execute arbitrary code via a certain DNS server
response containing SIG resource records (RR). This buffer overflow
can be exploited to obtain access to the victim host under the
account the named process is running with, usually root
FreeBSD Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2566.html
Mandrake Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2572.html
Red Hat Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2559.html
SuSE Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2568.html
EnGarde Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2564.html
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2570.html

Package: kadmind
Date: 11-14-2002
Description:
A remote attacker may send a specially formatted request to k5admind
or kadmind, triggering the stack buffer overflow and potentially
causing the administrative server to execute arbitrary code as root
on the KDC. The attacker need not be authenticated in order to
trigger the bug. Compromise of the KDC has an especially large
impact, as theft of the Kerberos database could allow an attacker to
impersonate any Kerberos principal in the realm(s) present in the
database.
FreeBSD Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2560.html

Package: smrsh
Date: 11-11-2002
Description:
Users with a local account and the ability to create or modify their
`.forward' files can circumvent the smrsh restrictions. This is
mostly of consequence to systems which have local users that are not
normally allowed access to a login shell, as such users may abuse
this bug in order to execute arbitrary commands with normal
privileges.
FreeBSD Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2561.html

Package: resolver
Date: 11-12-2002
Description:
A malicious attacker could spoof DNS queries with specially crafted
responses that will not fit in the supplied buffer. This might cause
some applications to fail (denial-of-service).
FreeBSD Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2562.html

Package: perl-MailTools
Date: 11-13-2002
Description:
A vulnerability was discovered in Mail::Mailer perl module by the
SuSE security team during an audit. The vulnerability allows remote
attackers to execute arbitrary commands in certain circumstances due
to the usage of mailx as the default mailer, a program that allows
commands to be embedded in the mail body.
Mandrake Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2546.html

Package: nss_ldap
Date: 11-07-2002
Description:
A buffer overflow vulnerability exists in nss_ldap versions prior to
198. When nss_ldap is configured without a value for the "host"
keyword, it attempts to configure itself using SRV records stored in
DNS. nss_ldap does not check that the data returned by the DNS query
will fit into an internal buffer, thus exposing it to an overflow.
Mandrake Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2546.html

Package: php
Date: 11-11-2002
Description:
PHP versions up to and including 4.2.2 contain vulnerabilities in the
mail() function allowing local script authors to bypass safe mode
restrictions and possibly allowing remote attackers to insert
arbitrary mail headers and content into the message.
Red Hat Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2550.html
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2565.html

Package: traceroute
Date: 11-12-2002
Description:
Traceroute-nanog requires root privilege to open a raw socket. It
does not relinquish these privileges after doing so. This allows a
malicious user to gain root access by exploiting a buffer overflow at
a later point.
SuSE Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2554.html

Package: kgpg
Date: 11-10-2002
Description:
A bug in Kgpg's key generation affects all secret keys generated
through Kgpg's wizard. (Bug does not affect keys created in
console/expert mode). All keys created through the wizard have an
empty passphrase, which means that if someone has access to your
computer and can read your secret key, he/she can decrypt your files
whitout the need of a passphrase.
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2548.html

Package: apache
Date: 11-11-2002
Description:
A vulnerability exists in the SSI error pages of Apache 2.0 that
involves incorrect filtering of server signature data. The
vulnerability could enable an attacker to hijack web sessions,
allowing a range of potential compromises on the targeted host.
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2552.html

Package: kdelibs
Date: 11-11-2002
Description:
The vulnerability potentially enables local or remote attackers to
compromise a victim's account and execute arbitrary commands on the
local system with the victim's privileges, such as erasing files,
accessing data or installing trojans.
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2567.html

Package: syslog-ng
Date: 11-14-2002
Description:
When dealing with this expansion, syslog-ng fails to account for
characters which are not part of the macro, which leads to incorrect
bounds checking and a possible buffer overflow if there are enough
non-macro characters being used.
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2571.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LQ weekly security rep - Mon Nov 25th 2002 unSpawn Linux - Security 3 11-29-2002 07:16 PM
LQ weekly security rep - Mon Nov 18th 2002 unSpawn Linux - Security 3 11-25-2002 05:03 AM
LQ weekly security rep - Mon Nov 04th 2002 unSpawn Linux - Security 3 11-11-2002 07:56 AM
LQ weekly security rep - Tue Aug 20th 2002 unSpawn Linux - Security 6 08-24-2002 09:36 AM
LQ weekly security rep - Tue Jul 30th 2002 unSpawn Linux - Security 4 08-04-2002 05:34 PM


All times are GMT -5. The time now is 07:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration