SecurityFocus
1. PADL Software nss_ldap DNS Query Response Denial of Service Vulnerability
BugTraq ID: 6130
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6130
Summary:
nss_ldap is a module offered by Padl Software that allows a system to use
LDAP directories as the source of information for user attributes and
related data.
A vulnerability has been discovered in nss_ldap related to the handling of
DNS queries.
It has been reported that nss_ldap fails to verify whether data returned
in DNS query responses has been truncated by resolver libraries. When
processing a DNS query response containing truncated data, nss_ldap will
attempt to parse more data than is available. This could cause the
nss_ldap process to crash.
It is unlikely that this is exploitable to execute arbitrary code, however
this is not confirmed.
14. Zeus Web Server Admin Interface Cross Site Scripting Vulnerability
BugTraq ID: 6144
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6144
Summary:
Zeus Web Server is a proprietary webserver for Unix, Linux, Sun, BSD,
HP-UX, and Apple OS X platforms.
The web based administration interface included in Zeus Web Server is
vulnerable to cross site scripting attacks. Due to insufficient
sanitization of user-supplied input it is possible for an attacker to
construct a malicious link which contains arbitrary HTML and script code.
Attacker-supplied HTML and script code may be executed on a web client
visiting the malicious link in the context of the vulnerable server.
Attacks of this nature may make it possible for attackers to steal
cookie-based authentication credentials.
It is important to note that the user must supply a username and password
for the administrative interface before the script will execute. This
also compounds the problem, since it is now likely that an attacker
exploiting this vulnerability may be able to steal the administrative
user's credentials.
15. Simple Web Server File Disclosure Vulnerability
BugTraq ID: 6145
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6145
Summary:
Simple Web Server is a simple lightweight webserver available for the
Linux platform.
It has been reported that Simple Web Server does not properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
containing a slash-slash sequence ('//'), it is possible for a remote
attacker to disclose files, effectively bypassing any access control
measures in place.
Disclosure of sensitive files may aid the attacker in launching further
attacks against the target system.
17. Sun Solaris Network Interface Denial Of Service Vulnerability
BugTraq ID: 6147
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6147
Summary:
Sun has reported a denial of service vulnerability in Solaris 8/9.
It has been reported that it is possible for an unprivileged local or
remote attacker to cause some network interfaces to stop responding to TCP
traffic.
If this condition is exploited, then the affected network interfaces must
be manually brought back up for normal functionality to resume.
Further details about the nature of this vulnerability are not known at
this time. This record will be updated if further details become
available.
18. MailScanner Attachment Filename Validation Vulnerability
BugTraq ID: 6148
Remote: Yes
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6148
Summary:
MailScanner is an e-mail security product. It is designed to be deployed
on gateway systems and provides the ability to detect e-mail based attacks
such as viruses. It will run on Unix and Linux variants and provides
support for a number of anti-virus products.
A vulnerability has been reported in how MailScanner handles filenames for
attachments. MailScanner does not sufficiently validate certain types of
malformed filenames.
It may be possible to bypass MailScanner security with attachment
filenames that contain excessive trailing/leading whitespace, are blank,
or use character encodings that are unknown to MailScanner.
The exact consequences of this vulnerability are not known, but it is
possible that some attachments with malicious filenames may slip through
MailScanner or that a malformed filename may cause other aspects of
MailScanner to fail.
19. CVSup-Mirror Insecure Temporary Files Vulnerability
BugTraq ID: 6150
Remote: No
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6150
Summary:
cvsup-mirror is included in the FreeBSD ports collection and is intended
to be used in combination with cvsup to create easily maintainable FreeBSD
mirrors.
cvsup-mirror is prone to a vulnerability which may enable local attackers
to corrupt critical system files.
This issue is present in the 'cvsupd.sh' shell script. The source of this
issue is that 'cvsupd.sh' creates temporary files in a directory which
malicious local users may potentialy have access to.
The vulnerable shell script creates a file entitled 'cvsupd.out' in the
/var/tmp/ directory. A local attacker could create a symbolic link in
/var/tmp with the same name, pointing to critical system files. Any
actions performed by cvsup-mirror on 'cvsupd.out' will instead be
performed on files pointed to by the symbolic link. Files that are
writeable by the user running the vulnerable software may be overwritten
in this manner.
This may result in a denial of service if critical files are overwritten,
and may potentially allow for privilege escalation.
21. KGPG Key Generation Empty Passphrase Vulnerability
BugTraq ID: 6152
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6152
Summary:
KGPG is a KDE graphical front-end for GPG (GNU Privacy Guard). It is
designed for use with the KDE Desktop Environment and GPG. It is available
for Unix and Linux variant operating systems.
A vulnerability has been reported for KGPG. Reportedly, KGPG generates
secret keys in an unsafe manner. The vulnerability is the result of how
KGPG sends command line arguments to GPG. The vulnerability occurs when
keys are generated using the key generation graphical wizard. All keys
generated using the wizard will have an empty passphrase.
An attacker can exploit this vulnerability to obtain access to some
potentially sensitive information.
This vulnerability was reported for KGPG versions 0.6 to 0.8.2.
22. EZ Systems HTTPBench Information Disclosure Vulnerability
BugTraq ID: 6153
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6153
Summary:
eZ Systems httpbench is a benchmarking utility implemented in PHP. It is
available for Unix and Linux variant as well as Microsoft Windows
operating environments.
An information disclosure vulnerability has been reported for httpbench.
Reportedly, httpbench may disclose the contents of web server readable
files to remote attackers.
This vulnerability can be exploited by a remote attacker to obtain
potentially sensitive information on a vulnerable system. Information
obtained in this manner may be used to launch further, destructive attacks
against a vulnerable system.
This vulnerability was reported for httpbench 1.1. It is not known whether
other versions are affected.
26. KDE Network RESLISA Buffer Overflow Vulnerability
BugTraq ID: 6157
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6157
Summary:
LISa (LAN Information Server) is a service designed for Linux variant
operating systems. It provides LAN browsing capabilities on Linux systems.
resLISa is a restricted version of LISa and is distributed with LISa.
A buffer overflow vulnerability has been reported for resLISa. The
vulnerability results due to inadequate checks on the LOGNAME environment
variable.
An attacker can exploit this vulnerability by setting a LOGNAME
environment variable with an overly long value. When the attacker invokes
resLISa, it will result in the service crashing and will result in the
attacker obtaining control over the execution of the vulnerable service.
resLISa is typically installed as a setUID root binary.
27. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
BugTraq ID: 6159
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6159
Summary:
BIND is a server program that implements the domain name service protocol.
It is used widely on the Internet.
A denial of service vulnerability has been reported for ISC BIND 8. The
vulnerability is due to caching of SIG RR (resource records) with invalid
expiry times.
An attacker who controls an authoritative name server may be able to cause
vulnerable BIND 8 servers to cache invalid SIG RR elements. When the
vulnerable DNS server attempts to reference the SIG RR elements it will
result in the denial of service condition.
It has been reported that ISC BIND 8 versions up to 8.3.3 are vulnerable
to this issue.
28. ISC BIND OPT Record Large UDP Denial of Service Vulnerability
BugTraq ID: 6161
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6161
Summary:
BIND is a server program that implements the domain name service protocol.
It is in extremely wide use on the Internet, in use by most of the DNS
servers.
Recursive BIND 8 servers are vulnerable to a denial of service condition.
Requesting a DNS lookup on a non-existant sub-domain of a valid domain may
cause BIND to fail.
The attacker would have to attach an OPT resource record with a large UDP
payload size in order to exploit this vulnerability.
The denial of service may also occur when a domain is queried and the
authoritative DNS servers are unreachable.
29. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
BugTraq ID: 6160
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6160
Summary:
BIND is a server program that implements the domain name service protocol.
It is widely used on the Internet.
It has been reported that DNS servers, running BIND with recursive DNS
functionality enabled, are prone to a buffer overflow condition. This
issue is triggered when the vulnerable DNS server is constructing DNS
responses for cached information.
An attacker-controlled authoritative DNS server may cause BIND to cache
information into an internal database, when recursion is enabled. Cached
information is accessed when a DNS client request is received. A
vulnerability exists when creating a DNS response containing, SIG resource
records (RR), which may lead to the buffer overflow condition.
By causing the vulnerable DNS server to cache information, and sending a
malicious client request, it may be possible for a remote attacker to
cause a buffer to be overrun. Exploitation of this issue could result in
the execution of arbitrary attacker-supplied code with the privileges of
the vulnerable BIND daemon.
32. TinyHTTPD Directory Traversal Vulnerability
BugTraq ID: 6158
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6158
Summary:
It has been reported that TinyHTTPD fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to access sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
33. MasqMail Buffer Overflow Vulnerability
BugTraq ID: 6164
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6164
Summary:
MasqMail is a MTA (mail transport agent) designed for systems without a
permanent Internet connection.
A buffer overflow vulnerability has been reported for MasqMail. The
vulnerability may be exploited by an attacker to execute arbitrary
commands with root privileges.
Although not yet confirmed, it is speculated that the vulnerability may be
triggered through malicious entries in a user-supplied configuration file.
Precise technical details regarding the cause of this issue are not yet
known. This BID will be updated as further information becomes available.
34. Xoops WebChat Module Remote SQL Injection Vulnerability
BugTraq ID: 6165
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6165
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.
A vulnerability exists in the WebChat module included with Xoops. The
vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'index.php' script. Specifically, the
'roomid' variable is not sanitized of malicious SQL input. It is possible
to modify the logic of SQL queries through malformed query strings in
requests for the vulnerable script.
By injecting SQL code into the 'roomid' variable, it may be possible for
an attacker to corrupt database information.
35. Traceroute-nanog Local Buffer Overflow Vulnerability
BugTraq ID: 6166
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6166
Summary:
Traceroute is a tool that is used to track packets in a TCP/IP network to
determine the path of network connections.
Traceroute-nanog fails to drop root privileges after obtaining a RAW
socket. Because of this, it is possible for a local attacker to gain root
privileges by triggering a buffer overflow. Exploiting this issue may
allow a local attacker to overwrite sensitive memory with malicious
values, thereby redirecting typical program flow to execute
attacker-supplied commands with elevated privileges.
Precise technical details regarding the cause of this issue are not yet
known. This BID will be updated as more information becomes available.
36. APBoard Protected Forum Thread Posting Vulnerability
BugTraq ID: 6167
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6167
Summary:
APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.
It is possible for any registered APBoard user to create a new thread in a
password protected forum.
The source code of the 'Neues Thema' page contains the following line:
<INPUT TYPE="hidden" NAME="insertinto" VALUE="1">
By changing VALUE= to the value of a password protected forum, then
submitting the page, the thread will be posted to that forum, bypassing
authentication.
Note that it may be possible to modify other variable values to cause
unpredictable results. This has not yet been tested.
37. APBoard Protected Forum Plaintext Password Weakness
BugTraq ID: 6169
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6169
Summary:
APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.
When a user is logged into an APboard password protected forum, their
plaintext password is included in the URL:
http://www.your-domain.com/apboard/t...hepasswordhere
By creating a script that logs refering URLs, an attacker could post a
link to the script within the password protected forum. This would allow
the attacker to steal the user's forum password.
38. W3Mail File Disclosure Vulnerability
BugTraq ID: 6170
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6170
Summary:
W3Mail is a full featured open source web mail application implemented as
a collection of Perl scripts that runs on Linux and Unix systems. It
includes support for fetching mail from POP3 servers, MIME attachments,
and for sending outgoing mail.
To fix the vulnerability described as BID 5314, the email attachments
directory was moved out of the webroot tree. To view attachments, the
script "viewAttachment.cgi" accepts the parameter "file". The value of
this parameter is passed to the open() function as the filename argument
without being sanitized. Attackers may cause any file on the filesystem
to open by specifying its relative path using directory traversal
characters.
As a result, attackers may retrieve any file and download its contents if
it is readable by the webserver process.
It should be noted that a valid session ID is required to exploit this
vulnerability.
39. TCPDump / LIBPCap Trojan Horse Vulnerability
BugTraq ID: 6171
Remote: Yes
Date Published: Nov 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6171
Summary:
tcpdump is a freely available , open source tool for analyzing network
traffic. libpcap provides network packet sniffing libraries used by many
popular network intrusion detection systems. Both tools are available for
the Unix and Linux operating systems.
It has been announced that the server hosting tcpdump and libpcap,
www.tcpdump.org, was compromised recently. It has been reported that the
intruder made modifications to the source code of tcpdump and libpcap to
include trojan horse code. Downloads of the source code of tcpdump and
libpcap from
www.tcpdump.org, and numerous mirrors, likely contain the
trojan code.
Reports say that the trojan will run once upon compilation of tcpdump or
libpcap. Once the trojan is executed, it attempts to connect to host
212.146.0.34 on port 1963.
The trojan horse modifications can be found in the configure script and
the 'gencode.c' source file. The 'gencode.c' modification affects only
libpcap. Reportedly, 'gencode.c' is modified to force libpcap to ignore
packets to and from the backdoor program. This is an attempt to hide the
back door program's traffic.
The MD5 sums of the trojaned versions are reported to be:
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
The MD5 sums of the non-trojaned versions are:
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
The non-trojaned versions of these tools are available at the following locations:
http://www.ibiblio.org/pub/Linux/dis...p-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/dis...p-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/dis...p-3.7.1.tar.gz
Additionally, the trojan displays similarity to those found in irssi,
fragroute, fragrouter, BitchX, OpenSSH, and Sendmail.
