Old 09-24-2002, 03:34 AM   #1
unSpawn
LQ weekly security rep - Mon Sep 23rd 2002


Sep 27th 2002
7 issues (LAW)
xchat
kdelibs
openssl
tcl/tk
glibc
tomcat
zope

Sep 23rd 2002
Propagation of "Slapper" OpenSSL/Apache Worm Variants (ISS)

Sep 23rd 2002
20 issues (ISS)
InterScan VirusWall HTTP 1.1 chunked transfer encoding protection bypass
InterScan VirusWall HTTP 1.0 gzip content encoding protection bypass
atftp multiple strcpy() function buffer overflows
Opera and Konqueror malformed image denial of service
MIT Kerberos 5 KDC null pointer dereference denial of service
FreeBSD libkvm could leak sensitive file descriptors and disclose kernel memory
CrazyWWWBoard HTTP_USER_AGENT CGI environment variable buffer overflow
NetBSD FD_SET() buffer overflow
NetBSD TIOCSCTTY ioctl structure counter buffer overflow
Heimdal Kerberos 5 implementation kf/kfd buffer overflow
DB4Web db4web_c directory traversal
Joe text editor suid backup files
Unreal Tournament Server console denial of service
DB4Web can be used to make TCP connections to other systems
Cisco VPN 5000 Client software close_tunnel and open_tunnel binary buffer overflow
XFree86 X11 library (libX11.so) LD_PRELOAD setuid program execution
Check Point FireWall-1 HTTP proxy could allow HTTPS and FTP traffic to bypass the firewall
IBM WebSphere HTTP Host: header buffer overflow
SquirrelMail multiple PHP script cross-site scripting
JAWmail malicious email message cross-site scripting

Sep 23rd 2002
20 issues (SF)
3. Opera Oversized Image Width Denial Of Service Vulnerability
4. ASMon Kernel Memory File Descriptor Leakage Vulnerability
5. ASCPU Kernel Memory File Descriptor Leakage Vulnerability
6. BubbleMon Kernel Memory File Descriptor Leakage Vulnerability
7. WMMon Memory Character File Open File Descriptor Read Vulnerability
8. WMNet2 Kernel Memory File Descriptor Leakage Vulnerability
9. NetBSD Repeated TIOSCTTY IOCTL Buffer Overflow Vulnerability
10. KDE Konqueror Oversized Image Width Denial of Service Vulnerability
11. DB4Web File Disclosure Vulnerability
12. NetBSD LibC SetLocale Buffer Overflow Vulnerability
13. DB4Web Connection Proxy Vulnerability
14. NetBSD IPv4 Multicast Tools Buffer Overflow Vulnerability
15. Lycos HTMLGear guestGear CSS HTML Injection Vulnerability
16. Heimdal Kerberos Forwarding Daemon File Overwriting Vulnerability
17. Heimdal Kerberos Forwarding Daemon Zero Terminated String Passing Buffer Overflow Vulnerability
18. Joe Text Editor Backup SetUID Executable Editing Permission Elevation Vulnerability
19. Purity Local Buffer Overflow Vulnerabilities
20. Enterasys SSR8000 SmartSwitch Port Scan Denial Of Service Vulnerability
21. Avaya IP Office Malformed Packets Denial Of Service Vulnerability
26. BRU XBRU Insecure Temporary File Vulnerability

Last edited by unSpawn; 09-29-2002 at 06:11 AM.
 
Old 09-24-2002, 03:36 AM   #2
unSpawn
Sep 23rd 2002 (ISS, Slapper, revised)

Internet Security Systems

Propagation of "Slapper" OpenSSL/Apache Worm Variants

Synopsis:
ISS X-Force has learned of the existence of variants of the "Slapper" (also
known as Slapper.A) worm that X-Force documented in an X-Force Security Alert
on September 14, 2002. The variants have several subtle differences from the
first Slapper worm, but they are for the most part updated versions of their
predecessor. The variants carry the same attack payload and attempt to exploit
a previously disclosed vulnerability in the Secure Sockets Layer 2.0 (SSLv2)
handshake process. Slapper.A, Slapper.B, and Slapper.C target the Linux
operating system running the Apache Web server with OpenSSL.

Impact:
The impact of the Slapper variants is the same as the original. All versions
carry backdoor and distributed denial of service (DDoS) functionality. X-Force
noted that it was significant that source code for Slapper.A was distributed
within the computer underground immediately after the worm was detected in the
wild. Widespread access to the source code has no doubt contributed to the
spread of Slapper variants and X-Force predicts that Slapper will be used as a
development platform for future variants. Slapper.B has infected more than
15322 hosts by September 23, 2002, 15:00 (UTC-4). Slapper.C has infected over
1500 hosts by September 23, 2002, 15:00 (UTC-4).

Affected Versions:
OpenSSL versions up to and including 0.9.6d and 0.9.7 beta1

Current versions of the Slapper worm only target the following Linux
distributions. The worm may trigger unpredictable results on additional Unix
platforms. Other Unix platforms, as well as Apache with OpenSSL for Windows,
may also be vulnerable to the OpenSSL vulnerability.

Debian Linux, Apache 1.3.26
Red Hat Linux, Apache 1.3.6
Red Hat Linux, Apache 1.3.9
Red Hat Linux, Apache 1.3.12
Red Hat Linux, Apache 1.3.19
Red Hat Linux, Apache 1.3.20
Red Hat Linux, Apache 1.3.23
SuSE Linux, Apache 1.3.12
SuSE Linux, Apache 1.3.17
SuSE Linux, Apache 1.3.19
SuSE Linux, Apache 1.3.20
SuSE Linux, Apache 1.3.23
Mandrake Linux, Apache 1.3.14
Mandrake Linux, Apache 1.3.19
Mandrake Linux, Apache 1.3.20
Mandrake Linux, Apache 1.3.23
Slackware Linux, Apache 1.3.26
Gentoo Linux (Apache version undetermined)

For the complete ISS X-Force Security Alert, please visit:
http://bvlive01.iss.net/issEn/delive....jsp?oid=21184
 
Old 09-24-2002, 03:37 AM   #3
unSpawn
Sep 23rd 2002 (ISS)

Internet Security Systems

Date Reported: 09/12/2002
Brief Description: InterScan VirusWall HTTP 1.1 chunked transfer encoding protection bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, InterScan VirusWall 3.6 for Linux, InterScan VirusWall 3.52 for Windows
Vulnerability: interscan-chunked-transfer-bypass
X-Force URL: http://www.iss.net/security_center/static/10106.php

Date Reported: 09/12/2002
Brief Description: InterScan VirusWall HTTP 1.0 gzip content encoding protection bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Windows Any version, InterScan VirusWall 3.52 for Windows
Vulnerability: interscan-gzip-content-bypass
X-Force URL: http://www.iss.net/security_center/static/10107.php

Date Reported: 09/14/2002
Brief Description: atftp multiple strcpy() function buffer overflows
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, atftp 0.5, atftp 0.6
Vulnerability: atftp-strcpy-bo
X-Force URL: http://www.iss.net/security_center/static/10142.php

Date Reported: 09/15/2002
Brief Description: Opera and Konqueror malformed image denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Opera 6.01 b175 for Linux, K Desktop Environment (KDE) prior to 3.01
Vulnerability: opera-konqueror-image-dos
X-Force URL: http://www.iss.net/security_center/static/10126.php

Date Reported: 09/16/2002
Brief Description: MIT Kerberos 5 KDC null pointer dereference denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Unix Any version, MIT Kerberos 5 prior to krb5-1.2.5
Vulnerability: kerberos-kdc-null-pointer-dos
X-Force URL: http://www.iss.net/security_center/static/10099.php

Date Reported: 09/16/2002
Brief Description: FreeBSD libkvm could leak sensitive file descriptors and disclose kernel memory
Risk Factor: Medium
Attack Type: Host Based
Platforms: FreeBSD 4.6.2-REL and prior
Vulnerability: bsd-libkvm-descriptor-leak
X-Force URL: http://www.iss.net/security_center/static/10109.php

Date Reported: 09/16/2002
Brief Description: CrazyWWWBoard HTTP_USER_AGENT CGI environment variable buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, CrazyWWWBoard 2000p4, CrazyWWWBoard 2000LEp5
Vulnerability: crazywwwboard-httpuseragent-bo
X-Force URL: http://www.iss.net/security_center/static/10110.php

Date Reported: 09/17/2002
Brief Description: NetBSD FD_SET() buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: NetBSD 1.5.3, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.4.x, NetBSD 1.6 beta, NetBSD-current pre20020810
Vulnerability: netbsd-fdset-bo
X-Force URL: http://www.iss.net/security_center/static/10114.php

Date Reported: 09/17/2002
Brief Description: NetBSD TIOCSCTTY ioctl structure counter buffer overflow
Risk Factor: Medium
Attack Type: Host Based
Platforms: NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.4.x, NetBSD 1.6 beta, NetBSD 1.5.3, NetBSD-current pre20020721
Vulnerability: netbsd-tiocsctty-ioctl-bo
X-Force URL: http://www.iss.net/security_center/static/10115.php

Date Reported: 09/17/2002
Brief Description: Heimdal Kerberos 5 implementation kf/kfd buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.4.x, NetBSD 1.5.3, Heimdal prior to 0.5, NetBSD-current pre20020910, NetBSD 1.6
Vulnerability: heimdal-kf-kfd-bo
X-Force URL: http://www.iss.net/securit
 
Old 09-24-2002, 03:38 AM   #4
unSpawn
Sep 23rd 2002 (SF)

SecurityFocus

3. Opera Oversized Image Width Denial Of Service Vulnerability
BugTraq ID: 5717
Remote: Yes
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5717
Summary:

Opera is a web browser created by Opera Software. It is available for a
range of operating systems including Windows and Linux.

It has been reported that Opera is prone to a denial of service
vulnerability, when processing overly wide images.

When Opera attempts to process a valid image containing a width of 32759
pixels, the condition is triggered, causing Opera to crash.

This vulnerability may result in memory corruption. If memory can be
corrupted with attacker-supplied data, then it may be possible to execute
arbitrary code within the context of the client.

Although not confirmed, it has been reported that this may actually be a
bug in QImage, which Opera uses to display image files.

This issue was reported in Opera on Linux platforms. Other versions may
also be affected.

4. ASMon Kernel Memory File Descriptor Leakage Vulnerability
BugTraq ID: 5720
Remote: No
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5720
Summary:

asmon is a freely available, open source system monitoring application for
the AfterStep desktop. It is available for Unix and Linux operating
systems. On FreeBSD it is installed setgid mem/kmem by default.

It has been reported that asmon is vulnerable to a leakage of open file
descriptors that may result in unauthorized disclosure of kernel memory.
It is allegedly possible for attackers to inherit the open file
descriptors for /dev/mem and /dev/kmem by executing a malicious program
through asmon. The program that is executed can be specified by the
attacker at the command line.

Upon exploiting this vulnerability, an attacker would have read-access to
kernel memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. It should be assumed
that total compromise is imminent if an attacker has read access to kernel
memory.

5. ASCPU Kernel Memory File Descriptor Leakage Vulnerability
BugTraq ID: 5716
Remote: No
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5716
Summary:

ascpu is a freely available, open source system monitoring application for
the AfterStep desktop. It is available for Unix and Linux operating
systems. On FreeBSD it is installed setgid mem/kmem by default.

It has been reported that ascpu is vulnerable to a leakage of open file
descriptors that may result in unauthorized disclosure of kernel memory.
It is allegedly possible for attackers to inherit the open file
descriptors for /dev/mem and /dev/kmem by executing a malicious program
through ascpu. The program that is executed can be specified by the
attacker at the command line.

Upon exploiting this vulnerability, an attacker would have read-access to
kernel memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. It should be assumed
that total compromise is imminent if an attacker has read access to kernel
memory.

6. BubbleMon Kernel Memory File Descriptor Leakage Vulnerability
BugTraq ID: 5714
Remote: No
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5714
Summary:

BubbleMon is a freely available, open source system monitoring application
for the Gnome desktop. It is available for Unix and Linux operating
systems. On FreeBSD it is installed setgid mem/kmem by default.

It has been reported that BubbleMon is vulnerable to a leakage of open
file descriptors that may result in unauthorized disclosure of kernel
memory. It is allegedly possible for attackers to inherit the open file
descriptors for /dev/mem and /dev/kmem by executing a malicious program
through BubbleMon. The program that is executed can be specified by the
attacker at the command line.

Upon exploiting this vulnerability, an attacker would have read-access to
kernel memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. It should be assumed
that total compromise is imminent if an attacker has read access to kernel
memory.

7. WMMon Memory Character File Open File Descriptor Read Vulnerability
BugTraq ID: 5718
Remote: No
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5718
Summary:

wmmon is a freely available, open source system monitoring application for
the WindowMaker desktop. It is available for Unix and Linux operating
systems. On FreeBSD it is installed setgid mem/kmem by default.

It has been reported that wmmon is vulnerable to a leakage of open file
descriptors that may result in unauthorized disclosure of kernel memory.
It is allegedly possible for attackers to inherit the open file
descriptors for /dev/mem and /dev/kmem by executing a malicious program
through wmmon. The program that is executed can be specified by the
attacker at the command line.

Upon exploiting this vulnerability, an attacker would have read-access to
kernel memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. It should be assumed
that total compromise is imminent if an attacker has read access to kernel
memory.

8. WMNet2 Kernel Memory File Descriptor Leakage Vulnerability
BugTraq ID: 5719
Remote: No
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5719
Summary:

wmnet2 is a freely available, open source system monitoring application
for the WindowMaker desktop. It is available for Unix and Linux operating
systems. On FreeBSD it is installed setgid mem/kmem by default.

It has been reported that wmnet2 is vulnerable to a leakage of open file
descriptors that may result in unauthorized disclosure of kernel memory.
It is allegedly possible for attackers to inherit the open file
descriptors for /dev/mem and /dev/kmem by executing a malicious program
through wmnet2. The program that is executed can be specified by the
attacker at the command line.

Upon exploiting this vulnerability, an attacker would have read-access to
kernel memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. It should be assumed
that total compromise is imminent if an attacker has read access to kernel
memory.

9. NetBSD Repeated TIOCSCTTY IOCTL Buffer Overflow Vulnerability
BugTraq ID: 5722
Remote: No
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5722
Summary:

A vulnerability has been reported in NetBSD. Reportedly, flaws exist in
the TIOCSCTTY (set controlling TTY) ioctl kernel calls. TIOCSCTTY is used to
set the session controlling TTY.

A call to TIOCSCTTY will increment the hold count of a kernel structure
shared between processes in the same session. Thus, repeated calls to
TIOCSCTTY will cause an internal buffer to be incremented indefinitely and
overflow. The flaw will allow a local attacker to cause the memory
structure to be freed prematurely. This may cause a kernel panic or cause
faulty terminal sessions.

A local attacker can exploit this vulnerability to cause the system to
panic and experience a denial of service condition.

10. KDE Konqueror Oversized Image Width Denial of Service Vulnerability
BugTraq ID: 5721
Remote: Yes
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5721
Summary:

Konqueror is an Open Source web browser, shipped with the KDE desktop. It
is available on Linux platforms.

It has been reported that Konqueror is prone to a denial of service
vulnerability when processing overly wide images.

When Konqueror attempts to process a valid image containing a reported
width of 32759 pixels, the condition is triggered, causing Konqueror to
temporarily consume system resources and then crash.

This vulnerability may result in memory corruption. If memory can be
corrupted with attacker-supplied data, then it may be possible to execute
arbitrary code within the context of the client.

The problem reportedly exists on Mandrake 8.2 running KDE 3.0.2. Although
unconfirmed, it likely exists on all systems running KDE 3.0.2.

11. DB4Web File Disclosure Vulnerability
BugTraq ID: 5723
Remote: Yes
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5723
Summary:

DB4Web is an application server that allows read and write access to
relational databases and other information sources, via the web. The
application is available for Windows, Linux, and various Unix platforms.

A directory traversal bug exists in DB4Web.

By passing a maliciously crafted query to the application, such as encoded
"dot-dot" sequences (../), an attacker can potentially gain access to
arbitrary system files. This is due to the application insufficiently
validating the user supplied input.

An attacker can access the DB4Web application binary via the 'cgi-bin'
directory on Unix and Linux servers, or the 'scripts' directory on Windows
servers.

12. NetBSD LibC SetLocale Buffer Overflow Vulnerability
BugTraq ID: 5724
Remote: No
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5724
Summary:

A buffer overflow vulnerability has been discovered in NetBSD versions
1.5.3 and earlier.

The buffer overflow is reported to occur in the setlocale() function in
libc. The setlocale() function is used to query or set a program's
current locale. This vulnerability is reportedly exploitable when certain
specific conditions are met. The vulnerability when successfully
exploited, will give a local user root access to the system.

The buffer overflow condition occurs due to insufficient boundary checking
on the arguments to the setlocale() function. When an attacker calls the
setlocale() function using 'LC_ALL' category and an overly long second
argument, the buffer overflow condition is met.

A successful exploit requires that the second argument is derived from
externally supplied data, such as environment variables or command line
arguments, from a setuid/setgid application. NetBSD has stated that most
applications using Xt, including the setuid program, xterm, may satisfy
this condition. As well, the zsh package is another program that may
satisfy these conditions.

A local attacker may be able to exploit this vulnerability by invoking the
setlocale() function with malformed arguments and obtain elevated
privileges.

13. DB4Web Connection Proxy Vulnerability
BugTraq ID: 5725
Remote: Yes
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5725
Summary:

DB4Web is an application server that allows read and write access to
relational databases and other information sources, via the web. The
application is available for Windows, Linux, and various Unix platforms.

By requesting a specially crafted URL, it is possible to initiate a TCP
connect from the vulnerable server to a remote IP address and arbitrary
port.

The application will send TCP SYN requests which will produce information
displayed in a debug error page. Information displayed such as "connect()
ok" or "connect() failed: Connection refused", can be used to determine
port status information on the specified host.

14. NetBSD IPv4 Multicast Tools Buffer Overflow Vulnerability
BugTraq ID: 5727
Remote: No
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5727
Summary:

NetBSD has reported buffer overflow vulnerabilities in several of its IPv4
multicast tools as well as the pppd service. The mrinfo(1), mtrace(1) and
the pppd(8) daemon are affected by this vulnerability.

The buffer overflow vulnerability is a result of improper boundary
checking when performing FD_SET() operations. An attacker is able to
exploit this vulnerability by filling the file descriptor table and then
invoking the tools. The tools make use of select() which supports only
FD_SETSIZE (256) file descriptors. Thus, when executed and select is
allocated a file descriptor equal to or larger than FD_SETSIZE (256), the
buffer overflow condition is met.

The multicast tools and the pppd service are setuid root applications. An
attacker can exploit this vulnerability to obtain root privileges on
vulnerable systems.

15. Lycos HTMLGear guestGear CSS HTML Injection Vulnerability
BugTraq ID: 5728
Remote: Yes
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5728
Summary:

Lycos htmlGEAR is a set of web-based applications which are available to
users of the Lycos network, but may also be used for other websites.
guestGEAR is guestbook software.

guestGEAR does not sanitize HTML from CSS (Cascading Style-Sheets)
elements in guestbook fields. An attacker could capitalize on this
situation to include arbitrary HTML and script code in guestbook
entries, which would be rendered in the web client of users who view the
malicious guestbook entry.

Code injected in this manner will be executed in the security context of
the website hosting the guestbook. Exploitation of this vulnerability may
allow an attacker to steal cookie-based authentication credentials,
redirect users to other sites, manipulate content or launch other attacks.

It has also been reported that it is possible, in some versions of the
software, to inject HTML into image tags.

16. Heimdal Kerberos Forwarding Daemon File Overwriting Vulnerability
BugTraq ID: 5729
Remote: Yes
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5729
Summary:

Heimdal Kerberos is an implementation of the Kerberos protocol distributed
and maintained by the Center for Parallel Computers, KTH. It is open
source, and available for Unix and Linux operating systems.

A problem with the implementation could make it possible for remote users
to overwrite files on a vulnerable system.

The Heimdal Kerberos Forwarding Daemon does not properly protect some
information sent from a client to a server. Because of this, it may be
possible to overwrite files accessible via the authenticated user's id.
This could result in a denial of service, or potential loss of data.

It should be noted that this vulnerability may be exploited to overwrite
files that are write-accessible by the victim.

No further details are known at this time.

17. Heimdal Kerberos Forwarding Daemon Zero Terminated String Passing Buffer Overflow Vulnerability
BugTraq ID: 5731
Remote: Yes
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5731
Summary:

Heimdal Kerberos is an implementation of the Kerberos protocol distributed
and maintained by the Center for Parallel Computers, KTH. It is open
source, and available for Unix and Linux operating systems.

A problem with the implementation could make it possible for remote users
to launch remote buffer overflow attacks.

The Heimdal Kerberos Forwarding Daemon does not properly check information
sent from a client to a server for the termination of strings. As this
information is often passed to additional programs that may be executed
with elevated privileges, it could be possible to exploit a buffer
overflow in one of these programs.

This could lead to the execution of arbitrary code with elevated
privileges, and potential compromise of administrative access.

18. Joe Text Editor Backup SetUID Executable Editing Permission Elevation Vulnerability
BugTraq ID: 5732
Remote: No
Date Published: Sep 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5732
Summary:

Joe is a freely available, open source text editor. It is available for
Unix and Linux operating systems.

A problem with Joe could make it possible for local users to gain elevated
privileges.

When joe is used to edit a file, joe automatically creates a backup of the
file with the name filename~ where filename represents the name of the
file being edited.

When joe is used to edit a setuid file, joe automatically creates a copy
of the setuid file. The permissions on the file are preserved with the
exception of ownership. This could result in an arbitrary copy of a
setuid file being created with the permissions of the joe user.

It should be noted that this vulnerability is limited in its application,
as it would require social engineering, and the editing of a setuid file
by either a privileged user, or a user in a world-writeable directory.

19. Purity Local Buffer Overflow Vulnerabilities
BugTraq ID: 5702
Remote: No
Date Published: Sep 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5702
Summary:

Purity is an automated version of the purity test. It will run on most
Unix and Linux variants and ships with Debian.

Purity is reported to be prone to a number of buffer overflows, making it
possible for local attackers to corrupt memory with attacker-supplied
data. As a result, it is possible for an attacker to execute arbitrary
code. This issue is due to insufficient bounds checking of input supplied
via the command line when the program is invoked.

The game is installed setgid, and successful exploitation of these issues
may allow for elevation of privileges. In most installations the program
is owned by the games group.

20. Enterasys SSR8000 SmartSwitch Port Scan Denial Of Service Vulnerability
BugTraq ID: 5703
Remote: Yes
Date Published: Sep 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5703
Summary:

The SSR8000 is a SmartSwitch distributed and maintained by Enterasys.

A problem with the switch may make it possible for remote users to crash
the system. The problem is in the handling of some types of traffic.

SSR8000 SmartSwitches listen on ports 15077 and 15078 to provide
Multiprotocol Over ATM (MPOA). MPOA is designed to carry IP traffic at
layers two and three over ATM links.

It has been discovered that SSR8000 switches react unpredictably when
portscanned. When these switches are scanned using specific types of TCP
traffic, and scanned on certain ports, the switch becomes unstable. It
has been reported that this can be reproduced consistently to cause the
switch to crash.

This problem could be exploited to cause a denial of service attack.

21. Avaya IP Office Malformed Packets Denial Of Service Vulnerability
BugTraq ID: 5704
Remote: Yes
Date Published: Sep 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5704
Summary:

Avaya IP Office is an IP telephony solution.

A vulnerability has been reported in IP office that may be exploited to
cause a denial of service condition.

Avaya IP Office devices crash when handling malformed packets on the ports
for the user and administrative applications. It has been reported that
this may be exploited by attackers in the local network.

No further details are known.

26. BRU XBRU Insecure Temporary File Vulnerability
BugTraq ID: 5708
Remote: No
Date Published: Sep 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5708
Summary:

BRU is a backup and restore utility distributed by The Tolis Group. This
problem affects the utility on the Linux platform.

Under some circumstances, it may be possible for a local user to gain
elevated privileges.

xbru does not properly check for the existence of temporary files prior to
execution. Because of this, it is possible for a local user to create
symbolic links to other files, which will be overwritten by the BRU user.
As BRU is typically run by the root user, this could result in the
overwriting of root-owned files.

It is possible that this vulnerability could be exploited to execute
arbitrary commands. This problem could also be exploited to overwrite
critical system files, such as the passwd file. In this situation, it
would be possible for a local user to gain administrative access if
successfully exploited.
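The FD_SET() bugs in item 14 above (and the NetBSD FD_SET() entry in the ISS list) come from passing a descriptor number at or above FD_SETSIZE into a fixed-size fd_set, which FD_SET() itself never range-checks. The C program below is an added example and is not code from the advisory or from NetBSD: it wraps FD_SET() in a bounds-checked helper (the function names are my own), fills its own descriptor table the way the advisory describes so that a descriptor numbered >= FD_SETSIZE exists, and shows the helper rejecting it where a bare FD_SET() would write past the bitmap; poll() is shown as the replacement that has no such ceiling. It assumes a POSIX system with /dev/null and that RLIMIT_NOFILE can be raised high enough.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Bounds-checked replacement for a bare FD_SET(fd, set).
 * FD_SET() performs no range check: a descriptor >= FD_SETSIZE indexes
 * past the end of the fixed-size fd_set bitmap, which is the overflow the
 * NetBSD mrinfo/mtrace/pppd advisory describes (FD_SETSIZE is 256 there,
 * 1024 on Linux/glibc). Returns 0 on success, -1 with errno = EINVAL
 * when fd cannot be represented in an fd_set. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Helper (assumed name) for the demo and tests: returns 1 if fd was
 * accepted into a fresh fd_set and reads back as set, 0 if rejected. */
int fd_set_roundtrip(int fd)
{
    fd_set s;
    FD_ZERO(&s);
    if (safe_fd_set(fd, &s) < 0)
        return 0;
    return FD_ISSET(fd, &s) ? 1 : 0;
}

/* Raise the soft open-file limit to the hard limit so the demo can obtain a
 * descriptor numbered >= FD_SETSIZE (many systems default the soft limit to
 * exactly 1024). Returns the resulting soft limit, or -1 on error. */
long raise_nofile_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
        return -1;
    if (rl.rlim_cur < rl.rlim_max) {
        rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);   /* best effort; re-read below */
        getrlimit(RLIMIT_NOFILE, &rl);
    }
    return (long)rl.rlim_cur;
}

/* Open /dev/null until the descriptor returned is >= FD_SETSIZE, the array
 * is full, or the process limit is hit. This is the advisory's precondition
 * ("filling the file descriptor table"), used here only to obtain a
 * descriptor that select()-based code cannot index safely. Returns the
 * highest descriptor opened, or -1; the caller closes fds[0..*count-1]. */
int fill_fd_table(int *fds, int max, int *count)
{
    int last = -1;
    *count = 0;
    while (*count < max) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            break;                       /* RLIMIT_NOFILE reached */
        fds[(*count)++] = fd;
        last = fd;
        if (fd >= FD_SETSIZE)
            break;
    }
    return last;
}

/* poll() takes an array of struct pollfd and has no FD_SETSIZE ceiling, so
 * it is the portable way to wait on a descriptor of any number.
 * Returns poll()'s result: >0 ready, 0 timed out, -1 error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    return poll(&p, 1, timeout_ms);
}

int main(void)
{
    int fds[4096], count, fd;

    raise_nofile_limit();
    fd = fill_fd_table(fds, 4096, &count);
    if (fd < FD_SETSIZE) {
        printf("highest descriptor obtained was %d (< FD_SETSIZE %d); "
               "raise the hard RLIMIT_NOFILE to reproduce\n", fd, FD_SETSIZE);
    } else {
        printf("descriptor %d: safe_fd_set() %s; a bare FD_SET() here would "
               "write past the %d-entry bitmap\n", fd,
               fd_set_roundtrip(fd) ? "accepted (unexpected)" : "rejected",
               FD_SETSIZE);
        printf("poll() on the same descriptor returns %d\n",
               wait_readable_poll(fd, 0));
    }
    for (int i = 0; i < count; i++)
        close(fds[i]);
    return 0;
}
```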
 
Old 09-29-2002, 06:12 AM   #5
unSpawn
Sep 27th 2002 (LAW)

Linux Advisory Watch

Package: xchat
Date: 09-23-2002
Description:
XChat prior to version 1.8.9 has a vulnerability[1] that may allow a
remote attacker to execute arbitrary commands in the IRC client
context. The vulnerability resides in the way xchat handles the IRC
server response for the /dns command. It passes the response directly
to a shell without filtering it. An attacker with administration
privileges in the IRC server can insert escaped commands in such a
response, which will be executed by the client's shell.
Conectiva Vendor Advisory:
http://linuxsecurity.com/advisories/other_advisory-2380.html

Package: kdelibs
Date: 09-20-2002
Description:
This vulnerability could allow an attacker to steal cookies and
perform other types of cross site scripting attacks on applications
which use the KHTML rendering engine, such as Konqueror.
Conectiva Vendor Advisory:
http://linuxsecurity.com/advisories/other_advisory-2377.html

Package: openssl
Date: 09-20-2002
Description:
This advisory is issued in an attempt to clarify any issues
surrounding the recently discovered Apache/mod_ssl worm.
SuSE Vendor Advisory:
http://linuxsecurity.com/advisories/suse_advisory-2378.html
NetBSD Vendor Advisory:
http://linuxsecurity.com/advisories/netbsd_advisory-2379.html

Package: tcl/tk
Date: 09-20-2002
Description:
Some problems were discovered with the Tcl/Tk development
environment. The expect application would search for its libraries in
/var/tmp prior to searching in other directories, which could allow a
local user to gain root privilege by writing a trojan library and
waiting for the root user to run the mkpasswd utility. This is fixed
in version 5.32 of expect. A similar vulnerability has been fixed
in the tcltk package which searched for its libraries in the current
working directory prior to searching in other directories. This
could be used to execute arbitrary code by local users through the
use of a trojan library.
Mandrake Vendor Advisory:
http://linuxsecurity.com/advisories/mandrake_advisory-2381.html

Package: glibc
Date: 09-23-2002
Description:
A heap buffer overflow exists in the XDR decoder in glibc version
2.2.5 and earlier. XDR is a mechanism for encoding data structures
for use with RPC, which is derived from Sun's RPC implementation
which is likewise vulnerable to a heap overflow. Depending on the
application, this vulnerability may be exploitable and could lead to
arbitrary code execution. Thanks to Solar Designer for the patches
used to correct this vulnerability.
Mandrake Vendor Advisory:
http://linuxsecurity.com/advisories/mandrake_advisory-2382.html
Debian Vendor Advisory:
http://linuxsecurity.com/advisories/debian_advisory-2385.html

Package: tomcat
Date: 09-25-2002
Description:
Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)
are vulnerable to source code exposure by using the default servlet
org.apache.catalina.servlets.DefaultServlet.
Gentoo Vendor Advisory:
http://linuxsecurity.com/advisories/other_advisory-2383.html

Package: zope
Date: 09-25-2002
Description:
The "through the web code" capability for Zope 2.0 through 2.5.1 b1
allows untrusted users to shut down the Zope server via certain
headers. (CAN-2002-0687) ZCatalog plug-in index support capability
for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted
code to bypass access restrictions and call arbitrary methods of
catalog indexes. (CAN-2002-0688) Zope 2.2.0 through 2.5.1 does not
properly verify the access for objects with proxy roles, which could
allow some users to access documents in violation of the intended
configuration. (CAN-2002-0170) Users should upgrade to these errata
packages that have the Zope Hotfixes 2002-03-01, 2002-04-15, and
2002-06-14 applied, and are therefore not vulnerable to these issues.
Red Hat Vendor Advisory:
http://linuxsecurity.com/advisories/redhat_advisory-2384.html
 