SecurityFocus
1. IBM DB2 Multiple Command-line Format String Vulnerabilities
BugTraq ID: 8989
Remote: No
Date Published: Nov 07 2003
Relevant URL:
http://www.securityfocus.com/bid/8989
Summary:
DB2 is the database implementation maintained and distributed by IBM. It
is available for the UNIX, Linux, and Microsoft Windows platforms. The
db2govd, db2start, and db2stop database components are typically installed
setuid.
Multiple format string vulnerabilities have been discovered within the IBM
DB2 database specifically within the aforementioned components. The
problems occur due to erroneous usage of format-based functions and could
potentially allow an attacker to gain elevated privileges on a local
system.
The db2start and db2stop binaries are both prone to a format string bug
when handling a basic command-line argument, for example "./db2start %x".
The db2govd binary is prone to the condition when handling parameters
passed as part of the 'validate garbage' and 'stop' options.
An attacker could potentially exploit one of these conditions by passing
specially calculated format string sequences to a target program. When
handled, the program may be controlled in such a way that arbitrary code
may be executed. All instructions executed would be run with the
privileges of the owner of the specific binary.
2. IBM DB2 Multiple Command-Line Argument Buffer Overflow Vulne...
BugTraq ID: 8990
Remote: No
Date Published: Nov 07 2003
Relevant URL:
http://www.securityfocus.com/bid/8990
Summary:
DB2 is the database implementation maintained and distributed by IBM. It
is available for the UNIX, Linux, and Microsoft Windows platforms. The
db2govd, db2start, and db2stop database components are typically installed
setuid/setgid.
IBM DB2 has been reported to be prone to multiple buffer overflow
vulnerabilities that present themselves in binaries that are shipped with
DB2. The vulnerabilities are likely caused by a lack of sufficient
boundary checks performed on user-supplied command-line arguments before
they are copied into a reserved buffer in memory. By supplying data that
exceeds the size of the reserved memory buffer used to store command-line
arguments, a local attacker may overflow the bounds of the affected buffer
and corrupt adjacent memory. Because this memory contains values that are
crucial to controlling program execution flow, the attacker may redirect
the execution flow of the vulnerable binary into attacker-controlled
memory.
It has been reported that arguments between 65 and 9901 bytes in size may
trigger this issue in the respective vulnerable executables. Ultimately
this may lead to the execution of arbitrary attacker-supplied instructions
with elevated privileges.
Although this issue has been reported to affect IBM DB2 versions v7 and v8,
other versions may also be affected.
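Both DB2 entries above describe the same two defects in a setuid command-line tool: a user-supplied argument used as a printf format string, and an argument copied into a fixed buffer without a length check. The following is an added example, not IBM's code, showing the vulnerable pattern in a comment next to a hardened argument handler (all names, and the 64-byte buffer size, are assumptions for illustration):

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define ARG_MAX_LEN 64   /* hypothetical fixed buffer size of the helper */

/* Vulnerable pattern (what the advisories describe, do not use):
 *   char msg[ARG_MAX_LEN];
 *   strcpy(msg, argv[1]);      // no bound check: a long argument overflows msg
 *   fprintf(stderr, msg);      // user data is the format string: "%x" is interpreted
 */

/* Hardened copy: accepts the argument only if it fits in out including the NUL.
 * Returns 0 on success, -1 if the argument is too long (reject, do not truncate silently). */
int copy_arg_bounded(char *out, size_t outsz, const char *arg) {
    size_t n = 0;
    while (n < outsz && arg[n] != '\0') n++;
    if (n == outsz) return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Hardened output: user data always goes through a literal format, so '%' in
 * the argument is printed, never interpreted. Returns snprintf's character count. */
int format_arg_literal(char *out, size_t outsz, const char *arg) {
    return snprintf(out, outsz, "argument: %s", arg);
}

/* Defender-side check for logging or alerting: count printf conversion
 * specifiers in an argument. "%%" is a literal percent sign and does not count. */
int count_conversions(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            count++;
        }
    }
    return count;
}

int main(int argc, char **argv) {
    char buf[ARG_MAX_LEN];
    char msg[128];
    /* constructed sample input when no argument is given */
    const char *arg = argc > 1 ? argv[1] : "%x%x%x";
    if (copy_arg_bounded(buf, sizeof buf, arg) != 0) {
        fputs("argument too long\n", stderr);
        return 1;
    }
    format_arg_literal(msg, sizeof msg, buf);
    printf("%s (contains %d conversion specifiers)\n", msg, count_conversions(buf));
    return 0;
}
```

The two defensive rules are the ones the advisories imply: the format string is always a compile-time literal, and every copy into a fixed buffer is preceded by a length check that rejects oversized input.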
3. TerminatorX Command-line Format String Vulnerability
BugTraq ID: 8992
Remote: No
Date Published: Nov 07 2003
Relevant URL:
http://www.securityfocus.com/bid/8992
Summary:
TerminatorX is a freely available, open source music manipulation program.
It is available for the Linux platform.
It has been reported that TerminatorX may be prone to a format string
vulnerability when handling command-line parameters. Specifically, due to
the erroneous usage of a format-based function, it is possible to have
format specifiers passed as the '-f' file argument interpreted by the
program.
As a result, an attacker may be capable of exploiting the application to
execute arbitrary code with elevated privileges. It should be noted that
TerminatorX is not installed setuid by default; however, the author
recommends that users make the application setuid root.
4. TerminatorX Multiple Command-Line and Environment Buffer Ove...
BugTraq ID: 8993
Remote: No
Date Published: Nov 07 2003
Relevant URL:
http://www.securityfocus.com/bid/8993
Summary:
terminatorX is a freely available, open source music manipulation program.
It is available for the Linux platform.
It has been reported that TerminatorX may be prone to multiple
vulnerabilities when handling command-line and environment variable data.
The problem specifically occurs due to insufficient bounds checking when
handling the LADSPA_PATH environment variable and the '-f' and '-r'
command-line parameters.
As a result, an attacker may be capable of exploiting the application in a
variety of ways to execute arbitrary code with elevated privileges. It
should be noted that TerminatorX is not installed setuid by default;
however, the author recommends that users make the application setuid root.
5. phpBB Profile.PHP SQL Injection Vulnerability
BugTraq ID: 8994
Remote: Yes
Date Published: Nov 08 2003
Relevant URL:
http://www.securityfocus.com/bid/8994
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
A SQL injection vulnerability has been reported for phpBB systems.
phpBB, in some cases, does not sufficiently sanitize user-supplied input,
which is used when constructing SQL queries to execute on the underlying
database. As a result, it is possible to manipulate SQL queries. This may
allow a remote attacker to modify query logic or potentially corrupt the
database.
This vulnerability was reported to exist in the profile.php script file. A
remote attacker can exploit this vulnerability by manipulating the $u URI
parameter to modify SQL query logic.
SQL injection attacks may also potentially be used to exploit latent
vulnerabilities in the underlying database implementation.
It should be noted that although this vulnerability has been reported to
affect phpBB version 2.0.5 and prior, it may also affect version 2.0.6.
6. WMAPM Privilege Escalation Vulnerability
BugTraq ID: 8995
Remote: No
Date Published: Nov 08 2003
Relevant URL:
http://www.securityfocus.com/bid/8995
Summary:
wmapm is a Window Maker Dock App that is used as a battery power status
monitor for laptops.
wmapm has been reported prone to a local privilege escalation
vulnerability. The vulnerability has been conjectured to result from the
dock app invoking the 'apm' binary by name rather than by an absolute
path. As a result of this, a local attacker may manipulate local PATH
settings and have the setuid wmapm dock app erroneously invoke a trojan
binary that is located in a directory that the attacker has permission to
write to.
The code contained in the invoked binary will be executed with the
privileges of the vulnerable wmapm app; this may ultimately result in
elevating the privileges of the attacker.
It has been reported that wmapm is setuid 'operator' on FreeBSD if it is
compiled via the ports collection; alternatively, if wmapm is compiled from
source on FreeBSD or Linux, it is reportedly setuid root.
It should be noted that although this issue has been reported to affect
wmapm version 3.1, previous versions might also be affected.
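A setuid program that hands a bare command name to the PATH search is exactly the condition described above. The following is an added example, not wmapm's code, of how such a helper can be launched safely: the binary is resolved through a compile-time allow-list of absolute paths, and the child gets a rebuilt environment with a fixed PATH rather than the caller's. The helper name "apm" and its location /usr/sbin/apm, the kept variables, and all function names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Hypothetical allow-list of helpers the program may run, keyed by short name.
 * The absolute path is fixed at compile time, so PATH is never consulted. */
static const struct { const char *name; const char *path; } trusted[] = {
    { "apm", "/usr/sbin/apm" },   /* assumed location; adjust for the target system */
};

/* Returns the absolute path for a trusted helper name, or NULL if unknown. */
const char *resolve_trusted(const char *name) {
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
        if (strcmp(trusted[i].name, name) == 0) return trusted[i].path;
    return NULL;
}

/* Build a minimal environment for the child from src: PATH is always replaced
 * with a fixed value and only the variables listed in keep[] are copied over.
 * Returns the number of entries written (excluding the NULL terminator),
 * or -1 if out cannot hold them. */
int build_safe_env(char **out, size_t outmax, char *const *src) {
    static const char *const keep[] = { "TERM", "LANG" };   /* harmless display settings */
    size_t n = 0;
    if (outmax < 2) return -1;
    out[n++] = "PATH=/usr/sbin:/usr/bin:/bin";
    for (size_t i = 0; src != NULL && src[i] != NULL; i++) {
        for (size_t k = 0; k < sizeof keep / sizeof keep[0]; k++) {
            size_t len = strlen(keep[k]);
            if (strncmp(src[i], keep[k], len) == 0 && src[i][len] == '=') {
                if (n + 1 >= outmax) return -1;
                out[n++] = src[i];
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Run a trusted helper by absolute path with the sanitized environment.
 * Returns the child's exit status, or -1 on any error (unknown name, fork failure). */
int run_trusted(const char *name, char *const *env_in) {
    const char *path = resolve_trusted(name);
    char *env[16];
    if (path == NULL || build_safe_env(env, 16, env_in) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)name, NULL };
        execve(path, argv, env);   /* no PATH lookup: execve takes the literal path */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = run_trusted("apm", environ);
    printf("apm exit status: %d (127 means the assumed path does not exist here)\n", rc);
    return 0;
}
```

If the helper must remain a privileged program, the same two rules apply to any other dock app or monitor that shells out: never let the invoking user's PATH (or IFS, or loader variables) decide which file is executed.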
7. Conquest Unspecified Local Environment Variable Buffer Overf...
BugTraq ID: 8996
Remote: No
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/8996
Summary:
conquest is a simple curses-based strategy game developed for Unix-based
operating systems. It has been reported that on the Debian Linux
distribution, the conquest binary is setgid conquest.
A local buffer overrun vulnerability has been reported for conquest. The
problem occurs due to insufficient bounds checking when parsing
unspecified data contained in the user's environment. As a result, an
attacker may be capable of controlling the execution flow of the conquest
program and effectively executing arbitrary code with elevated privileges.
Exploiting this condition may allow an attacker to gain group 'conquest'
privileges that could be used to modify sensitive information or could be
used to leverage attacks against other previously inaccessible utilities.
10. Epic CTCP Nickname Server Message Buffer Overrun Vulnerabili...
BugTraq ID: 8999
Remote: Yes
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/8999
Summary:
Epic is a freely available IRC client for Unix and Linux variants.
A remotely exploitable buffer overrun has been reported in Epic. This
issue may reportedly be exploited by a malicious server that supplies an
overly long nickname in a CTCP message. It may also be possible for a
malicious client to send such a message, but it is likely that the server
will limit the length.
Reportedly, if a nickname of over 512 bytes is supplied in such a message,
the client may attempt to call alloca() with a negative number, which
could potentially result in corruption of stack memory. In this manner,
it may be possible for a malicious IRC server to trigger this condition to
execute arbitrary code on the client system in the context of the client
user.
12. Bugzilla Javascript Buglists Remote Information Disclosure V...
BugTraq ID: 9001
Remote: Yes
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/9001
Summary:
Bugzilla is a freely available, open source bug tracking system. It is
available for the Unix, Linux, and Microsoft Windows platforms.
A problem exists in the handling of buglists by Bugzilla when the lists
are implemented with Javascript. Because of this, a remote user may be
able to gain unauthorized access to sensitive information.
The problem is in the storage of information when placed in Javascript
arrays. It is possible for a remote user to create a buglink in their
page that correctly reflects information about a bug, including details
which may be restricted from the public due to sensitivity of information.
This may result in unauthorized disclosure of information.
This problem has also been reported to affect bookmarklets. The issue is
known to affect version 2.7.15 only.
13. Winace UnAce Command Line Argument Buffer Overflow Vulnerabi...
BugTraq ID: 9002
Remote: Yes
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/9002
Summary:
Winace is a file compression/decompression tool that was originally
developed for Microsoft Windows platforms. Winace was ported to Linux
platforms as UnAce.
UnAce has been reported to be prone to a buffer overflow vulnerability.
The issue presents itself when UnAce handles ace filenames that are
greater than 610 bytes in length, including the ace file extension. When
this filename is passed to the UnAce utility as an argument for the 'e'
(extract) command-line switch, the string is copied into a reserved buffer
in memory. Data that exceeds the size of the reserved buffer will overflow
its bounds and will trample any saved data that is adjacent to the
affected buffer. Because variables that are crucial to controlling program
execution flow for UnAce are conjectured to be stored adjacent to the
affected buffer, an attacker may corrupt these values and redirect UnAce
program execution flow into attacker-controlled memory. Ultimately this
may lead to the execution of arbitrary instructions in the context of the
user who is running UnAce.
If UnAce is associated with a specific file type in, for example, an
Internet browser, clicking on a malicious ace filename may be sufficient
to result in the execution of arbitrary instructions on an affected host.
14. PureFTPd displayrate() Remote Denial of Service Vulnerabilit...
BugTraq ID: 9003
Remote: Yes
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/9003
Summary:
PureFTPd is an FTP server based on Troll-FTPd and designed with a focus on
security. It is available for the BSD and Linux operating systems.
A denial of service vulnerability has been discovered in PureFTPd. The
problem occurs within the displayrate() function. When data returned from
the realpath() function is subsequently tested for a specific value, it
may be possible to trigger a procedure, which will ultimately cause
PureFTPd to crash.
Specifically, the realpath() function is passed two variables, name and
resolved_path. The resolved name is stored in resolved_path, which is then
tested for a zero byte as shown below:
if (resolved_path[sizeof_resolved_path - 1U] != 0)
If this condition is met, PureFTPd will enter an infinite for loop,
continuously writing a zero value to a pointer incremented each iteration.
This will ultimately result in an attempt to write to unpaged memory,
effectively triggering a segmentation violation and thus a denial of
service.
It should be noted that PureFTPd will typically fork a new process for
each new connection to the FTP service, specifically when running as a
standalone server, however it has not been confirmed whether this is
always the case.
If forking children is the only behavior under all configurations, this
condition may not have any implications beyond closing the session of a
malicious user. This BID will be updated, as further details regarding
this information are made available.
*** November 10, 2003 - The vendor has confirmed that the condition
affects only the individual session in which it occurs. Furthermore,
additional details made available by the vendor state that realpath() is
designed in such a way that only a specific amount of data can be filled.
As such, the aforementioned test will always fail. As a result of this new
information, this BID will subsequently be retired.
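The PureFTPd entry above turns on two facts: realpath() writes at most PATH_MAX bytes into its buffer, so the last byte of a PATH_MAX-sized buffer is never non-zero, and a guard whose failure branch is an unbounded loop is itself a crash if it ever fires. The following is an added example, not PureFTPd's displayrate() code, that keeps the same last-byte test but gives it a bounded failure path (the function names are assumptions; realpath() and PATH_MAX are the standard POSIX interfaces):

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback when <limits.h> does not define it */
#endif

/* Resolve 'name' into a caller-supplied buffer and verify that the result is a
 * NUL-terminated string that fits. Returns 0 on success, -1 if the buffer is
 * smaller than PATH_MAX or realpath() fails, and -2 if the last-byte test
 * (the same test the advisory quotes) fires. The failure branch is a bounded
 * memset and an error return, not a loop that walks a pointer off the buffer. */
int resolve_checked(const char *name, char *resolved, size_t sizeof_resolved) {
    if (sizeof_resolved < PATH_MAX) return -1;   /* realpath() may write up to PATH_MAX bytes */
    memset(resolved, 0, sizeof_resolved);        /* pre-clear: the last byte starts at 0 */
    if (realpath(name, resolved) == NULL) return -1;
    if (resolved[sizeof_resolved - 1U] != 0) {   /* unreachable for a PATH_MAX buffer */
        memset(resolved, 0, sizeof_resolved);    /* bounded clear instead of an unbounded for loop */
        return -2;
    }
    return 0;
}

/* The last-byte test on an arbitrary buffer, so the guard can be exercised on
 * its own: returns 1 if the final byte is a terminator, 0 otherwise. */
int last_byte_is_terminator(const char *buf, size_t len) {
    return len > 0 && buf[len - 1U] == 0;
}

int main(int argc, char **argv) {
    char resolved[PATH_MAX];
    const char *name = argc > 1 ? argv[1] : "/";   /* constructed default input */
    int rc = resolve_checked(name, resolved, sizeof resolved);
    printf("rc=%d resolved=%s\n", rc, rc == 0 ? resolved : "(none)");
    return rc == 0 ? 0 : 1;
}
```

The pre-clear matters: it makes the invariant "last byte is zero" hold before realpath() runs, so the later test depends only on realpath()'s documented bound and not on stale stack contents.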
15. nCube Server Manager Directory Traversal Vulnerability
BugTraq ID: 9004
Remote: Yes
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/9004
Summary:
nCUBE Server Manager has been reported prone to a directory traversal
vulnerability. The issue is likely due to a lack of sufficient
sanitization performed on user-supplied URI parameters. A remote attacker
may exploit this condition by supplying directory traversal sequences as a
value for the 'files' URI parameter passed to the Server Manager
'nph-showlogs.pl' script. Ultimately this may allow the attacker to break
out of the webserver root and view arbitrary directory listings and
potentially arbitrary files on the vulnerable system.
An attacker may employ data harvested in this manner to aid in further
attacks launched against the target system.
It should be noted that although this issue has been reported to affect
nCUBE Server Manager version 1.0, other versions might also be affected.
16. Hylafax HFaxD Unspecified Format String Vulnerability
BugTraq ID: 9005
Remote: Yes
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/9005
Summary:
Hylafax is a software package designed to handle the transmission of
faxes.
Hylafax hfaxd (daemon) has been reported prone to an unspecified format
string vulnerability that may be exploited under non-standard
configurations to execute arbitrary instructions remotely as the root
user.
It has been conjectured that a remote attacker may design a string that
contains specially crafted format string specifiers and then transmit
this string to the hfaxd server in a manner sufficient to trigger the
condition. The malicious format specifiers contained in this string will
be interpreted by the affected server rather than treated as literal
data; this may result in arbitrary memory corruption and ultimately in the
execution of arbitrary attacker-supplied instructions in the context of
the affected server.
This BID will be updated if and when explicit information regarding this
vulnerability is published.
17. Symbol Technologies PDT 8100 Default WEP Keys Configuration ...
BugTraq ID: 9006
Remote: No
Date Published: Nov 10 2003
Relevant URL:
http://www.securityfocus.com/bid/9006
Summary:
The PDT 8100 is a wireless access point solution distributed and
maintained by Symbol Technologies.
A problem has been identified in the default configuration of the Symbol
Technologies PDT 8100. Because of this, a local user may be able to gain
unauthorized access to network resources.
The problem is in the handling of WEP keys. When a PDT 8100 is configured,
the party configuring the device is not prompted to change the default WEP
keys configuration. If this configuration is not changed, a user of the
device may access the WEP keys in plain text on the device.
The 8146-T2B940US model is known to be affected by this issue. Other
models may also be affected.
27. Omega-RPG Environment Variable Buffer Overrun Vulnerability
BugTraq ID: 9016
Remote: No
Date Published: Nov 11 2003
Relevant URL:
http://www.securityfocus.com/bid/9016
Summary:
omega-rpg is a game for Linux/Unix variants.
omega-rpg is prone to a locally exploitable buffer overrun. This is due
to insufficient bounds checking of environment variables, which will be
copied into an internal buffer. By supplying an environment variable of
excessive length, it is possible to corrupt memory with attacker-supplied
values, potentially allowing the attacker to control execution flow of the
program and execute arbitrary code. omega-rpg may be installed setgid,
which could allow for execution of arbitrary code in the context of group
'games' if this issue were successfully exploited.
29. PHP-Coolfile Unauthorized Administrative Access Vulnerabilit...
BugTraq ID: 9018
Remote: Yes
Date Published: Nov 11 2003
Relevant URL:
http://www.securityfocus.com/bid/9018
Summary:
PHP-Coolfile is a website manager application implemented in PHP. It
allows users to manage files on a website.
PHP-Coolfile allows unprivileged users to gain access to the
administrative username and password for the site.
This is due to a coding error in the way the action.php file evaluates
access permission. Because of this error, any user can use the 'edit'
action in action.php to view the contents of the config.php file which
contains the administrator username and password.
30. Opera Multiple MIME Type File Dropping Weakness
BugTraq ID: 9019
Remote: Yes
Date Published: Nov 12 2003
Relevant URL:
http://www.securityfocus.com/bid/9019
Summary:
Opera includes support for multiple MIME types used for configuration and
installation of browser skins that potentially could be abused by a
malicious web page to drop files onto a client system in a predictable
location. The following is a list of MIME types that may be abused in
this manner, and the location that files will be dropped (in a default
installation of the browser):
- "application/x-opera-skin" - File is dropped into
  C:\Program Files\Opera7\profile\Skin
- "application/x-opera-configuration-skin" - File is dropped into
  C:\Program Files\Opera7\profile\skin
- "application/x-opera-configuration-keyboard" - File is dropped into
  C:\Program Files\Opera7\profile\keyboard
- "application/x-opera-configuration-mouse" - File is dropped into
  C:\Program Files\Opera7\profile\mouse
- "application/x-opera-configuration-menu" - File is dropped into
  C:\Program Files\Opera7\profile\menu
- "application/x-opera-configuration-toolbar" - File is dropped into
  C:\Program Files\Opera7\profile\toolbar
Through exploitation of another reported vulnerability (BID 9021), further
attacks may result, such as execution of script code or information
disclosure.
32. Opera Web Browser Opera: URI Handler Directory Traversal Vul...
BugTraq ID: 9021
Remote: Yes
Date Published: Nov 12 2003
Relevant URL:
http://www.securityfocus.com/bid/9021
Summary:
Opera is a web browser available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.
Opera uses an internal URI handler called 'Opera:' or 'about:' to display
help files and other documentation. Common uses for this command include
"opera:history", "opera:plugins", "opera:cache", and "opera:drives". A
vulnerability has been reported to exist in the software that may allow an
attacker to access information outside the intended directories for help
files and documentation. The problem exists due to insufficient
sanitization of user-supplied data through the 'Opera:' URI handler. The
issue may allow an attacker to traverse the client file system by using
'..%5c' or '..%2f' character sequences.
Successful exploitation of this vulnerability may allow an attacker to
gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.
It has been reported that this issue may be exploited with another issue
described in BID 9019 to drop files onto a client system in a predictable
location and cause these files to be executed.
Opera Web Browser versions 7.21 and prior are reported to be prone to this
issue. This issue was reported to exist in Windows versions of the web
browser. It is not known if versions for other platforms are similarly
affected.
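The nCUBE Server Manager entry (BID 9004) and the Opera entry above both come down to a path parameter that is percent-decoded and then used without checking whether the result climbs out of the intended directory. The following is an added example, not code from either product, of the check a handler should apply to such a parameter: decode once, refuse double encoding, treat both '/' and '\' as separators (the Opera sequences use %2f and %5c), and reject any path whose ".." segments would rise above the root. The function names and the 'files' parameter usage are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes from in into out (so "..%5c" becomes "..\" and "..%2f"
 * becomes "../"). Returns the decoded length, or -1 if out is too small or an
 * escape is malformed or truncated. */
int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;              /* malformed escape, also covers a trailing '%' */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Return 1 if the decoded path never rises above the document root, 0 if any
 * ".." segment would. Both '/' and '\' are separators; "." segments are ignored. */
int path_confined(const char *decoded) {
    int depth = 0;
    const char *p = decoded;
    while (*p != '\0') {
        while (*p == '/' || *p == '\\') p++;    /* skip separators */
        if (*p == '\0') break;
        const char *seg = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;          /* would climb above the root */
        } else {
            depth++;
        }
    }
    return 1;
}

/* Combined check for a raw URI parameter such as 'files' (assumed usage):
 * decode once, reject anything still containing '%' (double encoding), then confine.
 * Returns 1 if the parameter is safe to join to the document root, 0 otherwise. */
int uri_param_safe(const char *raw) {
    char buf[1024];
    if (url_decode(raw, buf, sizeof buf) < 0) return 0;
    if (strchr(buf, '%') != NULL) return 0;
    return path_confined(buf);
}

int main(void) {
    /* constructed sample parameter values */
    const char *samples[] = { "logs%2Fserver.log", "..%5c..%5cwindows", "logs%2f..%2f..%2fetc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i], uri_param_safe(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

Confinement on the decoded string is deliberately a syntactic check; a handler that serves files should additionally open them relative to a fixed root and, where the platform allows, verify the final resolved path still starts with that root.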
35. Multiple Vendor Bluetooth Device Unspecified Information Dis...
BugTraq ID: 9024
Remote: Yes
Date Published: Nov 12 2003
Relevant URL:
http://www.securityfocus.com/bid/9024
Summary:
Bluetooth is a wireless communication protocol which, amongst other
functions, is designed to allow interoperability between devices produced
by different vendors, such as a cellphone and headset.
Under certain configurations Bluetooth devices will allow an anonymous
user to establish a connection and carry out various actions. These modes
are typically called "discoverable" and "visible". It has been reported
that, even when the aforementioned modes have been disabled, an anonymous
user may be capable of connecting to a Bluetooth device and accessing
sensitive information stored therein. This could allow an attacker to
expose phone book, calendar, and other sensitive information.
The precise technical details regarding this vulnerability have not yet
been made available. This BID will be updated as further information is
made available.