LQ weekly security rep - Sep 25th 2003
Sep 22nd 2003
16 of 39 issues handled (SF)
2. Man Utility MANPL Environment Variable Buffer Overrun Vulnerability
3. myServer cgi-lib.dll Remote Buffer Overflow Vulnerability
4. vbPortal Authentication SQL Injection Vulnerability
12. DSPAM Insecure Default Permissions Privilege Escalation Vulnerability
16. ChatZilla Remote Denial of Service Attack
17. OpenSSH Buffer Mismanagement Vulnerabilities
18. Liquid War HOME Environment Variable Buffer Overflow Vulnerability
19. Spider HOME Environment Variable Heap Overflow Vulnerability
20. Spider OPENWINHOME/XVIEWHOME Environment Variables Buffer Overflow
24. KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerability
25. KDE KDM Session Cookie Generation Weakness
30. Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability
32. NetBSD Sysctl Argument Handling Vulnerabilities
35. Multiple Mambo Open Source 4.0.14 Server Vulnerabilities
37. Sendmail Ruleset Parsing Buffer Overflow Vulnerability
39. HLSW RCON Console Password Disclosure Weakness

Sep 22nd 2003
25 of 49 issues handled (ISS)
vbPortal auth.inc.php SQL injection
Spider remove_newlines function HOME buffer
OpenSSH large packet buffer overflow
Spider spider_defaults_objects_initialize function
Liquidwar buffer overflow
ChatZilla overly long string causes denial of
DSPAM insecure permissions could allow local
KDM pam_krb5 module configuration may allow local
Sendmail prescan function buffer overflow
KDM weak session cookie encryption
XFree86 weak session cookie encryption
OpenSSH buffer management errors could allow an
IBM DB2 db2licm binary buffer overflow could allow
IBM DB2 db2dart binary buffer overflow could allow
Linux kernel proc.* sysctl tree denial of service
Linux kernel sysctl helper could allow an attacker
Mambo Site Server banners.php script could disclose
Mambo Site Server banners.php SQL injection
Mambo Site Server emailfriend scripts could allow a
Mambo Site Server contact.php script allows email
hztty multiple buffer overflows could allow
IBM DB2 Discovery Service denial of service caused
LSH heap overflow
myPHPNuke SQL injection $aid SQL injection
Midnight Commander vfs_s_resolve_symlink buffer

Sep 19th 2003
11 issues handled, 43 instances, 14 distros (LAW)
OpenSSH Exim Gtkhtml KDE Kernel Mana MySQL Pine Sendmail Sysctl XFree86
Sep 19th 2003 (LAW)
Linux Advisory Watch
Distribution: SCO

9/15/2003 - mana local vulnerability
There are multiple local environment variable vulnerabilities in mana.
http://www.linuxsecurity.com/advisor...sory-3622.html

Distribution: Conectiva

9/12/2003 - pine Multiple remote vulnerabilities
A buffer overflow and an integer overflow that can be exploited by remote attackers through the sending of specially crafted messages have been fixed.
http://www.linuxsecurity.com/advisor...sory-3616.html

9/12/2003 - gtkhtml Buffer overflow vulnerability
Multiple buffer overflow vulnerabilities existed that could be exploited to at least crash programs linked to gtkhtml by using malformed HTML. In the case of Evolution, a remote attacker can use an HTML mail as an attack vector.
http://www.linuxsecurity.com/advisor...sory-3617.html

9/16/2003 - openssh buffer management error
This update fixes a potential remote vulnerability in the buffer handling code of OpenSSH.
http://www.linuxsecurity.com/advisor...sory-3623.html

9/17/2003 - openssh Remote vulnerabilities
This update fixes new vulnerabilities found in the code that handles buffers in OpenSSH. These vulnerabilities are similar to the ones fixed in the CLSA-2003:739 announcement and can be exploited by a remote attacker to cause a denial of service condition and potentially execute arbitrary code.
http://www.linuxsecurity.com/advisor...sory-3648.html

9/18/2003 - sendmail buffer overflow vulnerabilities
Michal Zalewski reported a remote vulnerability in sendmail versions 8.12.9 and earlier.
http://www.linuxsecurity.com/advisor...sory-3656.html

9/18/2003 - MySQL Multiple vulnerabilities
World writable configuration files, a double-free vulnerability, and a password handler buffer overflow have been fixed in this update.
http://www.linuxsecurity.com/advisor...sory-3658.html

Distribution: Debian

9/12/2003 - xfree86 Multiple vulnerabilities
Four vulnerabilities have been identified and fixed in XFree86, including a potential denial of service vulnerability.
http://www.linuxsecurity.com/advisor...sory-3618.html

9/15/2003 - mysql buffer overflow vulnerability
MySQL contains a buffer overflow condition which could be exploited by a user who has permission to execute "ALTER TABLE" commands on the tables in the "mysql" database.
http://www.linuxsecurity.com/advisor...sory-3619.html

9/16/2003 - ssh buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3624.html

9/17/2003 - openssh multiple vulnerabilities
This advisory is an addition to the earlier DSA-382-1 advisory: two more buffer handling problems have been found in addition to the one described in DSA-382-1.
http://www.linuxsecurity.com/advisor...sory-3633.html

9/17/2003 - openssh-krb5 multiple buffer handling vulnerabilities
Several bugs have been found in OpenSSH's buffer handling. It is not known if these bugs are exploitable, but as a precaution an upgrade is advised.
http://www.linuxsecurity.com/advisor...sory-3634.html

9/18/2003 - sendmail buffer overflow vulnerabilities
There are multiple buffer overflow vulnerabilities in the sendmail package.
http://www.linuxsecurity.com/advisor...sory-3651.html

Distribution: EnGarde

9/16/2003 - OpenSSH buffer management error
The OpenSSH daemon shipped with all versions of EnGarde Secure Linux contains a potentially exploitable buffer management error.
http://www.linuxsecurity.com/advisor...sory-3621.html

9/18/2003 - Additional 'OpenSSH' buffer management bugs
After the release of ESA-20030916-023, the OpenSSH team discovered more buffer management bugs (fixed in OpenSSH 3.7.1) of the same type. Additionally, Solar Designer fixed additional bugs of this class. His fixes are included in this update.
http://www.linuxsecurity.com/advisor...sory-3649.html

9/18/2003 - 'MySQL' buffer overflow
The MySQL daemon contains a buffer overflow which may be exploited by any user who has ALTER TABLE permissions on the "mysql" database.
http://www.linuxsecurity.com/advisor...sory-3650.html

Distribution: FreeBSD

9/16/2003 - buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3625.html

9/17/2003 - sendmail Multiple overflow vulnerabilities
A buffer overflow that may occur during header parsing was identified. An attacker could create a specially crafted message that may cause sendmail to execute arbitrary code with the privileges of the user running sendmail, typically root.
http://www.linuxsecurity.com/advisor...sory-3647.html

Distribution: Gentoo

9/15/2003 - mysql buffer overflow vulnerability
Anyone with global administrative privileges on a MySQL server may execute arbitrary code even on a host he isn't supposed to have a shell on, with the privileges of the system account running the MySQL server.
http://www.linuxsecurity.com/advisor...sory-3620.html

9/16/2003 - exim buffer overflow vulnerability
There's a heap overflow in all versions of exim3 and exim4 prior to version 4.21. It can be exercised by anyone who can make an SMTP connection to the exim daemon.
http://www.linuxsecurity.com/advisor...sory-3626.html

9/16/2003 - openssh Buffer management error
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable; however, we prefer to see bugs fixed proactively.
http://www.linuxsecurity.com/advisor...sory-3629.html

9/17/2003 - sendmail Buffer overflow vulnerabilities
Fix a buffer overflow in address parsing. Fix a potential buffer overflow in ruleset parsing. This problem is not exploitable in the default sendmail configuration.
http://www.linuxsecurity.com/advisor...sory-3646.html

Distribution: Immunix

9/16/2003 - openssh buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3627.html

9/17/2003 - openssh buffer management error
This advisory has been updated to reflect that the OpenSSH team has found more instances of the programming idiom in question in their codebase.
http://www.linuxsecurity.com/advisor...sory-3635.html

9/18/2003 - sendmail buffer overflow vulnerabilities
Michal Zalewski discovered flaws in sendmail's prescan() function.
http://www.linuxsecurity.com/advisor...sory-3652.html

Distribution: NetBSD

9/17/2003 - openssh buffer overflow vulnerability
A buffer overwrite with unknown consequences has been found in OpenSSH.
http://www.linuxsecurity.com/advisor...sory-3636.html

9/17/2003 - kernel memory disclosure vulnerability
The iBCS2 system call translator for statfs erroneously used the user-supplied length parameter when copying a kernel data structure into userland.
http://www.linuxsecurity.com/advisor...sory-3637.html

9/17/2003 - sysctl multiple vulnerabilities
Three unrelated problems with inappropriate argument handling were found in the kernel sysctl code, which could be exploited by a malicious local user.
http://www.linuxsecurity.com/advisor...sory-3638.html

Distribution: RedHat

9/16/2003 - openssh buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3628.html

9/16/2003 - KDE Multiple vulnerabilities
Updated KDE packages that resolve a local security issue with KDM PAM support and weak session cookie generation are now available.
http://www.linuxsecurity.com/advisor...sory-3631.html

9/17/2003 - OpenSSH Buffer manipulation vulnerabilities
Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1.
http://www.linuxsecurity.com/advisor...sory-3644.html

9/17/2003 - sendmail Multiple overflow vulnerabilities
Updated Sendmail packages that fix a potentially-exploitable vulnerability are now available. The successful exploitation of this bug can lead to heap and stack structure overflows.
http://www.linuxsecurity.com/advisor...sory-3645.html

Distribution: Slackware

9/16/2003 - openssh Buffer management error
These fix a buffer management error found in versions of OpenSSH earlier than 3.7. The possibility exists that this error could allow a remote exploit, so we recommend all sites running OpenSSH upgrade to the new OpenSSH package immediately.
http://www.linuxsecurity.com/advisor...sory-3630.html

9/17/2003 - openssh buffer management errors
These packages fix additional buffer management errors that were not corrected in the recent 3.7p1 release.
http://www.linuxsecurity.com/advisor...sory-3639.html

9/17/2003 - sendmail multiple vulnerabilities
There are multiple vulnerabilities in the sendmail package.
http://www.linuxsecurity.com/advisor...sory-3640.html

Distribution: SuSE

9/16/2003 - openssh Buffer management vulnerability
A programming error has been found in code responsible for buffer management. If exploited by a (remote) attacker, the error may lead to unauthorized access to the system, allowing the execution of arbitrary commands.
http://www.linuxsecurity.com/advisor...sory-3632.html

9/18/2003 - openssh buffer management errors
A programming error has been found in code responsible for buffer management.
http://www.linuxsecurity.com/advisor...sory-3657.html

Distribution: Trustix

9/17/2003 - openssh buffer management error
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors.
http://www.linuxsecurity.com/advisor...sory-3641.html

9/17/2003 - mysql buffer overflow vulnerability
Fixed buffer overflow in SET PASSWORD which could potentially be exploited by MySQL users with root privileges to execute random code or to gain shell access.
http://www.linuxsecurity.com/advisor...sory-3642.html

Distribution: TurboLinux

9/17/2003 - openssh buffer management error
This vulnerability may allow a remote attacker to execute arbitrary code.
http://www.linuxsecurity.com/advisor...sory-3643.html

9/18/2003 - sendmail buffer overflow vulnerabilities
The potential buffer overflows are in ruleset parsing and address parsing for sendmail.
http://www.linuxsecurity.com/advisor...sory-3653.html

Distribution: YellowDog

9/18/2003 - openssh buffer management errors
Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1.
http://www.linuxsecurity.com/advisor...sory-3654.html

9/18/2003 - sendmail buffer overflow vulnerabilities
Michal Zalewski found a bug in the prescan() function of unpatched Sendmail versions prior to 8.12.10.
http://www.linuxsecurity.com/advisor...sory-3655.html
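Nearly every OpenSSH advisory in this week's LAW digest describes the same defect: a buffer's size field is marked as grown before the reallocation is attempted, so a failed realloc (or a fatal() path whose cleanup handlers still trust the size field) leaves the bookkeeping describing memory the buffer never obtained. The following C program is an added example written for this report, not OpenSSH's own code: a hypothetical growable buffer (growbuf) with the unsafe ordering beside the corrected ordering, and a pluggable allocator hook (realloc_hook) so the failure path can be exercised deterministically. GROWBUF_STEP and GROWBUF_MAX are values chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not OpenSSH's code): a hypothetical growable buffer showing
 * the defect class the advisories describe beside the corrected ordering.
 * GROWBUF_STEP and GROWBUF_MAX are values chosen for this example. */
#define GROWBUF_STEP 4096            /* initial size and growth slack */
#define GROWBUF_MAX  (1024 * 1024)   /* hard cap on a single buffer */

typedef struct {
    unsigned char *buf;   /* backing storage */
    size_t alloc;         /* bytes actually owned by buf */
    size_t end;           /* bytes in use */
} growbuf;

/* Allocation hook so the out-of-memory path can be triggered on demand. */
static void *(*realloc_hook)(void *, size_t) = realloc;
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

static int growbuf_init(growbuf *b) {
    b->buf = malloc(GROWBUF_STEP);
    if (b->buf == NULL) return -1;
    b->alloc = GROWBUF_STEP;
    b->end = 0;
    return 0;
}

/* The pattern the advisories warn about: alloc is bumped BEFORE the
 * reallocation is attempted.  If it fails, alloc now claims memory the buffer
 * never obtained, and any later code trusting alloc (an error-path cleanup
 * handler, for instance) reads or writes past the real allocation. */
static int growbuf_reserve_unsafe(growbuf *b, size_t len) {
    unsigned char *p;
    b->alloc += len + GROWBUF_STEP;           /* bookkeeping updated first */
    p = realloc_hook(b->buf, b->alloc);
    if (p == NULL) return -1;                 /* alloc and buf now disagree */
    b->buf = p;
    return 0;
}

/* Corrected ordering: validate the request, reallocate into a temporary, and
 * update alloc only once the memory exists.  On failure nothing changes. */
static int growbuf_reserve(growbuf *b, size_t len) {
    unsigned char *p;
    size_t newalloc;
    if (b->alloc - b->end >= len) return 0;   /* already enough room */
    if (len > GROWBUF_MAX - b->end) return -1; /* over the cap; also blocks overflow */
    newalloc = b->end + len + GROWBUF_STEP;
    if (newalloc > GROWBUF_MAX) newalloc = GROWBUF_MAX;
    p = realloc_hook(b->buf, newalloc);
    if (p == NULL) return -1;                 /* alloc and buf still consistent */
    b->buf = p;
    b->alloc = newalloc;
    return 0;
}

static int growbuf_append(growbuf *b, const void *data, size_t len) {
    if (growbuf_reserve(b, len) != 0) return -1;
    memcpy(b->buf + b->end, data, len);
    b->end += len;
    return 0;
}

/* Grow while the allocator is failing; return 1 if alloc still matches the
 * memory really owned, 0 if not, -1 if setup failed. */
static int consistent_after_failed_grow(int use_safe) {
    growbuf b;
    size_t owned;
    int rc, consistent;
    if (growbuf_init(&b) != 0) return -1;
    owned = b.alloc;
    realloc_hook = failing_realloc;
    rc = use_safe ? growbuf_reserve(&b, 100000) : growbuf_reserve_unsafe(&b, 100000);
    realloc_hook = realloc;
    consistent = (rc == -1 && b.alloc == owned);
    free(b.buf);
    return consistent;
}

/* Two appends that together exceed the initial size; 1 if contents survive. */
static int append_roundtrip(void) {
    growbuf b;
    unsigned char block[3000];
    int ok;
    if (growbuf_init(&b) != 0) return 0;
    memset(block, 'A', sizeof block);
    ok = growbuf_append(&b, block, sizeof block) == 0;
    memset(block, 'B', sizeof block);
    ok = ok && growbuf_append(&b, block, sizeof block) == 0;
    ok = ok && b.end == 6000 && b.alloc >= b.end && b.buf[0] == 'A'
            && b.buf[2999] == 'A' && b.buf[3000] == 'B' && b.buf[5999] == 'B';
    free(b.buf);
    return ok;
}

/* A request above the cap is refused without touching the buffer. */
static int rejects_oversize(void) {
    growbuf b;
    int ok;
    if (growbuf_init(&b) != 0) return 0;
    ok = growbuf_reserve(&b, GROWBUF_MAX + 1) == -1 && b.alloc == GROWBUF_STEP;
    free(b.buf);
    return ok;
}

int main(void) {
    printf("unsafe grow, realloc fails, bookkeeping consistent: %d\n", consistent_after_failed_grow(0));
    printf("safe grow,   realloc fails, bookkeeping consistent: %d\n", consistent_after_failed_grow(1));
    printf("append round trip ok: %d, oversize rejected: %d\n", append_roundtrip(), rejects_oversize());
    return 0;
}
```

The point to take from the two reserve functions is the order of operations, not the arithmetic: in the corrected version every early return leaves buf, alloc and end exactly as they were, so a cleanup handler that runs after a failed grow still sees a structure that describes real memory.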
Sep 22nd 2003 (ISS)
Internet Security Systems
Date Reported: 09/12/2003
Brief Description: vbPortal auth.inc.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, vbPortal 2.0 alpha 8.1, Windows Any version
Vulnerability: vbportal-authinc-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13181

Date Reported: 09/14/2003
Brief Description: Spider remove_newlines function HOME buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Spider 1.1, Unix Any version
Vulnerability: spider-removenewlinesfunction-home-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13190

Date Reported: 09/16/2003
Brief Description: OpenSSH large packet buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Cisco CatOS Any version, CiscoWorks 1105 HSE Any version, CiscoWorks 1105 WLSE Any version, CiscoWorks SN 5428 Storage Router 2-3.3.1-K9, CiscoWorks SN 5428 Storage Router 2-3.3.2-K9, CiscoWorks SN 5428 Storage Router 2.5.1-K9, CiscoWorks SN 5428 Storage Router 3.2.1-K9, CiscoWorks SN 5428 Storage Router 3.2.2-K9, CiscoWorks SN 5428 Storage Router 3.3.1-K9, CiscoWorks SN 5428 Storage Router 3.3.2-K9, Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Debian Linux 3.0, EnGarde Secure Linux Community Edition, EnGarde Secure Linux Professional Edition, FreeBSD 4.0-Stable, Gentoo Linux Any version, Immunix OS 7+-beta, NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6, NetBSD 1.6.1, NetBSD-current pre20030917, OpenSSH prior to 3.7, Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red Hat Enterprise Linux 2.1WS, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 7.x, Red Hat Linux 8.0, Red Hat Linux 9, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux current, SuSE eMail Server 3.1, SuSE eMail Server III Any version, SuSE Linux 7.2, SuSE Linux 7.3, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux Standard Server 8, SuSE Linux Connectivity Server Any version, SuSE Linux Database Server Any version, SuSE Linux Enterprise Server 7, SuSE Linux Enterprise Server 8, SuSE Linux Firewall Any version, SuSE Linux Office Server Any version, Trustix Secure Linux 1.2, Trustix Secure Linux 1.5, Trustix Secure Linux 2.0, Turbolinux 7 Server, Turbolinux 7 Workstation, Turbolinux 8 Server, Turbolinux 8 Workstation, TurboLinux Advanced Server 6, Turbolinux Server 6.1, Turbolinux Server 6.5, Turbolinux Workstation
Vulnerability: openssh-packet-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13191

Date Reported: 09/14/2003
Brief Description: Spider spider_defaults_objects_initialize function OPENWINHOME or XVIEWHOME buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Spider 1.1, Unix Any version
Vulnerability: spider-spiderdefaultsobjectsinitalize-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13192

Date Reported: 09/16/2003
Brief Description: Liquidwar buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Liquidwar 5.4.5
Vulnerability: liquidwar-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13193

Date Reported: 09/14/2003
Brief Description: ChatZilla overly long string causes denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: ChatZilla 0.8.23 and earlier, Linux Any version
Vulnerability: chatzilla-string-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13196

Date Reported: 09/16/2003
Brief Description: DSPAM insecure permissions could allow local attacker to gain elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: DSPAM 2.6.5, DSPAM 2.6.5.1, Unix Any version
Vulnerability: dspam-insecure-permissions
X-Force URL: http://xforce.iss.net/xforce/xfdb/13197

Date Reported: 09/16/2003
Brief Description: KDM pam_krb5 module configuration may allow local attacker to gain root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, Debian Linux 3.0, K Desktop Environment (KDE) 3.1.3 and earlier, Linux Any version, Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: kdm-pamkrb5-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/13203

Date Reported: 09/17/2003
Brief Description: Sendmail prescan function buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Debian Linux 3.0, Gentoo Linux Any version, Immunix OS 7+-beta, Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red Hat Enterprise Linux 2.1WS, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9, Sendmail 8.12.9 and earlier, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux current, SuSE Linux 7.2, SuSE Linux 7.3, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux Connectivity Server Any version, SuSE Linux Database Server Any version, SuSE Linux Enterprise Server 7, SuSE Linux Enterprise Server 8, SuSE Linux Firewall Any version, SuSE Linux Office Server Any version, Turbolinux 7 Server, Turbolinux 7 Workstation, Turbolinux 8 Server, Turbolinux 8 Workstation, TurboLinux Advanced Server 6, Turbolinux Server 6.1, Turbolinux Server 6.5, Turbolinux Workstation 6.0
Vulnerability: sendmail-prescan-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13204

Date Reported: 09/16/2003
Brief Description: KDM weak session cookie encryption
Risk Factor: Low
Attack Type: Network Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, Debian Linux 3.0, K Desktop Environment (KDE) 3.1.3 and earlier, Linux Any version, Red Hat Advanced Server 2.1AS, Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1ES, Red Hat Enterprise Linux 2.1WS, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: kdm-cookie-weak-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13205

Date Reported: 09/17/2003
Brief Description: XFree86 weak session cookie encryption
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, XFree86 4.x
Vulnerability: xfree-cookie-weak-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13213

Date Reported: 09/17/2003
Brief Description: OpenSSH buffer management errors could allow an attacker to execute code
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Debian Linux 3.0, EnGarde Secure Linux 1.0.1, EnGarde Secure Linux Community Edition, EnGarde Secure Linux Professional Edition, OpenPKG 1.2, OpenPKG 1.3, OpenPKG CURRENT, OpenSSH prior to 3.7.1, Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red Hat Enterprise Linux 2.1WS, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux current, SuSE eMail Server 3.1, SuSE eMail Server III Any version, SuSE Linux 7.2, SuSE Linux 7.3, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux Standard Server 8, SuSE Linux Connectivity Server Any version, SuSE Linux Database Server Any version, SuSE Linux Enterprise Server 7, SuSE Linux Enterprise Server 8, SuSE Linux Firewall Any version, SuSE Linux Office Server Any version, Trustix Secure Linux 1.2, Trustix Secure Linux 1.5, Trustix Secure Linux 2.0
Vulnerability: openssh-buffer-code-execution
X-Force URL: http://xforce.iss.net/xforce/xfdb/13215

Date Reported: 09/18/2003
Brief Description: IBM DB2 db2licm binary buffer overflow could allow execution of code
Risk Factor: High
Attack Type: Host Based
Platforms: IBM DB2 7.2 for Linux, Linux Any version
Vulnerability: ibm-db2-db2licm-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13217

Date Reported: 09/18/2003
Brief Description: IBM DB2 db2dart binary buffer overflow could allow execution of code
Risk Factor: High
Attack Type: Host Based
Platforms: IBM DB2 7.2 for Linux, Linux Any version
Vulnerability: ibm-db2-db2dart-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13218

Date Reported: 09/18/2003
Brief Description: Linux kernel proc.* sysctl tree denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux kernel Any version, NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6, NetBSD 1.6.1, NetBSD-current pre20030825
Vulnerability: linux-proc-sysctl-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13235

Date Reported: 09/18/2003
Brief Description: Linux kernel sysctl helper could allow an attacker to read kernel memory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux kernel Any version, NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6, NetBSD 1.6.1, NetBSD-current pre20030825
Vulnerability: linux-helper-read-memory
X-Force URL: http://xforce.iss.net/xforce/xfdb/13236

Date Reported: 09/18/2003
Brief Description: Mambo Site Server banners.php script could disclose sensitive information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site Server 4.0.14, Solaris Any version, Windows Any version
Vulnerability: mambo-bannersphp-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13237

Date Reported: 09/18/2003
Brief Description: Mambo Site Server banners.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site Server 4.0.14, Solaris Any version, Windows Any version
Vulnerability: mambo-banners-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13238

Date Reported: 09/18/2003
Brief Description: Mambo Site Server emailfriend scripts could allow a remote attacker to obtain sensitive information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site Server 4.0.14, Solaris Any version, Windows Any version
Vulnerability: mambo-emailfriend-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13239

Date Reported: 09/18/2003
Brief Description: Mambo Site Server contact.php script allows email to be sent anonymously
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site Server 4.0.14, Solaris Any version, Windows Any version
Vulnerability: mambo-contact-anonymous-email
X-Force URL: http://xforce.iss.net/xforce/xfdb/13240

Date Reported: 09/19/2003
Brief Description: hztty multiple buffer overflows could allow execution of code with root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, hztty Any version, Linux Any version, Unix Any version
Vulnerability: hztty-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13243

Date Reported: 09/19/2003
Brief Description: IBM DB2 Discovery Service denial of service caused by specially-crafted packet
Risk Factor: Low
Attack Type: Network Based
Platforms: IBM DB2 7.2, Linux Any version
Vulnerability: db2-discoveryservice-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13244

Date Reported: 09/20/2003
Brief Description: LSH heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, LSH 1.5, LSH 1.5.1, LSH 1.5.2, LSH prior to 1.4.3, Unix Any version
Vulnerability: lsh-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13245

Date Reported: 09/20/2003
Brief Description: myPHPNuke SQL injection $aid SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, myPHPNuke 1.8.8, Unix Any version, Windows Any version
Vulnerability: myphpnuke-aid-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13246

Date Reported: 09/19/2003
Brief Description: Midnight Commander vfs_s_resolve_symlink buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Midnight Commander 4.5.52 through 4.6.0, Unix Any version
Vulnerability: midnight-commander-vfssresolvesymlink-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13247
Sep 22nd 2003 (SF)
SecurityFocus
2. Man Utility MANPL Environment Variable Buffer Overrun Vulner...
BugTraq ID: 8602
Remote: No
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8602
Summary:
The man utility is used for formatting and displaying various system manuals and documentation. It is possible to specify the length of lines to display using the MANPL environment variable. It has been reported that the man utility may be prone to a buffer overrun condition when handling environment variable data. The problem is said to specifically occur due to insufficient bounds checking when handling data stored within the MANPL variable. As a result of this issue, a local attacker may be capable of executing arbitrary code with the privileges of man, typically setgid 'man'. This could be accomplished by placing approximately 128 or more bytes of data within the affected environment variable and invoking man. It should be noted that some vendors are said to apply a patch to affected man releases; however, some systems may still deploy the vulnerable version with setgid privileges.

3. myServer cgi-lib.dll Remote Buffer Overflow Vulnerability
BugTraq ID: 8612
Remote: Yes
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8612
Summary:
myServer is an application and web server for Microsoft Windows and Linux operating systems. myServer has been reported prone to a remote buffer overflow vulnerability. This issue is reported to exist in the cgi-lib.dll file. The issue presents itself when the software attempts to process string values of excessive length for URI variables. This will cause adjacent regions of memory to be corrupted with data contained in the malicious string. This will likely result in a crash due to the server attempting to dereference an invalid memory address. However, it is possible that this vulnerability may also allow the execution of arbitrary instructions, since the attacker may be able to leverage memory corruption to control the execution flow of the server process. Any instructions carried out through this vulnerability would be with the privileges of the web server process. However, the possibility of code execution has not been confirmed. This vulnerability was reported for myServer version 0.4.3 and earlier.

4. vbPortal Authentication SQL Injection Vulnerability
BugTraq ID: 8613
Remote: Yes
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8613
Summary:
vbPortal is a portal application which can be used in conjunction with vBulletin forums. It has been reported that vbPortal is prone to SQL injection attacks when authenticating users. The problem occurs due to insufficient sanitization of the $aid variable, used to store the name of the authenticating user. Specifically, slashes are not placed into the value of $aid to escape any control characters after the data has been base64 decoded. The exploitable SQL query can be seen below:

$result=mysql_query("SELECT password as pwd FROM user WHERE username = '$aid'");

As a result, an attacker may supply data within the username designed to prematurely terminate the string and influence the logic of this SQL query. This may be exploited to expose sensitive information, or potentially to launch attacks against the underlying database. This issue can be exploited by making a malicious HTTP request to the auth.inc.php script, including a base64 encoded payload embedded within the 'admin' URI parameter.

12. DSPAM Insecure Default Permissions Privilege Escalation Vuln...
BugTraq ID: 8623
Remote: No
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8623
Summary:
DSPAM is an anti-spam application designed for use with most Unix mail applications. Beginning with DSPAM 2.6.5, an option was included in the program that allows a user to supply a delivery agent and quarantine agent via the command line. A vulnerability has been reported for DSPAM that may allow an attacker to execute arbitrary code with elevated privileges. The issue lies in the fact that DSPAM is installed world-executable and setgid by default. As a result, an unprivileged attacker may supply a malicious executable to the application as an argument when specifying a delivery or quarantine agent. When invoked, the executable will be run with the group privileges of DSPAM, typically mail. This privilege escalation could assist in further attacks launched against a target system.

16. ChatZilla Remote Denial of Service Attack
BugTraq ID: 8627
Remote: Yes
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8627
Summary:
ChatZilla is an IRC client for Linux operating systems. ChatZilla is based on JavaScript and XUL and is shipped with the Mozilla web browser. A vulnerability has been reported to exist in the software that may allow a remote attacker to cause a denial of service condition in ChatZilla. The issue presents itself when a remote attacker posing as an IRC server sends specially crafted requests containing long string values to a vulnerable system. The attack may cause the software to behave in an unstable manner, leading to a crash. Successful exploitation of this vulnerability may allow a remote attacker to cause the vulnerable software to crash. It is not known if this condition could also be exploited to execute arbitrary code on the client. ChatZilla versions 0.8.23 and prior are reported to be prone to this issue.

17. OpenSSH Buffer Mismanagement Vulnerabilities
BugTraq ID: 8628
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8628
Summary:
A buffer mismanagement vulnerability has been reported in OpenSSH. This issue exists in the 'buffer.c' source file. The source of the problem is that a buffer structure's size value may be expanded before the program attempts to reallocate the buffer using this size. If the expanded buffer size triggers a call to fatal(), a series of cleanup functions registered by the daemon will be called prior to exiting the program. As one of these functions may then reference the data within the buffer, including the unused expanded value, a miscalculation could potentially occur. Depending on how the cleanup functions reference this data, it may be theoretically possible for heap-based memory to be corrupted. This condition can reportedly be triggered by an overly large packet. External sources, including the vendor, do not believe that this issue could be exploited to execute arbitrary code, though it may potentially be used to cause a denial of service. There are also unconfirmed rumors of an exploit for this vulnerability circulating in the wild. The impact may be reduced by the implementation of privilege separation on affected versions of OpenSSH. OpenSSH has revised their advisory, pointing out a similar issue in the channels.c source file and an additional issue. Solar Designer has also reportedly pointed out additional instances of the problem that may also present vulnerabilities. Individual BIDs will be created for these additional issues when further analysis is complete.

18. Liquid War HOME Environment Variable Buffer Overflow Vulnera...
BugTraq ID: 8629
Remote: No
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8629
Summary:
Liquid War is a multiplayer computer game available for multiple platforms. Liquid War has been reported prone to a buffer overflow condition when handling HOME environment variables of excessive length. The issue presents itself due to a lack of sufficient boundary checks performed on data contained in the HOME environment variable before it is copied into a reserved buffer in stack-based memory. Data that exceeds the size of the affected buffer may overrun its bounds and corrupt adjacent memory. It has been reported that a local attacker may exploit this condition to execute arbitrary instructions with GID Games privileges. It should be noted that although this vulnerability has been reported to affect Liquid War version 5.4.5, other versions might also be affected.

19. Spider HOME Environment Variable Heap Overflow Vulnerability...
BugTraq ID: 8630
Remote: No
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8630
Summary:
Spider is a solitaire game for the X Window System. It is distributed as part of the Debian Linux distribution. Spider has been reported prone to a heap overflow condition when handling HOME environment variables of excessive length. The issue presents itself because a call to calloc() allocates '(strlen(str) + 256)' bytes as the buffer size; it is possible for an attacker to trigger the allocation of an insufficient buffer by crafting a value for the 'str' variable that contains '~/' sequences, which will later be expanded to the data contained in the 'HOME' environment variable. An attacker may leverage this condition to corrupt adjacent malloc chunk headers with attacker-supplied data. Although unconfirmed, it may ultimately be possible for a local attacker to exploit this condition to execute arbitrary instructions with GID Games privileges. It should be noted that although this vulnerability has been reported to affect Spider version 1.1, other versions might also be affected.

20. Spider OPENWINHOME/XVIEWHOME Environment Variables Buffer Ov...
BugTraq ID: 8631
Remote: No
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8631
Summary:
Spider is a solitaire game for the X Window System. It is distributed as part of the Debian Linux distribution. Spider has been reported prone to a buffer overflow condition when handling OPENWINHOME or XVIEWHOME environment variables of excessive length. The issue presents itself due to a lack of sufficient boundary checks performed on data contained in the OPENWINHOME or XVIEWHOME environment variables before they are copied as part of an interpolated string into a reserved 256 byte buffer in stack-based memory. Data that exceeds the size of the affected buffer may overrun its bounds and corrupt adjacent memory. It has been reported that a local attacker may exploit this condition to execute arbitrary instructions with GID Games privileges. It should be noted that although this vulnerability has been reported to affect Spider version 1.1, other versions might also be affected.

24. KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerab...
BugTraq ID: 8635
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8635
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop Environment. It is available for Linux/Unix operating systems. KDM provides a graphical login interface for KDE. A problem has been reported in the KDE Display Manager (KDM) when used in combination with Pluggable Authentication Modules (PAM). Because of this, an attacker may be able to gain unauthorized access to systems. The problem is in the handling of specific authentication requests passed through pam_setcred. Under some circumstances, the result of the pam_setcred call is not checked. An attacker could create a malicious request that circumvents authentication checking to gain unauthorized access to a system. It should be noted that this problem occurs when KDM is used in combination with the pam_krb5 module.

25. KDE KDM Session Cookie Generation Weakness
BugTraq ID: 8636
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8636
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop Environment.
It is available for Linux/Unix operating systems. KDM provides a graphical login interface for KDE. KDM uses a weak algorithm to generate session cookies. In particular, the session cookie generation algorithm is not sufficient for generating 128 bits of entropy. This may potentially make brute-forcing of session cookies a practical endeavor, inevitably enabling an adversary to hijack a KDM user session. For exploitation to be successful, the adversary must also be able to bypass any host-based restrictions. It is most likely that a malicious local user could potentially exploit this to gain unauthorized access to another user's existing session. 30. Sendmail Prescan() Variant Remote Buffer Overrun Vulnerabili... BugTraq ID: 8641 Remote: Yes Date Published: Sep 17 2003 Relevant URL: http://www.securityfocus.com/bid/8641 Summary: Sendmail is prone to a buffer overrun vulnerability in the prescan() function. This issue is different than the vulnerability described in BID 7230. The issue exists in the parseaddr.c source file and could allow for corruption of stack or heap memory depending on where in the code the function is called from. One possible attack vector is if the function is indirectly invoked via parseaddr(), though others may also exist. This vulnerability could permit remote attackers to execute arbitrary code via vulnerable versions of Sendmail. This would occur with the privileges of the server. The vendor has reported that versions prior to version 8.12.10, are vulnerable. Additionally it has been reported that commercial releases including all versions of Sendmail Advanced Message Server, Sendmail Pro, Sendmail Switch and Sendmail for NT are also vulnerable. 32. NetBSD Sysctl Argument Handling Vulnerabilities BugTraq ID: 8643 Remote: No Date Published: Sep 18 2003 Relevant URL: http://www.securityfocus.com/bid/8643 Summary: Multiple vulnerabilities have been reported in the sysctl system call for NetBSD systems. 
A kernel panic could be the result of some sysctl nodes attempting to dereference a NULL pointer. In particular, a pointer variable was mistakenly used for pointing to a user-level and a kernel level address. A NULL pointer could be set to the variable by a user, potentially causing a kernel panic and denying service to legitimate users of the system. If the process ID of a zombie process is passed to the system call, this could cause a kernel panic. This could occur if the proc.* sysctl tree is invoked on a zombie process, which would have invalid or non-existent process information. This could potentially be exploited by a user to cause a kernel panic, denying service to legitimate users of the system. Some sysctl nodes do not implement sufficient range checking, potentially allowing kernel memory to be read. The proc.curproc.rlimit subtree has a number of nodes that contain information about process limits. sysctl provides a helper that is used to manipulate these values, which does not implement sufficient range checking, potentially allowing values outside of the rlimit structure to be read. This could permit a local user to browse kernel memory, potentially gaining access to sensitive information such as credentials. This issue may be similar to the vulnerability described in BID 2364, which affects the Linux kernel. It is not known if other BSD derivatives are similarly affected by these issues. These issues will be separated into individual BIDs when further analysis is complete. 35. Multiple Mambo Open Source 4.0.14 Server Vulnerabilities BugTraq ID: 8647 Remote: Yes Date Published: Sep 18 2003 Relevant URL: http://www.securityfocus.com/bid/8647 Summary: Mambo Open Source is a web based content management system. Several issues have been identified in Mambo Open Source Server. Because of these issues, an attacker may be able to gain unauthorized access to sensitive data and/or send e-mail/spam to arbitrary recipients. 
The vulnerabilities are caused by insufficient sanitization of user-supplied data. The following problems have been reported to exist: Multiple SQL injection vulnerabilities may exist in the banners.php and emailfriend/emailarticle.php modules of the software allow a remote attacker to inject malicious SQL syntax into database queries. A remote attacker may exploit the issues to influence SQL query logic. These issues may allow an attacker to gain access to sensitive data stored in the database. Other attacks on the underlying database are possible as well. An input validation issue has been reported in the sendmail function of contact.php module of the software. It is possible for a remote attacker to exploit this lack of input validation to send anonymous e-mail to arbitrary recipients, possibly in large volumes. The may be accomplished by passing URL arguments to the following parameters in order to send email to recipients: $text, $from, $name, $email_to, and $sitename. This issue may allow an attacker to conceal their identity and send e-mail/spam to arbitrary recipients. Mambo Open Source Server 4.0.14 has been reported to be prone to this problem, however other versions may be affected as well. This BID will be divided into individual BIDs when further analysis of the issues is complete. 37. Sendmail Ruleset Parsing Buffer Overflow Vulnerability BugTraq ID: 8649 Remote: Unknown Date Published: Sep 17 2003 Relevant URL: http://www.securityfocus.com/bid/8649 Summary: Sendmail is a widely used MTA for Unix and Microsoft Windows systems. Sendmail has been reported prone to a buffer overflow condition when parsing non-standard rulesets. It has been reported that an attacker may trigger a buffer overflow condition in Sendmail, when Sendmail parses specific rulesets. Non-standard rulesets recipient(2), final(4) and mailer-specific envelope recipient may be used as an attack vector to trigger this vulnerability. 
It should be noted that Sendmail under a default configuration is not vulnerable to this condition. It is not currently known, if this vulnerability may potentially be exploited to execute arbitrary code. However due to the nature of the condition, although unconfirmed, it has been conjectured that ultimately an attacker may exploit this condition to execute arbitrary code in the context of the affected Sendmail server. It is not currently known if this vulnerability is restricted to local exploitation or if the issue may also be exploited remotely. Explicit technical details regarding this vulnerability are not currently available; this BID will be updated as further details are disclosed. 39. HLSW RCON Console Password Disclosure Weakness BugTraq ID: 8651 Remote: Yes Date Published: Sep 18 2003 Relevant URL: http://www.securityfocus.com/bid/8651 Summary: HLSW RCON Console is used to remotely administer Half-Life and Counter-Strike game servers. It has been reported that RCON game server console is prone to a plaintext password disclosure weakness because user passwords are not encrypted when exchanged between a client and a server. This issue may allow an attacker who is in a position to eavesdrop on client-server network traffic to harvest user authentication information. Successful exploitation of this weakness may allow a remote attacker to steal authentication information. The attacker could use this information to compromise the console. Latent vulnerabilities in the console which require authentication may also be exploited if the console is compromised. Although unconfirmed HLSW versions 1.0.0.8 beta and prior could be prone to this issue. |
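The buffer.c bookkeeping defect described in item 17 (OpenSSH), modelled as an added example in constructed C rather than OpenSSH's own code: the size field is raised before the grow limit check fails, so a cleanup routine that trusts that field on the fatal() path reaches beyond the memory that was actually allocated. GROW_LIMIT, the struct fields and the function names are assumptions for the demonstration.

```c
/* Added example, not OpenSSH's code: models the buffer.c bookkeeping bug of
 * item 17. A cleanup handler run on the fatal() path trusts buf->alloc; when
 * alloc is raised before the size check fails, the handler reaches past the
 * memory the buffer really owns. GROW_LIMIT is a constructed stand-in. */
#include <stdlib.h>
#define GROW_LIMIT 4096

struct buffer {
    unsigned char *buf;
    size_t alloc;   /* size the code believes buf has */
    size_t owned;   /* size actually allocated (demo bookkeeping only) */
};

/* fatal()-path cleanup wipes alloc bytes of buf. Returns 1 if that would run
 * beyond the real allocation, i.e. the heap corruption the advisory describes. */
int cleanup_would_overrun(const struct buffer *b) { return b->alloc > b->owned; }

/* Vulnerable ordering: alloc is committed before the limit check can fail. */
int append_space_vuln(struct buffer *b, size_t len) {
    b->alloc += len + 32;
    if (b->alloc > GROW_LIMIT)
        return -1;                       /* fatal(): realloc never happened */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (p == NULL) return -1;
    b->buf = p; b->owned = b->alloc;
    return 0;
}

/* Fixed ordering: compute, check, and commit only after realloc succeeds. */
int append_space_fixed(struct buffer *b, size_t len) {
    size_t newlen = b->alloc + len + 32;
    if (newlen > GROW_LIMIT)
        return -1;                       /* state untouched on failure */
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL) return -1;
    b->buf = p; b->alloc = b->owned = newlen;
    return 0;
}

/* One scenario: a 1024-byte buffer gets a request larger than the limit (the
 * "overly large packet"). Returns 1 if the cleanup would overrun. */
int grow_then_fail(int use_fixed) {
    struct buffer b = { calloc(1024, 1), 1024, 1024 };
    int rc = use_fixed ? append_space_fixed(&b, 8192) : append_space_vuln(&b, 8192);
    int overrun = rc != 0 && cleanup_would_overrun(&b);
    free(b.buf);
    return overrun;
}
```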
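The calloc sizing defect described in item 19 (Spider), as an added example in constructed C that is not Spider's code: the reserved size is computed from the input length alone, while tilde expansion later grows the string by the length of HOME for every '~/' sequence. It assumes expansion replaces the '~' of each '~/' with HOME and keeps the slash; the function names and the sample input are constructed.

```c
/* Added example, not Spider's code: models the calloc sizing bug of item 19.
 * It assumes tilde expansion replaces the "~" of each "~/" with $HOME, so an
 * input with many "~/" sequences expands far beyond strlen(str) + 256. */
#include <stdlib.h>
#include <string.h>
/* Size the vulnerable code reserves: fixed slack that ignores $HOME entirely. */
size_t naive_size(const char *str) { return strlen(str) + 256; }
/* Number of "~/" sequences that will be expanded. */
size_t count_tilde_slash(const char *str) {
    size_t n = 0;
    for (const char *p = str; (p = strstr(p, "~/")) != NULL; p += 2)
        n++;
    return n;
}

/* Bytes to reserve: each "~/" grows by strlen(home) - 1; reserving strlen(home)
 * per occurrence plus the NUL is a simple safe upper bound. */
size_t needed_size(const char *str, const char *home) {
    return strlen(str) + count_tilde_slash(str) * strlen(home) + 1;
}

/* Expand into a buffer sized from needed_size(); caller frees the result. */
char *expand_home(const char *str, const char *home) {
    size_t hl = strlen(home);
    char *out = malloc(needed_size(str, home)), *w = out;
    if (out == NULL) return NULL;
    for (const char *p = str; *p != '\0'; ) {
        if (p[0] == '~' && p[1] == '/') {
            memcpy(w, home, hl); w += hl; p++;     /* drop '~', keep '/' */
        } else {
            *w++ = *p++;
        }
    }
    *w = '\0';
    return out;
}

/* Returns 1 if a $HOME of home_len bytes (constructed) makes the expansion of
 * the short input "~/a ~/b" outgrow the naive allocation, i.e. the overflow. */
int naive_alloc_too_small(size_t home_len) {
    char *home = malloc(home_len + 1);
    if (home == NULL) return -1;
    memset(home, 'x', home_len); home[home_len] = '\0';
    const char *str = "~/a ~/b";
    char *e = expand_home(str, home);
    int too_small = e != NULL && strlen(e) + 1 > naive_size(str);
    free(e); free(home);
    return too_small;
}
```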