SecurityFocus
2. LSH Remote Buffer Overflow Vulnerability
BugTraq ID: 8655
Remote: Yes
Date Published: Sep 19 2003
Relevant URL:
http://www.securityfocus.com/bid/8655
Summary:
lsh is a free software implementation of the ssh version 2 protocol. It is
available for multiple platforms including Linux, Unix and Apple.
lsh has been reported prone to a remote buffer overflow vulnerability. The
condition is reported to present itself under fairly restrictive
circumstances; specifically the vulnerable server must receive malicious
exploit data before any other communications after it has been started.
The vulnerability has been reported to exist in read_line.c, inside an
error reporting function. It has been reported that the vulnerable
function does not return from a reporting procedure, and instead writes
arbitrary data past the end of a reserved buffer in heap-based memory.
This will eventually lead to the corruption of adjacent heap based
management structures.
This vulnerability has been reported to be exploitable pre-authentication,
resulting in the execution of arbitrary attacker supplied instructions in
the context of the affected daemon.
Although this issue has been reported to affect lsh versions 1.4.x, other
versions may also be affected.
3. Debian hztty Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 8656
Remote: No
Date Published: Sep 19 2003
Relevant URL:
http://www.securityfocus.com/bid/8656
Summary:
Debtian hztty is a program used to translate Chinese character encodings
in terminal sessions.
It has been reported that hztty is prone to multiple buffer overflow
issues that may allow an attacker to gain unauthroized access to a host
running the vulnerable software.
The conditions are present due to insufficient boundary checking. An
attacker may leverage the issues by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing the
affected procedures to return to an address of their choice. One of these
issues is due to insufficient bounds checking of data supplied via the
'-I' command line parameter.
It has also been reported that hztty is incorrectly installed as setuid
root by default instead of group utmp privileges.
Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the user who is running the vulnerable
software in order to gain unauthorized root access to a system.
hztty version 2.0-5.2 has been reported to be prone to these issue however
other versions may be affected as well.
4. Knox Arkeia Remote Stack Corruption Vulnerability
BugTraq ID: 8657
Remote: Yes
Date Published: Sep 19 2003
Relevant URL:
http://www.securityfocus.com/bid/8657
Summary:
Arkeia Server is an enterprise-based backup software solution distributed
and maintained by Knox Software.
A remote vulnerability has been reported for the Knox Arkeia server. The
issue is believed to occur due to insufficient bounds checking when
handling data contained within a type 74 packet. As a result of this
vulnerability, a remote attacker may be capable of triggering a buffer
overrun that could allow partial or complete corruption of sensitive stack
variables. This may allow for a saved frame pointer or saved return
address to be influenced in such a way that the execution flow of the
arkeiad process can be controlled.
Successful exploitation would ultimately allow for the execution of
arbitrary code with the privileges of arkeiad, typically root.
5. Midnight Commander Virtual File System Symlink Buffer Overfl...
BugTraq ID: 8658
Remote: Yes
Date Published: Sep 19 2003
Relevant URL:
http://www.securityfocus.com/bid/8658
Summary:
Midnight Commander is a popular file management tool for Unix systems.
Among other features, Midnight Commander is provided with a code layer to
access the file system; this code layer is known as the virtual file
system(VFS).
Midnight Commander has been reported prone to a buffer overflow
vulnerability, when handling symlinks in VFS.
The issue presents itself in the vfs_s_resolve_symlink() function,
reportedly due to an un-initialized buffer being used when Midnight
Commander is handling symlinks in the virtual file system code layer,
specifically in tar and cpio VFS procedures.
An attacker may reportedly trigger this issue, using malicious tar
archives as an attack vector; to overflow the bounds of an un-initialized
reserved buffer in stack based memory. Although unconfirmed, it has been
conjectured that this condition may be leveraged to execute arbitrary
code, however a denial of service condition that causes the affected
Midnight Commander application to crash has been demonstrated.
7. ColdFusionMX Error Handler Pages Cross-Site Scripting Vulner...
BugTraq ID: 8660
Remote: Yes
Date Published: Sep 19 2003
Relevant URL:
http://www.securityfocus.com/bid/8660
Summary:
ColdFusion MX is the application server for developing and hosting
infrastructure distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft Operating Systems.
ColdFusionMX has been reported prone to a cross-site scripting
vulnerability, under some circumstances.
The issue has been reported to present itself in web sites that harness
the default ColdFusionMX Site-Wide Error Handler page, the default
ColdFusionMX Missing Template Handler has additionally been reported
vulnerable.
The vendor has reported that a HTTP header, containing malicious content
in the 'referer' field, may be used as an attack vector to inject
malicious content into the aforementioned Error handler pages of
ColdFusionMX.
This vulnerability may be exploited by malicious attackers, to execute
arbitrary HTML or Script code in the context of the affected site, in the
browsers of unsuspecting users.
This vulnerability has been reported to affect ColdFusion MX 6.0, 6.1(All
editions), 6.0 J2EE (All editions), 6.1 J2EE (All editions),and ColdFusion
5.0 and prior versions.
10. myPHPNuke auth.inc.php SQL Injection Vulnerability
BugTraq ID: 8663
Remote: Yes
Date Published: Sep 20 2003
Relevant URL:
http://www.securityfocus.com/bid/8663
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operating systems.
A vulnerability has been reported to exist in myPHPNuke that may allow a
remote attacker to inject malicious SQL syntax into database queries. The
source of this issue is insufficient sanitization of user-supplied input.
The problem is reported to exist in the $aid variable contained within the
auth.inc.php module. It has been reported that $aid is not sanitized for
user-supplied input before it is included in the database. A remote
attacker may exploit this issue to influence SQL query logic.
A malicious user may influence database queries in order to view or modify
sensitive information, potentially compromising the software or the
database.
myPHPNuke version 1.8.8 has been reported to be prone to this issue,
however other versions may be affected as well.
11. ipmasq Incorrect Packet Forwarding Default Ruleset Vulnerabi...
BugTraq ID: 8664
Remote: Yes
Date Published: Sep 20 2003
Relevant URL:
http://www.securityfocus.com/bid/8664
Summary:
ipmasq is a package that is used to initialize and simplify the
configuration of Linux IP Masquerade. IP Masquerade is a feature of linux
that allows multiple hosts to share a single IP address.
Debian has reported that the firewall rules configured by ipmasq may
result in incorrect (and potentially insecure) forwarding of traffic on
the gateway host. According to the report, any traffic destined for
internal hosts arriving at the external interface of the gateway will be
forwarded to the destination host on the internal network regardless of
whether the packet can be associated with an established connection or
not. This behavior is incorrect and may result in attackers gaining
unauthorized access to internal and potentially more vulnerable hosts.
ipmasq 3.5.10 has been reported to be prone to this vulnerability.
12. Imatix Xitami Long Header Denial Of Service Vulnerability
BugTraq ID: 8665
Remote: Yes
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8665
Summary:
Xitami is a web server product that is available for Microsoft Windows and
other platforms.
Xitami is prone to a denial of service vulnerability. This condition is
known to occur when a .shtm file is requested with an overly long HTTP
header. In particular, a header that is greater than or equal to 5154
bytes followed by a colon (:) will trigger this condition. Exploitation
will cause a runtime error in XIWIN32.EXE, resulting in a server crash.
The server will need to be restarted to regain normal functionality.
The server crash may be the result of a boundary condition error, though
this has not been confirmed. If this is the case, it may also be possible
to exploit this issue to execute arbitrary code.
This vulnerability is reported to affect Xitami on Windows platforms. It
is not currently known if releases for other platforms are similarly
affected.
13. Sun Java XML Document Nested Entity Denial Of Service Vulner...
BugTraq ID: 8666
Remote: No
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8666
Summary:
A problem has been identified in Sun Java when handling XML documents with
specific constructs. Because of this, an attacker with the ability to
cause the software to parse malicious XML documents may have the ability
to crash a system hosting Sun Java.
The problem is in the handling of nested entities. By default Sun Java
does not permit recursive entity definitions. This default design
prevents resource consumption and denial of service through looping entity
definitions.
However, by using multiple deeply nested entity definitions, it is
possible to cause excessive consumption of system resources. By creating
maliciously nested entity definitions, it is possible to force the Java
engine to spend excessive amounts of processor and memory resources
attempting to reach the end of nested entities, making all system
resources unavailable for a period of time. This attack could be launched
continuously to launch a prolonged denial of service.
This problem is known to affect the Sun Java Runtime Environment. Otherversions may also be affected.
15. Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun Vulne...
BugTraq ID: 8668
Remote: Yes
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8668
Summary:
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by
Washington University. Wu-Ftpd includes an option 'MAIL_ADMIN', which
allows the administrator to be e-mailed when a specific event occurs on
the server. One such event may be the uploading of a remote file.
A remote vulnerability has been discovered in Wu-Ftpd, when configured
using the 'MAIL_ADMIN' option to report file uploads, that could allow for
the execution of arbitrary code. It should be noted that Wu-Ftpd servers
running the default configuration are not affected by this vulnerability.
The problem is present within the SockPrintf() function, located within
the ftpd.c source file, and occurs due to insufficient bounds checking.
When SockPrintf() is called, a number of formatted arguments are passed to
the svprintf() function and are stored within the local stack buffer. Due
to insufficient bounds checking prior to calling svprintf(), an attacker
capable of influencing data passed to SockPrintf() may be capable of
overrunning the 32768 byte buffer with malicious data.
This issue may be exploitable through the store() function defined in
ftpd.c, which invokes the SockPrintf() function using an uploaded filename
as the 'name' argument. If an attacker was somehow capable of influencing
the size of the path used to store the uploaded file, possibly by creating
nested directories, it may be possible to construct a 'name' argument
greater then 32768 bytes. This would effectively result in the allocated
stack buffer being overrun, and could ultimately allow for the corruption
of sensitive stack variables such as a saved frame pointer or a return
address.
It should be noted that specific operating systems place a limit on the
available size of filenames. For instance, Linux limits the size to 4096
bytes. Due to this limit, this bug may not be exploitable on certain
systems. However, if the aforementioned nested directory creation is
possible, exploitation may still be possible on systems that set smaller
size limits.
Successful exploitation of this vulnerability could result in the
execution of arbitrary code with the privileges of the Wu-Ftpd server,
typically root.
18. NetUP UTM Web Interface Session ID SQL Injection Vulnerabili...
BugTraq ID: 8671
Remote: Yes
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8671
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in NetUp UTM that may allow a
remote attacker to inject malicious SQL syntax into specific database
queries. The source of this issue is insufficient sanitization of
user-supplied input.
The problem is reported to exist in the $sid variable, used to supply a
current session id. It has been reported that potential control characters
stored within the $sid variable are not escaped prior to being included
within a SELECT statement. As a result, an attacker may be capable of
hijacking a users session by supplying malicious SQL data within a request
to the NetUp UTM web interface. This could be accomplished by including
commands designed to escape the context of the expected data and influence
the logic of the query.
Successful exploitation of this issue could allow an attacker to gain
access to the account of another user whose has an active session. It
should be noted that a malicious user might also be capable of influencing
database queries in order to view or modify sensitive information,
potentially compromising the software or underlying database.
19. NetUP UTM Web Interface utm_stat Script SQL Injection Vulner...
BugTraq ID: 8672
Remote: Yes
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8672
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in NetUp UTM that may allow a
remote attacker to inject malicious SQL syntax into specific database
queries. The source of this issue is insufficient sanitization of
user-supplied input.
The problem is reported to exist when handling data passed to the
'utm_stat' script. It has been reported that potential control characters
stored within variables passed to this script are not escaped prior to
being included within various SQL queries. As a result, an attacker may
be capable of modifying sensitive attributes of their user account. This
may include current money balance and bill status. It may also be possible
to influence the configuration behavior of the server, potentially making
it possible to execute arbitrary shell commands with 'nobody' privileges.
This could be accomplished by including commands designed to escape the
context of the expected data and influence the logic of the query.
It should be noted that the implications of this vulnerability might be
exaggerated by the issue described in BID 8671. If used in conjunction,
these issues may allow an attacker to modify the account data of arbitrary
ISP users.
20. NetUp UTM Web Interface Local Privilege Escalation Vulnerabi...
BugTraq ID: 8673
Remote: No
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8673
Summary:
NetUp UTM is a billing system for Internet Service Providers (ISP). It
includes a web interface, which allows users to log in and manage their
accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
operating systems.
A vulnerability has been discovered in NetUP UTM that may allow a user who
is capable of executing code locally, gain elevated privileges. The
problem occurs due to the 'nobody' users sudoers entry allowing the use of
the '/bin/mv' utility with root privileges. As a result, a malicious user
with 'nobody' privileges may be capable of gaining root privileges on a
target system.
The implications of this vulnerability may be exaggerated by the issues
described in BID 8671, and BID 8672. If used in conjunction with these
issues an unauthorized remote attacker may be capable of gaining root
privileges on a target system.
21. Man Utility Local Compression Program Privilege Elevation Vu...
BugTraq ID: 8675
Remote: No
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8675
Summary:
The man utility is used for formatting and displaying various system
manuals and documentation. The optional .manpath file is used by man to
locate various applications used by the user.
A vulnerability has been reported in man that may allow an attacker to
gain elevated privileges. The problem lies in man failing to carry out
sufficient sanity checks before executing a user-defined compression
program. As a result, it may be possible for an attacker to execute
arbitrary code with user 'man' privileges.
An attacker could exploit this issue by creating a malicious executable,
designed to spawn a shell, and specify it as the compression program.
22. Multiple Vendor VPN Implementation Vulnerabilities
BugTraq ID: 8676
Remote: Yes
Date Published: Sep 22 2003
Relevant URL:
http://www.securityfocus.com/bid/8676
Summary:
Multiple VPN implementations, including CIPE, vtun, and tinc are prone to
security vulnerabilities.
The CIPE implementation is prone to a number of cryptographic flaws. The
flaws include lack of data integrity assurance due to the use of CRC-32
checksums, no inherent measures to protect against message
insertion/deletion attacks and incompatibilities with recent 128-bit block
cipher implementations due to use of 3-bit padding lengths.
Follow-up information has been provided regarding these reported
implementation flaws in CIPE. It appears that the use of CRC-32 checksums
is a legitimate concern, which may be configurable in future versions of
CIPE. Incompatibilities with recent 128-bit block cipher implementations
such as AES do present a possibility for cryptographic attacks on inherent
weaknesses that may exist in algorithms that are supported by CIPE. Other
reported issues such as no inherent protection against message
insertion/deletion attacks are perceived as the result of limitations in
underlying network protocols and it is reported that some of these attacks
may be impractical.
vtun is prone to flaws including weak key generation and lack of inherent
message insertion/deletion protection mechanisms.
tinc is prone to minor cryptographic weaknesses that could expose the
first encrypted block of packets to attacks, potentially exposing
encrypted data. Additional flaws have been reported in the handshake
protocol that could expose VPN communications to man-in-the-middle attacks
and threaten the integrity of the VPN.
Exploitation of these issues could compromise the security of the VPN.
Replay and man-in-the-middle attacks may be possible, in addition to
attacks which allow adversaries to partially decrypt VPN communications or
abuse trust relationships. Many of these issues may be exploited in
combination.
These issues are pending further analysis. This BID will be divided into
individual BIDs when further analysis of the issues is complete.
23. Multiple Portable OpenSSH PAM Vulnerabilities
BugTraq ID: 8677
Remote: Yes
Date Published: Sep 23 2003
Relevant URL:
http://www.securityfocus.com/bid/8677
Summary:
Multiple vulnerabilities have been reported to affect Portable OpenSSH
with PAM support enabled. It has been reported that at least one of these
vulnerabilities may be exploitable, under a non-standard configuration
with privsep disabled, by a remote attacker.
Explicit technical details regarding this vulnerability is not currently
available, this BID will be updated, as further analysis of these
conditions is complete.
This vulnerability has been reported to affect Portable OpenSSH versions
3.7p1 and 3.7.1p1. OpenBSD releases of OpenSSH do not contain the
vulnerable code and so are not reported to be affected.
24. wzdftpd Login Remote Denial of Service Vulnerability
BugTraq ID: 8678
Remote: Yes
Date Published: Sep 23 2003
Relevant URL:
http://www.securityfocus.com/bid/8678
Summary:
wzdftpd is an FTP server implementation that is available for the Unix,
Linux, and Microsoft Windows platforms.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to cause a denial of service condition. The issue
presents itself when a remote attacker sends a single CRLF character to
the program during the login process. The attack may cause the software
to act in an unstable manner.
This issue occurs due to improper sanitizing of user-supplied input and a
successful attack may allow a remote attacker to cause the vulnerable
process to crash.
wzdftpd version 0.1rc5 has been reported to be prone to this
vulnerability, however other versions across various platforms may be
affected as well.
