LQ weekly security rep - Tue Jul 30th 2002
Aug 5th 2002
9 issues (LAW)
Packages: libmm, openssl, gallery, super, libpng, FreeBSD kernel, pppd, openssh, util-linux

Aug 1st 2002
OpenSSH 3.4p1 package from ftp.openbsd.org is trojaned. Read Cartman's message, CERT or OpenSSH. Thnx Cartman

Jul 30th 2002
OpenSSL came out with a few advisories today. View Jeremy's post here, or read the security advisory at www.openssl.org.

Jul 28th 2002
10 issues (SF)
1. Geeklog HTML Attribute Cross Site Scripting Vulnerability
2. Geeklog Email Composition CRLF Injection Vulnerability
9. PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
10. Pyramid BenHur Default Firewall Weakness
11. PHP Interpreter Direct Invocation Denial Of Service Vulnerability
14. Multiple SSH Client Protocol Change Default Warning Weakness
18. Multiple Vendor Web Browser JavaScript Modifier Keypress Event Subversion Vulnerability
19. DansGuardian Hex Encoding URL Content Filter Bypass Vulnerability
21. Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability
22. VMWare GSX Server Authentication Server Buffer Overflow Vulnerability

Jul 26th 2002
3 issues (LAW)
Packages: bind, glibc, php
Jul 26th 2002 (LAW)
Linux Advisory Watch
Package: bind
Date: 07-24-2002
Description: There is a buffer overflow vulnerability in BIND4-derived resolver libraries which may be triggered by a malicious DNS server sending multiple CNAME records in a response. This may lead to arbitrary code execution or a denial of service attack.
EnGarde Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2207.html

Package: glibc
Date: 07-22-2002
Description: A buffer overflow vulnerability has been found in the way the glibc resolver handles the resolution of network names and addresses via DNS (as per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are affected. A system is vulnerable to this issue if the "networks" database in /etc/nsswitch.conf includes the "dns" entry.
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2208.html

Package: php
Date: 07-22-2002
Description: A malformed POST request can trigger an error condition that is not correctly handled. Due to this bug an uninitialised struct can get appended to the linked list of MIME headers. When the list gets cleaned or destroyed, PHP tries to free the pointers that are expected in the struct. Because of the lack of initialisation those pointers contain whatever was left on the stack by previous function calls. On the IA32 architecture (aka x86) it is not possible to control what will end up in the uninitialised struct because of the stack layout: all possible code paths leave illegal addresses within the struct and PHP will crash when it tries to free them. Unfortunately the situation is absolutely different on a Solaris SPARC installation. There it is possible for an attacker to free chunks of memory that are fully under his control. This is most probably the case for several more non-IA32 architectures.
PHP Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2206.html
Jul 28th 2002 (SF)
SecurityFocus
1. Geeklog HTML Attribute Cross Site Scripting Vulnerability
BugTraq ID: 5270
Remote: Yes
Date Published: Jul 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5270
Summary: Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.
A cross site scripting vulnerability has been reported for Geeklog 1.3.5sr1. Reportedly, Geeklog does not properly sanitize user supplied input before it is included when posting comments or writing stories. Geeklog makes efforts to sanitize malicious user supplied input by stripping out HTML elements that are used for scripting. However, Geeklog does not properly remove HTML attributes that are used for the same purpose, so it is possible for an attacker to include malicious HTML code using those attributes. As an example, if an attacker were to supply malicious HTML code as part of an onMouseOver JavaScript event, the malicious code would not be properly sanitized.
An attacker may construct a link containing dangerous HTML code and send it to a vulnerable user. If a user of the site follows this link, the script code will be rendered and executed within the context of the vulnerable site. It may be possible to access sensitive data such as authentication credentials, or to take actions as a validated user on the hosted forum. This issue may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

2. Geeklog Email Composition CRLF Injection Vulnerability
BugTraq ID: 5271
Remote: Yes
Date Published: Jul 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5271
Summary: Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.
A vulnerability has been reported for Geeklog that may allow an attacker to include extra email headers when composing email to other Geeklog users. Geeklog prevents the disclosure of a user's real email address for privacy reasons. However, an attacker is able to obtain a user's real email address by including extra headers when composing an email using Geeklog's 'Send Email' facility. The attacker does this by appending a CRLF sequence followed by an email header field to the subject field; the extra header field is then sent as part of the message, which can be used to obtain the user's real email address.

9. PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
BugTraq ID: 5278
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5278
Summary: PHP is a general purpose scripting language that is used for Web development. It is available for various platforms including Linux and Unix variants as well as Microsoft Windows operating systems.
A vulnerability has been reported for PHP versions 4.2.0 and 4.2.1. It is possible for a remote attacker to cause the PHP interpreter to crash the web server on a vulnerable system and execute malicious, attacker supplied code. The vulnerability is the result of the PHP interpreter incorrectly parsing MIME headers when HTTP POST commands are received. When PHP receives a malformed POST request, it generates an error condition that is improperly handled. When an HTTP POST command is received, a memory structure is appended to a linked list of MIME headers. The memory allocated for this structure is freed when the POST command is successful. When a malformed POST request is made, an uninitialised memory structure is appended to the list of MIME headers. Attempting to free this memory will have negative consequences for a vulnerable system. This vulnerability has different effects on different architectures.
It has been reported that PHP will crash when it tries to free the memory structure on an IA32 (x86) architecture. The IA32 architecture has been verified to be safe from the execution of arbitrary code. However, it is still possible to crash PHP as well as the web server on vulnerable systems. It has also been reported that on Sparc architectures, an attacker may have greater control over how memory is freed. Arbitrary code execution on the Sparc architecture is possible. An attacker may take advantage of this vulnerability to cause the PHP interpreter to crash, leading to a denial of service, or cause the vulnerable web server to execute malicious, attacker supplied code. It may also be possible for the attacker to gain elevated privileges.

10. Pyramid BenHur Default Firewall Weakness
BugTraq ID: 5279
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5279
Summary: Pyramid BenHur is a firewall appliance. It is based on Debian Linux using Linux kernel 2.2.x and ipchains firewalling capabilities.
A vulnerability has been reported for the BenHur device. Reportedly, the device has a weak default firewall configuration ruleset. It is possible for an attacker to connect to any port between 1024 and 65096 on the device provided the source port is TCP port 20. This is due to a poorly designed rule that was put in place to support FTP data connections. Attackers may exploit this vulnerability to connect to potentially sensitive/vulnerable ports on the device such as the administration port (8888) or the web proxy server.

11. PHP Interpreter Direct Invocation Denial Of Service Vulnerability
BugTraq ID: 5280
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5280
Summary: It is possible, under some circumstances, for remote attackers to invoke the PHP interpreter from the web.
When PHP is installed with Apache, an alias/virtual path is created for the PHP interpreter and this alias is used internally when a CGI path is resolved. To prevent the interpreter from being invoked remotely for malicious purposes the cgi.force_redirect directive was introduced, and it is enabled by default. However, it is still possible to invoke the interpreter by name without command line arguments from the web despite the cgi.force_redirect directive. When the interpreter is invoked with no command line options, it will hang. Attackers may repeatedly request the PHP interpreter to cause a denial of service via resource exhaustion. This is reported to be a problem with PHP and Apache on Microsoft Windows platforms. It may be possible to reproduce this condition in other environments as well.

14. Multiple SSH Client Protocol Change Default Warning Weakness
BugTraq ID: 5284
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5284
Summary: A weakness has been reported in multiple SSH clients which may allow a man-in-the-middle attack to occur.
SSH servers commonly support compatibility mode, which allows negotiation between the protocols SSH1 and SSH2 with a client when a connection is initiated. SSH communication with a given server normally occurs using a given protocol such as SSH2. A given client will record the server's public key. If a new key is ever reported, the client software will report to the end user that the event should be viewed with extreme suspicion. However, if the server negotiates an SSH connection with a protocol such as SSH1 which has not previously been used with a given client, the displayed message will only report that a new key is being presented. The fact that the host is already associated with a specific key under a different protocol is not mentioned. The end user cannot be expected to understand the security implications of this event.
This may allow a man-in-the-middle attack to pass undetected by the client user. A similar attack may be possible based on the SSH2 negotiation for a MAC algorithm. In this case, choosing an unusual algorithm may again fail to produce a warning on the client system, allowing a man-in-the-middle attack.
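The client-side remedy for issue 14 is to check an offered host key against every entry already held for that host, whatever protocol or key type the entry was recorded under, so that a "new" key for a known host is reported as a possible key change rather than as a first contact. The following Python is an added example and not code from the advisory or from any SSH client; the known_hosts lines and key material are constructed for it.

```python
"""Added example: host-key verdicts that consider every known entry for a host,
not only the entries for the protocol being negotiated. The known_hosts text
below is constructed for this example; the keys are not real."""

# Constructed known_hosts content. Line 1 is an SSH2 entry ("hosts type key");
# line 2 is an SSH1 (RSA1) entry, written as "host bits exponent modulus".
KNOWN_HOSTS = """\
gw.example.test,192.0.2.10 ssh-rsa AAAACONSTRUCTEDKEYONE
old.example.test 1024 35 12345678901234567890
"""

def parse_known_hosts(text):
    """Return a list of (hosts, key_type, key) tuples.

    SSH1 entries carry no key-type field; they are normalised to the
    pseudo-type 'ssh-rsa1' so the lookup below can compare across protocols.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        hosts = fields[0].split(",")
        if fields[1].isdigit():                 # SSH1: host bits exponent modulus
            entries.append((hosts, "ssh-rsa1", " ".join(fields[1:4])))
        else:                                   # SSH2: host type base64 [comment]
            entries.append((hosts, fields[1], fields[2]))
    return entries

def host_key_verdict(entries, host, key_type, key):
    """Classify an offered host key.

    'match'            the offered key is already recorded for this host
    'key_changed'      same key type recorded for this host, different key
    'key_type_change'  host is known, but only under another type/protocol
    'new_host'         no entry at all for this host

    Both 'key_changed' and 'key_type_change' deserve the strong warning; a
    client that presents the latter as a plain new key has the weakness above.
    """
    for_host = [(t, k) for hosts, t, k in entries if host in hosts]
    if not for_host:
        return "new_host"
    same_type = [k for t, k in for_host if t == key_type]
    if key in same_type:
        return "match"
    if same_type:
        return "key_changed"
    return "key_type_change"

ENTRIES = parse_known_hosts(KNOWN_HOSTS)
```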
Jul 28th (SF)
18. Multiple Vendor Web Browser JavaScript Modifier Keypress Event Subversion Vulnerability
BugTraq ID: 5290
Remote: Yes
Date Published: Jul 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5290
Summary: An issue has been reported with the JavaScript implementation of multiple web browsers, including Microsoft Internet Explorer and Opera. Malicious JavaScript may subvert some keypress events, with consequences including the disclosure of arbitrary local files to a remote server.
Through JavaScript, it is possible to define an event handler for the 'onkeydown' event, which fires when a key is pressed by the end user. It is possible to have this event recognize the usage of the 'Control' modifier key. When this condition occurs, malicious script code may modify the event property indicating which primary key has been pressed. By changing this key to 'V', it is possible to create the 'Ctrl-V' key combination, normally associated with the paste operation. As the script also has control over the clipboard contents for the page, and the document element with current focus, it is possible to further subvert the event and place arbitrary content in an HTML form element. In particular, an arbitrary local filename may be pasted into a file upload form field. If the form is then submitted through JavaScript, the attacker specified file will be uploaded to the specified server without further user interaction.
Exploitation of this vulnerability may result in the disclosure of sensitive information to a remote attacker. It may also be possible to discover the full path of the temporary file directory used by Internet Explorer, by downloading the file '..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat'. In this case, the information may be used in conjunction with the issues discussed in BID 3867 to execute arbitrary code as the vulnerable user. Other attacks based on script interaction with the cut and paste functionality of Windows may also be possible.
It has been reported that it is also possible to recognize and subvert keypress events based on the 'Shift' key. In particular, Shift-Ins is a common keyboard shortcut for the paste operation. This may simplify the social engineering aspect of this vulnerability by exploiting a more commonly used key. It is likely that modifiers such as 'Alt' may also be intercepted. It has been reported that the Opera Web Browser 6.0.1 is also vulnerable to this issue. It is possible that other versions of Opera share this vulnerability; however, this has not been confirmed.

19. DansGuardian Hex Encoding URL Content Filter Bypass Vulnerability
BugTraq ID: 5291
Remote: Yes
Date Published: Jul 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5291
Summary: DansGuardian is a web content filter based on the Squid HTTP proxy server. It is available for various Unix based operating systems, including Linux.
A vulnerability in DansGuardian may allow malicious users to bypass some filter rules. URLs which contain hex encoded characters are not decoded before the URL is checked against patterns. A user may specify a URL including several such characters in an attempt to bypass restrictions imposed by DansGuardian. Under some installations, this may violate security policy, or allow users to inadvertently access malicious web content.

21. Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability
BugTraq ID: 5293
Remote: Yes
Date Published: Jul 24 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5293
Summary: Mozilla is an open source web browser available for a number of platforms, including Microsoft Windows and Linux.
An issue has been reported in the Mozilla web browser which may allow script code to access cookie data associated with arbitrary domains. Mozilla supports javascript: URLs, which can be used to execute JavaScript functions directly. Normally the domain of such functions is restricted, and cookie data associated with other sites may not be accessed. It has been reported possible to create a javascript: URL which appears to start with a valid domain. Malicious script code may specify an arbitrary domain, and will be able to access cookie data associated with that domain. It is possible to exploit this vulnerability by creating a javascript: URL which starts with a JavaScript comment of the form '//host\n', followed by arbitrary script code. Other avenues of exploitation may, however, be possible. Exploitation of this vulnerability may result in a remote attacker gaining access to sensitive cookie data, including authentication credentials.

22. VMWare GSX Server Authentication Server Buffer Overflow Vulnerability
BugTraq ID: 5294
Remote: Yes
Date Published: Jul 24 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5294
Summary: VMWare GSX Server is virtualization software that allows for multiple virtual servers to run on a single host. GSX Server ships with an authentication server.
The server implements checks to ensure that client-supplied strings do not cause overflow conditions. This is allegedly done by checking the length of supplied strings against internally specified maximum-length values before using them in sensitive operations. It has been reported that an error exists in the implementation of this mechanism for the argument to the "GLOBAL" command. The internal maximum length value is greater than the size of the buffer allocated to store the value. As a result, attackers may cause an overflow condition without exceeding the maximum-length value and causing an error. It is believed that the "GLOBAL" command can only be executed after authentication. This may prevent attackers without valid credentials from exploiting this vulnerability; however, this is unconfirmed. It is not known if there are any default or guest accounts.
This condition may be exploited to execute arbitrary code on the GSX server host. The code likely executes on the underlying, native system and may compromise the host entirely (including all virtual systems).
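The bypass in issue 19 above comes from matching URL patterns against the URL as received, still percent-encoded. As an added example (not DansGuardian's code), the Python below shows a naive matcher beside one that canonicalises the URL first; the blocklist and the URLs are constructed for the example.

```python
"""Added example: URL filtering that decodes %XX sequences before matching.
The blocklist patterns and test URLs are constructed, not taken from any
real filter configuration."""
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed blocklist: substrings that must not appear in a canonical URL.
BLOCKED_PATTERNS = ["/blocked/", "casino.example.test"]

def naive_is_blocked(url):
    """Match the URL as received: '%62locked' is never seen as 'blocked'."""
    return any(p in url.lower() for p in BLOCKED_PATTERNS)

def canonicalise(url, max_rounds=3):
    """Lower-case scheme and host, drop the fragment (it never reaches the
    server), and decode the path and query until they stop changing, so a
    doubly encoded URL such as %2562 resolves too. The round limit keeps a
    deeply nested encoding from becoming a cheap way to make the filter spin."""
    parts = urlsplit(url)
    path, query = parts.path or "/", parts.query
    for _ in range(max_rounds):
        decoded = (unquote(path), unquote(query))
        if decoded == (path, query):
            break
        path, query = decoded
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, query, ""))

def is_blocked(url):
    """Match against the canonical form. A URL that still decodes further
    after the rounds ran out is treated as an evasion attempt and blocked."""
    canon = canonicalise(url)
    if "%" in canon and unquote(canon) != canon:
        return True
    return any(p in canon for p in BLOCKED_PATTERNS)
```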
Aug 5th (LAW)
Linux Advisory Watch
Package: libmm
Date: 07-30-2002
Description: The OSSP mm library (libmm) allows a local Apache user to gain privileges via temporary files, possibly via a symbolic link.
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2224.html
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2220.html
Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2212.html

Package: openssl
Date: 07-30-2002
Description: The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2214.html
FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2221.html
EnGarde Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2213.html
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2218.html
Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2227.html
SuSE Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2223.html
Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2226.html

Package: gallery
Date: 08-01-2002
Description: A problem was found in gallery (a web-based photo album toolkit): it was possible to pass in the GALLERY_BASEDIR variable remotely. This made it possible to execute commands under the uid of the web server.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2229.html

Package: super
Date: 08-01-2002
Description: The included program super is intended to provide access to certain system users for particular users and programs, similar to the program sudo. Exploiting this format string vulnerability a local user can gain unauthorized root access.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2230.html

Package: libpng
Date: 08-01-2002
Description: Developers of the PNG library have fixed a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications, which could potentially allow an attacker to execute malicious code. Programs such as Galeon, Konqueror and various others make use of these libraries.
Debian Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2231.html

Package: FreeBSD kernel
Date: 08-01-2002
Description: Some programs are set-user-id or set-group-id, and therefore run with increased privileges. If such a program is started with some of the stdio file descriptors closed, the program may open a file and inadvertently associate it with standard input, standard output, or standard error. The program may then read data from or write data to the file inappropriately. If the file is one that the user would normally not have privileges to open, this may result in an opportunity for privilege escalation.
FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2222.html

Package: pppd
Date: 07-30-2002
Description: A malicious local user may exploit the race condition to acquire write permissions to a critical system file, such as /etc/crontab, and leverage the situation to acquire escalated privileges.
FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2225.html

Package: openssh
Date: 08-01-2002
Description: Anyone who has installed OpenSSH from the OpenBSD ftp server or any mirror within that time frame should consider his system compromised. The trojan allows the attacker to gain control of the system as the user compiling the binary. Arbitrary commands can be executed.
OpenSSH Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2232.html

Package: util-linux
Date: 07-30-2002
Description: The chfn feature of the util-linux package shipped with all versions of TSL suffers from a locally exploitable file locking problem. With some interference from the system administrator an attacker could gain escalated privileges.
Trustix Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2219.html
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2211.html
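The libpng advisory above describes a progressive reader that let the IDAT stream, rather than the IHDR chunk, decide how much image data to write. This added example (not libpng's code) derives the decompression bound from IHDR and reports when an IDAT stream inflates past it; the two PNG datastreams it checks are constructed inside the block.

```python
"""Added example (not libpng's code): bound inflated IDAT data by the size
the IHDR chunk implies. Both PNG datastreams below are constructed here."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}    # colour type -> samples per pixel

def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type and data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(width, height, colour_type, bit_depth, raw):
    """Wrap already-filtered, non-interlaced scanlines in a minimal PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))

def expected_raw_size(ihdr):
    """Bytes the inflated image data must occupy according to IHDR."""
    width, height, bit_depth, colour_type, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace:
        raise ValueError("interlaced images are outside this example")
    rowbytes = (width * CHANNELS[colour_type] * bit_depth + 7) // 8
    return height * (1 + rowbytes)             # one filter-type byte per row

def check_idat_bound(png):
    """Walk the chunks, then inflate IDAT with a hard cap of declared + 1.
    Returns (declared_size, bytes_produced, stream_exceeds_declared)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG datastream")
    pos, ihdr, idat = len(PNG_SIG), None, b""
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("chunk CRC mismatch")
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if ihdr is None:
        raise ValueError("IHDR chunk missing")
    declared = expected_raw_size(ihdr)
    # A compliant stream never needs more than `declared` bytes, so the cap
    # keeps a malformed stream from growing the output past the buffer.
    produced = len(zlib.decompressobj().decompress(idat, declared + 1))
    return declared, produced, produced > declared

# Constructed 2x2 RGB 8-bit image: two rows of filter byte + 6 pixel bytes.
GOOD_RAW = b"\x00" + bytes(range(6)) + b"\x00" + bytes(range(6, 12))
GOOD_PNG = build_png(2, 2, 2, 8, GOOD_RAW)
# Same IHDR, but the IDAT stream inflates to three extra rows of data.
BAD_PNG = build_png(2, 2, 2, 8, GOOD_RAW + b"\x00" * 21)
```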
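For the FreeBSD kernel advisory above, the precaution a set-user-id program can take on its own side is to make sure descriptors 0, 1 and 2 are open before it opens anything else, so that a later open() cannot land a sensitive file on one of them. This added example (not the FreeBSD fix, which lives in the kernel) shows the hazard and the precaution; it assumes a POSIX system with /dev/null.

```python
"""Added example (not FreeBSD's kernel fix): the std-descriptor precaution a
privileged program can take itself. Assumes a POSIX system with /dev/null."""
import os

STD_FDS = (0, 1, 2)

def closed_std_fds():
    """Return the standard descriptors that are currently not open."""
    closed = []
    for fd in STD_FDS:
        try:
            os.fstat(fd)
        except OSError:          # EBADF: nothing is open on this descriptor
            closed.append(fd)
    return closed

def ensure_std_fds_open(devnull=os.devnull):
    """Attach /dev/null to every closed std descriptor so that a later open()
    cannot return 0, 1 or 2. Returns the descriptors that were reopened."""
    reopened = []
    for fd in closed_std_fds():
        # open() returns the lowest free descriptor, which is normally `fd`
        # itself; dup2 covers the case where a lower one was also free.
        nfd = os.open(devnull, os.O_RDWR)
        if nfd != fd:
            os.dup2(nfd, fd)
            os.close(nfd)
        reopened.append(fd)
    return reopened

def descriptor_handed_out_after_closing(fd_to_close=2, precaution=False):
    """Demonstrate the hazard: close one std descriptor, optionally run the
    precaution, then open a file and report which descriptor it landed on.
    Without the precaution the file takes the closed std descriptor, which
    is exactly how a privileged program ends up writing to it as stderr."""
    saved = os.dup(fd_to_close)
    os.close(fd_to_close)
    try:
        if precaution:
            ensure_std_fds_open()
        got = os.open(os.devnull, os.O_WRONLY)
        os.close(got)
        return got
    finally:
        os.dup2(saved, fd_to_close)    # restore the caller's descriptor
        os.close(saved)
```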