SecurityFocus
1. XChat Server Strings Buffer Overflow Vulnerability
BugTraq ID: 7089
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7089
Summary:
XChat is a freely available, open source IRC client. It is available for
the Unix, Linux, and Microsoft Windows platforms.
XChat IRC client has been reported vulnerable, under certain
circumstances, to a buffer overflow condition.
It has been reported that, due to a lack of both sufficient bounds
checking and string termination, two malformed non-terminated
server-supplied strings may be stored contiguously in a fixed internal
memory buffer.
As a result of this, a malicious IRC server may be used to pass excessive
data to the client and overwrite memory adjacent to the deficient buffer.
If this memory contains crucial saved program state values, the attacker
may be able to influence the program's flow and execute arbitrary code.
Any code successfully executed would be in the context of the user running
the vulnerable IRC application.
This vulnerability was reported to affect XChat version 2.0.1; other
versions may also be affected.
2. EPIC PRIVMSG Remote Heap Corruption Vulnerability
BugTraq ID: 7088
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7088
Summary:
Epic is a freely available, open source IRC client. It is maintained by
the Epic project.
A vulnerability has been discovered in EPIC4 1.1.7.20020907. The problem
occurs due to insufficient bounds checking of data interchanged between
clients. Specifically, by using the PRIVMSG command to send a message of
excessive length to a vulnerable client, it may be possible to corrupt the
process's heap memory.
It should be noted that this issue might only be exploitable when the
'mangle_inbound' option is set. Secondly, the data which can be written to
sensitive memory is limited to a defined character set, making remote code
execution unlikely.
Successful exploitation of this issue would likely cause the vulnerable
client to crash.
3. TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability
BugTraq ID: 7090
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7090
Summary:
tcpdump is a freely available, open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.
A vulnerability in the processing of some packet types may result in an
inability to further use the tcpdump application.
It has been reported that tcpdump is vulnerable to a denial of service
when some packet types are received. By sending a maliciously formatted
packet to a system using a vulnerable version of tcpdump, it is possible
for a remote user to cause tcpdump to ignore network traffic from the time
the packet is received until the application is terminated and restarted.
The problem is in the handling of RADIUS packets. When tcpdump receives a
maliciously crafted RADIUS packet, the application enters an infinite loop
and ceases to further monitor network traffic. This could allow the
passing of undetected network traffic that would typically be seen by
tcpdump.
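A decoder that cannot loop forever on a malformed packet is the fix a reader will want to see. The following is an added example, not tcpdump's code; the advisory does not say which field drove the loop, so this example assumes the classic case of an attribute whose Length field does not advance the cursor, and shows the guard a RADIUS attribute walker needs:

```c
#include <stddef.h>
#include <stdint.h>

#define RADIUS_HDR_LEN 20  /* Code(1) Identifier(1) Length(2) Authenticator(16) */
#define RADIUS_ATTR_HDR 2  /* Type(1) Length(1); Length counts these two bytes */

/* Walk the attribute list and return the attribute count, or -1 if the
 * packet is malformed. Every iteration consumes at least RADIUS_ATTR_HDR
 * bytes, so the loop terminates for any input, including one whose
 * attribute Length field is 0 or 1 (the no-progress case assumed above). */
int radius_count_attrs(const uint8_t *pkt, size_t caplen)
{
    if (caplen < RADIUS_HDR_LEN)
        return -1;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < RADIUS_HDR_LEN || len > caplen)   /* declared length must fit the capture */
        return -1;
    size_t off = RADIUS_HDR_LEN;
    int n = 0;
    while (off < len) {
        if (len - off < RADIUS_ATTR_HDR)        /* truncated attribute header */
            return -1;
        uint8_t alen = pkt[off + 1];
        if (alen < RADIUS_ATTR_HDR)             /* would never advance: reject */
            return -1;
        if (alen > len - off)                   /* attribute runs past the packet */
            return -1;
        off += alen;                            /* always advances by at least 2 */
        n++;
    }
    return n;
}

/* Constructed sample packets (authenticator zeroed for brevity). */
static const uint8_t good_pkt[] = {
    0x01, 0x7a, 0x00, 0x1a,                   /* Access-Request, id 0x7a, Length 26 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,          /* Authenticator */
    0x01, 0x06, 'a', 'l', 'i', 'c',           /* User-Name, Length 6 */
};
static const uint8_t bad_pkt[] = {
    0x01, 0x7b, 0x00, 0x16,                   /* Access-Request, id 0x7b, Length 22 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,          /* Authenticator */
    0x01, 0x00,                               /* User-Name with Length 0 */
};

/* Well-formed packet decodes to one attribute; the zero-length attribute is
 * rejected instead of spinning. */
int demo_good(void) { return radius_count_attrs(good_pkt, sizeof good_pkt); }
int demo_bad(void)  { return radius_count_attrs(bad_pkt, sizeof bad_pkt); }
```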
4. ircII Make_Status_One Memory Corruption Vulnerability
BugTraq ID: 7093
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7093
Summary:
ircII is an IRC and ICB client for Unix and Linux platforms.
A buffer overflow vulnerability has been reported in ircII. The
vulnerability is related to the way ircII refreshes its status bar.
Specifically, the make_status_one() function in the status.c source file
does not properly account for some control characters when attempting to
refresh the status bar.
This issue is exploitable by a malicious IRC server that sends an overly
long response to the vulnerable ircII client. As the client does not make
proper checks for control characters when updating the status bar, it will
result in the corruption of sensitive memory.
This will cause the client to crash, thus resulting in a denial of service
condition.
This issue was reported in ircII build 20020912. Other versions may also
be affected.
This issue was originally described in BID 7087 "Multiple IrcII Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
5. ircII Client-Side Private Message Handling Memory Corruption Vulnerability
BugTraq ID: 7094
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7094
Summary:
ircII is an IRC and ICB client for Unix and Linux platforms.
A buffer overflow vulnerability has been reported for ircII. This issue is
due to insufficient bounds checking of server-supplied data and may
potentially result in denial of service in the IRC client. This overflow
occurs during client handling of private message data supplied by an IRC
server, allowing for the 'ctcp_buffer' to be overrun. Though unconfirmed,
exploitation may also allow for execution of arbitrary code in the context
of the client.
This could result in corruption of sensitive regions of memory with
attacker-supplied data. It may be possible for another client to trigger
this condition, though this is also unconfirmed.
This issue was originally described in BID 7087 "Multiple IrcII Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
This issue was reported in ircII build 20020912. Other versions may also
be affected.
6. ircII Client-Side Cannot_Join_Channel Memory Corruption Vulnerability
BugTraq ID: 7095
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7095
Summary:
ircII is an IRC and ICB client for Unix and Linux platforms.
A buffer overflow vulnerability has been reported in ircII. This issue is
due to insufficient bounds checking of server-supplied data and may
potentially result in denial of service in the IRC client. This issue
exists in the cannot_join_channel() function and could be triggered by a
channel name of excessive length.
This could result in corruption of memory (including stack variables) with
attacker-supplied data.
This issue was originally described in BID 7087 "Multiple IrcII Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
7. ircII Status_Make_Printable Memory Corruption Vulnerability
BugTraq ID: 7098
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7098
Summary:
ircII is an IRC and ICB client for Unix and Linux platforms.
A buffer overflow vulnerability has been reported in ircII. The
vulnerability is related to the way ircII refreshes its status bar.
Specifically, the status_make_printable() function in the status.c source
file does not properly account for some control characters when attempting
to refresh the status bar.
This issue is exploitable by a malicious IRC server that sends an overly
long response to the vulnerable ircII client. As the client does not make
proper checks for control characters when updating the status bar, it will
result in the corruption of sensitive memory with attacker-supplied
values.
This will cause the client to behave in an unpredictable manner and
possibly execute attacker-supplied code.
This issue was reported in ircII build 20020912. Other versions may also
be affected.
This issue was originally described in BID 7087 "Multiple IrcII Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
8. OpenSSL Timing Attack RSA Private Key Information Disclosure Vulnerability
BugTraq ID: 7101
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7101
Summary:
OpenSSL is an open source implementation of the SSL protocol.
A side-channel attack in the OpenSSL implementation has been published in
a recent paper that may ultimately result in an active adversary gaining
the RSA private key of a target server. The attack involves analysis of
the timing of certain operations during client-server session key
negotiation.
Session negotiation occurs using the RSA PKCS 1 type public key
cryptography standard. During the client-server negotiation, the client
constructs a proto-session-key using PKCS 1 formatted random bytes and
encrypts it with the RSA public key of the server. The client then
transmits this value to the server, which uses it to compute the shared
session key. The server will generate a session key on its own and send
an alert message to the client if the client-supplied proto-key decrypted
by the server using its RSA private key is not properly PKCS 1 formatted.
It is possible for an adversary, acting as a client, to obtain bits of
information about the server RSA private key by observing the time elapsed
between the transmission of an invalid proto-key value and reception of
the alert message from the server that is sent in response. The
information is leaked during the decryption process and may, through
successive observations, reveal the factorization of the private key to
the adversary. An attacker may perform this attack by repeatedly
establishing sessions with invalid proto-key values.
Upon successful compromise of an RSA private key, it is possible for an
attacker to monitor the establishing of all future sessions with the
server. This may additionally allow an attacker to impersonate the server
based on the compromised private key. This problem also affects other SSL
implementations that do not implement RSA blinding by default.
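RSA blinding, the countermeasure named above, applies the private exponent to a value the adversary cannot predict, so the measured decryption time no longer depends on the ciphertext the adversary chose. The following is an added example, not OpenSSL's code: textbook RSA with a constructed toy key (p=61, q=53) so the arithmetic fits in 64 bits; a real implementation uses big integers and draws the blinding factor from a CSPRNG.

```c
#include <stdint.h>

typedef struct { uint64_t n, e, d; } rsa_key;
static const rsa_key TOY_KEY = { 3233, 17, 2753 };   /* constructed: p=61, q=53 */

/* Safe for n < 2^32 since a, b < n. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

static uint64_t powmod(uint64_t b, uint64_t x, uint64_t n)
{
    uint64_t r = 1;
    b %= n;
    while (x) {
        if (x & 1) r = mulmod(r, b, n);
        b = mulmod(b, b, n);
        x >>= 1;
    }
    return r;
}

/* Modular inverse via extended Euclid; returns 0 if gcd(a, n) != 1. */
static uint64_t invmod(uint64_t a, uint64_t n)
{
    int64_t t = 0, newt = 1, r = (int64_t)n, newr = (int64_t)(a % n), q, tmp;
    while (newr) {
        q = r / newr;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

uint64_t rsa_encrypt(const rsa_key *k, uint64_t m) { return powmod(m, k->e, k->n); }

/* Unblinded: the exponentiation runs directly on c, the value the attacker
 * supplies and times. */
uint64_t rsa_decrypt_plain(const rsa_key *k, uint64_t c) { return powmod(c, k->d, k->n); }

/* Blinded: decrypt c * r^e instead, then divide r out. Because
 * (c * r^e)^d = m * r (mod n), the result is unchanged, but the timing now
 * depends on r, which the attacker never sees. r must be coprime to n. */
uint64_t rsa_decrypt_blinded(const rsa_key *k, uint64_t c, uint64_t r)
{
    uint64_t rinv = invmod(r, k->n);
    uint64_t cb = mulmod(c, powmod(r, k->e, k->n), k->n);
    uint64_t mb = powmod(cb, k->d, k->n);
    return mulmod(mb, rinv, k->n);
}

/* Self-check: both decryptions recover the sample message 65; the blinding
 * factor 1234 is an arbitrary constructed value coprime to n. Returns 1. */
int blinding_roundtrip(void)
{
    uint64_t c = rsa_encrypt(&TOY_KEY, 65);
    return rsa_decrypt_plain(&TOY_KEY, c) == 65
        && rsa_decrypt_blinded(&TOY_KEY, c, 1234) == 65;
}
```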
9. BitchX Remote Send_CTCP() Memory Corruption Vulnerability
BugTraq ID: 7097
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7097
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A memory corruption vulnerability has been reported in the send_ctcp()
function which is used when handling server-supplied data. The function
takes the length of an argument, char *to, and uses it to allocate a
buffer on the stack. This occurs by calling the alloca() function with an
argument of 512 - (12 + strlen(to)). Delimiter characters are later
appended to the buffer returned by alloca().
If a hostile IRC server were to supply a 'to' argument whose length plus
12 is larger than 512 bytes, the resulting argument to alloca() would be
negative. If this were to occur, the negative value would be interpreted
as such and a stack address belonging to a previous frame would be
returned. This may allow for delimiter characters and a NULL value to be
written to arbitrary stack memory.
Successful exploitation of this issue may allow a malicious server to
execute arbitrary commands on the client system with the privileges of the
user running the vulnerable client.
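The length arithmetic described above, shown as an added example (not BitchX code) with the unchecked computation beside the check that prevents it. The constants follow the advisory text; the helper names are constructed here, and the value is returned for inspection rather than passed to alloca():

```c
#include <stddef.h>
#include <string.h>

#define CTCP_MAX 512
#define CTCP_OVERHEAD 12   /* the fixed 12 bytes the advisory's expression reserves */

/* The computation as the advisory describes it: 512 - (12 + strlen(to)).
 * strlen() returns size_t, so once 12 + strlen(to) exceeds 512 the result
 * does not go negative but wraps to a huge unsigned value; handed to
 * alloca() it moves the stack pointer the wrong way, which is what the
 * advisory calls a negative value being interpreted. */
size_t ctcp_room_unchecked(const char *to)
{
    return CTCP_MAX - (CTCP_OVERHEAD + strlen(to));
}

/* Hardened form: bound the length before the subtraction, so the
 * expression can never underflow. Returns 0 and sets *room only when safe. */
int ctcp_room_checked(const char *to, size_t *room)
{
    size_t n = strlen(to);
    if (n > CTCP_MAX - CTCP_OVERHEAD)   /* oversized target: refuse it */
        return -1;
    *room = CTCP_MAX - (CTCP_OVERHEAD + n);
    return 0;
}

/* Constructed oversized target: 600 'A's, well past the 500-byte limit. */
static const char *long_target(void)
{
    static char buf[601];
    memset(buf, 'A', 600);
    buf[600] = '\0';
    return buf;
}

/* The unchecked value exceeds the very buffer it was meant to fit in. */
int unchecked_wraps(void) { return ctcp_room_unchecked(long_target()) > CTCP_MAX; }

/* The checked version rejects the same input and accepts a normal nick. */
int checked_rejects(void) { size_t r; return ctcp_room_checked(long_target(), &r) == -1; }
int checked_accepts_short(void) { size_t r; return ctcp_room_checked("nick", &r) == 0 && r == 496; }
```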
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
10. BitchX Remote cannot_join_channel() Buffer Overflow Vulnerability
BugTraq ID: 7099
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7099
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A memory corruption vulnerability has been discovered in BitchX 1.0c19.
This issue occurs when calling the cannot_join_channel() function. If a
channel of excessive length is supplied a buffer overflow could occur
which may result in predefined strings being written over sensitive stack
memory.
As a result, it may be possible for a malicious IRC server to crash a
vulnerable client. Although unconfirmed, this vulnerability could
potentially be leveraged to execute arbitrary commands within a target
client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
11. BitchX Remote BX_compress_modes() Buffer Overflow Vulnerability
BugTraq ID: 7100
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7100
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
BitchX has been reported prone to a buffer overflow vulnerability.
Reportedly, when the BitchX option 'compress_modes' is activated, a buffer
overflow condition may arise. If an excessive amount of data is supplied
to the BitchX 'BX_Compress_modes()' function, an internal memory buffer,
'nmodes[16]', will be overflowed. This action may cause adjacent memory to
be corrupted with attacker-supplied values.
There is a potential that this issue could be exploited to corrupt crucial
program management variables on the stack and thus seize control of
program flow. As a result, a hostile IRC server may be capable of
executing arbitrary code on a target client.
Any arbitrary code executed would be in the context of the user running
the vulnerable software.
This vulnerability was reported to affect BitchX 1.0c19; earlier versions
may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
12. BitchX Remote Cluster() Heap Corruption Vulnerability
BugTraq ID: 7096
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7096
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
BitchX has been reported prone to a heap-based memory corruption
vulnerability. Reportedly, when an excessively long hostname is supplied
to the BitchX 'cluster()' function, an internal static memory buffer is
overflowed.
It has been reported that 1500 bytes of data may be written past the
buffer, potentially corrupting sensitive values located in the heap.
Although unconfirmed, due to the nature of heap corruption
vulnerabilities, there is a potential that this issue could be exploited
to corrupt memory management information. As a result, a hostile IRC
server may be capable of executing arbitrary code on a target client.
This vulnerability was reported to affect BitchX 1.0c19; earlier versions
may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
13. Epic Status Bar Writing Buffer Overflow Vulnerability
BugTraq ID: 7103
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7103
Summary:
Epic is a freely available, open source IRC client. It is maintained by
the Epic project.
A problem with the software may make it possible for an attacker to gain
access to a vulnerable client system.
It has been reported that Epic does not properly handle some types of
server replies. This particular problem occurs when the status bar is
written to by the server. Because of this, an attacker may be able to
gain access to a vulnerable client system with the privileges of the Epic
user.
The client does not perform sufficient bounds checking on the data
returned by the server before writing it to the status bar. Because of
this, it is possible for a malicious server to send a response of
arbitrary length that will result in a client-side overflow, and
potentially the execution of arbitrary code.
This issue was originally described in BID 7077 "Multiple Epic Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
14. Epic Userhost_Cmd_Returned Buffer Overflow Vulnerability
BugTraq ID: 7091
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7091
Summary:
Epic is a freely available, open source IRC client. It is maintained by
the Epic project.
A problem with the software may make it possible for an attacker to gain
access to a vulnerable client system.
It has been reported that Epic does not properly handle some types of
server replies. This particular problem occurs in the userhost returned by
the server. Because of this, an attacker may be able to gain access to a
vulnerable client system with the privileges of the Epic user.
The client does not perform sufficient bounds checking on the data
returned by the server when the userhost is sent. Because of this, it is
possible for a malicious server to send a response of arbitrary length
that will result in a client-side overflow, and potentially the execution
of arbitrary code.
This issue was originally described in BID 7077 "Multiple Epic Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
15. Filebased Guestbook 'Comment' HTML Injection Vulnerability
BugTraq ID: 7104
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7104
Summary:
Filebased Guestbook is a text-based guestbook written in PHP.
It has been reported that Filebased Guestbook is prone to HTML injection
attacks. This problem occurs due to Filebased Guestbook insufficiently
sanitizing user-supplied input. Specifically, embedded HTML and script
code is not filtered from the 'comment' guestbook field.
As a result, attackers may embed malicious script code or HTML into forum
posts. When a malicious post is viewed by another user, the
attacker-supplied code will be interpreted in their web browser in the
security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
17. Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
BugTraq ID: 7106
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7106
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.
A buffer overflow vulnerability has been reported for Samba. The
vulnerability occurs when the smbd service attempts to re-assemble
specially crafted SMB/CIFS packets.
An attacker can exploit this vulnerability by creating a specially
formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The
overflow condition will be triggered when smbd attempts to re-assemble the
malformed packet fragments. smbd will overwrite sensitive areas of memory
with attacker-supplied values resulting in the execution of malicious
code.
This vulnerability is further exacerbated by the fact that the smbd
service runs with root privileges.
This vulnerability affects Samba 2.0.0 to 2.2.7a. Additionally, HP
CIFS/9000 server versions up to A.01.09.01 on HP-UX 11.0, 11.11(11i), and
11.22 are vulnerable.
18. Samba REG File Writing Race Condition Vulnerability
BugTraq ID: 7107
Remote: No
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7107
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.
A race condition vulnerability has been reported for Samba. The
vulnerability occurs when Samba attempts to write reg files. It may be
possible to create a symbolic link at a crucial point of program
execution that would result in the overwriting of files pointed to by the
link. This will only occur if the files are writable by the Samba
process.
Successful exploitation may cause local files to be corrupted. If files
can be corrupted with custom data, this may result in privilege elevation.
Full details of this vulnerability are not currently known. The BID will
be updated as further details are disclosed.
This vulnerability is reported to exist for Samba 2.0.0 to 2.2.7a.
19. RSA ClearTrust Login Page Cross Site Scripting Vulnerability
BugTraq ID: 7108
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7108
Summary:
RSA ClearTrust is a Web-based access management application that provides
secure access to resources.
A cross-site scripting vulnerability has been discovered in ClearTrust.
Specifically, the login page for the management application is not
properly sanitized of some user-supplied values. The login page is called
ct_logon.asp, and the value of the 'CTLoginErrorMsg' parameter is not
properly sanitized of malicious HTML code.
An attacker can exploit this vulnerability by creating a specially crafted
URL that includes malicious HTML code for the login page used by
ClearTrust.
This may allow for theft of cookie-based authentication credentials and
other attacks.
20. Qpopper Username Information Disclosure Weakness
BugTraq ID: 7110
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7110
Summary:
Qpopper is a POP3 mail server available for Linux and Unix based systems.
An information disclosure weakness has been reported for Qpopper when
authenticating. The weakness is due to the fact that if a valid username
is sent with a bad password, Qpopper will wait a small amount of time
prior to disconnecting the client. If the username that is sent is
invalid, Qpopper immediately disconnects the client.
A determined attacker can exploit this weakness to gather a list of valid
usernames on a vulnerable system using Qpopper.
Any information obtained in this manner may be used by the attacker to
launch other attacks against a victim user or system.
This weakness was reported for Qpopper 3.1 and 4.0.4. It is not known
whether other versions are affected.
21. Multiple Vendor Java Virtual Machine java.util.zip Null Value Denial Of Service Vulnerability
BugTraq ID: 7109
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7109
Summary:
Several implementations of the Java Virtual Machine have been reported to
be prone to a denial of service condition.
This vulnerability occurs in several methods in the java.util.zip class.
The following native methods have been reported to be vulnerable to this
issue:
java.util.zip.Adler32().update();
java.util.zip.Deflater().setDictionary();
java.util.zip.CRC32().update();
java.util.zip.Deflater().deflate();
java.util.zip.CheckedOutputStream().write();
java.util.zip.CheckedInputStream().read();
The methods can be called with certain types of parameters; however, there
do not appear to be proper checks to see whether the parameters are NULL
values. When these native methods are called with NULL values, the JVM
will reach an undefined state, causing it to behave in an unpredictable
manner and possibly crash.
This BID will be separated into individual entries where appropriate.