SecurityFocus
1. Monkey HTTP Server Invalid POST Request Denial Of Service Vulnerability
BugTraq ID: 6096
Remote: Yes
Date Published: Nov 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6096
Summary:
Monkey is an open source Web server written in C, based on the HTTP/1.1
protocol. It is available for the Linux platform.
A denial of service vulnerability has been reported for Monkey HTTP
server. The vulnerability is due to inadequate checks being performed when
decoding POST requests.
An attacker can exploit this vulnerability by issuing a POST request with
an invalid Content-Length header, or without a Content-Length value. When
the server attempts to service the request, it will crash and lead to the
denial of service condition.
This vulnerability was reported for Monkey HTTP server 0.50. Earlier
versions are likely to be affected by this vulnerability.
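The check Monkey 0.50 is reported to lack, as an added example (not Monkey's code): the server decides what to do with a POST's Content-Length before it reads any body. The 1 MiB cap is an assumption for this example.

```python
# Added example: validate Content-Length on a POST before trusting it.
# Not taken from Monkey; the body-size cap is an arbitrary policy choice.
import re

MAX_BODY = 1 << 20  # assumed 1 MiB cap; a real server makes this configurable

def parse_headers(raw):
    """Split a raw HTTP request head into (request_line, {name: value}).
    Raises ValueError on a malformed line or conflicting duplicate headers."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key, value = name.strip().lower(), value.strip()
        if key in headers and headers[key] != value:
            raise ValueError("conflicting duplicate header: %s" % key)
        headers[key] = value
    return lines[0], headers

def post_body_length(raw):
    """Return (status, length): status 0 means read `length` body bytes;
    any other status is the HTTP error to answer with instead of reading."""
    try:
        request_line, headers = parse_headers(raw)
    except ValueError:
        return 400, 0
    method = request_line.split(" ")[0]
    if method != "POST":
        return 0, 0                       # no body expected for this example
    cl = headers.get("content-length")
    if cl is None:
        return 411, 0                     # Length Required: nothing to decode
    if not re.fullmatch(r"[0-9]{1,12}", cl):
        return 400, 0                     # not a non-negative decimal integer
    length = int(cl)
    if length > MAX_BODY:
        return 413, 0                     # Request Entity Too Large
    return 0, length
```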
5. GlobalSunTech Access Point Information Disclosure Vulnerability
BugTraq ID: 6100
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6100
Summary:
Global Sun Technology Inc. is a developer of Wireless Access Points
distributed to OEM partners.
An information disclosure vulnerability has been discovered in certain
GlobalSunTech access points.
It has been reported that a remote attacker is able to retrieve sensitive
information from vulnerable access points, including WEP keys, the MAC
filter, and the admin password.
It is possible to obtain this information by sending a specially
constructed broadcast message, to UDP port 27155, containing the
"gstsearch" string.
Information gained by exploiting this vulnerability may allow an attacker
to launch further attacks against the target network.
It should be noted that this vulnerability was reported for a WISECOM
GL2422AP-0T access point. Devices that use Global Sun Technology access
points may be affected by this issue.
It has been determined that D-Link DI-614+ and SMC Barricade 7004AWBR
access points are not affected by this issue.
It has been reported that Linksys WAP11-V2.2 is prone to this issue, but
to a lesser extent. It is possible to obtain AP firmware versions, but
other sensitive information is not accessible.
7. Multiple Vendor Sun RPC LibC TCP Time-Out Denial Of Service Vulnerability
BugTraq ID: 6103
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6103
Summary:
A vulnerability has been reported in multiple libc implementations which
are based on Sun RPC. This may affect implementations on a number of
different platforms and products.
A denial of service condition is reported to occur when data is read from
a TCP connection. As a result, remote attackers may cause some services
and daemons to hang. The cause of this issue is a failure of vulnerable
libc implementations to provide a sufficient time-out mechanism when data
is read from TCP connections.
Further details about what causes this condition are not known at this
time. This record will be updated if further details about this
vulnerability become available.
8. PERL-MailTools Remote Command Execution Vulnerability
BugTraq ID: 6104
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6104
Summary:
The perl-MailTools package is a collection of PERL modules related to mail
applications.
A vulnerability has been reported for the Mail::Mailer module, included in
the perl-MailTools package, which may allow remote attackers to execute
arbitrary commands on the underlying shell with the privileges of the
mailx process.
User-supplied input is passed to the mailx mailer, a simple MUA (Mail User
Agent), but is not sufficiently sanitized of shell metacharacters before
being passed through the shell.
Any applications that use Mail::Mailer directly or indirectly, such as custom
auto-reply programs or spam filters, are vulnerable to attack.
9. The Magic Notebook Invalid Username Denial Of Service Vulnerability
BugTraq ID: 6106
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6106
Summary:
The Magic Notebook is a web-based application for creating and organizing
notes. It will run on Unix and Linux variants.
The Magic Notebook is prone to a denial of service vulnerability. The
Magic Notebook reportedly crashes when attempting to handle an invalid
username.
Remote attackers may be able to exploit this condition to deny service to
legitimate users of the web application.
10. Networking_Utils Remote Command Execution Vulnerability
BugTraq ID: 6107
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6107
Summary:
Networking_Utils is an application for supplying web access to networking
tools such as ping, traceroute and nslookup. Networking_Utils is
implemented in PHP and intended to run on Unix and Linux variants.
Networking_Utils is prone to a remote command execution vulnerability.
The issue exists in the implementation of the ping command. Shell
metacharacters are not sufficiently sanitized from the domain name or IP
address fields. This input will be passed directly through the shell.
An attacker may exploit this issue by supplying malicious input which
includes shell metacharacters and arbitrary commands, which will be
interpreted by the underlying shell. The attacker may execute commands
with the privileges of the webserver.
Exploitation of this issue will allow a remote attacker to gain local,
interactive access to the underlying host.
Implementations of the other commands may also be affected by this
vulnerability.
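The fix for both the Networking_Utils ping issue above and the Mail::Mailer/mailx issue in item 8 is the same: never hand user input to a shell. An added example (not from either project) that allowlists the target and builds an argv list so no shell parses it; the `ping -c` flag is the common iputils/BSD count option.

```python
# Added example: allowlist the target, then invoke ping without a shell.
# Not Networking_Utils code; shown as the hardened counterpart of
# "pass the domain name or IP address straight through the shell".
import ipaddress
import re
import subprocess

# RFC 1123 style labels: letters, digits, hyphens, no leading/trailing hyphen
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?:%s\.)*%s\.?$" % (_LABEL, _LABEL))

def validate_target(target):
    """Return target unchanged if it is an IP address or hostname, else raise.
    Shell metacharacters (; | ` $ ( ) & space) and a leading '-' (option
    injection) cannot pass because they are outside the allowed alphabet."""
    if not isinstance(target, str) or not 0 < len(target) <= 253:
        raise ValueError("bad target length")
    try:
        ipaddress.ip_address(target)      # accepts IPv4 and IPv6 literals
        return target
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError("not a hostname or IP address: %r" % target)

def ping_argv(target, count=3):
    """Build ping's argv. Each element is one argument, so nothing in the
    user's input can ever be interpreted as shell syntax."""
    return ["ping", "-c", str(int(count)), validate_target(target)]

def run_ping(target, count=3):
    """Run ping with shell=False (the default when argv is a list)."""
    return subprocess.run(ping_argv(target, count), capture_output=True,
                          text=True, timeout=15)
```

The same shape applies to a mailer wrapper: validate recipient addresses against an allowlist pattern and pass them as separate argv elements to mailx rather than as one shell string.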
11. Cisco PIX Firewall Telnet/SSH Subnet Handling Denial Of Service Vulnerability
BugTraq ID: 6110
Remote: Yes
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6110
Summary:
Cisco PIX Firewalls are reported to be prone to a denial of service
condition.
The vulnerable condition occurs when telnet/SSH access has been enabled on
the firewall for hosts on the internal network. If TCP SYN packets are
sent repeatedly to the subnet address, this may cause a denial of service
condition, as the PIX firewall may respond to connection requests sent to
the subnet address. Large numbers of these types of requests are reported
to cause memory fragmentation on the device. It may be necessary to
restart the device to regain normal functionality.
This vulnerability is reportedly due to incorrect handling of requests to
the subnet address by the PIX operating system TCP/IP stack.
This issue was reported for Cisco PIX Firewall 6.2.2. Other versions of
the PIX operating system may also be affected.
12. SnortCenter Insecure Temporary Filename Vulnerability
BugTraq ID: 6108
Remote: No
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6108
Summary:
SnortCenter is a web-based client-server management system written in PHP
and Perl. It assists with managing Snort configuration and signature files.
A vulnerability has been discovered in SnortCenter v0.9.5.
It has been reported that SnortCenter creates temporary files using
predictable file names. When SnortCenter is used to aggregate Snort rules
for a particular sensor, a file is created in the /tmp directory using the
same name as the sensor.
By anticipating the name of a temporary file a local attacker may be able
to corrupt sensitive data by creating a symbolic link to a system resource
which is writeable by SnortCenter.
It is not yet known whether versions prior to v0.9.5 are affected by this
issue.
13. SnortCenter Insecure Sensor Configuration File Permissions Vulnerability
BugTraq ID: 6109
Remote: No
Date Published: Nov 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6109
Summary:
SnortCenter is a web-based client-server management system written in PHP
and Perl. It assists with managing Snort configuration and signature files.
A vulnerability has been discovered in SnortCenter v0.9.5.
When SnortCenter is used to aggregate Snort rules for a particular sensor,
a file is created in the /tmp directory which is 'world' accessible. The
temporary sensor configuration files created may contain sensitive alert
database server access credentials.
Information disclosed by accessing this file may aid a malicious user in
launching attacks against alert database servers. The ability to modify
sensitive information contained within these files may result in the
corruption of typical SnortCenter functionality.
15. Safe.PM Unsafe Code Execution Vulnerability
BugTraq ID: 6111
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6111
Summary:
Safe.pm is a Perl module that is included in the distribution of Perl.
This module is used to compile and execute code in restricted
compartments. These compartments are used to verify the safety of
potentially rogue Perl code.
A vulnerability has been reported in the Safe.pm module. Reportedly, the
vulnerability may allow an attacker to bypass the security settings of the
secured compartment and execute code in an unsafe manner.
The vulnerability affects the reval() and rdo() subroutines in Safe.pm. It
is possible for a malicious program to modify a compartment variable used
by the subroutines. When a subroutine is called a second time with the
same compartment, it may be possible to bypass the security settings of
the compartment.
17. Frank McIngvale LuxMan Memory File Descriptor Leakage Vulnerability
BugTraq ID: 6113
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6113
Summary:
Frank McIngvale LuxMan is a video game similar to Pac Man for Linux-based
systems.
A vulnerability exists in LuxMan that could allow a local user read and
write access to system memory.
It has been reported that the 'maped' setuid binary in LuxMan is
vulnerable to a leakage of open file descriptors that may result in
unauthorized disclosure of memory. It is allegedly possible for attackers
to inherit open file descriptors with read/write access to /dev/mem by
executing a malicious program through maped. Since maped calls gzip
without using the explicit path, an attacker could create a malicious
binary named gzip and add its directory to the PATH environment variable.
When gzip is called by maped, the malicious gzip will be called rather
than the legitimate version.
Upon exploiting this vulnerability, an attacker would have read and write
access to memory. The attacker could use this access to gain sensitive
information such as passwords, or other information. Additionally, an
attacker could remap system calls. It should be assumed that total
compromise is imminent if an attacker has read or write access to memory.
18. Apache mod_php File Descriptor Leakage Vulnerability
BugTraq ID: 6117
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6117
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. Mod_PHP is an Apache
module which allows for PHP functionality in websites.
A vulnerability has been discovered in the mod_php module available for
Apache web servers that may, under some circumstances, leak file
descriptor information. By exploiting this vulnerability it may be
possible for a remote attacker to reuse file descriptors used by the httpd
daemon, effectively emulating the web server.
Exploitation of this issue may allow an attacker to bind a malicious
server instead of Apache httpd server. This will allow the attacker to
pose as a web server and distribute false information to legitimate users
attempting to connect to the server. It may also be possible to obtain
user credentials, or other sensitive information.
It should be noted that this issue is exploitable only if the 'safe_mode'
PHP option is disabled.
19. Linux Kernel 2.4 System Call TF Flag Denial Of Service Vulnerability
BugTraq ID: 6115
Remote: No
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6115
Summary:
A denial of service vulnerability has been reported for the Linux kernel.
Reportedly, it is possible to stop the kernel from responding by
triggering a system call with the TF flag enabled.
When a native Linux binary makes a system call, the 'int 0x80' instruction
is called, effectively triggering a trap into kernel mode. Non-native
Linux binaries use the 'lcall7' instruction to trigger a kernel trap. If
the TF (TRAP FLAG) bit is set when a trap is triggered using the 'lcall7'
instruction, the kernel will hang.
An attacker can exploit this vulnerability by executing a malicious
application that uses the lcall7/lcall27 functions to execute system
calls. By ensuring that the TF flag is set when the kernel attempts to
execute the system call, it is possible to cause the kernel to hang and
cause the denial of service condition. A reboot is necessary to restore
functionality.
This vulnerability was fixed in the Linux Kernel 2.4.19.
20. Linuxconf mailconf Module Mail Relay Vulnerability
BugTraq ID: 6118
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6118
Summary:
Linuxconf is an administration system which is divided into several
modules. The mailconf module is responsible for the configuration of
Sendmail.
A vulnerability has been discovered in the mailconf module included with
Linuxconf.
It has been reported that the sendmail.cf configuration file created by
the mailconf module contains a bug which could allow message relaying. By
specifying a recipient in the format of "user%domain@", it is possible to
relay messages outside of the mail daemon's served network.
Exploitation of this issue could allow an attacker to send unauthorized
messages from the vulnerable server.
It should be noted that the default configuration file distributed with
Sendmail is not vulnerable to this issue. It must have been created by
Linuxconf for this vulnerability to be introduced.
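An added detection example (not Linuxconf or Sendmail code) that classifies RCPT TO addresses and scans constructed sendmail-style log lines for the "user%domain@" form above. It goes beyond the page by also recognising the two other classic routed-address forms, bang paths and source routes; the domains and log lines are constructed for the example.

```python
# Added example: spot routed recipient addresses that ask this server to
# relay. Not Linuxconf/Sendmail code; domains and log lines are constructed.
import re

LOCAL_DOMAINS = {"example.org", "mail.example.org"}   # constructed

def route_hop(address):
    """Return (trick, hop): the routing trick used and the domain the
    address asks to forward through, or (None, None) for a plain address."""
    addr = address.strip().strip("<>")
    if addr.startswith("@"):                           # @hop,@hop2:user@final
        hop = addr[1:].split(":", 1)[0].split(",", 1)[0]
        return "source-route", hop.lower()
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return None, None                              # bare local part
    if "%" in local:                                   # user%final@hop
        return "percent-hack", domain.lower()
    if "!" in local:                                   # final!user@hop
        return "bang-path", domain.lower()
    return None, None

def is_relay_attempt(address, local_domains=LOCAL_DOMAINS):
    """True when a routed address names this server as the hop. An empty
    hop ("user%domain@", the BID 6118 form) is resolved to the local host."""
    trick, hop = route_hop(address)
    if trick is None:
        return False
    return hop == "" or hop in local_domains

LOG_RE = re.compile(r"to=<?([^>,\s]+)>?")

def flag_log_lines(lines, local_domains=LOCAL_DOMAINS):
    """Return the recipient addresses in 'to=<...>' log lines that look
    like relay attempts through this server."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_relay_attempt(m.group(1), local_domains):
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = [  # constructed lines in sendmail's general shape, not real logs
    "mx sendmail[101]: from=<a@remote.net>, relay=r1 [192.0.2.10]",
    "mx sendmail[101]: to=<victim%elsewhere.net@>, delay=00:00:01, stat=Sent",
    "mx sendmail[102]: to=<alice@example.org>, delay=00:00:00, stat=Sent",
    "mx sendmail[103]: to=<@example.org:victim@elsewhere.net>, stat=Sent",
]
```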
21. WindowMaker Image Handling Buffer Overflow Vulnerability
BugTraq ID: 6119
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6119
Summary:
WindowMaker is a popular window manager for X11 systems. A buffer
overflow vulnerability has been reported in WindowMaker.
The condition occurs when processing malformed images. According to the
report, a buffer for the image data is allocated based on the length and
width fields in the file. Allegedly, there is no bounds checking against
the buffer size when reading the actual image data from the file. As a
result, it may be possible to overrun the allocated buffer and corrupt
adjacent memory.
Exploitation of this vulnerability requires that the victim process a
specially constructed image file. This may be accomplished by including
the file in a malicious "theme" and then transmitting it to the victim or
placing it on a distribution HTTP/FTP server (in hopes that a victim will
download it and use/preview it).
22. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:
Pine is an open source mail user agent distributed by the University of
Washington. It is freely available for Unix, Linux, and Microsoft
operating systems.
It is possible to cause a denial of service in Pine by sending an email
message with a specially crafted "From:" address. According to the
report, the crash can be reproduced by setting the "From:" address to a
value such as:
"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld
A stack trace suggests that this behaviour may be due to corruption of
data in the heap. If that is the case, execution of arbitrary code may be
possible.
Note that the user does not have to view the message in order for the
denial of service to take place; the message simply has to be present in
the user's Inbox. While a message with this address is present in the
Pine Inbox, it is not possible to start Pine again. The message
containing this address must be manually removed from the spool or by
using another MUA.
It is important to note that this specially crafted "From:" address is RFC
legal.
This issue will reportedly be fixed in Pine 4.50.