UML_NET Integer Mismanagement Code Execution Vulnerability
BugTraq ID: 7676
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7676
Summary:
uml_utilities is a collection of packages designed to be used in conjunction with the User Mode Linux (UML) kernel patch. The uml_net program can be used by an administrator to configure various network devices and system networking parameters.

A vulnerability has been discovered in uml_net. The problem lies in the uml_net.c source file and occurs while handling user-supplied version information. The 'v' variable is declared as a signed integer, yet it is used to store the unsigned value returned by a call to 'strtoul()'. A sufficiently large value is therefore interpreted as a negative number in 'v'. Because 'v' is later used in bounds checks, specifically 'if (v > CURRENT_VERSION)', a negative value produces an unexpected comparison result and bypasses the check.

If all necessary checks are passed, an attacker may be able to index a malformed location within an array of function pointers: 'v' is used as an index into the (*handlers[])() array, so the negative value stored in 'v' lets the attacker reference an attacker-supplied address lower in process memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with the privileges of uml_net, possibly root. It has been confirmed that uml_net is installed suid root on at least one Linux distribution.

Encrypted Virtual Filesystem Local Heap Overrun Vulnerability
BugTraq ID: 7679
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7679
Summary:
Encrypted Virtual Filesystem (EVFS) is a virtual filesystem that runs on top of the Linux VFS. It allows multiple users to each mount their own encrypted filesystems using individual keys. It is available for the Linux operating system.

A vulnerability has been discovered in the 'efs' utility used by EVFS. The problem occurs in the 'do_mount()' function within the efs.c source file.
During a call to salloc(), the size calculation fails to take the size of the 'to' argument into account. More data than was allocated may subsequently be written into the buffer, so an attacker may be able to corrupt sensitive memory management information. Successful exploitation of this vulnerability could allow a legitimate EVFS user to execute arbitrary commands with root privileges. This vulnerability affects EVFS v0.2; earlier versions may also be affected.

D-Link DI-704P Syslog.HTM Denial Of Service Vulnerability
BugTraq ID: 7686
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7686
Summary:
The D-Link DI-704P is an Internet broadband gateway device. It provides a way to share a single broadband Internet connection and a single printer among the systems connected to the local network.

The D-Link DI-704P has been reported prone to a remote denial of service vulnerability. The issue presents itself in the 'Syslog.htm' page, part of the router's web management interface. It has been reported that when excessive data is passed in a URI parameter of a request for the vulnerable page, the device firmware behaves in an unstable manner. Although unconfirmed, this may be due to an attempted name resolution of the malicious data. Subsequent malicious requests may corrupt device logs or cause a complete denial of service condition requiring a device reboot.

Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected.

[ hardware ]

ifenslave Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7682
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7682
Summary:
ifenslave is a tool designed to attach and detach slave network interfaces to a bonding device. The bonding device appears to the Linux kernel as an Ethernet network device, but sends packets out through the bound slave devices using a scheduler.

ifenslave for Linux has been reported prone to a buffer overflow vulnerability. The issue is reportedly due to insufficient bounds checking of user-supplied data before it is copied into an internal buffer. Specifically, excessive data passed as the first command line argument to the vulnerable ifenslave executable may, when copied into internal memory, overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been confirmed to contain values that are crucial to controlling program execution flow. It is therefore possible for a local attacker to seize control of the vulnerable application and have arbitrary code executed in the context of ifenslave.

ifenslave is not installed setuid or setgid by default. It should be noted that although this vulnerability has been reported to affect ifenslave version 0.07, previous versions might also be affected.

PalmVNC Insecure Password Storage Vulnerability
BugTraq ID: 7696
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7696
Summary:
PalmVNC is a VNC implementation for PalmOS. It can be used to establish VNC sessions with Windows or Unix/Linux systems.

PalmVNC stores password credentials in plaintext. By default, the database file (PalmVNCDB) that contains VNC passwords has the backup bit set. As a result, these credentials may be copied to a desktop system when the Palm is "HotSynced". This could expose the credentials to other users of the system on which the backup is stored.

This issue was reported in PalmVNC 1.40. Other versions are also likely affected.
[ unclear licence ]

BNC IRC Proxy Multiple Session Denial of Service Vulnerability
BugTraq ID: 7701
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7701
Summary:
BNC IRC Proxy is an open source IRC proxying server that allows a system without direct Internet access to relay through the BNC server.

It has been reported that BNC IRC Proxy is prone to a denial of service vulnerability. The problem appears to occur when two legitimate users of the service connect from the same IP address: if the second connected user disconnects before the first, the service reportedly fails when the first user disconnects. Precise technical details of this vulnerability are not currently known. This record will be updated when further details become available.

This vulnerability was reported to affect BNC IRC Proxy version 2.6.2 and prior.

upclient Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 7703
Remote: No
Date Published: May 27 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7703
Summary:
upclient is a multi-platform utility designed to extract and publish system uptime statistics.

upclient has been reported prone to a buffer overflow vulnerability when handling command line arguments of excessive length. Specifically, when the vulnerable upclient handles a '-p' command line argument of more than 1022 bytes, the bounds of an internal buffer are overrun and memory adjacent to the buffer is corrupted with attacker-supplied data. Memory adjacent to this buffer has been reported to contain values that are crucial to controlling program execution flow. It is therefore possible for a local attacker to seize control of the vulnerable application and have arbitrary code executed in the context of upclient.

It has been reported that upclient is installed on FreeBSD systems as setuid kmem. An attacker may harness the elevated privileges obtained in this way to manipulate arbitrary areas of system memory through the /dev/mem or /dev/kmem devices.

eterm PATH_ENV Buffer Overflow Vulnerability
BugTraq ID: 7708
Remote: No
Date Published: May 27 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7708
Summary:
Eterm is terminal emulation software available for Unix and Linux variants.

Eterm has been reported prone to a local buffer overflow vulnerability; code execution with elevated privileges has been confirmed possible. The issue presents itself in the conf_parse_theme() function and is due to insufficient bounds checking of an environment variable that is copied into an internal memory buffer located in static memory. The issue is exacerbated because adjacent memory holds the 'rs_pixmaps' char pointer data, which the attacker may manipulate to point anywhere in system memory. The function post_parse() is later invoked; it calls free() on the location pointed to by rs_pixmaps. Since the attacker may have corrupted the 'rs_pixmaps' data to point to a maliciously crafted fake malloc chunk on the heap, arbitrary memory of the attacker's choice may be corrupted when malloc() is called.

It has been reported that Eterm fails after it frees the malicious chunk: an internal Eterm function, dump_stack_trace(), intercepts SIGSEGV in the process and performs a small memory dump before launching gdb, and later generates a SIGALRM. It has been demonstrated, however, that delivery of this signal may be prevented and arbitrary shell code executed with elevated privileges. Code execution will occur in the context of the vulnerable Eterm, which may be setuid/setgid utmp or possibly root on some Unix/Linux distributions.
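The signed/unsigned mismatch described under BID 7676 (uml_net) above, shown as an added example that is not code from uml_net or from SecurityFocus; CURRENT_VERSION, the handler table and all input values are assumed placeholders. The flawed pattern stores strtoul()'s result in an int, so a large value wraps negative and slips past the upper-bound check; the hardened parser keeps the unsigned type and rejects signs, leading whitespace, trailing characters, overflow and out-of-range values before the table is indexed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

#define CURRENT_VERSION 2   /* placeholder; the real uml_net value is not on this page */

/* The flawed pattern: strtoul()'s unsigned result stored in a signed int,
 * then compared against CURRENT_VERSION.  Returns 1 when the check passes.
 * "4294967295" becomes -1 in 'v', and -1 > CURRENT_VERSION is false. */
int flawed_check_passes(const char *s)
{
    int v = (int)strtoul(s, NULL, 10);   /* high-bit values wrap negative */
    return v > CURRENT_VERSION ? 0 : 1;  /* negative 'v' slips through */
}

/* Hardened parser: keep the unsigned type; reject leading whitespace or a
 * sign (strtoul accepts "-1" and returns ULONG_MAX), trailing junk,
 * overflow, and anything above CURRENT_VERSION.  Returns 0 on success. */
int parse_version(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s)
        || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > CURRENT_VERSION)
        return -1;
    *out = v;
    return 0;
}

/* Constructed handler table, one entry per supported protocol version. */
static int handler_v0(void) { return 100; }
static int handler_v1(void) { return 101; }
static int handler_v2(void) { return 102; }
static int (*handlers[CURRENT_VERSION + 1])(void) = { handler_v0, handler_v1, handler_v2 };

/* Dispatch only through the validated value, so the index is always inside
 * handlers[] and never negative.  Returns -1 when the input is rejected. */
int dispatch(const char *s)
{
    unsigned long v;
    if (parse_version(s, &v) != 0)
        return -1;
    return handlers[v]();
}
```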
Red Hat Linux up2date Unspecified Vulnerability
BugTraq ID: 7714
Remote: No
Date Published: May 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7714
Summary:
Red Hat Linux is a popular distribution of the Linux operating environment. A vulnerability has been reported in Red Hat Linux's up2date mechanism. up2date is used by Red Hat Linux distributions to provide a way for users to obtain system updates through the Red Hat Network.

up2date is prone to an issue that may result in a segmentation fault during Migration. Although unconfirmed, given the nature of this report it has been speculated that memory corruption may trigger this vulnerability, and that under the right circumstances the situation may ultimately be exploitable. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information becomes available.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
