SLocate Path Malloc Integer Signing Heap Overflow Vulnerability
BugTraq ID: 7629
Remote: No
Date Published: May 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7629
Summary:
slocate is the Secure Locate program. It is available for various UNIX operating systems and is maintained in the public domain. A problem with slocate may make it possible for a local user to gain unauthorized privileges. It has been reported that slocate is vulnerable to a signed integer overflow issue when handling data in the environment variable SLOCATE_PATH. Because of this problem, a local attacker may be able to cause heap corruption and potentially execute code. The problem lies in the handling of large amounts of data in the SLOCATE_PATH variable. By placing a specially crafted string in the environment variable, an attacker could cause the sign bit of an integer value to wrap, resulting in an insufficient amount of malloc'd memory. This could potentially be exploited by the attacker to execute code with the privileges of the slocate program.

Snort Spoofed Packet TCP State Evasion Vulnerability
BugTraq ID: 7635
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7635
Summary:
Snort is a freely available, open source intrusion detection system. It is available for Unix, Linux, and Microsoft Windows platforms. A vulnerability has been reported within the spp_stream4.c source file. The problem is said to occur while maintaining the state of an established session. Specifically, Snort is said to call UpdateState before verifying the legitimacy of a packet received from a client partaking in a legitimate session. As a result, it may be possible to corrupt the stateful inspection carried out by Snort. This issue can be triggered by forging a packet to a server containing the legitimate client source IP and port. When encountered by Snort, the state of the session is updated before verifying that the packet is a legitimate part of the established session. However, when the packet is received by the server, it will be dropped due to invalid sequence and acknowledgement data.
An attacker could exploit this vulnerability to trigger a situation in which legitimate session traffic would no longer be detected by Snort. This vulnerability has been reported to affect Snort 2.0.0rc2; however, other versions may also be affected. It should be noted that this is a theoretical issue and has not yet been officially confirmed.

CUPS Cupsd Request Method Denial Of Service Vulnerability
BugTraq ID: 7637
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7637
Summary:
CUPS, the Common Unix Printing System, is a widely used set of printing utilities for Unix based systems. cupsd has been reported to be prone to a denial of service vulnerability. The issue presents itself when a remote attacker sends an incomplete HTTP POST request. cupsd does not adequately apply a time-out to the operation, and service is denied to subsequent cupsd requests. This issue may be exploited by remote attackers to deny cupsd service to legitimate users.

WSMP3 Remote Information Disclosure Vulnerability
BugTraq ID: 7642
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7642
Summary:
WsMp3 is a web server designed to stream MP3 files over the internet. It is available for the Linux operating system. A vulnerability has been reported for WsMp3. The problem is said to occur due to insufficient sanitization of HTTP GET requests. Specifically, WsMp3 fails to strip directory traversal sequences (../) from requests. As a result, an attacker may be capable of accessing the contents of sensitive system resources. Information obtained in this manner may aid an attacker in launching further attacks against the target system. All files accessed in this manner are read with the privileges of WsMp3d, typically root. This vulnerability is said to affect WsMp3 0.0.10 and earlier.

[ unclear licence ]

WSMP3 Remote Command Execution Vulnerability
BugTraq ID: 7645
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7645
Summary:
WsMp3 is a web server designed to stream MP3 files over the internet. It is available for the Linux operating system. A vulnerability has been reported for WsMp3. The problem is said to occur due to insufficient sanitization of HTTP POST requests. Specifically, WsMp3 fails to strip directory traversal sequences (../) from requests. As a result, an attacker may be capable of running arbitrary executables. This may lead to the complete compromise of a target system. All files executed in this manner would be invoked with the privileges of WsMp3d, typically root. This vulnerability is said to affect WsMp3 0.0.10 and earlier.

WSMP3 Request Data Heap Overflow Vulnerability
BugTraq ID: 7643
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7643
Summary:
WSMP3 is a freely available server that allows users to stream MP3 files. WSMP3 is prone to a remotely exploitable heap overflow. Request data, which is stored in dynamically allocated memory, is not sufficiently checked for a bounds violation before being freed. This lack of bounds checking occurs in multiple places in the 'req_descriptor.c' source file. An attacker may leverage this condition to corrupt malloc headers with custom data. It is possible to exploit this issue to execute malicious instructions with the privileges of the WSMP3 server.

Slackware rc.M Runlevel Script Unexpected Partition Remounting Weakness
BugTraq ID: 7654
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7654
Summary:
The rc.M runlevel script used by Slackware is invoked when a system is entering multi-user mode. During the execution of rc.M the '/sbin/quotacheck' file is invoked, which is used to analyze the usage of files and directories on a target filesystem. A weakness has been discovered in the rc.M runlevel script when invoking quotacheck. The problem lies in the use of the '-M' command-line switch in place of the intended '-m' switch. As a result, '-M' will cause the filesystem, and thus the corresponding partition, to be remounted. When this occurs, any normally enforced mount options, such as 'noexec', 'nosuid', etc., may not be applied. This may result in an administrator having a false sense of security. Furthermore, access to less restrictive partitions may aid a local attacker in successfully launching unrelated attacks. This vulnerability is said to affect the Slackware 9.0 rc.M script; however, earlier releases of Slackware may also be affected.

OpenLDAP LDBM_Back_Exop_Passwd Denial Of Service Vulnerability
BugTraq ID: 7656
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7656
Summary:
OpenLDAP is an open-source implementation of the LDAP protocol. OpenLDAP is prone to a remotely exploitable denial of service. Under some circumstances, the server may attempt to free an uninitialized structure during authentication. This issue exists in the 'password.c' source file. According to the vendor, this issue can occur when a 'struct berval' is uninitialized and freed by the ldbm_back_exop_passwd() function (which handles LDAP Modify Password Extended Operations). This could deny availability of LDAP services to legitimate users.

Nessus LibNASL Arbitrary Code Execution Vulnerability
BugTraq ID: 7664
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7664
Summary:
Nessus is a vulnerability scanning utility available for the Unix and Microsoft Windows operating systems. libnasl is a library used by Nessus to process NASL scripts. Nessus has reported that various flaws have been discovered in the libnasl library. Amongst other functions, scanner_add_port(), insstr() and ftp_log_in() fail to sufficiently handle malformed parameters and may allow a script to break out of the established sandbox environment. As a result, it may be possible for a malicious Nessus plugin to execute arbitrary system commands with the privileges of the Nessus application, possibly root. It should be noted that this malicious script must be a legitimate plugin which has been uploaded to the Nessus server. Furthermore, the affected Nessus application must have enabled the 'plugins_upload' option, which is disabled by default. The precise details regarding this vulnerability are currently unknown. This BID will be updated as further information becomes available. Although unconfirmed, these vulnerabilities may be exploited to execute arbitrary attacker-supplied code. This issue affects Nessus version 2.05 and earlier.

[ + the weekly phpnuke and other software issues. ]

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
