Nokia GGSN Kernel Panic Denial of Service Vulnerability
BugTraq ID: 7854
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7854
Summary:
The Nokia GGSN (Gateway GPRS Support Node) is used to bridge Gn and Gi networks. GPRS can allow for web browsing and email connectivity for cellular phones. The GGSN device is reported to be prone to a denial of service condition triggered by malformed IP packets. When the device receives a malformed IP packet with a TCP option of 0xFF set, it will cause a kernel panic resulting in the device shutting down. This will cause a failure in all data connectivity on the GPRS (General Packet Radio Service) network.
[ hardware ]

GZip ZNew Insecure Temporary File Creation Symbolic Link Vulnerability
BugTraq ID: 7872
Remote: No
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7872
Summary:
gzip is a freely available, open source file compression utility. It is maintained in the public domain, and is available for the Unix, Linux, and Microsoft operating systems. A problem with the utility may make the local destruction of data possible. It has been reported that gzip does not securely handle temporary files in the znew script. Because of this, a local attacker may be able to launch a symbolic link attack against sensitive files. The problem is in the handling of checking for existing files. When the znew script executes, it does not sufficiently validate the value returned when the program checks for the existence of a file in the temporary directory. Because of this, znew could potentially write to a symbolic link that would destroy the data at the end of the symbolic link, provided the user has sufficient privileges to write to the file. This may also potentially lead to elevated privileges, though this theory is unconfirmed.

RPM Package Manager FTP NLST Data Integer Overflow Remote Memory Corruption Vulnerability
BugTraq ID: 7874
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7874
Summary:
The RPM Package Manager is a command line utility for creating, installing and managing RPM packages.
It is available for a wide range of Linux distributions. A vulnerability has been reported for the RPM Package Manager. The problem occurs when using the application to access FTP listings on a remote server. Specifically, RPM fails to sufficiently carry out sanity checks on the size of data returned by an FTP NLST listing. The size value is subsequently shifted 2 bits to the left, effectively increasing its size exponentially by 3, and is then used as a malloc() function parameter. The NLST data is then copied into the buffer returned by malloc(). An attacker could exploit this issue by controlling a malicious FTP server configured in such a way as to transmit NLST data in excess of 1 gigabyte. If this were to occur, when the RPM application carried out the shift procedure, the size value would overflow. As a result, an insufficient memory buffer will be allocated to store the data. The exploitability of this vulnerability to execute code is highly implausible, as copying data of this size will typically result in a page fault. However, this issue could result in the exhaustion of available system resources and would ultimately cause the RPM utility to crash.

Gnome FTP NLST Data Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7875
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7875
Summary:
A vulnerability has been reported for Gnome. It has been reported that when processing NLST data from an FTP server, various Gnome functions or utilities may fail to sufficiently handle the size of data returned. Due to subsequent calculations, insufficient data may be allocated for storage of the NLST data. This may result in excessive data being copied into insufficient memory, effectively causing a denial of service. It should be noted that this issue presents itself when a large amount of NLST data, in excess of 1 gigabyte, is received.
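The size arithmetic described in the RPM NLST entry above (and in the Gnome entry, which follows the same pattern), as an added example that is not RPM's or Gnome's own code: a 32-bit listing length shifted left by 2 wraps once the listing exceeds 1 GiB, so the subsequent copy outruns the allocation. The function names and the 64 MiB policy cap are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the NLST length is shifted left by 2 and the result
 * handed straight to malloc(). For nlst_len >= 2^30 (1 GiB) the 32-bit
 * result wraps, so the buffer is far smaller than the data copied into it. */
uint32_t nlst_alloc_size_unchecked(uint32_t nlst_len)
{
    return nlst_len << 2;
}

/* Assumed policy cap (not from RPM or Gnome): even a correctly sized 1 GiB
 * allocation is a resource-exhaustion problem, so bound the listing as well. */
#define NLST_POLICY_CAP (64u * 1024u * 1024u)

/* Hardened pattern: refuse any length whose 4x expansion would not fit in
 * 32 bits, then apply the policy cap. Returns false when the size is rejected. */
bool nlst_alloc_size_checked(uint32_t nlst_len, uint32_t *out)
{
    if (nlst_len == 0 || nlst_len > UINT32_MAX / 4)   /* would wrap on shift */
        return false;
    if (nlst_len > NLST_POLICY_CAP)
        return false;
    *out = nlst_len * 4;
    return true;
}

/* Store a received listing using the checked size; NULL means rejected. */
char *nlst_store(const char *data, uint32_t nlst_len)
{
    uint32_t need;
    if (!nlst_alloc_size_checked(nlst_len, &need))
        return NULL;
    char *buf = malloc(need + 1);
    if (!buf)
        return NULL;
    memcpy(buf, data, nlst_len);   /* nlst_len <= need, so the copy stays in bounds */
    buf[nlst_len] = '\0';
    return buf;
}
```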
As such, exploitation of this issue will inevitably result in the exhaustion of available resources, followed by a segmentation violation. Also, due to the excessive amount of data copied to memory, the exploitability of this issue to execute code may not be plausible. Furthermore, it is said that the exploitation of this issue may only be possible on architectures with specific variable width characteristics, typically 64-bit systems. It should be noted that the precise details regarding this vulnerability are currently unknown. The problem may lie in specific Gnome utilities or possibly in Gnome library string parsing functions linked to by other applications.

SMC Wireless Router Malformed PPTP Packet Denial of Service Vulnerability
BugTraq ID: 7876
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7876
Summary:
SMC SMC7004VWBR is a wireless Cable/DSL broadband router with integrated wireless access point and SPI firewall. It has been discovered that this device is prone to a denial of service attack. The problem occurs when processing a sequence of malformed PPTP packets transmitted to the router's internal interface. The successful exploitation of this vulnerability will result in the router no longer responding to internal wireless traffic. This will effectively deny legitimate wireless users further network services. It should be noted that the device would need to be physically reset to restore typical functionality. This vulnerability affects firmware versions earlier than 1.23.
[ hardware ]

Ethereal DCERPC Dissector Memory Allocation Vulnerability
BugTraq ID: 7878
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7878
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems.
The DCERPC dissector of Ethereal is prone to a condition whereby too much memory may be allocated when decoding certain NDR strings. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available. An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the vulnerable dissector, or by convincing a victim user to use Ethereal to read a malformed packet trace file. This may result in the vulnerable Ethereal process allocating too much memory. Repeated decoding of malformed NDR packets may result in the consumption of all available memory resources, which may lead to a denial of service condition. This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal SPNEGO Dissector Denial Of Service Vulnerability
BugTraq ID: 7879
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7879
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The SPNEGO dissector of Ethereal, when parsing certain ASN.1 codes, may cause a segmentation fault. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available. An attacker may be able to exploit this vulnerability by crafting a specially formed packet with an invalid ASN.1 value and sending it to a system using the vulnerable dissector. Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful, this may allow for the execution of arbitrary code with the privileges of the Ethereal process. This vulnerability affects Ethereal 0.9.12 and earlier.
Ethereal OSI Dissector Buffer Overflow Vulnerability
BugTraq ID: 7880
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7880
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The OSI dissector is prone to a buffer overflow condition when handling bad IPv4 or IPv6 prefix lengths. This is likely due to insufficient bounds checking. It may be possible to construct an IPv4 or IPv6 packet that will, when decoded by Ethereal, trigger the overflow condition. Successful exploitation of this vulnerability may result in the attacker gaining access to the Ethereal host via execution of attacker-supplied instructions. This BID will be updated when further technical details are disclosed. This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal Multiple Dissector String Handling Vulnerabilities
BugTraq ID: 7881
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7881
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. Several dissectors included with Ethereal do not properly handle strings. Exploitation of this issue may allow an attacker to cause Ethereal to behave in an unpredictable manner. The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors are vulnerable to this issue. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a specially formed packet and sending it to a system using the vulnerable dissectors, or by convincing a victim user to use Ethereal to read a malformed packet trace file. Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful, this may allow for the execution of arbitrary code with the privileges of the Ethereal process. This vulnerability affects Ethereal 0.9.12 and earlier.

Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
BugTraq ID: 7883
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7883
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. An Ethereal routine, tvb_get_nstringz0(), has been reported prone to a memory handling vulnerability. Reportedly tvb_get_nstringz0() incorrectly handles a zero-length buffer size. Although unconfirmed, it has been conjectured that this issue may be due to an incorrect allocation of memory, caused when an unsigned integer is used when calculating the size of memory to be allocated. Exploitation of this issue may allow an attacker to cause Ethereal to behave in an unpredictable manner. Due to the nature of this vulnerability, it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful, this may allow for either a remotely triggered denial of service condition or, ultimately, the execution of arbitrary code with the privileges of the Ethereal process. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available. This vulnerability affects Ethereal 0.9.12 and earlier.
FakeBO Syslog Format String Vulnerability
BugTraq ID: 7882
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7882
Summary:
FakeBO is a utility to log common trojan attempts in an effort to possibly emulate one. It may also be used in a honeypot setup to facilitate security monitoring. It is available for Microsoft Windows, Linux, and Unix variant operating systems. A vulnerability has been reported for FakeBO that may result in an attacker obtaining elevated privileges on a target system. Due to a programming error, it may be possible to exploit a format string vulnerability in the affected utility. Specifically, a logging function in FakeBO contains insecure syslog() calls. This could result in the execution of attacker-supplied code. The vulnerability occurs when FakeBO resolves a carefully constructed hostname that includes malicious format string specifiers. In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with elevated privileges. This vulnerability was reported for FakeBO 0.4.1.

MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
BugTraq ID: 7887
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7887
Summary:
MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows. MySQL contains a library called libmysqlclient. A problem exists in the mysql_real_connect() function of the libmysqlclient library that could result in a buffer being overrun. The problem likely occurs due to insufficient bounds checking of user-supplied parameters and could allow an attacker to corrupt sensitive process memory. It is possible to trigger this condition by supplying a parameter containing approximately 350 or more bytes of data.
An attacker could potentially be capable of exploiting this issue to execute arbitrary code on a remote system. It should be noted that this issue would need to be exploited in conjunction with an unrelated remote SQL injection attack, or possibly used on a system which allows for the uploading of scripts.

Typespeed Remote Memory Corruption Vulnerability
BugTraq ID: 7891
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7891
Summary:
Typespeed is a game designed to test typing skills. It is available for the Linux operating system. Typespeed is installed setgid 'games' by default on the Debian Linux distribution. A memory corruption vulnerability has been reported for Typespeed that may result in code execution with elevated privileges. The vulnerability exists in the net_swapscore() function of the 'network.c' source file. Specifically, proper bounds checks are not performed prior to executing the 'strncpy' function. A remote attacker may be able to exploit this vulnerability to corrupt sensitive memory with attacker-supplied code. This vulnerability was reported for Typespeed 0.4.1 and earlier.

Cistron RADIUS Remote Signed NAS-Port Number Expansion Memory Corruption Vulnerability
BugTraq ID: 7892
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7892
Summary:
A vulnerability has been discovered in the Cistron RADIUS server. The problem is due to the way the application processes user-supplied NAS-Port values. The issue occurs within the make_wtmp function when making a call to sprintf(). Specifically, the '%03d' format specifier is used to interpret the user-supplied nas_port variable. The problem lies in the fact that the nas_port variable could hold a signed integer value. If the value were a negative value greater than 1 billion (10 digits), the sprintf() function would expand the integer up to 11 bytes.
This is due to a minus '-' symbol being prepended to the 10 byte value. Due to this unexpected value expansion, the 'buf[32]' character array may be overrun by 1 byte. This is due to the sprintf() call also appending a colon ':', 20 bytes of data and a NUL byte to the buffer, after interpreting the port value. This issue could pose a security threat as the NUL byte could potentially corrupt the LSB of the current frame's saved frame pointer. This could result in a situation under which an attacker-supplied memory address could be popped as an instruction pointer, effectively resulting in the execution of arbitrary code. It should be noted that the exploitability of this issue is heavily dependent on the layout of the process in memory, which is compiler dependent. It has been reported, however, that under some circumstances this issue may affect data stored from previously processed packets or possibly other sensitive stack variables.
[ hardware/firmware ]

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
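The length arithmetic in the Cistron RADIUS entry above, as an added example that is not Cistron's own make_wtmp() code: a negative nas_port formatted with "%03d" expands to 11 bytes, and with the colon, the 20-byte field and the NUL the total reaches 33 bytes against a 32-byte buffer. The function names, the constructed 20-byte field and the exact format layout are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define WTMP_BUF 32
/* Constructed stand-in for the 20 bytes the entry says follow the colon. */
static const char FIXED20[] = "12345678901234567890";

/* Bytes (including the terminating NUL) that sprintf(buf, "%03d:%s", ...)
 * would write for a given port. "%03d" pads to at least 3 characters but
 * never truncates, so a negative 10-digit value yields 11 characters. */
size_t wtmp_bytes_written(int nas_port)
{
    return (size_t)snprintf(NULL, 0, "%03d:%s", nas_port, FIXED20) + 1;
}

/* Hardened variant: a NAS-Port is never negative, so reject the sign bit
 * before formatting, and bound the write with snprintf() so that even an
 * unexpected value cannot run past buf. Returns 0 on success, -1 when the
 * port is rejected or the formatted record would not fit. */
int wtmp_format_checked(char buf[WTMP_BUF], int nas_port)
{
    if (nas_port < 0)
        return -1;
    int n = snprintf(buf, WTMP_BUF, "%03d:%s", nas_port, FIXED20);
    if (n < 0 || (size_t)n >= WTMP_BUF)   /* would have been truncated */
        return -1;
    return 0;
}
```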
