WebFS Request-URI Buffer Overflow Vulnerability
BugTraq ID: 7990
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7990
Summary:
WebFS is a simple web server that serves static content. It is available for Linux and Unix variant operating environments. A buffer overflow vulnerability has been reported for WebFS that may result in the execution of attacker-supplied code. The vulnerability exists in the parse_request() function of the request.c source file and is due to insufficient bounds checking of an overly long Request-URI in an HTTP request. Successful exploitation would corrupt sensitive memory with attacker-supplied values and could lead to the execution of arbitrary code. This vulnerability affects WebFS 1.1.8 and earlier.

osh Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7992
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7992
Summary:
osh (Operator Shell) is a security-enhanced, restricted shell. It allows a system administrator to restrict access to special commands and files to certain users. The osh shell is a setuid root shell. A buffer overflow vulnerability has been reported for osh when processing environment variables. The problem likely occurs due to insufficient bounds checking when copying environment data into an internal memory buffer. As a result, it may be possible for a malicious local user to corrupt osh process memory in such a way as to redirect execution flow. Although unconfirmed, this buffer overflow may be exploited to execute arbitrary code with superuser privileges. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available. This vulnerability was reported to affect osh 1.7.

osh File Redirection Buffer Overflow Vulnerability
BugTraq ID: 7993
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7993
Summary:
osh (Operator Shell) is a security-enhanced, restricted shell. It allows a system administrator to restrict access to special commands and files to certain users.
The osh shell is a setuid root shell. A buffer overflow vulnerability has been reported for osh when processing file redirection commands. The problem likely occurs due to insufficient bounds checking when copying data into an internal memory buffer. As a result, it may be possible for a malicious local user to corrupt osh process memory in such a way as to redirect execution flow. Although unconfirmed, this buffer overflow may be exploited to execute arbitrary code with superuser privileges. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available. This vulnerability was reported to affect osh 1.7.

Traceroute-Nanog Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7994
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7994
Summary:
Traceroute is a tool used to trace the path that packets take through a TCP/IP network. Traceroute-Nanog is installed setuid root on most systems, as it requires the use of raw sockets. An integer overflow vulnerability has been reported for Traceroute-Nanog. When processing the user-supplied max_ttl and nprobes values of a traceroute invocation, the program fails to account for integer wrapping. Specifically, the issue presents itself when large values are passed via the '-q' (nprobes) and '-m' (max_ttl) command line arguments. If the values are large enough, the product nprobes (-q) * max_ttl (-m) used in subsequent boundary calculations wraps, is interpreted as a negative value, and so bypasses the boundary checks. This may result in excessive data being copied into an insufficient memory space, corrupting adjacent heap-based memory management structures.
Although conjectured and unconfirmed, an attacker who controls the corrupted memory might exploit this condition to execute arbitrary instructions with elevated privileges. It should be noted that this vulnerability might only affect the Debian package of Traceroute-Nanog.

Zope Empty Upload Information Disclosure Vulnerability
BugTraq ID: 7998
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7998
Summary:
Zope is an open source web application server maintained by the Zope Project. Zope is available for Linux, Unix, and Microsoft Windows based systems. Reportedly, Zope will disclose path information if the 'addFile' script is invoked for an upload without a target file being supplied as a URI parameter. An error is triggered and traceback information containing possibly sensitive path information is returned to the attacker's browser. If an attacker can gain information about the details of the filesystem, this information may be useful in further attacks against the host.

Zope addItems Script Information Disclosure Vulnerability
BugTraq ID: 7999
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7999
Summary:
Zope is an open source web application server maintained by the Zope Project. Zope is available for Linux, Unix, and Microsoft Windows based systems. A vulnerability has been discovered in Zope which may result in the disclosure of sensitive information to a remote attacker. The problem occurs when a value greater than 11 is passed as the 'records' URI parameter to the addItems script. When this occurs, an exception is triggered, causing the server to return an error page containing sensitive system information. Information disclosed may include the session identifier, the script installation paths, the application installation path, etc.
Access to this information could potentially aid an attacker in launching further attacks against the system.

Zope Invalid Query Information Disclosure Vulnerability
BugTraq ID: 8000
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8000
Summary:
Zope is an open source web application server maintained by the Zope Project. Zope is available for Linux, Unix, and Microsoft Windows based systems. Reportedly, Zope will disclose path information if a user issues an invalid query through the Shopping Cart example scripts. An error is triggered and traceback information containing possibly sensitive path information is returned to the attacker's browser. If an attacker can gain information about the details of the filesystem, this information may be useful in further attacks against the host.

Zope ExampledbBrowseReport Description Field HTML Injection Vulnerability
BugTraq ID: 8001
Remote: Yes
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8001
Summary:
Zope is an open source web application server maintained by the Zope Project. Zope is available for Linux, Unix, and Microsoft Windows based systems. It has been reported that the Zope ExampledbBrowseReport example script suffers from an HTML injection vulnerability. The problem is said to occur due to insufficient input validation of user-supplied form data. Specifically, it is possible to embed HTML code within the 'Description' field of the ExampledbBrowseReport example script. Any script code so embedded will be interpreted by the browsers of other Zope users who view the affected page, within the context of the site hosting the affected script. Successful exploitation of this issue could ultimately result in the attacker obtaining cookie-based authentication credentials or other sensitive information, which could be used to impersonate the other user.
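The integer wrap described for Traceroute-Nanog (BID 7994 above), written out in C as an added example rather than code from traceroute-nanog or its Debian package: the product nprobes * max_ttl is formed in a 32-bit int, a negative result slips past a "larger than the buffer?" test, and the hardened check rejects the same inputs before multiplying. The capacity MAX_PROBE_SLOTS and the function names are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Capacity of the hypothetical per-hop probe table; not traceroute-nanog's real value. */
#define MAX_PROBE_SLOTS 4096

/* Product of the two user-supplied counts as a 32-bit int would hold it.
 * Signed overflow is undefined in C, so the two's-complement wrap is made
 * explicit with unsigned arithmetic and a conversion back to int. */
static int wrapped_product(int nprobes, int max_ttl)
{
    unsigned int u = (unsigned int)nprobes * (unsigned int)max_ttl;
    return (int)u;   /* 0x80000000 converts to INT_MIN on mainstream compilers */
}

/* The vulnerable pattern: the size test runs on the already-wrapped value,
 * so a negative product passes as "small enough". */
bool vulnerable_size_check(int nprobes, int max_ttl)
{
    int total = wrapped_product(nprobes, max_ttl);
    if (total > MAX_PROBE_SLOTS)
        return false;            /* honest rejection of a large product */
    return true;                 /* but a negative total is accepted here */
}

/* Hardened form: reject non-positive counts, prove the product cannot
 * exceed INT_MAX before computing it, then compare against the capacity. */
bool hardened_size_check(int nprobes, int max_ttl)
{
    if (nprobes <= 0 || max_ttl <= 0)
        return false;
    if (nprobes > INT_MAX / max_ttl)   /* product would overflow */
        return false;
    return nprobes * max_ttl <= MAX_PROBE_SLOTS;
}

int main(void)
{
    /* 65536 * 32768 == 2^31, which wraps to INT_MIN in a 32-bit int. */
    struct { int q, m; } cases[] = { {3, 30}, {100, 100}, {65536, 32768} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("-q %d -m %d: wrapped=%d vulnerable=%s hardened=%s\n",
               cases[i].q, cases[i].m,
               wrapped_product(cases[i].q, cases[i].m),
               vulnerable_size_check(cases[i].q, cases[i].m) ? "accept" : "reject",
               hardened_size_check(cases[i].q, cases[i].m) ? "accept" : "reject");
    }
    return 0;
}
```

The division test `nprobes > INT_MAX / max_ttl` is the portable way to ask "would this multiplication overflow?" without performing it; compilers that offer `__builtin_mul_overflow` give the same answer in one call, but the division form works in plain C.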
Linux /proc Filesystem Potential Information Disclosure Vulnerability
BugTraq ID: 8002
Remote: No
Date Published: Jun 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8002
Summary:
A potential information disclosure vulnerability has been reported for the Linux /proc filesystem. The problem occurs specifically when invoking a setuid application. The problem lies in the permissions of the /proc/PID/environ file when the file has been opened prior to privilege elevation. It has been reported that if a user process opens the environ file and then executes a setuid application, the ownership of the already open file is not changed, so the unprivileged opener can continue to read it. As a result, an attacker may be capable of reading the environment data of a privileged process. This may pose a security risk, as the application may place sensitive or privileged information in its environment. Access to this information could theoretically aid an attacker in launching further attacks against a target system. It has been conjectured that this issue affects the 2.2 and 2.4 Linux kernel trees. This, however, has not been confirmed by Symantec. This information will be updated as further information becomes available.

GNU GNATS PR-Edit Command Line Option Heap Corruption Vulnerability
BugTraq ID: 8003
Remote: No
Date Published: Jun 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8003
Summary:
GNU GNATS is a freely available bug tracking system. It is available for a variety of Linux and Unix variant operating environments. The pr-edit utility is shipped as part of GNATS and is intended as an editor for problem reports. The pr-edit utility is a setuid utility, typically with UID 'gnats' privileges. A heap overflow vulnerability has been reported for the pr-edit utility. The vulnerability occurs due to insufficient checks performed on the argument to the '-d' command line option, which is passed to sprintf() without regard to the size of the destination buffer.
An attacker can invoke pr-edit with a malicious '-d' command line argument to trigger the heap corruption. Successful exploitation may result in the execution of attacker-supplied code with potentially elevated privileges. It should be noted that on some systems the pr-edit utility may be installed with setuid 'root' privileges. This vulnerability was reported to affect GNATS 3.002.

GNU GNATS PR-Edit Lock File Buffer Overflow Vulnerability
BugTraq ID: 8004
Remote: No
Date Published: Jun 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8004
Summary:
GNU GNATS is a freely available bug tracking system. It is available for a variety of Linux and Unix variant operating environments. The pr-edit utility is shipped as part of GNATS and is intended as an editor for problem reports. The pr-edit utility is a setuid utility, typically with UID 'gnats' privileges. A stack overflow vulnerability has been reported for the pr-edit utility. The vulnerability occurs when pr-edit finds a file already locked. If a file is locked, pr-edit reads the lock file to print a message naming the user that locked the file. Due to the improper use of fscanf(), no bounds check is performed on the length of the user name read from the lock file. An attacker can exploit this vulnerability by creating a lock file containing over 2000 bytes. This will trigger the buffer overflow condition when pr-edit attempts to read the file. Successful exploitation may result in the execution of attacker-supplied code with potentially elevated privileges. It should be noted that on some systems the pr-edit utility may be installed with setuid 'root' privileges. This vulnerability was reported to affect GNATS 3.002.

GNU GNATS Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 8005
Remote: No
Date Published: Jun 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8005
Summary:
GNU GNATS is a freely available bug tracking system.
It is available for a variety of Linux and Unix variant operating environments. It has been reported that GNATS is prone to a buffer overflow condition when parsing certain environment variables. Specifically, the configure() function of the config.c source file does not perform proper bounds checks on the GNATS_ROOT environment variable. An attacker can exploit this vulnerability by setting an overly long GNATS_ROOT environment variable, consisting of at least 5000 characters, and invoking one of several GNATS utilities. This will trigger the overflow condition and result in the corruption of sensitive memory. The following utilities have been reported to be affected:
pr-edit
queue-pr
gen-index
The affected utilities are typically installed with setuid 'gnats' privileges; however, on some systems they may be installed with setuid 'root' privileges. Successful exploitation may result in the execution of attacker-supplied code with elevated privileges. This vulnerability was reported to affect GNU GNATS 3.113.1 and 3.113.

tcptraceroute Failure To Relinquish Root Privileges Weakness
BugTraq ID: 8020
Remote: No
Date Published: Jun 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8020
Summary:
tcptraceroute is a traceroute implementation that uses TCP packets. It is a setuid-root program. It has been reported that tcptraceroute does not drop root privileges after obtaining the file descriptor it needs for raw packet capture, although root is only required to obtain that descriptor. There are currently no known exploitable conditions in tcptraceroute. However, if an exploitable condition were discovered within the program, this weakness would turn it into a local privilege escalation, since the process still runs as root when it parses input.

Gkrellmd Remote Buffer Overflow Vulnerability
BugTraq ID: 8022
Remote: Yes
Date Published: Jun 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8022
Summary:
GKrellM is a suite of system monitors, designed to display a graphic representation of system performance statistics.
GKrellMd is a daemon that is shipped as part of the GKrellM software. GKrellMd has been reported prone to a remote buffer overflow vulnerability that may allow arbitrary code execution. The issue presents itself due to a lack of sufficient bounds checking on network-based data. If data exceeding the size of the reserved memory buffer (128 bytes) is received and processed by the affected daemon, the excess is copied beyond the boundary of the buffer and corrupts adjacent memory. It has been confirmed that a saved instruction pointer can be corrupted in this manner; a remote attacker may ultimately exploit this issue to seize control of the affected daemon and execute arbitrary code in the context of the user running the daemon. This vulnerability has been reported to affect Gkrellm 2.1.13.

Sharp Zaurus Samba Server Unauthorized Remote Filesystem Access Vulnerability
BugTraq ID: 8026
Remote: Yes
Date Published: Jun 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8026
Summary:
Zaurus is a handheld device distributed by Sharp Electronics. Zaurus runs an embedded Linux-based operating system called Embedix. When the device is placed in its docking station, the station's USB cable and its connection are presented as a network interface to the attached PC. As a result, a user on the attached PC may connect to the Zaurus over the network. It may also be possible to connect to a Zaurus via an 802.11b connection. A vulnerability has been reported for the Samba server when run on the Sharp Zaurus Embedix operating system. The problem occurs when the device is mounted in the docking station. When docked, a Samba server is immediately started and accepts connections on any external interface. It has been discovered that by default the Samba server is configured to allow unauthenticated users unrestricted read/write access to the local file system.
This could potentially result in the disclosure of sensitive information or the corruption of system resources. It may also allow an attacker to execute arbitrary code on the target device.

[ hardware? firmware ? OSS ? libre ? ]

Tripbit Secure Code Analizer Local fgets() Buffer Overrun
BugTraq ID: 8028
Remote: No
Date Published: Jun 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8028
Summary:
Tripbit Secure Code Analizer is a source code auditing utility designed to parse source files and identify the use of potentially insecure functions, such as strcpy(), gets(), fgets(), etc. A buffer overrun vulnerability has been discovered in Secure Code Analizer v1.0. The problem occurs when reading data from a target source file. The vulnerability lies within the single_source() function, during a call to fgets(). The fgets() call is used to copy data from the target source file into an internal memory buffer, puffer[256]. However, the 'size' argument of the fgets() call is incorrectly set to 1024 bytes, potentially allowing 768 bytes of stack memory to be overwritten. An attacker could exploit this vulnerability by creating a source file containing a line of approximately 257 or more bytes. It should be noted that 'puffer' is the first variable declared within the single_source() function, typically placing it adjacent to the saved frame pointer and return address. As a result, an attacker could potentially exploit this vulnerability by writing only 8 bytes past the end of the buffer (four bytes of saved frame pointer plus four bytes of return address on a 32-bit x86 stack). This would overwrite the return address of the function, allowing the execution of attacker-supplied code. This memory layout may differ between compilers.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
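The three input sinks named above for pr-edit and Secure Code Analizer, written out in C as an added example (this is not code from GNATS or Tripbit; the buffer sizes, the lock-file layout "user@host pid" and the path suffix are chosen for the illustration): the sprintf() of a '-d' argument or GNATS_ROOT value into a fixed buffer (BIDs 8003 and 8005) replaced by snprintf() with a truncation check, which is also the fix pattern for the unbounded environment and Request-URI copies in osh (BID 7992) and WebFS (BID 7990); the fscanf("%s") on a lock file (BID 8004) given a width tied to the buffer size; and the fgets() whose size argument exceeded its buffer (BID 8028) written with sizeof so the two cannot diverge.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes chosen for this example; not the sizes used by GNATS or Tripbit. */
#define PATH_BUF_LEN 256
#define OWNER_MAX    63      /* characters, excluding the terminating NUL */
#define LINE_BUF_LEN 256

/* Stringify a numeric macro so the scanf width is derived from OWNER_MAX. */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* BIDs 8003/8005. The vulnerable form was an unbounded
 *     sprintf(path, "%s/%s", root, name);
 * with root taken from argv (-d) or from getenv("GNATS_ROOT").
 * snprintf() never writes past dstsz and returns the length the full result
 * would have had; a result that did not fit is refused rather than truncated,
 * because a truncated path names a different file. Returns 0 or -1. */
int build_path(char *dst, size_t dstsz, const char *root, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* BID 8004. The vulnerable form was fscanf(fp, "%s", owner), which copies up to
 * the next whitespace however long the token is. The width "%63s" caps the copy
 * at OWNER_MAX characters; a token that fills the whole width and continues is
 * treated as hostile. Returns 0 with owner filled, or -1. */
int parse_lock_owner(const char *lock_contents, char *owner, size_t ownersz)
{
    if (ownersz < OWNER_MAX + 1)
        return -1;
    owner[0] = '\0';
    if (sscanf(lock_contents, "%" STR(OWNER_MAX) "s", owner) != 1)
        return -1;                           /* empty or whitespace-only file */
    size_t len = strlen(owner);
    if (len == OWNER_MAX) {
        /* %s skipped leading whitespace; inspect the byte after the width to
         * see whether the token really ended there or was cut short. */
        const char *tok = lock_contents + strspn(lock_contents, " \t\n\r\f\v");
        if (tok[len] != '\0' && !isspace((unsigned char)tok[len]))
            return -1;                       /* oversized token, reject */
    }
    return 0;
}

/* BID 8028. The vulnerable form was fgets(puffer, 1024, fp) into char puffer[256].
 * With sizeof buf as the size, an over-long line arrives in several pieces
 * instead of 768 bytes of stack. Counts physical lines, so a line delivered in
 * pieces is still counted once. */
long count_lines(FILE *fp)
{
    char buf[LINE_BUF_LEN];
    long lines = 0;
    bool mid_line = false;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t len = strlen(buf);
        if (len > 0 && buf[len - 1] == '\n') {
            lines++;
            mid_line = false;
        } else {
            mid_line = true;                 /* partial read; rest comes next call */
        }
    }
    if (mid_line)
        lines++;                             /* final line lacked a newline */
    return lines;
}

int main(void)
{
    char path[PATH_BUF_LEN], owner[OWNER_MAX + 1], huge[5001];
    memset(huge, 'A', 5000);                 /* constructed 5000-byte GNATS_ROOT value */
    huge[5000] = '\0';
    printf("sane root -> %d\n", build_path(path, sizeof path, "/var/lib/gnats", "gnats-adm/lock"));
    printf("huge root -> %d\n", build_path(path, sizeof path, huge, "gnats-adm/lock"));
    printf("sane lock -> %d (%s)\n", parse_lock_owner("alice@build1 12345\n", owner, sizeof owner), owner);
    printf("huge lock -> %d\n", parse_lock_owner(huge, owner, sizeof owner));
    return 0;
}
```

The common thread is that every bounded call takes its bound from the destination buffer itself (sizeof, or a macro the width is generated from), never from a number typed elsewhere; that is exactly the pairing that went wrong in the 1024-versus-256 fgets() case.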
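The privilege drop that tcptraceroute (BID 8020 above) is reported to omit, in C as an added example that is not tcptraceroute's own code: the raw socket is the only operation that needs root, so it is opened first and the real uid/gid are restored permanently immediately afterwards, with a check that root cannot be regained. The socket protocol and the function names are choices made for the example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The one operation that needs root: a raw IP socket for crafting probes.
 * Returns the descriptor, or -1 with errno set when not permitted. */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}

/* Give up root for good. The group is set first, because setgid() would be
 * refused once the uid is unprivileged. As root, setuid() resets the real,
 * effective and saved uids together, leaving nothing to switch back to.
 * Returns 0 on success, -1 if a step failed or root could still be regained. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Verify the drop: a process that started unprivileged and can still
     * become root means the saved uid was not cleared. */
    if (ruid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

/* True when the effective ids match the real ids, i.e. no elevation remains. */
bool privileges_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

int main(void)
{
    int fd = open_raw_socket();
    if (fd < 0)
        fprintf(stderr, "raw socket unavailable (%s); continuing without it\n",
                strerror(errno));

    /* Everything from here on runs with the invoking user's privileges. */
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("uid=%d euid=%d dropped=%s raw_fd=%d\n", (int)getuid(), (int)geteuid(),
           privileges_dropped() ? "yes" : "no", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run as an ordinary user the program still works: the setgid()/setuid() calls to the process's own ids always succeed, and the setuid(0) probe fails with EPERM as it should. A complete drop in a real tool also clears supplementary groups with setgroups() before setgid(); that call is non-POSIX and is left out here.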
