University of Minnesota Gopherd FTP Gateway Buffer Overflow Vulnerability
BugTraq ID: 8167
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8167
Summary:
Gopherd is a daemon written by the University of Minnesota that provides support for the gopher protocol. By default, gopherd ships with the "FTP gateway" component enabled; its purpose is to serve as an FTP proxy for gopher clients. The routine this component uses to process the results of FTP LIST commands is reported to be subject to a buffer overflow, because it performs no bounds checking on the filenames returned by the FTP server. The filenames are reportedly stored in a 256-byte buffer on the stack, while gopherd can be made to read filenames of up to 8 kilobytes, so an 8192-byte name spills roughly 7,900 bytes past the end of the buffer. An attacker who controls, or can make gopherd connect to, a malicious FTP server may thereby corrupt adjacent stack data, including saved instruction pointers, and so execute attacker-supplied instructions. Note that by default gopherd restricts its process environment with a chroot() call, so successful exploitation may leave the attacker confined to a chroot jail.

University of Minnesota Gopherd GSisText Buffer Overflow Vulnerability
BugTraq ID: 8168
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8168
Summary:
Gopherd is a daemon written by the University of Minnesota that provides support for the gopher protocol. The function gopherd uses to determine the view types associated with a given gopher object is reported to perform no bounds checking on user-submitted requests. The user-supplied string passed to this function is stored in a 64-byte temporary buffer on the stack, and a request can make gopherd read more data than that, overflowing the buffer. This may allow an attacker to corrupt adjacent stack data, such as saved instruction pointers.
Note that by default gopherd restricts its process environment with a chroot() call, so successful exploitation may leave the attacker confined to a chroot jail. To trigger the overflow, the request must begin with one of the characters h, 0, 4, 5, 9, s, I or g, followed by a tab character and a string long enough to overrun the buffer.

ImageMagick Display Filename Format String Vulnerability
BugTraq ID: 8177
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8177
Summary:
ImageMagick is an image manipulation program available for a variety of platforms, including Microsoft Windows and Unix and Linux variants. The ImageMagick display program is alleged to be prone to a format string vulnerability, triggered when the program is invoked with a filename that contains format specifiers. The issue could be exploited to write attacker-supplied data to arbitrary memory locations and thereby execute arbitrary code in the context of the user running the program. For exploitation, display must be invoked with an untrusted filename; this could happen automatically if it is registered as the default image viewer for an e-mail client or some other program. The issue was reported on Unix/Linux platforms; it is not known whether other platforms are affected.

NFS-Utils Xlog Remote Buffer Overrun Vulnerability
BugTraq ID: 8179
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8179
Summary:
nfs-utils provides various NFS tools, including a daemon for handling RPC requests, and is available for Unix and Linux variants. A remote buffer overrun has been reported in xlog, the logging facility of nfs-utils. The issue can be reached remotely through mountd.
Exploitation is reported most likely to result in a denial of service, but it is possible that arbitrary code could be run in the context of mountd, which runs as root. The vulnerability is an off-by-one boundary error in the xlog.c source file, which handles logging of RPC requests: the xlog() function overruns its buffer by one byte of attacker-supplied data when it is handed a string of 1023 bytes or more. Other nfs-utils components that call xlog() with externally supplied data could be affected in the same way.

xfstt Denial Of Service Vulnerability
BugTraq ID: 8182
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8182
Summary:
xfstt is an X font server that provides support for TrueType fonts. It has been reported that an attacker can crash an xfstt server by sending it a specially malformed packet; remote code execution may also be possible. The function working() in the xfstt.cc source file does not, in certain cases, properly bounds-check incoming packets before parsing their headers and storing information in internal buffers. Specifically, it is reported that the 'req->num_ranges' value can be overflowed, so that a subsequent for loop iterates with a miscalculated bound. This may allow arbitrary data to be written to adjacent memory, resulting in a denial of service against the server. Whether this can be exploited to execute arbitrary code is not known at this time.

Asus ADSL Router Information Disclosure Vulnerability
BugTraq ID: 8183
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8183
Summary:
It has been reported that certain Asus ADSL routers make sensitive files available through their web interface.
No access control is enforced on these files, so remote users can view them without supplying any credentials. The information exposed may include usernames, unencrypted passwords, SNMP settings and other configuration details. To retrieve them, an attacker requests the sensitive files from the root path of the web interface. [ hardware ]

Citadel/UX Configuration Buffer Overrun Vulnerability
BugTraq ID: 8191
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8191
Summary:
Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other Unix systems. It lets clients run commands as an internal program and access its IPC (inter-process communication) facilities; to use this feature, a client must supply the internal program password via the IPGM command. Citadel/UX is prone to a buffer overrun when importing configuration data supplied by IPGM-authenticated users: excessive data supplied during an import can overwrite sensitive regions of stack memory with chosen values, which may be exploited to execute arbitrary code in the context of the server.

Citadel/UX Unlimited Biography Data Denial Of Service Vulnerability
BugTraq ID: 8192
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8192
Summary:
Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other Unix systems. It allows users to add biographical data to their profile via the EBIO command, and does not limit the amount of data a client can supply. The data is written to a file on the system hosting the BBS, so a malicious BBS user can cause a denial of service by supplying excessive data and exhausting the disk space available to the system user the BBS runs as.
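Several of the entries above turn on one missing length check. The Gopherd FTP gateway (BugTraq ID 8167), Gopherd GSisText (8168) and Citadel/UX configuration import (8191) entries copy attacker-controlled text into fixed-size stack buffers with no bound at all; the nfs-utils xlog entry (8179) has a bound that is off by one; the xfstt entry (8182) trusts a count field from the packet and loops on it. The C below is an added example, not code from any of those projects, showing the checks whose absence each entry describes. The buffer sizes (64, 256) are the ones quoted in the advisories; the 1024-byte xlog buffer with a newline and NUL appended, the "<type>\t<argument>" request shape, the UNIX-style LIST line format and the 32-bit count followed by 4-byte ranges are simplifying assumptions made here to exercise the checks, not the real protocols or source layouts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GSISTEXT_BUF 64    /* stack buffer size quoted in the GSisText entry (BID 8168) */
#define FTPNAME_BUF  256   /* stack buffer size quoted in the FTP gateway entry (BID 8167) */
#define XLOG_BUF     1024  /* assumed size of the xlog() buffer (BID 8179), see xlog_fits() */

/* Copy len bytes of src into dst[cap] and NUL-terminate, or copy nothing and
 * return -1 if the text plus its terminator would not fit.  The test is
 * "len >= cap": cap-1 bytes is the largest input a cap-byte buffer can hold. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (cap == 0) return -1;
    if (len >= cap) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* GSisText (BID 8168): a request is "<type>\t<argument>" where type is one of
 * h 0 4 5 9 s I g (assumed layout).  The argument goes into a 64-byte temporary
 * buffer, here only if it fits.  Returns 0 on success, -1 if malformed or oversized. */
int parse_view_request(const char *req, size_t len, char *type_out, char tmp[GSISTEXT_BUF])
{
    static const char types[] = "h0459sIg";
    if (len < 2 || req[0] == '\0' || strchr(types, req[0]) == NULL || req[1] != '\t')
        return -1;
    *type_out = req[0];
    return copy_bounded(tmp, GSISTEXT_BUF, req + 2, len - 2);
}

/* FTP gateway (BID 8167): take the file name from a UNIX-style LIST line such as
 * "-rw-r--r-- 1 ftp ftp 1024 Jul 11 2003 README", i.e. everything after the eighth
 * blank-separated field, minus a trailing CR/LF.  Names containing spaces are kept
 * whole.  The name is copied into a 256-byte buffer only if it fits. */
int list_filename(const char *line, size_t len, char name[FTPNAME_BUF])
{
    size_t i = 0, end = len, field = 0;
    while (end > 0 && (line[end - 1] == '\r' || line[end - 1] == '\n')) end--;
    while (field < 8 && i < end) {
        while (i < end && line[i] == ' ') i++;   /* skip blanks before a field */
        while (i < end && line[i] != ' ') i++;   /* skip the field itself */
        field++;
    }
    while (i < end && line[i] == ' ') i++;
    if (field < 8 || i >= end) return -1;        /* not a LIST entry, or no name */
    return copy_bounded(name, FTPNAME_BUF, line + i, end - i);
}

/* xlog (BID 8179): an off-by-one in the size check.  The advisory says a string of
 * 1023 bytes or more overruns the buffer by one byte; the layout assumed here to
 * reproduce that boundary is a 1024-byte buffer to which a newline and then a NUL
 * are appended, so the message may be at most 1022 bytes.  The naive check counts
 * the newline but forgets the terminator and therefore accepts 1023. */
int xlog_fits_naive(size_t msg_len) { return msg_len + 1 <= XLOG_BUF; }   /* wrong */
int xlog_fits(size_t msg_len)       { return msg_len + 1 <  XLOG_BUF; }   /* room for the NUL */

/* xfstt (BID 8182): num_ranges is read from the packet and drives a loop.  Check it
 * against the bytes actually received before looping, using a division so that the
 * multiplication cannot wrap.  Assumed layout: 32-bit little-endian count, then
 * 4-byte ranges. */
int ranges_ok(const uint8_t *pkt, size_t pkt_len, uint32_t *num_out)
{
    const size_t range_size = 4;
    if (pkt_len < 4) return 0;
    uint32_t n = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
                 (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    if (n > (pkt_len - 4) / range_size) return 0;   /* claims more ranges than bytes */
    *num_out = n;
    return 1;
}

int main(void)
{
    char type, tmp[GSISTEXT_BUF], name[FTPNAME_BUF], big[GSISTEXT_BUF + 10];
    const char *list = "-rw-r--r--   1 ftp  ftp   1024 Jul 11 2003 README\r\n"; /* constructed */
    uint8_t pkt[12] = { 0xff, 0xff, 0xff, 0xff };   /* constructed: 4 billion ranges in 8 bytes */
    uint32_t n;

    memset(big, 'A', sizeof big); big[0] = 'h'; big[1] = '\t';
    printf("view request, 9-byte argument:  %d\n", parse_view_request("0\tabout.txt", 11, &type, tmp));
    printf("view request, 72-byte argument: %d\n", parse_view_request(big, sizeof big, &type, tmp));
    printf("LIST name:                      %d %s\n", list_filename(list, strlen(list), name), name);
    printf("xlog 1023 bytes, naive/fixed:   %d %d\n", xlog_fits_naive(1023), xlog_fits(1023));
    printf("ranges_ok on bogus count:       %d\n", ranges_ok(pkt, sizeof pkt, &n));
    return 0;
}
```

Each helper rejects rather than truncates, so a caller sees the oversize input and can log or drop it; silently truncating an attacker-supplied filename or selector hides the attempt. The division in ranges_ok() is the part most often got wrong: `n * range_size > body` can wrap to a small value for large n and pass.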
Citadel/UX Weak Internal Program Authentication Key Vulnerability
BugTraq ID: 8193
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8193
Summary:
Citadel/UX is an open source BBS package for Linux, BSD, Solaris and other Unix systems. It uses an authentication key exchange to authenticate clients to the server as an internal trusted program (IPGM). A vulnerability has been reported in the procedure Citadel/UX uses to generate the internal program authentication key: the server derives the key from the C library's pseudo-random number generator after seeding it with srand(), using its own process ID as the seed. The result is a low-entropy key that can be reproduced by anyone who knows, or can guess, the server's PID. A remote attacker may exploit this by iterating through candidate process IDs in sequence; on success the attacker authenticates to the server as a trusted program and thereby attains elevated privileges.

QMail-SMTPD-Auth True Program Remote E-Mail Vulnerability
BugTraq ID: 8196
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8196
Summary:
qmail-smtpd-auth is a freely available, open source patch that adds support for the SMTP AUTH extension to qmail. It is available for Unix and Linux platforms. A vulnerability has been reported in the way qmail-smtpd-auth handles malformed authentication requests, which may let an attacker circumvent authentication and send e-mail through the server. The problem lies in the handling of requests that do not contain all the expected parameters: by submitting an authentication request to a qmail daemon patched with the vulnerable code and omitting the hostname component, an attacker attempting to relay e-mail through the server may bypass authentication.
This problem requires the site to be configured to use /bin/true as the dummy program, which is the default configuration.

Deutsche Telekom Teledat DSL Router Portscan Remote Denial Of Service Vulnerability
BugTraq ID: 8199
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8199
Summary:
Teledat is the DSL router solution distributed and maintained by Deutsche Telekom. A problem has been reported in the way Teledat DSL routers handle port scans: the routers become unstable when scanned, allowing an attacker to deny service to legitimate users. The issue was originally observed as the result of running the Symantec Security Check tools against a system behind the router; a remote attacker could likely reproduce it with any of several free, publicly available port scanners. The problem has been reported in the 530 series router and may exist in other models. [ hardware ]

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
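The weak key in the Citadel/UX entry above (BugTraq ID 8193) reduces to a brute force over process IDs, which the C below reproduces end to end. It is an added illustration, not Citadel/UX's code, and it assumes details the advisory does not give: that the key consists of four rand() outputs printed as hex, that the PID space is the classic 1..32767 range, and a fixed sample PID of 12345 in place of getpid(). Only the seeding with srand(pid) comes from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_WORDS  4                  /* assumption: the key is four rand() outputs */
#define KEY_STRLEN (KEY_WORDS * 8)    /* each printed as 8 hex digits */
#define PID_MAX    32767              /* assumption: the classic Linux PID range */

/* Server side, as the advisory describes it: seed the C library PRNG with the
 * process ID and build the internal-program key from what rand() returns.
 * Everything after srand() is deterministic, so the PID is the entire secret. */
void derive_key(unsigned pid, char key[KEY_STRLEN + 1])
{
    srand(pid);
    for (int i = 0; i < KEY_WORDS; i++)
        sprintf(key + 8 * i, "%08x", (unsigned)rand());
    key[KEY_STRLEN] = '\0';
}

/* Attacker side: given a key observed from the server, re-run the derivation for
 * every candidate PID until one reproduces it.  Returns the recovered PID, or 0
 * if none up to pid_max matches.  This only works with the same C library as the
 * server, since rand() sequences differ between libc implementations. */
unsigned recover_pid(const char *observed_key, unsigned pid_max)
{
    char cand[KEY_STRLEN + 1];
    for (unsigned pid = 1; pid <= pid_max; pid++) {
        derive_key(pid, cand);
        if (strcmp(cand, observed_key) == 0)
            return pid;
    }
    return 0;
}

int main(void)
{
    char key[KEY_STRLEN + 1];
    unsigned server_pid = 12345;          /* stand-in for the server's getpid() */

    derive_key(server_pid, key);
    printf("server pid %u -> key %s\n", server_pid, key);
    printf("attacker recovers pid %u after at most %u derivations\n",
           recover_pid(key, PID_MAX), (unsigned)PID_MAX);
    return 0;
}
```

Thirty-two thousand candidates take well under a second, and the attacker need not even observe a key first: the advisory's sequential-PID attack simply presents each candidate key to the server in turn. The fix is to draw the key from a cryptographic source (on Unix, /dev/urandom) rather than from rand() seeded with any predictable value.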
