ManDB Utility Local Buffer Overflow Vulnerability
BugTraq ID: 8278
Remote: No
Date Published: Jul 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8278
Summary:
mandb is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility. mandb has been reported prone to a local buffer overflow vulnerability. It has been reported that a local attacker may exploit this issue to execute arbitrary instructions with elevated privileges, specifically user 'man' privileges.

The issue likely presents itself due to a lack of sufficient bounds checking performed on user-supplied data. Although unconfirmed, it has been conjectured that user-supplied data copied into an insufficiently sized memory buffer may overflow the bounds of that buffer and corrupt saved values that are crucial to program execution flow control. The attacker may exploit this issue to influence the execution flow of the vulnerable utility and have arbitrary attacker-specified instructions executed inline.

It should be noted that although the mandb utility is installed with setuid root privileges by default, this issue has been reported to be exploitable only to attain user 'man' privileges. Additionally, although this vulnerability has been reported to affect man version 2.3.19, other versions may also be affected.

FreeRadius Chap Remote Buffer Overflow Vulnerability
BugTraq ID: 8282
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8282
Summary:
FreeRADIUS is a freely available, open source implementation of the RADIUS protocol. It is available for the Unix and Linux operating systems.

A problem with FreeRADIUS has been reported when handling CHAP requests. Because of this, an attacker may be able to gain unauthorized access to a system using the vulnerable software.

Specific details about the vulnerability are not currently available. It is known that the problem in CHAP handling may be exploited to execute code with the privileges of the FreeRADIUS server. This could give the attacker access to the system with the privileges of the FreeRADIUS server.
University of Minnesota GopherD Do_Command Buffer Overflow Vulnerability
BugTraq ID: 8283
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8283
Summary:
gopherd is the implementation of the Gopher Protocol Daemon by the University of Minnesota. It is available for the Unix and Linux platforms.

It has been reported that University of Minnesota gopherd is vulnerable to a remotely exploitable boundary condition error. This may make it possible for an attacker to gain unauthorized access to a host using the vulnerable software.

The problem is in the do_command function of the Gopherd.c file. Due to insufficient bounds checking on user-supplied data, it is possible for an attacker to overwrite sensitive process memory. This could result in the execution of arbitrary instructions with the privileges of the gopher daemon process.

Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability
BugTraq ID: 8290
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8290
Summary:
The Cisco Aironet AP1x00 is a series of wireless access point devices.

Cisco Aironet AP1x00 series devices are prone to a denial of service vulnerability upon receipt of a malformed HTTP GET request. This issue exists in the web administrative interface for affected devices. Such a request will cause the device to reload. It is possible to cause a prolonged denial of service by repeatedly sending such requests to an affected device. This could be exploited to deny availability of a WLAN that depends on the device.

[ hardware ]

Cisco Aironet Telnet Service User Account Enumeration Weakness
BugTraq ID: 8292
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8292
Summary:
Aironet is the Wireless Access Point solution distributed and maintained by Cisco.

An information leak has been reported in Cisco Aironet Access Points when the telnet service has been enabled. This may allow a remote attacker to gain potentially sensitive information.

The problem is in the response of the telnet daemon. The usual implementation returns the same response to a failed authentication attempt regardless of whether the user name is valid. However, when an invalid username is sent to the Aironet telnet daemon, the daemon responds with a "% Login invalid" message, allowing the attacker to gather a list of valid user names on the target device.

[ hardware ]

Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
BugTraq ID: 8287
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8287
Summary:
mod_mylo is a third party module for the Apache HTTP server. The module is designed to log data into a MySQL database in addition to standard logging.

mod_mylo has been reported prone to a remotely exploitable buffer overflow vulnerability. The issue presents itself due to insufficient bounds checking performed on HTTP requests before the HTTP request string is copied into a buffer in memory. Data exceeding the size of the buffer will corrupt adjacent memory. Because memory adjacent to this buffer has been reported to store a saved instruction pointer, it is possible for a remote attacker to influence program execution flow. Ultimately a remote attacker may exploit this condition to execute arbitrary instructions in the context of the Apache HTTP server.

This issue has been reported to affect mod_mylo version 0.2.1 and all versions prior.

Mini SQL Remote Format String Vulnerability
BugTraq ID: 8295
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8295
Summary:
Mini SQL (mSQL) is a relational database management system.

mSQL has been reported prone to a remotely exploitable format string vulnerability. Reportedly a remote attacker may send malicious format specifiers to trigger the issue.
This issue is due to erroneous use of a formatting function, which may allow format specifiers to be supplied by an external source, in this case a remote user. By passing specially crafted format specifiers through a session, an attacker may corrupt process memory and thereby gain the ability to execute arbitrary code with the privileges of the affected daemon, which is typically root.

This vulnerability has been reported to affect mSQL version 1.3 and all prior versions; other versions may also be affected.

KDE Konqueror HTTP REFERER Authentication Credential Leak Vulnerability
BugTraq ID: 8297
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8297
Summary:
Konqueror is a freely available, open source web browser distributed and maintained by the KDE project. It is available for the Unix and Linux operating systems.

It has been reported that a problem in KDE Konqueror may result in the leak of authentication credentials through the HTTP REFERER header field. This could result in an attacker gaining unauthorized access to authentication information.

When a user visits a site that keeps the authentication credentials in the URL and then follows a link to another site, the browser passes the credential-bearing URL to the destination site in the REFERER header, where it may be recorded in that site's referrer log. This could result in unauthorized access to the user account on the referring site.

Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of Service Vulnerability
BugTraq ID: 8298
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8298
Summary:
XDR (External Data Representation) is a protocol governing the platform-independent description and encoding of data. In this particular case it is used in conjunction with the Linux implementation of NFSv3 (Network File System), which is used to share system-based resources across a network. NFS uses XDR to describe the format of its data.

Linux Kernel 2.4 XDR handler routines for NFSv3 have been reported prone to a remote denial of service vulnerability. The issue presents itself in the decode_fh XDR handler routine contained in the nfs3xdr.c kernel source file. The issue is due to a signed/unsigned mismatch when processing the size field of an XDR packet. A malicious attacker may bypass the signed sanity check, if (size > NFS3_FHSIZE), in the decode_fh XDR handler routine by crafting an XDR packet whose size field contains the two's complement representation of -1, or 0xFFFFFFFF. This value is then passed to a memcpy() call that uses the unsigned value 0xFFFFFFFF (4 GB) as its size parameter; the massive memcpy operation triggers a kernel panic.

It has been reported that the target host may need an accessible exported directory if this vulnerability is to be successfully exploited. It should be noted that other methods to trigger the vulnerability might also be possible.

This vulnerability has been reported to affect the Linux 2.4 kernel tree.

NetScreen ScreenOS TCP Window Size Remote Denial Of Service Vulnerability
BugTraq ID: 8302
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8302
Summary:
NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients.

NetScreen ScreenOS has been reported prone to a vulnerability that may allow a remote user to trigger a denial of service condition in an affected appliance. It has been reported that by modifying client-side system configuration values that control the TCP window size and then connecting to the target appliance, an attacker may trigger a denial of service in the remote appliance.

It has been reported that the issue only affects NetScreen appliances that are configured to use management services.
Such services include HTTP, SSH and Telnet. This issue only affects some ScreenOS 4.0.1rx and 4.0.3rx releases. NetScreen IDP, and NetScreen Firewall/VPN products running ScreenOS 3.x and earlier, 4.0.0, and 4.0.2 are not vulnerable. The vendor has supplied upgrades for affected versions.

[ hardware ]

Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
BugTraq ID: 8303
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8303
Summary:
mandb is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility.

mandb has been reported to be affected by multiple buffer overflow vulnerabilities. These issues present themselves in the ult_src(), add_to_dirlist() and test_for_include() functions and in the PATH/MANPATH argument handler of mandb. The issues are due to insufficient bounds checking performed on user-supplied data before it is copied into reserved buffers in memory. A local attacker may supply excessive data in a manner sufficient to trigger these issues and in doing so corrupt arbitrary memory. It has been conjectured that an attacker may ultimately exploit these issues to execute arbitrary instructions with elevated privileges. Code execution would occur in the context of the mandb utility, typically user 'man'.

This BID will be split up into unique BIDs as these issues are analyzed in further detail.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
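The signed/unsigned mismatch described for the NFSv3 decode_fh handler (BID 8298) is easy to reproduce in isolation. The following is an added illustration, not kernel code: it places the vulnerable signed length check beside a hardened unsigned one and a bounded decoder, using the real NFS3_FHSIZE limit of 64 bytes but a simplified, constructed packet layout (4-byte big-endian length followed by handle bytes).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NFS3_FHSIZE is the real NFSv3 file handle limit (64 bytes); the packet
 * layout below (4-byte big-endian length, then handle bytes) is simplified. */
#define NFS3_FHSIZE 64

/* Vulnerable pattern from the BID 8298 description: the wire length lands
 * in a signed int. 0xFFFFFFFF becomes -1 on two's complement machines, which
 * is not > NFS3_FHSIZE, so the check passes and (size_t)-1 reaches memcpy(). */
static bool fh_size_ok_signed(uint32_t wire_size) {
    int size = (int)wire_size;          /* the signed/unsigned mismatch */
    return !(size > NFS3_FHSIZE);
}

/* Hardened pattern: compare as unsigned, so every value above the limit,
 * including the ones that would have wrapped negative, is rejected. */
static bool fh_size_ok_unsigned(uint32_t wire_size) {
    return !(wire_size > NFS3_FHSIZE);
}

/* Decode one file handle from a constructed packet. Returns the number of
 * handle bytes copied into out, or -1 if the length is rejected or the
 * packet is shorter than the length claims. */
static int decode_fh_safe(const uint8_t *pkt, size_t pkt_len,
                          uint8_t out[NFS3_FHSIZE]) {
    if (pkt_len < 4)
        return -1;
    uint32_t size = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                    ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
    if (!fh_size_ok_unsigned(size) || size > pkt_len - 4)
        return -1;
    memcpy(out, pkt + 4, size);         /* size is now provably <= NFS3_FHSIZE */
    return (int)size;
}

int main(void) {
    /* Constructed packets: a 4-byte handle, and the 0xFFFFFFFF length. */
    const uint8_t good[] = {0, 0, 0, 4, 'a', 'b', 'c', 'd'};
    const uint8_t huge[] = {0xff, 0xff, 0xff, 0xff, 'a', 'b'};
    uint8_t out[NFS3_FHSIZE];
    printf("signed check passes 0xFFFFFFFF: %d\n", fh_size_ok_signed(0xFFFFFFFFu));
    printf("unsigned check passes 0xFFFFFFFF: %d\n", fh_size_ok_unsigned(0xFFFFFFFFu));
    printf("decode good: %d\n", decode_fh_safe(good, sizeof good, out));
    printf("decode huge: %d\n", decode_fh_safe(huge, sizeof huge, out));
    return 0;
}
```

The same pattern applies to any length field read from the wire: keep it unsigned through every comparison, and bound it against both the fixed destination size and the bytes actually present in the packet.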
