Multiple Atari800 Emulator Local Buffer Overflow Vulnerabili...
BugTraq ID: 8322
Remote: No
Date Published: Jul 31 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8322
Summary:
atari800 is a multi-platform Atari 800, 800XL, 5200 and 130XE emulator developed for Unix, WinCE, MS-DOS, Atari TT/Falcon, SDL and Amiga platforms.

The atari800 emulator has been reported prone to multiple local buffer overflow vulnerabilities. The issues are likely due to insufficient bounds checking of user-supplied data before it is copied into fixed-size buffers in memory. A local attacker may supply excessive data in a manner sufficient to trigger these issues and thereby corrupt arbitrary memory. Because atari800 requires direct access to graphics devices, one of the affected binaries has been reported to be installed setuid root; a local attacker may therefore be able to exploit this condition to gain local root access. Although version 1.2.2 and prior have been reported vulnerable, other versions are also likely to be affected.

Cisco IOS UDP Echo Service Memory Disclosure Vulnerability
BugTraq ID: 8323
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8323
Summary:
IOS is the router operating system maintained and distributed by Cisco Systems.

Under some circumstances the Cisco IOS UDP Echo Service may leak sensitive memory contents to remote attackers. It has been reported that, if the udp-small-servers command is enabled, a Cisco appliance running IOS may answer malformed UDP echo packets with replies that contain partial contents of the affected router's memory. A remote attacker may repeat this process to disclose further portions of the data stored in the router's memory. This could expose sensitive information that may be useful in mounting other attacks.

**Update: This issue may be exploited in conjunction with other vulnerabilities, as demonstrated in BID 8373, where memory disclosed through the UDP Echo Service is used to assist in the exploitation of the IOS HTTP 2GB Buffer Overflow vulnerability. The vendor has reported that the udp-small-servers command has been disabled by default since IOS 11.2(1). Additionally, IOS 12.1, 12.2 and 12.3 based images are not reported to be affected by this issue.

[ firmware ]

CDRTools RSCSI Debug File Arbitrary Local File Manipulation ...
BugTraq ID: 8328
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8328
Summary:
rscsi is a helper component of the cdrtools package.

It has been reported that a local attacker may invoke the rscsi utility against an attacker-specified file by supplying a 'debug file' argument that points to a file that already exists. This causes the group ownership of the target file to be changed to the group of the user invoking rscsi, and the contents of the target file to be overwritten with data that may be influenced by the attacker. Because rscsi is installed with setuid 'root' permissions by default, a local attacker may use this vulnerability to gain elevated privileges. This vulnerability has been reported to affect the 2.x branch of cdrtools and all previous versions.

Linux Netfilter NAT Remote Denial of Service Vulnerability
BugTraq ID: 8330
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8330
Summary:
The Netfilter project maintains the packet filter component of the Linux kernel.

A fix for a denial of service vulnerability has been reported by the Netfilter project. The vulnerability is present on systems with the ip_nat_ftp or ip_nat_irc modules loaded, or with a kernel built with the CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC options. These optional subcomponents implement limited stateful inspection of the FTP and IRC application protocols, allowing features such as active mode FTP and DCC to work through NAT. A remotely exploitable denial of service vulnerability exists when at least one of these features is enabled and communication to FTP/IRC servers is permitted. Version 2.4.20 of the Linux kernel is confirmed vulnerable. A patch is available. According to the Netfilter team, the 2.4.20 kernels shipped with Red Hat Linux include the patch.

Netfilter Connection Tracking Denial of Service Vulnerabilit...
BugTraq ID: 8331
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8331
Summary:
The Netfilter project maintains the packet filter component of the Linux kernel.

A fix for a denial of service vulnerability has been reported by the Netfilter project. The vulnerability is present on systems with support for connection tracking enabled. Connection tracking allows the firewall to identify which packets belong to established connections. Linux 2.4.20 systems with kernels built with the CONFIG_IP_NF_CONNTRACK option, or with the ip_conntrack module loaded, are vulnerable. Other kernel versions are not affected. The vulnerability is due to the introduction of a new generic linked list implementation in the Linux 2.4.20 kernel: reliance on the previous linked list implementation resulted in a condition that could lead to a denial of service. A patch has been released that removes the dependence on a specific kernel linked list API.

mindi Temporary File Creation Vulnerabilities
BugTraq ID: 8332
Remote: No
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8332
Summary:
Mindi is a program for creating boot/root disks, maintained by Hugo Rabson.

Debian has reported that Mindi is affected by several temporary file creation vulnerabilities that could allow corruption of local files and, possibly, elevation of privileges. Throughout its operation, mindi creates numerous files in /tmp with predictable filenames. Because /tmp is world-writable, symbolic link attacks are possible. Some of the temporary filenames are static and can be predicted with certainty; others are based on process IDs. If a malicious local user knows that another user on the system is going to run mindi, symbolic links with the anticipated filenames can be created in /tmp. If the file pointed to by the symbolic link is writable by the user running mindi, that file will be overwritten or deleted, provided the attacker chose the correct filename. If the contents can be controlled by the attacker, privilege escalation may be possible. As there are numerous temporary files, different attack channels may yield different consequences. Debian has issued fixes.

Multiple Postfix Denial of Service Vulnerabilities
BugTraq ID: 8333
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8333
Summary:
Postfix is a free, open-source mailer designed as an alternative to Sendmail. It is written and maintained by Wietse Venema.

Debian has reported two vulnerabilities in the Postfix mail transfer agent. The first, CAN-2003-0468, can allow an adversary to "bounce-scan" a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool, reportedly by forcing the server to connect to an arbitrary port on an arbitrary host. The second, CAN-2003-0540, is another denial of service. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, likewise resulting in a denial of service. This BID has been divided into BIDs 8361 and 8362 and is being retired.

NetBSD Kernel OSI Packet Handler Remote Denial Of Service Vu...
BugTraq ID: 8340
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8340
Summary:
It has been reported that NetBSD systems with OSI networking support compiled into the kernel are prone to a remote denial of service vulnerability. The issue exists because error-reporting functions invoked by a netiso-enabled kernel are, under some circumstances, not implemented to abide by the requirements of the BSD networking stack. When the kernel processes an OSI packet that triggers the generation of an error indication response packet, one of two outcomes may occur: if the kernel has been compiled with "options DEBUG", a kernel panic may result and the kernel will report the condition; otherwise the system may crash unpredictably. This is because the function responsible for crafting error indication response packets was not converted to use a "PKTHDR" mbuf, which is the standard for the BSD networking stack. It has been reported that this issue does not affect systems that do not have OSI networking support installed and an OSI network address assigned.

Man-db DEFINE Arbitrary Command Execution Vulnerability
BugTraq ID: 8341
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8341
Summary:
man-db is a utility used to initialize or manually update the index database caches that are usually maintained by the man utility.

man-db could allow a local user to execute commands with elevated privileges. This occurs because man-db allows commands to be executed through the DEFINE directive even when it is running setuid "man", which would allow a local user to execute any command with "man" privileges. It is important to note that man-db is not installed setuid by default; this vulnerability is only present if man-db was installed setuid "man".

gURLChecker HTML Parser Denial Of Service Vulnerability
BugTraq ID: 8348
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8348
Summary:
gURLChecker is software that validates web links. It is available for Unix and Linux variants.

gURLChecker is reported to be prone to a denial of service vulnerability. The issue is exposed when the HTML parser (html_parser.c) included with the software encounters specifically malformed HTML tags of excessive length, and appears to be located in the uc_html_parser_get_attributes() function. This could be exploited to crash gURLChecker if the software is used to access an untrusted web page containing content designed to trigger the condition. Though unconfirmed, this condition could result in memory corruption; due to the nature of memory corruption issues, it may be possible to exploit it to execute arbitrary code in the context of the software.

Webware WebKit Cookie String Command Execution Vulnerability
BugTraq ID: 8349
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8349
Summary:
Webware is an application suite that provides tools for the development of web-based applications. It is implemented in Python. Webware ships with a component entitled WebKit that provides Python classes for dynamically generating web server content.

The Webware WebKit component is prone to a vulnerability that may allow execution of malicious commands. This issue is due to the use of SmartCookie, provided in the CookieEngine module: SmartCookie will attempt to unpickle malicious client-supplied cookie strings, which could result in the Python pickle module executing malicious code contained in those cookie strings. A remote attacker could potentially exploit this issue to execute malicious commands with the privileges of the software.

ERoaster Local Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 8350
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8350
Summary:
eroaster is a freely available graphical frontend to cdrecord. It is available for the Linux operating system.

A problem has been reported in the secure creation of temporary files by the eroaster application. This may allow an attacker to overwrite files belonging to the user running eroaster. Few details are available about this vulnerability. However, it is theorized that the issue results from inadequate checks for the existence of a predictable temporary file before the program attempts to create it. By creating a symbolic link, an attacker could potentially destroy data at the target of the symbolic link, or take other malicious actions.

ManDB Compressor Binary Substitution Vulnerability
BugTraq ID: 8352
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8352
Summary:
mandb is a utility used to initialize or manually update the index database caches that are usually maintained by the man utility.

mandb is prone to a vulnerability that may permit local attackers to gain elevated privileges. The source of this issue is that local users are able to specify an arbitrary program as the location of the compressor utility for cat files. In particular, the open_cat_stream() function call is made while the program still has privileges. By specifying a malicious program, the attacker can cause arbitrary code execution with the privileges of mandb, which typically executes with the privileges of user 'man'.

D-Link DI-704P Long URL Denial Of Service Vulnerability
BugTraq ID: 8355
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8355
Summary:
The D-Link DI-704P is an Internet broadband gateway device. It provides a method to share a single broadband Internet connection and a single printer among systems connected to the local network.

The D-Link DI-704P has been reported prone to a remote denial of service vulnerability. The issue presents itself when a request of excessive length is sent to the router: when a URL of excessive length is requested, the device behaves in an unstable manner. This may result in a complete denial of service condition requiring a device reboot, or in the loss of the ability to log in to the administration interface. Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected.

[ hardware ]

Cisco Content Service Switch ONDM Ping Failure Denial Of Ser...
BugTraq ID: 8358
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8358
Summary:
Cisco Content Service Switch is an appliance designed to provide a front-end for server farms and cache clusters.

It has been reported that under certain circumstances it may be possible for remote attackers to force the System Controller Module (SCM) on Cisco Content Service Switches to reboot. A component on the device known as the Online Diagnostics Monitor (ONDM) periodically sends ping packets to all SFP cards present on the device to verify that they are functional. If a reply is not received, the SCM reboots the device. Remote attackers may be able to perform a SYN flood attack against the device by directing a large amount of data to the circuit IP address of the Content Service Switch. This may prevent delivery of the diagnostic ping packets, causing the device to conclude that the component is not functional and the SCM to reboot.

[ hardware ]

Postfix Connection Proxying Vulnerability
BugTraq ID: 8361
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8361
Summary:
Postfix is a free, open-source mailer designed as an alternative to Sendmail. It is written and maintained by Wietse Venema.

A vulnerability has been reported in Postfix that may allow an adversary to "bounce-scan" a private network. The problem lies in the handling of an attempt to deliver a message to an address of the following format:

<[server_ip]:[EMAIL PROTECTED]>

This causes the server to make a connection to the specified IP address and port. Such an address can be included in the "RCPT TO" or "MAIL FROM" / Errors-To SMTP header fields. By crafting requests that create bounces, an adversary can abuse this issue to proxy scans to networks that the adversary would not normally have direct access to. It has been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool, reportedly by forcing the server to connect repeatedly to an arbitrary port on an arbitrary host. This issue was described in BID 8333 and is now being assigned an individual BID.

Postfix SMTP Malformed E-mail Envelope Address Denial of Ser...
BugTraq ID: 8362
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8362
Summary:
Postfix is a free, open-source mailer designed as an alternative to Sendmail. It is written and maintained by Wietse Venema.

Postfix is reported to be prone to a denial of service attack. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, likewise resulting in a denial of service. The vulnerability is present in the address parser code. Evidence of exploitation of this vulnerability can be found in the mail server logs. Deleting the queued message associated with the "resolve_clnt_query: null recipient" error message in the Postfix logs and then restarting the service restores normal operation. This issue was described in BID 8333 and is now being assigned an individual BID.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
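As an added example (not part of the digest and not Postfix's own code), a small Python log scanner for the Postfix envelope-address entry (BID 8362) above: it flags the "resolve_clnt_query: null recipient" marker the advisory names, attributes it to the queue ID most recently logged by the same qmgr process, and returns the cleanup commands the advisory's remediation implies. The log lines are constructed, and correlating the warning with the preceding queue ID is an assumption of this example, not something the advisory states.

```python
import re

# Constructed sample syslog excerpt (not from the advisory). Only the marker
# string "resolve_clnt_query: null recipient" comes from BID 8362; the line
# layout, hostname and queue ID are invented for the example.
SAMPLE_LOG = """\
Aug  4 10:01:02 mx1 postfix/smtpd[2231]: connect from unknown[192.0.2.10]
Aug  4 10:01:03 mx1 postfix/smtpd[2231]: 7C1A2B3D4E: client=unknown[192.0.2.10]
Aug  4 10:01:04 mx1 postfix/qmgr[1177]: 7C1A2B3D4E: from=<>, size=512, nrcpt=1 (queue active)
Aug  4 10:01:04 mx1 postfix/qmgr[1177]: warning: resolve_clnt_query: null recipient
Aug  4 10:01:05 mx1 postfix/smtpd[2231]: disconnect from unknown[192.0.2.10]
"""

# Classic syslog prefix followed by Postfix's "daemon[pid]: message" layout.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix prefixes per-message log lines with the hexadecimal queue ID.
QUEUE_ID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): ")
MARKER = "resolve_clnt_query: null recipient"

def find_stuck_messages(log_text):
    """Return [(timestamp, pid, queue_id_or_None)] for each marker hit.
    The queue ID attributed to a hit is the last one logged by the same pid
    before the warning. That correlation is this example's assumption (the
    warning line itself carries no queue ID); confirm with `postqueue -p`.
    """
    last_qid_by_pid, hits = {}, []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a Postfix line
        pid, msg = m.group("pid"), m.group("msg")
        q = QUEUE_ID_RE.match(msg)
        if q:
            last_qid_by_pid[pid] = q.group("qid")
        if MARKER in msg:
            hits.append((m.group("ts"), pid, last_qid_by_pid.get(pid)))
    return hits

def remediation_commands(hits):
    """Commands implied by the advisory's fix: delete the stuck message(s)
    with postsuper(1), then restart the service. Returned, never executed."""
    cmds = [f"postsuper -d {qid}" for _, _, qid in hits if qid]
    if hits:
        cmds.append("postfix stop && postfix start")
    return cmds

if __name__ == "__main__":
    found = find_stuck_messages(SAMPLE_LOG)
    for ts, pid, qid in found:
        print(f"{ts} qmgr[{pid}]: {MARKER} (queue id {qid or 'unknown'})")
    print("\n".join(remediation_commands(found)))
```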
