Cisco 7900 Series VoIP Phone ARP Spoofing Denial Of Service ...
BugTraq ID: 8398
Remote: Yes
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8398
Summary:
The 7900 series VoIP Phones are a Voice-Over-IP solution distributed by Cisco Systems. The Cisco 7900 Series of Voice-Over-IP phones have been reported prone to a vulnerability where a spoofed ARP message may crash the phone. It has been reported that an attacker that is connected to the same segment as the affected phones may send spoofed ARP messages to a phone, causing the target phone to be disconnected from the switch. This will result in the phone becoming unstable and crashing. Power cycling the phone to regain normal functionality is required. It has also been reported that such an attack performed on a switchboard phone may deny all incoming calls. Other attacks, including man-in-the-middle style attacks, for example packet injection and data interception, have also been reported possible.
[ hardware ]

HostAdmin Path Disclosure Vulnerability
BugTraq ID: 8401
Remote: Yes
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8401
Summary:
HostAdmin is a web-based tool designed to automate web-hosting operations. HostAdmin is prone to a path disclosure vulnerability. Passing invalid data to the HostAdmin site will cause an error message to be displayed, which contains installation path information. Exploitation may be dependent on web server and PHP configuration. This type of information may aid an attacker in mapping out the file system for further attacks against the host.
[ licence + language unclear ]

DistCC Insecure Temporary File Vulnerability
BugTraq ID: 8402
Remote: No
Date Published: Aug 12 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8402
Summary:
distcc is a distributed compiler application for Linux/Unix variants. distcc acts as a compiler front-end that can distribute software builds across multiple hosts. distcc is reported to handle temporary files insecurely. This could permit attacks which cause sensitive files to be corrupted. A local user may be able to exploit this issue by creating malicious symbolic links. Exploitation could result in destruction of critical files, causing a denial of service. Though unconfirmed, if a local attacker can corrupt files with custom data, they may be able to gain elevated privileges.

SurgeLDAP Path Disclosure Vulnerability
BugTraq ID: 8406
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8406
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number of platforms including Microsoft Windows and Linux/Unix variants. SurgeLDAP is prone to a path disclosure vulnerability. It is possible to gain access to sensitive path information by issuing an HTTP GET request for an invalid resource. This could help a remote attacker enumerate the layout of the file system of the host running the vulnerable software, which may be useful in further attacks against the host. This issue exists in the web server component of SurgeLDAP.
[ licence ? ]

SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 8407
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8407
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number of platforms including Microsoft Windows and Linux/Unix variants. SurgeLDAP is prone to cross-site scripting attacks. The issue exists in the user.cgi script and is due to insufficient sanitization of data supplied via URI parameters, which will be echoed back to users. Remote attackers may exploit this issue by enticing a user to visit a malicious link that specifies hostile HTML and script code as a value for the 'cmd' parameter of the vulnerable script. This code may be rendered in the user's browser when the link is visited. This would occur in the context of the server. Successful exploitation may allow theft of cookie-based authentication credentials or other attacks. This issue exists in the web server component of SurgeLDAP.
[ licence ? ]

ECartis LIScript Arbitrary Variable Viewing Vulnerability
BugTraq ID: 8420
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8420
Summary:
ECartis is a freely available, open source mailing list manager. It is available for the Unix and Linux platforms. A problem in the handling of user-supplied input has been reported in ECartis. Because of this, an attacker may be able to gain access to unauthorized and potentially sensitive information. The problem is in the handling of requests sent via e-mail for specific functions and variables. By supplying specially malformed requests, it is possible to make ECartis disclose data or perform actions that may be restricted and sensitive in nature. Multiple instances of this type of issue were reported to exist in the software.

Ecartis Multiple Buffer Overrun Vulnerabilities
BugTraq ID: 8421
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8421
Summary:
ECartis is a freely available, open source mailing list manager. It is available for the Unix and Linux platforms. Multiple buffer overrun vulnerabilities have been reported for Ecartis 1.0. The problems occur due to a variety of problems within the code, and each appears to be a result of insufficient bounds checking when copying the contents of e-mail into internal memory buffers. One such problem occurs within the smtp_body_822bis() function, located in the stmp.c source file, which is designed to copy data from a src buffer into a destination buffer. However, the function does not include a size parameter, which may allow for the destination to be overrun. As a result of this issue, any later implementation of this function may result in a potentially exploitable buffer overrun. Other issues have been reported within the unhtml.c and unmime.c source files. All issues located in these files appear to occur due to insufficient bounds checking before transferring data between pointers. Successful exploitation of these vulnerabilities may result in a remote denial of service. Also, although it has not yet been confirmed, due to the nature of these vulnerabilities, it is theoretically possible that an attacker may be capable of exploiting the overruns to execute arbitrary instructions. It should be noted that due to the nature of e-mail protocols, successfully exploiting this issue may be difficult due to a restricted character set.

Skunkweb Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 8422
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8422
Summary:
Skunkweb is a web application server written in Python. Skunkweb has been reported to be prone to a cross-site scripting vulnerability. The problem exists in the Handler module of the software. This module handles error output for the server. HTML and script code will not be filtered before being displayed to the user in 404 error pages. Therefore an attacker may create a malicious link containing HTML and script code, which could be rendered in a legitimate user's browser when the link is visited. This would occur in the context of the vulnerable server and could permit the attacker-supplied code to access properties of pages hosted by the server. This issue allows a user to be prone to attacks such as cookie-based credential theft. Other attacks may be possible as well.

Skunkweb Cache Module File Disclosure Vulnerability
BugTraq ID: 8424
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8424
Summary:
Skunkweb is a web application server written in Python. Skunkweb has been reported by the vendor to be prone to a vulnerability that may allow remote users to access restricted data from the server. The problem exists in the Cache module of the server that is responsible for caching spread mailboxes. The vulnerability allows clients to traverse outside of the document root for the web server using various character sequences. This may allow the attacker to access system resources on the server. Through successful exploitation of this issue, sensitive information could be disclosed to an attacker, leading to further attacks.

Unix/Linux Keystroke Information Disclosure Weakness
BugTraq ID: 8425
Remote: Yes
Date Published: Aug 15 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8425
Summary:
Various Unix-derived operating systems implement the /dev/random device which acts as a source of entropy when generating pseudo-random numbers. This device contains an entropy pool, containing pseudo-random data from a variety of sources. One such source is keyscan codes, triggered by a user using the keyboard. A weakness has been discovered in the /dev/random mechanism that could theoretically allow an attacker to deduce keystrokes made by a user who is physically at the system's console keyboard. The problem appears to lie in the differing times between entropy pool seeding times. Specifically, when a typical keystroke is made, keypress-in and keypress-out scancodes are generated. These keystrokes typically have different timing delays, due to the way a keyboard is used. For instance, as Michal Zalewski described, a keypress-in scancode will generate 1-2 byte(s) of data with a 50-150 millisecond delay, whereas a key-release scancode, which also generates 1-2 byte(s), will have a delay of 50 milliseconds or more. Other forms of seeding the entropy pool have other patterns, making them easy to distinguish from keystrokes. As a result of these timing differences, it may be possible for an attacker to reliably time keystrokes made at the system's physical console. This timing data may then be compared to statistics regarding keypress times versus words typed, potentially allowing the attacker to deduce a user's keystrokes. A conclusive list of affected systems is not available at this time. It is also not known at this point if any specific implementation is not affected. This BID will be updated and the affected systems modified as more information becomes available.

Autorespond Buffer Overrun Vulnerability
BugTraq ID: 8436
Remote: Yes
Date Published: Aug 16 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8436
Summary:
autorespond is a program that is used with qmail to generate automated responses to e-mail. It is available for Unix and Linux variants. autorespond is prone to a buffer overrun. This issue may potentially be exploited by remote attackers to execute arbitrary code in the context of the software. Debian has reported that this issue may not be exploitable due to "incidental" limits on the length of user-supplied input that could potentially trigger this issue. Exploitation should not be ruled out though, since it is possible that there may be situations where these limits do not apply. If this issue were successfully exploited, it would be possible to execute malicious instructions in the context of the user who has configured qmail to forward messages to autorespond.

Dropbear SSH Server Username Format String Vulnerability
BugTraq ID: 8439
Remote: Yes
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8439
Summary:
Dropbear SSH Server is a secure shell server designed to be usable with low-end systems. Dropbear implements the use of various SSH 2 protocol features as well as X and authentication-agent forwarding, and is available for the Linux, Tru64, Solaris, and FreeBSD operating systems. A remotely exploitable format string vulnerability has been discovered in Dropbear SSH Server. The problem occurs due to an incorrectly formatted call to the syslog() system call, occurring within the 'util.c' source file. This syslog() call can be triggered by invoking the dropbear_log() function, which amongst other locations is called during the authentication stage. The specific code which makes this vulnerability remotely exploitable occurs within the 'auth.c' source file, and is invoked after the server places the user-supplied 'username' variable within an internal memory buffer. This buffer is then passed to the syslog() system call as a format string, called via the dropbear_log() function, and is subsequently interpreted as such. As a result of this format string, an attacker may be capable of influencing the flow of program execution by placing specially calculated format specifiers within the 'username'. When this data is logged, it may be possible for the attacker to execute arbitrary code with the privileges of Dropbear, typically root. This vulnerability affects Dropbear SSH Server v0.34 and earlier.

eMule Client OP_SERVERIDENT Heap Overflow Vulnerability
BugTraq ID: 8440
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8440
Summary:
eMule is a freely available open source peer-to-peer file sharing application. eMule uses the eDonkey file sharing protocol. EMule+, xMule and lmule are similar peer-to-peer file sharing applications that are derived from the eMule code base and so are affected by this vulnerability. eMule client has been reported prone to a heap overflow vulnerability. The issue presents itself when the client parses OP_SERVERIDENT data received from a server. An attacker may exploit this issue by transmitting malicious data to an affected client using a malicious server. Excessive data greater than the size of an allocated buffer in heap memory will corrupt data adjacent to that buffer, in this case corrupting heap memory management structures. Ultimately an attacker may exploit this condition to execute arbitrary supplied instructions in the context of the vulnerable eMule application. Failed exploitation attempts will result in a denial of service of the affected client. It should be noted that this vulnerability has been reported to affect eMule <= 0.29a, lmule <= 1.3.1, xMule <= 1.4.3, <= 1.5.4 and EMule+ 1.0.

ManDB Utility Hard Link Buffer Overrun Vulnerability
BugTraq ID: 8442
Remote: No
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8442
Summary:
mandb is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility. Debian released updates for previous mandb vulnerabilities (described in BID 8303) that introduced a buffer overrun. This vulnerability exists in a routine that is responsible for resolving hard links. The issue could potentially be triggered by a malformed filename for a hard linked man page. This could permit local attackers to execute arbitrary code in the context of the mandb utility, which is typically user 'man'. Debian addressed this by releasing revised updates that also fix this issue. It is not known if the utility is prone to this issue on other distributions.

eMule Client OP_SERVERMESSAGE Format String Vulnerability
BugTraq ID: 8443
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8443
Summary:
eMule is a freely available, open source peer-to-peer file sharing application. eMule uses the eDonkey file sharing protocol. EMule+, xMule and lmule are similar peer-to-peer file sharing applications that are derived from the eMule code base and so are affected by this vulnerability. eMule client has been reported prone to a format string vulnerability. The issue presents itself when the client processes OP_SERVERMESSAGE data received from a server. An attacker may exploit this issue by transmitting malicious data, containing embedded format string specifiers, to an affected client using a malicious server. The format specifiers will be interpreted literally and may result in attacker controlled arbitrary memory being corrupted. Ultimately a remote attacker may exploit this condition to execute supplied instructions in the context of the vulnerable eMule application. Failed exploitation attempts will result in a denial of service of the affected client. It should be noted that this vulnerability has been reported to affect eMule 0.29a and earlier, lmule 1.3.1 and earlier, xMule 1.4.3 and earlier as well as 1.5.4 and earlier, and EMule+ 1.0.

eMule AttachToAlreadyKnown Double Free Vulnerability
BugTraq ID: 8444
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8444
Summary:
eMule is a freely available open source peer-to-peer file sharing application. eMule uses the eDonkey file sharing protocol. xMule and lmule are similar peer-to-peer file sharing applications that are derived from the eMule code base and so are affected by this vulnerability. eMule client has been reported prone to a double free vulnerability. It has been reported that when the eMule client receives a specific sequence of packets from a malicious server, the AttachToAlreadyKnown client object that is currently used is freed from reserved memory. The program may fail to sufficiently format the pointer to the object after it has been freed. As a result, an attacker may be capable of freeing the object a second time, potentially resulting in attacker-controlled data being referenced. Ultimately an attacker may exploit this condition to execute arbitrary supplied instructions in the context of the vulnerable eMule application. Failed exploitation attempts will result in a denial of service of the affected client. It has been reported that this issue may be exploited with packets that conform to the eDonkey protocol. This may make exploitation attempts difficult to detect. It should be noted that this vulnerability has been reported to affect eMule <= 0.29c, lmule <= 1.3.1 and xMule <= 1.4.2, <= 1.5.6a.

eMule Client Servername Format String Vulnerability
BugTraq ID: 8445
Remote: Yes
Date Published: Aug 17 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8445
Summary:
eMule is a freely available, open source peer-to-peer file sharing application. eMule uses the eDonkey file sharing protocol. EMule+, xMule and lmule are similar peer-to-peer file sharing applications that are derived from the eMule code base and so are affected by this vulnerability. eMule client has been reported prone to a format string vulnerability. The issue presents itself when the client processes a malicious server name. An attacker may exploit this issue by passing a server name containing embedded format string specifiers to an affected client in a sufficient manner. The format specifiers will be interpreted literally and may result in attacker controlled arbitrary memory being corrupted or revealed. Ultimately, a remote attacker may exploit this condition to trigger a denial of service condition in the affected client. Although unconfirmed, it has been conjectured that this issue may also be exploited to reveal contents in arbitrary locations of memory. Remote code execution is not believed to be possible. It should be noted that this vulnerability has been reported to affect eMule 0.29c and earlier, lmule 1.3.1 and earlier, xMule 1.4.2 and earlier as well as 1.5.5 and earlier, and EMule+ 1.0.

OpenSLP Initialization Script Insecure Temporary File Vulnerability
BugTraq ID: 8446
Remote: No
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8446
Summary:
OpenSLP is a freely available, open source implementation of the Service Location Protocol. It is available for the Unix and Linux platforms. A problem exists in the creation of temporary files by OpenSLP. Because of this, an attacker may be able to destroy data, resulting in a denial of service. The problem is in the initialization script used by OpenSLP. The default script, slpd.all_init, does not properly check for the existence of the /tmp/route.check file prior to attempting to create it. Because of this, a symbolic link to a file can result in the destruction of the file at the end of the symbolic link, depending upon the privileges of the user executing the initialization script. It should be noted that the initialization script is typically executed by a privileged user.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
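The Dropbear entry (BID 8439) turns on one detail: a buffer that embeds the untrusted username is handed to syslog() as the format argument, so conversion specifiers in the name are interpreted instead of copied. The following is an added illustration, not Dropbear's code: a counter that reports how many arguments a string would consume if it were misused as a printf-style format (handy both for seeing why "%x%n" in a username matters and for flagging such usernames in authentication logs), beside the hardened logging pattern that keeps the format a literal and passes the username as a "%s" argument. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversions a string would drive if misused as a printf-style
 * format: each one consumes an argument the caller never supplied. "%%" is
 * a literal percent sign and consumes nothing. Flags, width, precision and
 * length modifiers are skipped so that "%08lx" counts as one conversion; a
 * '*' width pulls an extra int argument. "%n" is counted like any other
 * conversion and flagged separately, since it writes to memory. */
typedef struct { int conversions; int writes; } format_demand;

format_demand format_arg_demand(const char *s) {
    format_demand d = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;             /* escaped "%%" */
        if (*p == '\0') break;               /* trailing lone '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') d.conversions++;  /* '*' width takes an argument */
            p++;
        }
        if (*p == '\0') break;
        d.conversions++;                     /* the conversion character */
        if (*p == 'n') d.writes++;
    }
    return d;
}

/* A username is harmless as a format only if it drives no conversions. */
int username_safe_as_format(const char *username) {
    return format_arg_demand(username).conversions == 0;
}

/* Hardened pattern: the format is a string literal and the untrusted value
 * is an argument, so "%x" or "%n" inside it are copied verbatim, never
 * interpreted. The line is rendered into a caller buffer instead of being
 * sent to syslog() so the result can be checked offline; the same rule
 * applies unchanged to syslog()/vsyslog(). Returns the rendered length. */
int log_auth_attempt(char *out, size_t outsz, const char *username) {
    return snprintf(out, outsz, "login attempt for user '%s'", username);
}
```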
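The distcc (BID 8402) and OpenSLP (BID 8446) entries describe the same defect: a temporary file is created at a predictable name without checking whether a symbolic link already sits there, so a link planted by a local user redirects the write to a file it points at. The following is an added, sandboxed illustration and not code from either project: a creator that uses O_CREAT|O_EXCL|O_NOFOLLOW, which refuses to go through a pre-existing link, shown beside the naive open-for-write pattern, with the whole exercise confined to a private directory made with mkdtemp(). The "route.check" name is borrowed from the OpenSLP entry; the victim file and function names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Safe creator: O_CREAT|O_EXCL fails with EEXIST if anything, a symbolic
 * link included, already occupies the path, and O_NOFOLLOW refuses to walk
 * through a link in the last component. Nothing behind a planted link can
 * be opened or truncated. Mode 0600 keeps the file private to the owner. */
int create_private_file(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The unsafe pattern the two advisories describe: "create" the temp file by
 * opening the name for writing, following whatever link is already there. */
int create_naively(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

static ssize_t read_small(const char *path, char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got;
}

/* Reproduction in a private directory: a "victim" file plus a link to it
 * planted under the expected temp-file name. Returns a bitmask:
 * bit 0 = the naive creator emptied the victim through the link,
 * bit 1 = the safe creator refused the link and the victim kept its data.
 * A result of 3 means the safe creator behaves as intended; -1 = setup failed. */
int symlink_trap_demo(void) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* constructed sandbox name */
    char victim[160], trap[160], buf[8];
    int fd, result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trap, sizeof trap, "%s/route.check", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || symlink(victim, trap) != 0)
        return -1;
    close(fd);

    fd = create_naively(trap);                      /* follows the link ... */
    if (fd >= 0) close(fd);
    if (read_small(victim, buf, sizeof buf) == 0) result |= 1;  /* ... and truncates */

    fd = open(victim, O_WRONLY | O_TRUNC);          /* restore the victim */
    if (fd >= 0) { (void)!write(fd, "keep", 4); close(fd); }
    fd = create_private_file(trap);                 /* must refuse the link */
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)
        && read_small(victim, buf, sizeof buf) == 4) result |= 2;
    if (fd >= 0) close(fd);

    unlink(trap); unlink(victim); rmdir(dir);       /* clean up the sandbox */
    return result;
}
```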
