Glibc Getgrouplist Function Buffer Overrun Vulnerability
BugTraq ID: 8477
Remote: Unknown
Date Published: Aug 23 2003
Relevant URL: http://www.securityfocus.com/bid/8477
Summary:
The GNU C library, glibc, contains standard C libraries called by various applications. The getgrouplist function in glibc does not perform adequate bounds checking on the data it retrieves, allowing the caller-supplied buffer to be overrun. When getgrouplist retrieves the group list for a user who is a member of more groups than the group list buffer can hold, it writes past the end of that buffer. This may result in segmentation faults in user applications. The consequences of this vulnerability depend on the application calling the getgrouplist function.

Glibc Malloc Routine Race Condition Vulnerability
BugTraq ID: 8478
Remote: Unknown
Date Published: Aug 23 2003
Relevant URL: http://www.securityfocus.com/bid/8478
Summary:
The GNU C library, glibc, contains standard C libraries called by various applications. An unspecified race condition exists in the malloc function of glibc. This issue may result in memory corruption, possibly allowing sensitive areas of memory to be overwritten. Specific details of this issue are not currently known. This record will be updated when further information becomes available. This issue was reported to affect only IA64 platforms.

WIDZ Remote Root Compromise Vulnerability
BugTraq ID: 8479
Remote: Yes
Date Published: Aug 23 2003
Relevant URL: http://www.securityfocus.com/bid/8479
Summary:
WIDZ is a wireless intrusion detection system that checks the identity of wireless access points against a list of authorized access points in a config file. If an access point is not in the authorized list, an alert message is generated. The alert message generated by WIDZ passes untrusted data to system() calls, possibly allowing a compromise of the underlying operating system. If the ESSID of an access point is set to include shell commands, those commands will be executed when the ESSID is passed to the system() call by WIDZ. Commands would be executed with root privileges.

[ licence ? ]
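The getgrouplist entry above describes a library function that keeps writing once the caller's buffer is full. The following is an added example, not glibc code: it models the getgrouplist(3) contract against a constructed in-memory group database (the group names, GIDs and members are made up for the example), showing the overrunning behaviour next to the documented one (store at most *ngroups entries, report the total needed in *ngroups, return -1 when the buffer was too small) and the retry loop a caller should use. The retry loop applies unchanged to the real function.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed group database (not real NSS data): supplementary groups only. */
struct fake_group { const char *name; gid_t gid; const char *members[4]; };
static const struct fake_group fake_groups[] = {
    { "wheel",  10,  { "alice", "bob", NULL } },
    { "audio",  29,  { "alice", NULL } },
    { "video",  44,  { "alice", NULL } },
    { "docker", 999, { "alice", NULL } },
};
#define NFAKE (sizeof fake_groups / sizeof fake_groups[0])

static int is_member(const struct fake_group *g, const char *user)
{
    for (size_t i = 0; g->members[i] != NULL; i++)
        if (strcmp(g->members[i], user) == 0) return 1;
    return 0;
}

/* Behaviour described in BID 8477: the caller says the buffer holds
 * *ngroups entries, but every matching group is stored anyway. Returns
 * the number of entries written; anything above *ngroups landed past
 * the end of the caller's real buffer. */
static int getgrouplist_broken(const char *user, gid_t base, gid_t *groups, int *ngroups)
{
    int n = 0;
    (void)ngroups;                      /* the claimed capacity is never consulted */
    groups[n++] = base;
    for (size_t i = 0; i < NFAKE; i++)
        if (is_member(&fake_groups[i], user))
            groups[n++] = fake_groups[i].gid;
    return n;
}

/* The documented contract: never store more than *ngroups entries,
 * always report the total needed in *ngroups, return -1 when the buffer
 * was too small and the count stored otherwise. */
static int getgrouplist_fixed(const char *user, gid_t base, gid_t *groups, int *ngroups)
{
    int cap = *ngroups, needed = 0;
    if (needed < cap) groups[needed] = base;
    needed++;
    for (size_t i = 0; i < NFAKE; i++) {
        if (!is_member(&fake_groups[i], user)) continue;
        if (needed < cap) groups[needed] = fake_groups[i].gid;
        needed++;
    }
    *ngroups = needed;
    return needed > cap ? -1 : needed;
}

/* Caller side: start small, grow to the size the function reports, retry. */
static gid_t *fetch_groups(const char *user, gid_t base, int *count)
{
    int n = 1;
    gid_t *buf = malloc(sizeof *buf * (size_t)n);
    if (buf == NULL) return NULL;
    while (getgrouplist_fixed(user, base, buf, &n) == -1) {
        gid_t *tmp = realloc(buf, sizeof *buf * (size_t)n);   /* n now holds the needed count */
        if (tmp == NULL) { free(buf); return NULL; }
        buf = tmp;
    }
    *count = n;
    return buf;
}

/* Entries the broken version stores beyond the claimed capacity. The
 * scratch array is oversized so the demonstration itself stays in bounds. */
static int broken_overrun_entries(const char *user, gid_t base, int claimed)
{
    gid_t scratch[32];
    int n = claimed;
    int written = getgrouplist_broken(user, base, scratch, &n);
    return written > claimed ? written - claimed : 0;
}

int main(void)
{
    printf("broken: 'alice' with a 2-entry buffer writes %d entries past it\n",
           broken_overrun_entries("alice", 100, 2));
    int count = 0;
    gid_t *g = fetch_groups("alice", 100, &count);
    if (g != NULL) {
        printf("fixed + retry: %d groups:", count);
        for (int i = 0; i < count; i++) printf(" %u", (unsigned)g[i]);
        printf("\n");
        free(g);
    }
    return 0;
}
```

Applications that call the real getgrouplist with a fixed-size array and ignore the -1 return are exposed twice: to the library bug on an unpatched glibc, and to silent truncation of the group list on a patched one. The retry loop above handles both.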
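The WIDZ entry above is a command injection through an attacker-chosen ESSID. The following is an added example and not WIDZ source: it shows the vulnerable shape (interpolating the ESSID into a string handed to system()) beside the fix (running the alert helper via fork/execv so the ESSID is a single argv element that no shell ever parses). The helper program path, the argument layout and the sample ESSID are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the alert helper the daemon would invoke (assumption). */
#define ALERT_PROG "/bin/echo"

/* Vulnerable shape: the ESSID (attacker-chosen, up to 32 bytes) is
 * pasted into a command line that system() hands to /bin/sh. Quoting
 * does not help: an ESSID containing a double quote closes the quoted
 * argument and the remainder is parsed as further shell commands. */
static int build_alert_command_unsafe(char *out, size_t outsz,
                                      const char *bssid, const char *essid)
{
    int n = snprintf(out, outsz, "%s rogue-ap %s \"%s\"", ALERT_PROG, bssid, essid);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

static int run_alert_unsafe(const char *bssid, const char *essid)
{
    char cmd[512];
    if (build_alert_command_unsafe(cmd, sizeof cmd, bssid, essid) != 0) return -1;
    return system(cmd);          /* in the daemon this runs as root */
}

/* Fixed shape: no shell. The ESSID becomes one argv element, byte for
 * byte, and nothing interprets it. */
static int run_alert_noshell(const char *bssid, const char *essid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { ALERT_PROG, "rogue-ap", (char *)bssid, (char *)essid, NULL };
        execv(ALERT_PROG, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth for logging/alert text: flag anything that is not
 * printable ASCII or that the shell would treat specially. Not a
 * substitute for dropping the shell, since an ESSID may hold any bytes. */
static int essid_has_shell_meta(const char *essid)
{
    static const char meta[] = ";|&$`\"'\\<>(){}*?!";
    for (const unsigned char *p = (const unsigned char *)essid; *p != '\0'; p++)
        if (*p < 0x20 || *p > 0x7e || strchr(meta, *p) != NULL) return 1;
    return 0;
}

int main(void)
{
    const char *bssid = "00:11:22:33:44:55";
    /* Constructed hostile ESSID, 25 bytes, fits the 32-byte limit. */
    const char *hostile = "x\"; echo INJECTED; echo \"";
    char cmd[512];
    build_alert_command_unsafe(cmd, sizeof cmd, bssid, hostile);
    printf("shell would see: %s\n", cmd);
    printf("--- via system(): ---\n"); fflush(stdout);
    run_alert_unsafe(bssid, hostile);          /* prints INJECTED on its own line */
    printf("--- via execv(): ---\n"); fflush(stdout);
    run_alert_noshell(bssid, hostile);         /* prints the ESSID verbatim */
    return 0;
}
```

The same applies to any network-observed string (SSID, hostname, DHCP option, user-agent) that an IDS or monitoring tool forwards to a notification script: pass it as an argument vector, never as part of a shell command line.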
Red Hat Linux IPTables Firewall Failure Vulnerability
BugTraq ID: 8481
Remote: No
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8481
Summary:
iptables is the firewall infrastructure developed for the Linux kernel. iptables on Red Hat Linux systems has been reported prone to a vulnerability which may prevent the firewall from functioning correctly. The issue stems from recent Red Hat kernel updates: a kernel update was reportedly not accompanied by a matching update of the iptables utility, so some iptables operations (the owner match, for example) no longer function. Ultimately this may prevent an iptables firewall from restarting after a kernel upgrade has been applied. The issue may lull an administrator into a false sense of security, since the administrator may believe that an effective firewall is running.

Whois Client Command Line Buffer Overrun Vulnerability
BugTraq ID: 8483
Remote: Yes
Date Published: Aug 22 2003
Relevant URL: http://www.securityfocus.com/bid/8483
Summary:
Whois is an enhanced whois client for Linux/Unix platforms. Whois is prone to a buffer overrun vulnerability when handling command line parameters of excessive length. The cause of the issue is that command line parameters are copied using an sprintf() operation without sufficient bounds checking. While the client is not setuid/setgid, it is often invoked by external scripts, and this presents a security vulnerability if the program is invoked with untrusted input. In such a case, successful exploitation would permit an attacker to execute arbitrary code in the context of the program. A typical scenario would be a CGI script that calls the program with parameters controlled by a remote attacker; this could allow the attacker to execute arbitrary code with the privileges of the web server invoking the vulnerable program.
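The whois entry above, and the GtkFtpd LIST and pam_smb password entries further down, share one defect: attacker-sized text formatted or copied into a fixed buffer with sprintf()/strcpy() and no length check. The following is an added example, not code from any of those projects. It uses a LIST-style line like the one the GtkFtpd report describes (a 256-byte line buffer, permission/user/date fields appended to a file name) and a whois-style query buffer; the field values, the 64-byte query size and the format strings are constructed for the example. The overrun is computed with vsnprintf(NULL, 0, ...) rather than performed, so the program itself stays memory-safe.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bytes (including the NUL) sprintf() would write for this format,
 * minus the buffer size: positive means that many bytes land past the
 * end of the buffer. Nothing is written, so the example never overruns. */
static long sprintf_overrun_bytes(size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    long needed = (long)n + 1;
    return needed > (long)cap ? needed - (long)cap : 0;
}

/* Hardened replacement for sprintf(): formats into a fixed buffer and
 * refuses (returns -1, buffer left empty) when the result would not
 * fit, rather than overrunning or silently truncating a protocol line. */
static int fmt_bounded(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0) out[0] = '\0';
        return -1;
    }
    return n;
}

/* LIST-style line: ownership and date fields appended to the file name. */
#define LIST_LINE_CAP 256
static const char LIST_FMT[] = "%s %s %s %s\r\n";

static int format_list_line(char *line, const char *perms, const char *user,
                            const char *date, const char *name)
{
    return fmt_bounded(line, LIST_LINE_CAP, LIST_FMT, perms, user, date, name);
}

/* How far the unchecked sprintf() version would write past the line buffer. */
static long list_line_overrun(const char *perms, const char *user,
                              const char *date, const char *name)
{
    return sprintf_overrun_bytes(LIST_LINE_CAP, LIST_FMT, perms, user, date, name);
}

/* Whois-style: a command line argument copied into a fixed query buffer. */
#define QUERY_CAP 64          /* assumed size for the example */
static int format_query(char *query, const char *arg)
{
    return fmt_bounded(query, QUERY_CAP, "%s\r\n", arg);
}

int main(void)
{
    char name[256];
    memset(name, 'A', 255);   /* constructed 255-byte file name */
    name[255] = '\0';
    char line[LIST_LINE_CAP];

    printf("README:        sprintf overrun %ld bytes, bounded rc %d\n",
           list_line_overrun("-rw-r--r--", "ftp", "Aug 25 2003", "README"),
           format_list_line(line, "-rw-r--r--", "ftp", "Aug 25 2003", "README"));
    printf("255-byte name: sprintf overrun %ld bytes, bounded rc %d\n",
           list_line_overrun("-rw-r--r--", "ftp", "Aug 25 2003", name),
           format_list_line(line, "-rw-r--r--", "ftp", "Aug 25 2003", name));
    return 0;
}
```

Checking the return value of snprintf() is the part most ports of sprintf() code skip: without it, an over-long name is truncated into a syntactically wrong protocol line, which is safer than an overflow but still a bug.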
Sendmail DNS Maps Remote Denial of Service Vulnerability
BugTraq ID: 8485
Remote: Yes
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8485
Summary:
A potential vulnerability has been discovered in Sendmail when implementing the use of DNS Maps. This behavior can be enabled through the sendmail.cf configuration file. The problem lies in the sm_resolve.c source file and is exclusive to Sendmail 8.12.x releases prior to 8.12.9. Specifically, it has been discovered that the dns_parse_reply() function fails to initialize RESOURCE_RECORD_T structures after allocation. These structures are used in a chain designed to keep track of various DNS data. Each structure includes an 'rr_next' variable, which is a pointer to the next structure in the list. When an invalid DNS reply is received by Sendmail, i.e. one with a reply size differing from the announced reply size, the dns_free_data() function is called. This function is designed to free allocated chains of RESOURCE_RECORD_T structures, and traverses the chain until an 'rr_next' variable points to NULL. Due to the failure to initialize these structures, the last structure in the chain will not contain a NULL 'rr_next' variable. As such, the dns_free_data() function may traverse into random memory by referencing this garbage 'rr_next' pointer, which could potentially result in the free() function being called on random memory. This could allow for a denial of service condition, as an attacker may trigger a situation under which invalid memory will be dereferenced. Theoretically, if this garbage data were to be controlled by an attacker at some point during execution, it may be possible to exploit this issue to execute arbitrary code. This however has not been confirmed. It should be noted that the default configuration of Sendmail is not affected by this issue.
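The Sendmail entry above turns on one uninitialized field in the last node of a chain. The following is an added example and not Sendmail code: a record type with the rr_next field the advisory names (the other members are invented), allocated from a constructed arena whose bytes are deliberately filled with 0x41 to stand in for a heap chunk that still carries old data. It builds the chain the bug-pattern way and the fixed way, then walks each chain the way the described dns_free_data() does, except that instead of dereferencing (and freeing) a garbage pointer it checks the pointer against the arena and reports the problem.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of the structure described in the advisory (rr_next is the
 * field that matters; the other members are placeholders). */
typedef struct rr {
    int        rr_type;
    char      *rr_name;
    struct rr *rr_next;
} rr_t;

/* Constructed stand-in for a heap whose chunks come back dirty: every
 * byte is 0x41 before use. The union keeps the arena aligned for rr_t. */
static union { unsigned char bytes[4096]; rr_t align; } arena_store;
#define ARENA      (arena_store.bytes)
#define ARENA_SIZE (sizeof arena_store.bytes)
static size_t arena_used;

static void arena_reset(void) { memset(ARENA, 0x41, ARENA_SIZE); arena_used = 0; }

static void *arena_alloc(size_t n)
{
    size_t off = (arena_used + 15) & ~(size_t)15;
    if (n > ARENA_SIZE - off) return NULL;
    arena_used = off + n;
    return ARENA + off;
}

static int ptr_in_arena(const void *p)
{
    uintptr_t a = (uintptr_t)ARENA, q = (uintptr_t)p;
    return q >= a && q + sizeof(rr_t) <= a + ARENA_SIZE;
}

/* Bug pattern: the fields needed right now are set, rr_next is not. */
static rr_t *rr_new_uninit(int type)
{
    rr_t *r = arena_alloc(sizeof *r);
    if (r == NULL) return NULL;
    r->rr_type = type;
    r->rr_name = NULL;
    return r;                 /* rr_next still holds whatever the chunk had */
}

/* Fix: clear the whole record before use (calloc() is the usual way). */
static rr_t *rr_new_init(int type)
{
    rr_t *r = arena_alloc(sizeof *r);
    if (r == NULL) return NULL;
    memset(r, 0, sizeof *r);
    r->rr_type = type;
    return r;
}

/* Builds a chain of n records. Linking sets rr_next on every node but
 * the last, which is exactly where the uninitialized field survives. */
static rr_t *build_chain(int n, rr_t *(*mk)(int))
{
    rr_t *head = NULL, *tail = NULL;
    for (int i = 0; i < n; i++) {
        rr_t *r = mk(i);
        if (r == NULL) break;
        if (tail != NULL) tail->rr_next = r; else head = r;
        tail = r;
    }
    return head;
}

/* Mirrors the dns_free_data() walk: follow rr_next until NULL. Where
 * the real code would dereference and free() garbage, this walker
 * checks the pointer against the arena and reports instead. Returns the
 * number of records visited. */
static int walk_chain(const rr_t *r, int *hit_garbage)
{
    int visited = 0;
    *hit_garbage = 0;
    while (r != NULL) {
        visited++;
        const rr_t *next = r->rr_next;
        if (next != NULL && !ptr_in_arena(next)) { *hit_garbage = 1; break; }
        r = next;
    }
    return visited;
}

int main(void)
{
    int garbage;
    arena_reset();
    int n = walk_chain(build_chain(3, rr_new_uninit), &garbage);
    printf("uninitialized: visited %d records, tail rr_next is garbage: %s\n",
           n, garbage ? "yes" : "no");
    arena_reset();
    n = walk_chain(build_chain(3, rr_new_init), &garbage);
    printf("initialized:   visited %d records, tail rr_next is garbage: %s\n",
           n, garbage ? "yes" : "no");
    return 0;
}
```

On a real heap the stale bytes are whatever the previous occupant of the chunk left behind, which is why the advisory leaves code execution open as a possibility: if an attacker can steer what was freed there earlier, the "random" pointer is not random.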
GTKFTPD LIST Command Remote Buffer Overflow Vulnerability
BugTraq ID: 8486
Remote: Yes
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8486
Summary:
GtkFtpd is a personal FTP server that includes a GTK graphical interface. The GtkFtpd LIST command routine has been reported prone to a remotely exploitable buffer overflow vulnerability. The issue presents itself in the sys_cmd.c source file and is due to a lack of sufficient bounds checking on user-supplied data. Specifically, when a LIST command is invoked, a sprintf() call fails to perform sufficient checks when appending date/user/stat data to a file/folder name string. When the concatenated data is copied into a 256-byte buffer to be later displayed on screen, 40 bytes of attacker-controlled data may be written past the boundary of the reserved buffer in memory. Ultimately this issue may be leveraged by a remote attacker to influence GtkFtpd program execution flow and have arbitrary supplied instructions executed in the context of the vulnerable daemon, typically root. It should be noted that this issue has been reported to affect GtkFtpd version 1.0.4 and previous.

Pam_SMB Remote Buffer Overflow Vulnerability
BugTraq ID: 8491
Remote: Yes
Date Published: Aug 26 2003
Relevant URL: http://www.securityfocus.com/bid/8491
Summary:
pam_smb is a pluggable authentication module (PAM) that provides for authentication of UNIX users to a Server Message Block (SMB) server. pam_smb has been reported prone to a buffer overflow vulnerability. It has been reported that systems using pam_smb to authenticate to a remotely accessible service may be vulnerable to a condition that may allow a remote attacker to supply and execute arbitrary code in the context of the vulnerable module. Specifically, insufficient bounds checking is carried out on user-supplied passwords before they are copied into internal memory space. As a result, an attacker may be capable of overwriting sensitive locations in memory. It has been reported that all versions of pam_smb prior to and including version 1.1.6, and the 2.0.0-rc development versions, are affected by this vulnerability.

SLRN XRef Buffer Overflow Vulnerability
BugTraq ID: 8493
Remote: Yes
Date Published: Aug 26 2003
Relevant URL: http://www.securityfocus.com/bid/8493
Summary:
slrn is an open source, freely available newsreader. It is actively maintained by the SLRN Development Team, distributed through Sourceforge, and included with many distributions of Linux. slrn has been reported prone to a remote buffer overflow condition. The issue has been reported to present itself when handling malicious Xref headers. It has been reported that, when handled, an Xref header value sufficient to trigger this issue may overrun the bounds of a reserved memory buffer and corrupt adjacent memory within the slrn process. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a remote attacker may exploit this issue to influence the execution flow of the affected slrn application. This could result in arbitrary code execution in the context of the user running slrn. This vulnerability has been reported to affect all versions of slrn prior to version 0.9.8.0.

akpop3d User Name SQL Injection Vulnerability
BugTraq ID: 8495
Remote: Yes
Date Published: Aug 26 2003
Relevant URL: http://www.securityfocus.com/bid/8495
Summary:
akpop3d is a stand-alone POP3 daemon. The product allows secure POP3 sessions based on POP3-over-SSL. akpop3d may be prone to a vulnerability that may allow an attacker to inject malicious SQL syntax into database queries. The source of this issue is insufficient sanitization of user-supplied input before it is included in database queries. A remote attacker may exploit this issue to influence SQL query logic. This issue may allow an attacker to gain access to sensitive data stored in the database. Other attacks on the underlying database are possible as well. It has been reported that a valid POP3 password is required in order to exploit this issue.

GBrowse Help Parameter File Disclosure Vulnerability
BugTraq ID: 8496
Remote: Yes
Date Published: Aug 25 2003
Relevant URL: http://www.securityfocus.com/bid/8496
Summary:
GBrowse (Generic Genome Browser) is web-based genetics software. GBrowse is prone to a file disclosure vulnerability. Remote users may gain access to files outside of the web root directory by passing directory traversal sequences (../) via the 'help' URI parameter. This vulnerability could be exploited to gain unauthorized access to files that are readable by the web server hosting the vulnerable software. If successfully exploited, an attacker may gain access to sensitive information that could assist in mounting further attacks against system resources.

BProc Local Arbitrary File Deletion Vulnerability
BugTraq ID: 8509
Remote: No
Date Published: Aug 28 2003
Relevant URL: http://www.securityfocus.com/bid/8509
Summary:
BProc (Beowulf Distributed Process Space) is a set of kernel modifications, utilities and library files designed to facilitate the invocation and handling of processes on remote systems. BProc is designed for use with the Linux kernel. BProc is prone to a vulnerability that could allow malicious local users to delete arbitrary system files. The problem is said to be due to incorrect permission checking when handling I/O redirection. As a result, an attacker may be capable of gaining limited access to arbitrary system files with elevated privileges. This issue could be exploited by an attacker to delete arbitrary system files, potentially rendering the system unusable. The problem is believed to occur because BProc fails to sufficiently set up I/O prior to the execution of setuid programs from within another program. This may make it possible for an attacker to access descriptors used by the privileged program. This could possibly be accomplished by creating a process under which file descriptors are shared with the parent, and subsequently having the child invoke a setuid application. This however has not been confirmed. It should be noted that the precise technical details regarding this issue are currently unknown. As further information becomes available this BID will be updated accordingly. This vulnerability was reported for version 3.2.5; earlier versions may also be affected.

ISC INN Innfeed Config File Command Line Format String Vulnerability
BugTraq ID: 8510
Remote: Yes
Date Published: Aug 28 2003
Relevant URL: http://www.securityfocus.com/bid/8510
Summary:
ISC INN (InterNetNews) is an NNTP implementation for Unix/Linux variants. A format string vulnerability has been reported in ISC INN. The issue exists in the innfeed binary and may be triggered by including format specifiers in the argument given to the -c command line switch, which specifies a config file. The innfeed program is a streaming NNTP feeder. The source of the problem is that the program passes this attacker-controlled string to logging functions as the format argument itself, rather than through a fixed format specifier, which enables an attacker to supply their own format specifiers. This could be leveraged to overwrite arbitrary locations in memory with attacker-supplied data, allowing the attacker to control the execution flow of the program. This vulnerability could be exploited by a user with a group ID of news to execute arbitrary code in the context of the program, which may allow an attacker to gain the user ID of news on some systems. Further privilege escalation may be possible if this issue is successfully exploited.

LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program. It has been reported that LinuxNode is prone to a remote buffer overflow condition.
The issue presents itself due to insufficient bounds checking. A remote attacker may ultimately exploit this issue to execute arbitrary code in the context of the user running the vulnerable software. Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable host. Explicit technical details regarding this vulnerability are not currently available. This BID will be updated as further details regarding this issue are made public. Although LinuxNode 0.3.0 has been reported to be vulnerable to this problem, other versions may be affected as well.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
