LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program.

It has been reported that LinuxNode is prone to a remote buffer overflow condition. The issue presents itself due to insufficient bounds checking. A remote attacker may ultimately exploit this issue to execute arbitrary code in the context of the user who is running the vulnerable software. Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable host.

Explicit technical details regarding this vulnerability are not currently available. This BID will be updated as further details regarding this issue are made public.

Although LinuxNode 0.3.0 has been reported to be vulnerable to this problem, other versions may be affected as well.

XFree86 Multiple Unspecified Integer Overflow Vulnerabilitie...
BugTraq ID: 8514
Remote: Yes
Date Published: Aug 30 2003
Relevant URL: http://www.securityfocus.com/bid/8514
Summary:
Multiple integer overflow vulnerabilities have been discovered in XFree86 4.3.0. The problem specifically occurs due to insufficient sanity checks within the font libraries. As a result, a malicious font server that transmits font data to a target client may include a malformed integer value designed to pass a bounds-checking calculation unexpectedly and trigger a buffer overrun. This could cause memory corruption within stack or heap process space, ultimately allowing for the execution of arbitrary code with the privileges of the client program.

It should be noted that under some non-default XFree86 configurations, it has been reported that the X server and the XFS daemon may themselves act as clients to a font server, making it possible for these services to be exploited remotely.

Although unconfirmed, these integer overflow vulnerabilities may be present in earlier versions of XFree86. Precise technical details regarding these vulnerabilities are currently unavailable; as further information is released this BID will be updated accordingly.
Exim EHLO/HELO Remote Heap Corruption Vulnerability
BugTraq ID: 8518
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8518
Summary:
Exim is a message transfer agent (MTA) developed at the University of Cambridge and available under the GNU General Public License. It is available for the Linux operating system.

A heap buffer overflow vulnerability has been discovered in Exim. The problem is said to affect all Exim 3 and Exim 4 versions prior to Exim 4.21.

This issue occurs due to insufficient bounds checking performed when handling user-supplied SMTP EHLO/HELO command data. The vulnerability specifically occurs within the 'smtp_in.c' source file when handling invalid EHLO/HELO arguments. If an EHLO/HELO argument consists of 506 leading spaces followed by a NUL byte and a CRLF, a static string intended for a syntax error message is appended to the command argument data. The resulting string exceeds the size of the buffer reserved for it in heap memory. The entire string, with the spaces left unstripped, is copied into the affected command buffer, corrupting the heap memory management structures adjacent to that buffer with superfluous data.

It has been reported that this vulnerability is unlikely to be exploitable to execute arbitrary code, because free() is never called on the attacker-controlled malloc chunk. Exploitation attempts are further hindered because the uncontrollable static string 'o argument given)\0' is appended to the attacker-supplied data, which complicates constructing a valid corrupted malloc header adjacent to the buffer.

Multiple Vendor PC2Phone Software Remote Denial of Service V...
BugTraq ID: 8523
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8523
Summary:
It has been reported that multiple PC2Phone products are prone to a remote denial of service condition.
The problem is said to occur when processing excessive data passed to the programs via a UDP packet, and could result in the product crashing. This could result in an established conversation ending prematurely, or potentially in other attacks.

This vulnerability has been triggered by transmitting the UDP packet to port 5000 on Go2Call Cash Calling, as well as on the Net2Phone Dialer. However, to trigger the issue in Yahoo! Messenger the packet must be sent to UDP port 6801.

It should be noted that reports indicate that the problem may in fact lie within the Go2Call Cash Calling program, and that other products derived from its source code are also affected. However, this information has not yet been confirmed.

The precise technical details regarding this issue are currently unknown; as further information is made available this BID will be updated accordingly.

[ hardware ]

PADL Software PAM_LDAP PAM Filter Access Restriction Failure...
BugTraq ID: 8535
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8535
Summary:
PAM_LDAP is a PAM module package designed to allow authentication against LDAP servers via PAM-compliant authentication mechanisms. It is available for the Unix and Linux platforms.

A problem in the PAM filter portion of PAM_LDAP has been identified that may fail to restrict access to certain systems. This may allow unauthorized access to network resources.

The problem is in the handling of values supplied to the PAM filter. When the PAM filter is used to prevent users from logging in from unauthorized hosts, it may fail to restrict access by the user. This could result in a user gaining access to a system from an unauthorized host. This also creates a false sense of security, since the PAM filter has been configured to restrict access but is not performing as expected.
Stunnel Leaked File Descriptor Vulnerability
BugTraq ID: 8537
Remote: No
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8537
Summary:
Stunnel is a freely available, open source cryptography wrapper. It is designed to wrap arbitrary protocols that may or may not support cryptography themselves. It is maintained by the Stunnel project.

Stunnel has been reported prone to a file descriptor leakage vulnerability. The issue reportedly presents itself because an fcntl() call in the Stunnel source is made without setting the FD_CLOEXEC flag. It has been reported that, because of this, the file descriptors of listening sockets (the descriptors passed to listen()) remain open in unprivileged child processes after exec. If Stunnel is used to tunnel an application or service that provides shell access, such as telnet, the shell will inherit the leaked descriptor. As a result, an unprivileged attacker may exploit this issue to hijack the Stunnel server. Other file descriptors are also reportedly leaked, which may be exploited in a similar manner.

It should be noted that this issue has been reported to affect Stunnel versions 3.24, 4.00 and previous.

Leafnode fetchnews Remote Denial of Service Vulnerability
BugTraq ID: 8541
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8541
Summary:
Leafnode is a Usenet news proxy. It allows online news readers to read news offline. Fetchnews is the NNTP client software used with Leafnode.

Fetchnews is reported to be prone to a remote denial of service vulnerability that may allow a remote attacker to cause the software to hang. The vulnerability may occur if an attacker posts certain non-RFC-1036-compliant Usenet news articles to an upstream server. As fetchnews attempts to retrieve the articles, it may be left waiting for input that never arrives. It has been reported that only one fetchnews process is allowed to run at a time, so any fetchnews processes started afterwards will fail immediately.
This issue does not exhaust CPU resources, but it limits the availability of the client while the condition persists. Successful exploitation of this issue may allow an attacker to cause a denial of service against a vulnerable version of the software by posting malformed news articles. The result is that the local news database is no longer updated.

This vulnerability affects Leafnode 1.9.3 to 1.9.41. The default installation of Leafnode is also affected by this vulnerability. The vendor has advised that versions 1.9.42 and newer are not vulnerable to this issue.

Asterisk SIP Request Buffer Overrun Vulnerability
BugTraq ID: 8546
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8546
Summary:
Asterisk is a software-based PBX system, which is available for Linux operating systems. Asterisk includes support for SIP (Session Initiation Protocol).

Asterisk is prone to a remotely exploitable buffer overrun. This is due to insufficient bounds checking of SIP MESSAGE and INFO requests. In particular, due to a programming error in the chan_sip.c source file, data supplied via either of these requests is used to derive the size argument of a strncat() operation. By passing 1024 bytes in the request body, strncat() is invoked with a negative value for the size argument, which the unsigned size_t parameter interprets as a very large length, causing memory to be corrupted. A NUL byte is included in the affected page of memory, limiting the amount of memory corrupted by the operation and preventing a page fault; this permits the saved return address to be overwritten with attacker-supplied data. As a result, it is possible to control the execution flow of the program and execute arbitrary code. This issue may be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of the software.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
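The Exim EHLO/HELO condition above (BID 8518) describes a buffer reserved for one view of the argument while the copy is made from another: the syntax check skips the leading spaces, but the copy that appends the error message does not. The following is an added illustration of that pattern, not Exim's smtp_in.c code. The message text "(no argument given)" is an assumption (the advisory quotes only its tail), and the helper names, the reservation rule and the trigger builder are constructed for this example. The vulnerable path is modelled by computing how far the copy would run past the reservation rather than by corrupting a real heap chunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Static syntax-error message appended when the argument is empty.
 * The full text is an assumption for this example. */
static const char NO_ARG_MSG[] = "(no argument given)";

static const char *skip_spaces(const char *s)
{
    while (*s == ' ')
        s++;
    return s;
}

/* Vulnerable pattern (a model, not Exim's code): the reservation is sized
 * from the argument *after* the leading spaces are skipped, plus the message,
 * but the error path copies from the original pointer, spaces included.
 * Returns how many bytes the copy would write past the reservation
 * (0 when it fits) instead of performing the overflowing copy. */
size_t helo_overflow_bytes(const char *arg)
{
    const char *stripped = skip_spaces(arg);
    size_t reserved = strlen(stripped) + 1;   /* what the code believes it stores */
    size_t copied;

    if (*stripped == '\0') {
        /* Empty argument: "<unstripped arg><static message>" is stored. */
        reserved += strlen(NO_ARG_MSG);
        copied = strlen(arg) + strlen(NO_ARG_MSG) + 1;
    } else {
        copied = strlen(stripped) + 1;        /* normal path strips consistently */
    }
    return copied > reserved ? copied - reserved : 0;
}

/* Hardened version: build the stored string from a single canonical view of
 * the input and bound the write with snprintf, rejecting (not silently
 * truncating) anything that does not fit. Returns the length stored or -1. */
int helo_format_safe(const char *arg, char *out, size_t outsize)
{
    const char *stripped = skip_spaces(arg);
    int n;

    if (*stripped == '\0')
        n = snprintf(out, outsize, "%s", NO_ARG_MSG);
    else
        n = snprintf(out, outsize, "%s", stripped);

    if (n < 0 || (size_t)n >= outsize) {
        if (outsize)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Builds the advisory's trigger: `spaces` spaces followed by NUL. The CRLF
 * is assumed to have been consumed by the line reader before this point.
 * Caller frees the result. */
char *make_trigger(size_t spaces)
{
    char *s = malloc(spaces + 1);
    if (!s)
        return NULL;
    memset(s, ' ', spaces);
    s[spaces] = '\0';
    return s;
}

int main(void)
{
    char *trig = make_trigger(506);
    char out[64];

    if (!trig)
        return 1;
    printf("vulnerable copy writes %zu bytes past the reservation\n",
           helo_overflow_bytes(trig));
    printf("safe formatter stored %d bytes: \"%s\"\n",
           helo_format_safe(trig, out, sizeof out), out);
    free(trig);
    return 0;
}
```

The overflow amount equals the number of leading spaces, which is why the advisory's trigger is a long run of spaces rather than a long hostname: the hostname path strips consistently, the error path does not.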
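The Stunnel advisory above (BID 8537) turns on a listening socket's descriptor surviving exec() into a child such as a telnet-spawned shell. The following added example, which is not Stunnel's code, shows the leak and the fix on a POSIX system: a listening socket is created, a child shell is exec'd and asked to use the descriptor by number, and the check is repeated after FD_CLOEXEC has been set with fcntl(). The listener on 127.0.0.1 with a kernel-chosen port, the use of /bin/sh as the stand-in for the tunnelled service, and the function names are all assumptions made for this example.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Listening TCP socket on 127.0.0.1 with a kernel-chosen port.
 * Assumption for this example; stunnel's own listener setup differs. */
int open_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The missing step the advisory describes: mark the descriptor so that
 * exec() closes it in the child instead of handing it to the service. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Forks and execs /bin/sh, which tries to redirect from the numbered
 * descriptor. The redirection succeeds only if the descriptor is still open
 * after exec. Returns 1 if the child could reach fd (leaked), 0 if exec
 * closed it, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    pid_t pid;
    int status;

    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int fd = open_listener();

    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("before fix: cloexec=%d reachable-after-exec=%d\n",
           is_cloexec(fd), fd_survives_exec(fd));
    set_cloexec(fd);
    printf("after fix:  cloexec=%d reachable-after-exec=%d\n",
           is_cloexec(fd), fd_survives_exec(fd));
    close(fd);
    return 0;
}
```

A process that has inherited a listening socket can call accept() on it and serve connections the tunnel was meant to handle, which is the hijack the advisory refers to. On Linux, socket(..., SOCK_STREAM | SOCK_CLOEXEC, 0) sets the flag atomically at creation; the fcntl() form above is the portable equivalent.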
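Two advisories above describe size arithmetic that defeats its own bounds check: the XFree86 font-library issue (BID 8514), where a malformed integer passes a bounds-checking calculation, and the Asterisk chan_sip.c issue (BID 8546), where a derived size goes "negative" and strncat() treats it as a huge unsigned length. The following added example, not code from either project, shows both failure modes with a hardened counterpart for each. The 64 KiB font-data limit, the 1024-byte SIP buffer and all function names are assumptions made for this example; 32-bit arithmetic is used for the font case to mirror the protocol fields of the era.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Case 1: multiplication wraps past the check (XFree86-style) --- */

#define FONT_DATA_LIMIT 65536u   /* assumed limit for this example */

/* Vulnerable: count * elem_size is computed in 32 bits and the *wrapped*
 * product is compared against the limit. Returns 1 if accepted. */
int font_check_vulnerable(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes = (uint32_t)(count * elem_size);
    return bytes <= FONT_DATA_LIMIT;
}

/* Hardened: decide from the operands whether the product could exceed the
 * limit, so no wrapped value is ever compared. A zero element size is
 * rejected as malformed rather than accepted as "zero bytes". */
int font_check_hardened(uint32_t count, uint32_t elem_size)
{
    if (elem_size == 0)
        return 0;
    if (count > FONT_DATA_LIMIT / elem_size)
        return 0;
    return 1;
}

/* --- Case 2: subtraction underflows to a huge size_t (Asterisk-style) --- */

#define SIP_BUF_SIZE 1024        /* assumed buffer size for this example */

/* Vulnerable: the remaining room is sizeof(buf) - 1 - used. Once `used`
 * reaches the buffer size the result wraps to almost SIZE_MAX, which is the
 * "negative" size argument the advisory describes being handed to strncat(). */
size_t sip_remaining_vulnerable(size_t used)
{
    return SIP_BUF_SIZE - 1 - used;
}

/* Hardened: saturate at zero so a full buffer yields no room at all. */
size_t sip_remaining_hardened(size_t used)
{
    return used >= SIP_BUF_SIZE - 1 ? 0 : SIP_BUF_SIZE - 1 - used;
}

/* Append with the hardened bound; refuse instead of overflowing or silently
 * truncating. `buf` must be a NUL-terminated buffer of SIP_BUF_SIZE bytes.
 * Returns 0 on success, -1 if the body does not fit. */
int sip_append(char *buf, const char *body)
{
    size_t used = strlen(buf);
    size_t room = sip_remaining_hardened(used);
    size_t blen = strlen(body);

    if (blen > room)
        return -1;
    memcpy(buf + used, body, blen + 1);
    return 0;
}

int main(void)
{
    char buf[SIP_BUF_SIZE];

    printf("font: count=0x40000001 elem=4 vulnerable=%d hardened=%d\n",
           font_check_vulnerable(0x40000001u, 4), font_check_hardened(0x40000001u, 4));
    printf("sip: remaining(1024) vulnerable=%zu hardened=%zu\n",
           sip_remaining_vulnerable(1024), sip_remaining_hardened(1024));
    memset(buf, 'A', 1000);
    buf[1000] = '\0';
    printf("sip: append 25 bytes to 1000 used -> %d\n", sip_append(buf, "0123456789012345678901234"));
    return 0;
}
```

In the font case 0x40000001 * 4 is 0x100000004, which truncates to 4 and sails through the vulnerable check; the hardened check compares count against LIMIT / elem_size and never forms the product. In the SIP case the fix is not a bigger buffer but refusing to compute room from a `used` value that may already exceed the buffer.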
