Man Utility MANPL Environment Variable Buffer Overrun Vulner...
BugTraq ID: 8602
Remote: No
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8602
Summary:
The man utility is used for formatting and displaying various system manuals and documentation. The length of the lines it displays can be specified through the MANPL environment variable.
It has been reported that the man utility may be prone to a buffer overrun condition when handling environment variable data. The problem is said to occur specifically because of insufficient bounds checking on the data stored in the MANPL variable. As a result, a local attacker may be able to execute arbitrary code with the privileges of man, which is typically installed setgid 'man'. This could be accomplished by placing approximately 128 or more bytes of data in the affected environment variable and then invoking man. It should be noted that some vendors are said to apply a patch to affected man releases; however, some systems may still deploy the vulnerable version with setgid privileges.

vbPortal Authentication SQL Injection Vulnerability
BugTraq ID: 8613
Remote: Yes
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8613
Summary:
vbPortal is a portal application which can be used in conjunction with vBulletin forums. It has been reported that vbPortal is prone to SQL injection when authenticating users. The problem occurs due to insufficient sanitization of the $aid variable, which holds the name of the authenticating user. Specifically, after the value has been base64 decoded, quote characters in $aid are not escaped with backslashes, so they reach the query as SQL syntax. The exploitable SQL query can be seen below:

$result=mysql_query("SELECT password as pwd FROM user WHERE username = '$aid'");

As a result, an attacker may supply a username designed to prematurely terminate the quoted string and influence the logic of this SQL query. This may be exploited to expose sensitive information, or potentially to launch further attacks against the underlying database. The issue can be exploited by making a malicious HTTP request to the auth.inc.php script with a base64-encoded payload in the 'admin' URI parameter.
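For the man MANPL issue (BID 8602) above, the following added example (written for this page, not man's source code) shows the general shape of the bug, an environment value appended to a fixed-size buffer with no length check, next to a hardened version that parses MANPL as a small bounded integer and formats it with a length-checked snprintf. The 128-byte buffer, the "-l" option format and the accepted range of 1 to 1000 are assumptions for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTBUF_SIZE  128   /* assumed fixed buffer size, matching the ~128 byte trigger */
#define MAX_LINE_LEN 1000  /* assumed upper bound on a sensible page width */

/* Vulnerable pattern (illustrative, not man's code): the environment value is
 * appended to a fixed-size buffer with no bounds check, so a MANPL value of
 * roughly OPTBUF_SIZE bytes or more writes past 'opt'. Never called here. */
void build_option_unsafe(const char *manpl, char opt[OPTBUF_SIZE])
{
    strcpy(opt, "-l");   /* assumed: MANPL becomes a formatter option */
    strcat(opt, manpl);  /* unbounded copy: this is the overrun */
}

/* Hardened: treat MANPL as a bounded decimal number instead of copying it.
 * Returns 0 and stores the value, 1 if the variable is unset (use a default),
 * or -1 if the value is not a short, fully numeric, in-range integer. */
int parse_line_length(const char *manpl, long *out)
{
    char *end;
    long v;

    if (manpl == NULL)
        return 1;
    if (manpl[0] == '\0' || strlen(manpl) > 4)      /* at most 4 digits */
        return -1;
    errno = 0;
    v = strtol(manpl, &end, 10);
    if (errno != 0 || end == manpl || *end != '\0')  /* whole string must parse */
        return -1;
    if (v < 1 || v > MAX_LINE_LEN)
        return -1;
    *out = v;
    return 0;
}

/* Hardened builder: formats into the fixed buffer with snprintf and reports
 * truncation as an error instead of overflowing. Returns 0 on success. */
int build_option_safe(const char *manpl, char *opt, size_t optsz)
{
    long len;
    int n;

    if (parse_line_length(manpl, &len) != 0)
        return -1;
    n = snprintf(opt, optsz, "-l%ld", len);
    return (n < 0 || (size_t)n >= optsz) ? -1 : 0;
}

int main(void)
{
    char opt[OPTBUF_SIZE];
    char attack[200];

    memset(attack, 'A', sizeof attack - 1);   /* constructed: a ~200 byte MANPL value */
    attack[sizeof attack - 1] = '\0';

    printf("MANPL=72      -> %s\n",
           build_option_safe("72", opt, sizeof opt) == 0 ? opt : "rejected");
    printf("MANPL=AAAA... -> %s\n",
           build_option_safe(attack, opt, sizeof opt) == 0 ? opt : "rejected");
    return 0;
}
```

The point of parse_line_length is that the attacker-controlled string never needs to be copied at all: only a validated integer is ever formatted into the fixed buffer, and the snprintf return value is still checked in case the buffer is ever shrunk.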
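For the vbPortal issue (BID 8613) above, the following added example (written for this page, not vbPortal code) reproduces the flaw in C: it base64-decodes a constructed 'admin' parameter into $aid, interpolates it into the exact query quoted in the advisory, and contrasts that with the backslash escaping the advisory says is missing. The base64 decoder, the add_slashes() helper and the payload are written here for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Minimal base64 decoder written for this example. Returns the decoded
 * length, or -1 on an invalid character or if 'out' is too small. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

int b64_decode(const char *in, char *out, size_t outsz)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0)
            return -1;
        acc = ((acc << 6) | (unsigned int)v) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz)
                return -1;
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Escapes ' " and \ with a backslash: the addslashes()-style treatment the
 * advisory says $aid does not get. Returns 0, or -1 if 'out' is too small. */
int add_slashes(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    for (; *in != '\0'; in++) {
        int esc = (*in == '\'' || *in == '"' || *in == '\\');
        if (n + (esc ? 2u : 1u) + 1 > outsz)
            return -1;
        if (esc)
            out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
    return 0;
}

/* The advisory's query with $aid interpolated verbatim (the vulnerable path). */
int build_query_unescaped(const char *aid, char *q, size_t qsz)
{
    int n = snprintf(q, qsz,
                     "SELECT password as pwd FROM user WHERE username = '%s'", aid);
    return (n < 0 || (size_t)n >= qsz) ? -1 : 0;
}

/* Same query, but $aid is escaped first so a quote cannot close the literal. */
int build_query_escaped(const char *aid, char *q, size_t qsz)
{
    char esc[256];
    if (add_slashes(aid, esc, sizeof esc) != 0)
        return -1;
    return build_query_unescaped(esc, q, qsz);
}

int main(void)
{
    /* Constructed payload: base64("admin' OR '1'='1"), as it would be sent in
     * the 'admin' URI parameter to auth.inc.php. */
    const char *admin_param = "YWRtaW4nIE9SICcxJz0nMQ==";
    char aid[128], q[256];

    if (b64_decode(admin_param, aid, sizeof aid) < 0)
        return 1;
    printf("decoded $aid : %s\n", aid);
    build_query_unescaped(aid, q, sizeof q);
    printf("unescaped    : %s\n", q);   /* OR '1'='1' matches every user row */
    build_query_escaped(aid, q, sizeof q);
    printf("escaped      : %s\n", q);   /* the quotes stay inside the literal */
    return 0;
}
```

The escaping shown is the fix the advisory describes as missing; a parameterised query, which never interpolates $aid into SQL text at all, removes the problem outright and is the better remedy where the database API offers it.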
DSPAM Insecure Default Permissions Privilege Escalation Vuln...
BugTraq ID: 8623
Remote: No
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8623
Summary:
DSPAM is an anti-spam application designed for use with most Unix mail applications. Beginning with DSPAM 2.6.5, the program includes an option that lets a user supply a delivery agent and a quarantine agent on the command line.

A vulnerability has been reported in DSPAM that may allow an attacker to execute arbitrary code with elevated privileges. The issue lies in the fact that DSPAM is installed world-executable and setgid by default. As a result, an unprivileged attacker may supply a malicious executable as the delivery or quarantine agent argument. When invoked, that executable runs with the group privileges of DSPAM, typically 'mail'. This privilege escalation could assist in further attacks against the target system.

ChatZilla Remote Denial of Service Attack
BugTraq ID: 8627
Remote: Yes
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8627
Summary:
ChatZilla is an IRC client written in JavaScript and XUL that ships with the Mozilla web browser; the report concerns Linux systems. A vulnerability has been reported that may allow a remote attacker to cause a denial of service in ChatZilla. The issue presents itself when a remote attacker posing as an IRC server sends specially crafted messages containing long string values to a vulnerable client. The attack may cause the software to behave in an unstable manner and crash. It is not known whether this condition could also be exploited to execute arbitrary code on the client. ChatZilla versions 0.8.23 and prior are reported to be affected.
OpenSSH Buffer Mismanagement Vulnerabilities
BugTraq ID: 8628
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8628
Summary:
A buffer mismanagement vulnerability has been reported in OpenSSH. The issue exists in the 'buffer.c' source file. The root cause is that the buffer structure's size field is enlarged before the program attempts to reallocate the buffer to that size. If the enlarged size triggers a call to fatal(), a series of cleanup functions registered by the daemon is run before the program exits. One of these functions may then reference the buffer using the enlarged size value, even though the underlying allocation was never grown, so it operates on memory beyond the real allocation. Depending on how the cleanup functions use this data, heap memory could be corrupted. This condition can reportedly be triggered by an overly large packet.

External sources, including the vendor, do not believe that this issue could be exploited to execute arbitrary code, though it may potentially be used to cause a denial of service. There are also unconfirmed rumors of an exploit for this vulnerability circulating in the wild. The impact may be reduced by privilege separation on affected versions of OpenSSH.

OpenSSH has revised its advisory, pointing out a similar issue in the channels.c source file and an additional issue. Solar Designer has also reportedly pointed out further instances of the problem that may also present vulnerabilities. Individual BIDs will be created for these additional issues when further analysis is complete.
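The ordering problem described above, as an added example modelled on the description rather than taken from OpenSSH's buffer.c: the vulnerable version bumps the size field and only then performs the limit check that calls fatal(), so a cleanup routine that zeroes 'alloc' bytes would write past the real allocation; the fixed version keeps the candidate size in a local and commits it only after realloc succeeds. fatal() is replaced by a recording stub so the state the cleanups would see can be inspected, and the 0xa00000 limit and 32768 growth step are assumed values for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_MAX_LEN 0xa00000u   /* assumed maximum buffer size */
#define GROW_SLACK     32768u      /* assumed extra room added on each growth */

struct sbuf {
    unsigned char *buf;   /* the allocation */
    unsigned int   alloc; /* what the code believes the allocation size is */
    unsigned int   end;   /* bytes in use */
};

/* Stand-in for fatal(): the real one runs the registered cleanups and exits.
 * Here it only records that it fired. */
static int fatal_fired;
static void demo_fatal(const char *why) { (void)why; fatal_fired = 1; }

int sbuf_init(struct sbuf *b, unsigned int initial)
{
    b->buf = malloc(initial);
    if (b->buf == NULL) return -1;
    b->alloc = initial;
    b->end = 0;
    return 0;
}

/* Vulnerable ordering: alloc is enlarged, then the limit is checked. When the
 * check fails, demo_fatal() runs while alloc describes memory that was never
 * allocated. Returns 0 on success, -1 on the fatal path or allocation failure. */
int append_space_vulnerable(struct sbuf *b, unsigned int len)
{
    unsigned char *p;
    if (b->end + len <= b->alloc) { b->end += len; return 0; }
    b->alloc += len + GROW_SLACK;                 /* (1) size field updated first */
    if (b->alloc > BUFFER_MAX_LEN) {              /* (2) limit check second */
        demo_fatal("buffer_append_space: alloc not supported");
        return -1;                                /* alloc now lies about buf */
    }
    p = realloc(b->buf, b->alloc);
    if (p == NULL) return -1;
    b->buf = p;
    b->end += len;
    return 0;
}

/* Fixed ordering: the new size lives in a local until realloc succeeds, so
 * any cleanup run from fatal() sees an alloc that matches the allocation. */
int append_space_fixed(struct sbuf *b, unsigned int len)
{
    unsigned char *p;
    unsigned int newlen;
    if (b->end + len <= b->alloc) { b->end += len; return 0; }
    if (len > BUFFER_MAX_LEN || b->alloc + len + GROW_SLACK > BUFFER_MAX_LEN) {
        demo_fatal("buffer_append_space: alloc not supported");
        return -1;                                /* b->alloc untouched */
    }
    newlen = b->alloc + len + GROW_SLACK;
    p = realloc(b->buf, newlen);
    if (p == NULL) return -1;
    b->buf = p;
    b->alloc = newlen;                            /* committed only after success */
    b->end += len;
    return 0;
}

/* The dangerous cleanup step, modelled on a buffer_free() that does
 * memset(buf, 0, alloc): how many bytes past the real allocation would that
 * touch? 0 means the size field and the allocation agree. */
unsigned int cleanup_overrun_bytes(const struct sbuf *b, unsigned int real_size)
{
    return b->alloc > real_size ? b->alloc - real_size : 0;
}

int main(void)
{
    struct sbuf b;
    const unsigned int real = 4096;   /* constructed: a 4 KiB buffer receiving a packet */

    sbuf_init(&b, real);
    append_space_vulnerable(&b, BUFFER_MAX_LEN);  /* oversized packet hits the limit */
    printf("vulnerable: fatal=%d alloc=%u overrun=%u bytes\n",
           fatal_fired, b.alloc, cleanup_overrun_bytes(&b, real));
    free(b.buf);

    fatal_fired = 0;
    sbuf_init(&b, real);
    append_space_fixed(&b, BUFFER_MAX_LEN);
    printf("fixed:      fatal=%d alloc=%u overrun=%u bytes\n",
           fatal_fired, b.alloc, cleanup_overrun_bytes(&b, real));
    free(b.buf);
    return 0;
}
```

The overrun figure is the quantity that matters for the advisory's "miscalculation": with the vulnerable ordering it is the whole requested growth, so whatever cleanup walks the buffer by its size field works far beyond the heap chunk that actually exists.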
KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerab...
BugTraq ID: 8635
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8635
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop Environment, available for Linux/Unix operating systems. KDM provides a graphical login interface for KDE. A problem has been reported in KDM when it is used in combination with Pluggable Authentication Modules (PAM); because of it, an attacker may be able to gain unauthorized access to a system. The problem is in the handling of authentication requests passed through pam_setcred(): under some circumstances the return value of the pam_setcred call is not checked. An attacker could craft a request that circumvents the authentication check and gain unauthorized access. It should be noted that this problem occurs when KDM is used in combination with the pam_krb5 module.

KDE KDM Session Cookie Generation Weakness
BugTraq ID: 8636
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8636
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop Environment, available for Linux/Unix operating systems. KDM provides a graphical login interface for KDE. KDM uses a weak algorithm to generate session cookies: the generation algorithm does not provide the 128 bits of entropy that a cookie of that length should carry. This may make brute-forcing session cookies a practical endeavor, enabling an adversary to hijack a KDM user session. For exploitation to succeed, the adversary must also be able to bypass any host-based restrictions. Most likely, a malicious local user could exploit this to gain unauthorized access to another user's existing session.
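For the KDM session cookie weakness (BID 8636) above, the following added example (not KDM's code) contrasts a 128-bit cookie generator whose entropy is bounded by a single 32-bit seed with one that draws all 128 bits from the kernel's random device, and includes the brute-force search that the weak generator makes practical. The weak generator, the time-based seed and the use of /dev/urandom (so it needs a Unix-like host) are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define COOKIE_BYTES 16   /* a 128-bit cookie, e.g. MIT-MAGIC-COOKIE-1 sized */

/* Weak generator (illustrative): 16 output bytes, but every bit is a function
 * of one 32-bit seed, so the space an attacker must search is at most 2^32
 * (and far smaller when the seed is the login time) regardless of length. */
void weak_cookie(unsigned int seed, unsigned char out[COOKIE_BYTES])
{
    srand(seed);
    for (int i = 0; i < COOKIE_BYTES; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Strong generator: read all 128 bits from the kernel CSPRNG. Returns 0 on
 * success, -1 if the device cannot be read in full. */
int strong_cookie(unsigned char out[COOKIE_BYTES])
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL) return -1;
    got = fread(out, 1, COOKIE_BYTES, f);
    fclose(f);
    return got == COOKIE_BYTES ? 0 : -1;
}

/* Brute force against the weak generator: try every seed in [from, to) and
 * return the one that reproduces 'target', or -1 if none does. */
long recover_weak_seed(const unsigned char target[COOKIE_BYTES],
                       unsigned int from, unsigned int to)
{
    unsigned char guess[COOKIE_BYTES];
    for (unsigned int s = from; s < to; s++) {
        weak_cookie(s, guess);
        if (memcmp(guess, target, COOKIE_BYTES) == 0)
            return (long)s;
    }
    return -1;
}

static void hexdump(const char *label, const unsigned char *c)
{
    printf("%s", label);
    for (int i = 0; i < COOKIE_BYTES; i++) printf("%02x", c[i]);
    printf("\n");
}

int main(void)
{
    unsigned char weak[COOKIE_BYTES], strong[COOKIE_BYTES];
    unsigned int seed = (unsigned int)time(NULL);   /* the classic weak seed */

    weak_cookie(seed, weak);
    hexdump("weak   : ", weak);
    /* An attacker who knows the login happened in the last hour needs at most
     * 3600 guesses to recover the cookie: */
    printf("recovered seed %ld (actual %u)\n",
           recover_weak_seed(weak, seed - 3600, seed + 1), seed);
    if (strong_cookie(strong) == 0)
        hexdump("strong : ", strong);
    return 0;
}
```

The comparison to make is not the cookie length but the size of the input the generator actually depends on: a cookie derived from a 32-bit seed never has more than 32 bits of entropy, and a seed drawn from the clock has far less.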
Sendmail Prescan() Variant Remote Buffer Overrun Vulnerabili...
BugTraq ID: 8641
Remote: Yes
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8641
Summary:
Sendmail is prone to a buffer overrun vulnerability in the prescan() function. This issue is different from the vulnerability described in BID 7230. The issue exists in the parseaddr.c source file and could allow corruption of stack or heap memory, depending on where in the code the function is called from. One possible attack vector is the function being invoked indirectly via parseaddr(), though others may also exist. This vulnerability could permit remote attackers to execute arbitrary code with the privileges of the Sendmail server. The vendor has reported that versions prior to 8.12.10 are vulnerable. Additionally, it has been reported that commercial releases including all versions of Sendmail Advanced Message Server, Sendmail Pro, Sendmail Switch and Sendmail for NT are also vulnerable.

Lucent MAX TNT Universal Gateway Hang-Up Redial Administrati...
BugTraq ID: 8642
Remote: Yes
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8642
Summary:
MAX TNT Universal Gateway is a router solution maintained and distributed by Lucent; the device was previously manufactured by Ascend. A problem in the handling of hang-up and redial calls to the Lucent MAX TNT Universal Gateway has been reported. Allegedly, this may make it possible for an attacker to gain unauthorized access to network resources. It has been reported that callers who connect to the router, hang up, and then immediately redial gain arbitrary administrative access. Specific details of this issue are not currently available, and this BID will be updated when more information becomes available. It should be noted that a valid user account appears to be required to launch an attack. [ hardware ]

NetBSD Sysctl Argument Handling Vulnerabilities
BugTraq ID: 8643
Remote: No
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8643
Summary:
Multiple vulnerabilities have been reported in the sysctl system call on NetBSD systems. Some sysctl nodes may attempt to dereference a NULL pointer, resulting in a kernel panic.
In particular, a single pointer variable was mistakenly used to hold both a user-level and a kernel-level address. A user can set that variable to NULL, potentially causing a kernel panic and denying service to legitimate users of the system. Passing the process ID of a zombie process to the system call can also cause a kernel panic: this occurs when the proc.* sysctl tree is queried for a zombie process, whose process information is invalid or no longer present. A local user could exploit this to panic the kernel and deny service to legitimate users. Some sysctl nodes also do not implement sufficient range checking, potentially allowing kernel memory to be read. The proc.curproc.rlimit subtree has a number of nodes that contain information about process limits. sysctl provides a helper used to manipulate these values which does not implement sufficient range checking, potentially allowing values outside of the rlimit structure to be read. This could permit a local user to browse kernel memory, potentially gaining access to sensitive information such as credentials. This issue may be similar to the vulnerability described in BID 2364, which affects the Linux kernel. It is not known whether other BSD derivatives are similarly affected. These issues will be separated into individual BIDs when further analysis is complete.
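For the rlimit range-checking issue above, the following added example (not NetBSD kernel code) models the pattern: a helper that indexes the rlimit table by caller-supplied node numbers with no upper bound reads whatever follows the table in the same structure, here a constructed "credential" field, while the fixed helper validates both indices before touching memory. The struct layout, the limit count, the field names and the secret value are all assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RLIM_NLIMITS 11     /* assumed number of resource limits */
typedef uint64_t rlim_t;

struct rlimit_demo { rlim_t cur; rlim_t max; };

/* Constructed stand-in for the per-process data a sysctl helper walks: the
 * rlimit table followed by something an unprivileged user must never read. */
struct proc_demo {
    struct rlimit_demo limits[RLIM_NLIMITS];
    uint64_t cred_secret;    /* assumed: sensitive data adjacent in kernel memory */
};

/* Vulnerable helper (illustrative): 'which' selects the limit, 'item' selects
 * cur (0) or max (1). Neither is range checked, so the byte offset can run
 * past the table into whatever follows it. The read goes through a byte
 * pointer from the start of the enclosing struct; the only guard is a demo
 * bound that keeps the read inside proc_demo. */
int rlimit_node_read_unchecked(const struct proc_demo *p, unsigned int which,
                               unsigned int item, rlim_t *out)
{
    size_t off = offsetof(struct proc_demo, limits)
               + (size_t)which * sizeof(struct rlimit_demo)
               + (size_t)item * sizeof(rlim_t);
    if (off + sizeof(rlim_t) > sizeof *p)   /* demo guard only, not the fix */
        return -1;
    memcpy(out, (const unsigned char *)p + off, sizeof *out);
    return 0;
}

/* Fixed helper: both indices validated against the table before any access. */
int rlimit_node_read_checked(const struct proc_demo *p, unsigned int which,
                             unsigned int item, rlim_t *out)
{
    if (which >= RLIM_NLIMITS || item > 1)
        return -1;                           /* EINVAL in a real kernel */
    *out = item == 0 ? p->limits[which].cur : p->limits[which].max;
    return 0;
}

/* Builds the constructed process record used by the demo. */
void proc_demo_init(struct proc_demo *p)
{
    memset(p, 0, sizeof *p);
    for (unsigned int i = 0; i < RLIM_NLIMITS; i++) {
        p->limits[i].cur = 1000u + i;
        p->limits[i].max = 2000u + i;
    }
    p->cred_secret = 0xdeadbeefcafef00dULL;  /* constructed "credential" */
}

int main(void)
{
    struct proc_demo p;
    rlim_t v;

    proc_demo_init(&p);
    if (rlimit_node_read_unchecked(&p, RLIM_NLIMITS, 0, &v) == 0)
        printf("unchecked which=%d -> 0x%016llx (read past the table)\n",
               RLIM_NLIMITS, (unsigned long long)v);
    printf("checked   which=%d -> %s\n", RLIM_NLIMITS,
           rlimit_node_read_checked(&p, RLIM_NLIMITS, 0, &v) == 0 ? "value" : "rejected");
    return 0;
}
```

With the table at the start of the record, node number RLIM_NLIMITS lands exactly on the field after it; in a kernel the neighbouring data is whatever the allocator placed there, which is why the advisory describes the impact as browsing kernel memory rather than a single fixed leak.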
Multiple Mambo Open Source 4.0.14 Server Vulnerabilities
BugTraq ID: 8647
Remote: Yes
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8647
Summary:
Mambo Open Source is a web based content management system. Several issues have been identified in Mambo Open Source Server. Because of these issues, an attacker may be able to gain unauthorized access to sensitive data and/or send e-mail/spam to arbitrary recipients. The vulnerabilities are caused by insufficient sanitization of user-supplied data. The following problems have been reported:

Multiple SQL injection vulnerabilities in the banners.php and emailfriend/emailarticle.php modules allow a remote attacker to inject malicious SQL syntax into database queries and influence query logic. These issues may allow an attacker to gain access to sensitive data stored in the database; other attacks on the underlying database are possible as well.

An input validation issue has been reported in the sendmail function of the contact.php module. A remote attacker may exploit this lack of input validation to send anonymous e-mail to arbitrary recipients, possibly in large volumes, by passing URL arguments for the following parameters: $text, $from, $name, $email_to, and $sitename. This may allow an attacker to conceal their identity and send e-mail/spam to arbitrary recipients.

Mambo Open Source Server 4.0.14 has been reported to be prone to these problems; other versions may be affected as well. This BID will be divided into individual BIDs when further analysis of the issues is complete.

Sendmail Ruleset Parsing Buffer Overflow Vulnerability
BugTraq ID: 8649
Remote: Unknown
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8649
Summary:
Sendmail is a widely used MTA for Unix and Microsoft Windows systems. Sendmail has been reported to be prone to a buffer overflow condition when parsing non-standard rulesets. The non-standard rulesets recipient (ruleset 2), final (ruleset 4) and the mailer-specific envelope recipient ruleset may be used as an attack vector to trigger this vulnerability. It should be noted that Sendmail under a default configuration is not vulnerable to this condition.
It is not currently known whether this vulnerability can be exploited to execute arbitrary code. However, given the nature of the condition, it has been conjectured, although not confirmed, that an attacker may ultimately be able to exploit it to execute arbitrary code in the context of the affected Sendmail server. It is also not currently known whether this vulnerability is restricted to local exploitation or may be exploited remotely. Explicit technical details regarding this vulnerability are not currently available; this BID will be updated as further details are disclosed.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
