IRCnet IRCD Local Buffer Overflow Vulnerability
BugTraq ID: 8817
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8817
Summary:
IRCnet IRCD is an IRC implementation that is available for a number of platforms including Linux/Unix variants.
IRCnet IRCD has been reported prone to a buffer overflow vulnerability that may be exploited by local users. The issue likely presents itself due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into a reserved buffer in memory. Supplied data that exceeds the size of the affected buffer may overrun its bounds and corrupt adjacent memory. This issue may be exploited to crash the affected server. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a local attacker may also leverage this condition to have arbitrary instructions executed in the context of the affected server. This vulnerability has been reported to affect all versions of IRCnet IRCD in the 2.10 development tree up to and including 2.10.3p3.

mIRC DCC SEND Buffer Overflow Vulnerability
BugTraq ID: 8818
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8818
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. A vulnerability has been reported to exist in mIRC that may allow a remote attacker to crash a vulnerable mIRC client. The condition is most likely present due to insufficient boundary checking performed on 'DCC SEND' requests. It has been reported that, when received, a malicious 'DCC SEND' request can trigger a fatal error and cause an affected mIRC client to crash. The 'DCC SEND' request can be sent to a channel or to a specific targeted user. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a remote attacker may potentially leverage this issue to have arbitrary code executed in the context of the affected mIRC client. mIRC versions 6.1 and 6.11 have been reported to be prone to this issue; however, other versions may be affected as well.
mIRC IRC URL Buffer Overflow Vulnerability
BugTraq ID: 8819
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8819
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. When mIRC is installed it registers a handler for the 'irc://' type of URL. Through these means, mIRC is invoked when an 'IRC URL' is followed. mIRC has been reported prone to a buffer overflow vulnerability when handling malicious 'IRC URLs'. Specifically, the overflow is triggered when an IRC URL of more than 998 bytes is clicked by a user running a vulnerable version of mIRC. The issue likely presents itself due to a lack of sufficient boundary checks performed when IRC URL data is being copied into an insufficiently sized buffer in memory. Data that exceeds the size of the reserved buffer will overrun its bounds and corrupt adjacent memory. Because memory adjacent to the affected buffer is used to store a saved instruction pointer, an attacker may redirect the execution flow of the affected client into attacker-controlled memory. This may ultimately allow the attacker to execute arbitrary instructions in the context of the user running the affected client. mIRC version 6.1 has been reported to be prone to this issue; however, other versions may be affected as well.

Apache Mod_Throttle Module Local Shared Memory Corruption Vu...
BugTraq ID: 8822
Remote: No
Date Published: Oct 14 2003
Relevant URL: http://www.securityfocus.com/bid/8822
Summary:
The mod_throttle Apache module is an application developed by sert.com. It is designed to reduce the load incurred when handling specified server requests. mod_throttle is available for the BSD, Linux, and Solaris operating systems. The mod_throttle Apache module is said to be prone to a vulnerability that could allow for local privilege elevation. The problem occurs because the mod_throttle module incorrectly stores critical data within shared memory that is accessible to a user with 'apache' privileges.
As a result, an attacker may be capable of corrupting memory pointers and a data file located in a shared memory segment. These pointers may have previously pointed to internal module procedures or may point to critical data required to unload the module while Apache is terminating. This could ultimately lead to privilege elevation during the startup or shutdown procedures of Apache, allowing an attacker to gain root privileges. To successfully exploit this issue, it has been reported that an attacker must somehow cause Apache to reload its configuration file. As a result, this vulnerability may be exploited in conjunction with the issue described in BID 5884. Other methods of loading the configuration file may also be used.

Apache Tomcat Non-HTTP Request Denial Of Service Vulnerabili...
BugTraq ID: 8824
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8824
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by Apache as part of the Jakarta project. Apache Tomcat 4 has been reported prone to a remotely triggered denial of service vulnerability when handling undisclosed non-HTTP request types. It has been reported that when certain specific non-HTTP request types are handled by the Tomcat HTTP connector, the Tomcat server will reject subsequent requests on the affected port until the service is restarted. A remote attacker may exploit this condition to deliberately prevent the affected server from handling requests, effectively denying service to legitimate users. It should be noted that this vulnerability has been reported for Tomcat 4.0.x versions.

DBMail IMAP Service SQL Injection Vulnerability
BugTraq ID: 8829
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8829
Summary:
dbmail is a set of applications used for storing and retrieving e-mail messages from a database. dbmail supports MySQL or PostgreSQL databases.
A vulnerability has been reported to exist in the dbmail IMAP service that may allow a remote attacker to inject malicious SQL syntax into database queries. The source of this issue is insufficient sanitization of user-supplied input. The problem is reported to exist in various parameters such as username and password. It has been reported that the vulnerable parameters are not sanitized before user-supplied input is included in database queries. A remote attacker may exploit this issue to influence SQL query logic while attempting to authenticate to the server. A malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. dbmail versions 1.1 and prior have been reported to be prone to this issue; however, other versions may be affected as well.

Linksys BEFSX41 EtherFast Router Log Viewer Denial Of Servic...
BugTraq ID: 8834
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8834
Summary:
Linksys Instant Broadband EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint is a hardware router targeted at home and small office users. Linksys BEFSX41 EtherFast Routers are prone to a denial of service. This issue is exposed via the log viewer in the web administrative interface. By submitting an invalid value for the "Log_Page_Num" parameter, it is possible to trigger this condition, causing the router to become unresponsive. The log viewer is implemented via Group.cgi. The following example was provided to demonstrate the issue:

http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0

While exploitation does require a logged-in administrative user to submit a request to the log viewer with malformed parameters, it is possible that the admin could be tricked into visiting a malicious URI that exploits the issue. The URI could be embedded in an image tag in a web page that the administrative user visits.
Because the router sits at a predictable address and many router commands are submitted via HTTP GET requests, it may also be possible to use this type of attack to trick a logged-in administrative user into executing other router commands. This has not been confirmed.

[ hardware ]

_______________________________________________
gull-annonces mailing list
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
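The DBMail entry above (BID 8829) describes username and password values being placed into authentication queries without sanitization. The following is an added example, not DBMail's code: it builds a constructed in-memory SQLite user table and contrasts an authentication check assembled by string formatting with one that binds the same values as query parameters. The table layout, account data and the `login_*` function names are assumptions made for the illustration.

```python
import sqlite3


def setup_db():
    """Constructed sample: a one-row user table standing in for the mail-account database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")  # constructed account
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Unsafe pattern: the input is pasted into the SQL text, so a quote character
    in the username rewrites the query instead of being compared as data."""
    query = ("SELECT COUNT(*) FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Safe pattern: the SQL text is fixed and the driver binds the values,
    so the same input is only ever compared against the stored columns."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks against a username that carries SQL syntax and a wrong password."""
    conn = setup_db()
    # In the unsafe version the trailing comment marker removes the password clause.
    injected_user = "alice' --"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, injected_user, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, injected_user, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding, not character filtering, is the fix the advisory's description points at: with bound parameters the query logic cannot be influenced by what the client sends, whatever characters it contains. On the detection side, authentication attempts whose username field contains quote or comment characters are worth logging as anomalies even after the code is fixed.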
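The Linksys entry above (BID 8834) combines two defects: the log viewer accepts an out-of-range "Log_Page_Num" value, and because the request is a plain GET to a predictable address, an administrator's browser can be made to send it from a third-party page. The following is an added example, not Linksys firmware code, showing the input validation and same-origin check a request handler for Group.cgi would need to refuse both. The router address comes from the advisory; the page limit (`MAX_LOG_PAGES`), the rule that only `LogClear=1` is treated as state-changing, and the function name are assumptions for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

ROUTER_ORIGIN = "http://192.168.1.1"   # address quoted in the advisory
MAX_LOG_PAGES = 50                     # assumed upper bound on log pages
ALLOWED_PARAMS = {"Log_Page_Num", "LogClear"}


def _origin(url):
    """Scheme and host part of a URL, e.g. 'http://192.168.1.1'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def validate_log_viewer_request(url, referer=None):
    """Return (accepted, reason) for a GET request to the log viewer CGI.

    Validation rejects the malformed page number from the advisory before it
    reaches the log code; the Referer check refuses state-changing requests
    that did not originate from the router's own administrative pages.
    """
    parts = urlsplit(url)
    if parts.path != "/Group.cgi":
        return False, "unexpected path"

    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) - ALLOWED_PARAMS:
        return False, "unknown parameter"

    page = params.get("Log_Page_Num", [""])
    # Exactly one value, ASCII digits only, and short enough that int() is cheap.
    if len(page) != 1 or not page[0] or set(page[0]) - set("0123456789") or len(page[0]) > 3:
        return False, "Log_Page_Num is not a small integer"
    page_num = int(page[0])
    if not 1 <= page_num <= MAX_LOG_PAGES:
        return False, "Log_Page_Num out of range"

    clear = params.get("LogClear", ["0"])
    if clear not in (["0"], ["1"]):
        return False, "LogClear must be 0 or 1"

    # Clearing the log changes state: require that the request came from a page
    # served by the router itself. An <img> tag on a third-party site sends either
    # no Referer or a foreign one, so it is refused here.
    if clear == ["1"] and (referer is None or _origin(referer) != ROUTER_ORIGIN):
        return False, "state-changing request without same-origin Referer"

    return True, "ok"


if __name__ == "__main__":
    # The exact URL given in the advisory is rejected at the page-number check.
    print(validate_log_viewer_request(
        "http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0"))
```

A Referer check is a stop-gap that older embedded web interfaces could adopt without changing their page flow; the fuller mitigation is to perform state-changing actions only via POST carrying a per-session anti-CSRF token. The advisory's observation that many router commands are GET requests is exactly why the same-origin rule is applied here rather than to the log viewer alone.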
