-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PHP .htaccess Attribute Transfer Vulnerability
BugTraq ID: 2206
Remote: Yes
Date Published: 2001-01-16
Relevant URL: http://www.securityfocus.com/bid/2206
Summary:
PHP is the Personal Home Page software package, distributed and maintained by the PHP Development Team. PHP provides enhanced attributes and added functionality to web pages.

A problem with the PHP package could allow unauthorized access to restricted resources. The problem is specifically in the Apache module of the PHP package, and affects the package only when running in combination with the Apache web server. Per-directory access control is done via the .htaccess file. However, by generating a custom-crafted request, it is possible to force PHP to serve the next page with the same access control attributes as the previously accessed page. This problem could allow a malicious user to access restricted information in an intelligence-gathering attack.

SuSE rctab Race Condition Vulnerability
BugTraq ID: 2207
Remote: No
Date Published: 2001-01-13
Relevant URL: http://www.securityfocus.com/bid/2207
Summary:
rctab is the Run Control Tab script included with the SuSE distribution of the Linux operating system. SuSE is a freely available, open source operating system maintained by SuSE Incorporated.

A race condition in the rctab script could allow an attacker either to gain elevated privileges, or to append to and corrupt system files. This problem exists due to the insecure creation of files in the /tmp directory by the rctab script. Upon execution, rctab creates a subdirectory in /tmp with the name rctmpdir.[pid of rctab process]. The script, which is normally run by root, also does not chown the rctmpdir subdirectory to root.
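The naming scheme the rctab advisory describes, next to the pattern that closes the race, as an added example (this is not code from the advisory or from SuSE's rctab script; it assumes a POSIX system with a writable /tmp). The predictable name is built from the PID alone, so any local user can pre-create it; mkdtemp(3) instead creates a directory with a random suffix atomically and fails rather than reusing an existing path, and the post-creation lstat check confirms the result is a real directory owned by the caller with no group/other permission bits.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The naming scheme from the advisory: the directory name depends only on
 * the PID, so it can be predicted and pre-created by another local user.
 * Returns the number of characters the name needs (snprintf semantics). */
int predictable_tmpdir_name(char *out, size_t outlen, pid_t pid)
{
    return snprintf(out, outlen, "/tmp/rctmpdir.%ld", (long)pid);
}

/* Hardened form: mkdtemp() creates the directory with a random suffix and
 * mode 0700 in one step, failing if the path already exists. The lstat
 * check afterwards (lstat does not follow symlinks) confirms we own a real
 * directory that nobody else can enter. Returns 0 on success, -1 on error. */
int secure_tmpdir(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/rctmpdir.XXXXXX";
    struct stat st;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (lstat(tmpl, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0) {
        rmdir(tmpl);
        return -1;
    }
    if (strlen(tmpl) + 1 > outlen) {
        rmdir(tmpl);
        return -1;
    }
    strcpy(out, tmpl);
    return 0;
}

/* Creates a secure directory for this process and compares its name with
 * the PID-based guess. Returns 1 when they differ (the guess is useless),
 * 0 if they coincide, -1 if the secure directory could not be created. */
int tmpdir_is_unpredictable(void)
{
    char guess[64], real[64];

    predictable_tmpdir_name(guess, sizeof guess, getpid());
    if (secure_tmpdir(real, sizeof real) != 0)
        return -1;
    int differ = strcmp(guess, real) != 0;
    rmdir(real);                     /* clean up the demonstration directory */
    return differ;
}

int main(void)
{
    char guess[64];
    predictable_tmpdir_name(guess, sizeof guess, getpid());
    printf("predictable name: %s\n", guess);
    printf("random name differs from guess: %d\n", tmpdir_is_unpredictable());
    return 0;
}
```

The advisory's second point, the missing chown, is covered by the same check: because the directory is created by the process that will use it, st_uid is already the caller's, and the 0700 mode means no other user can plant entries in it before the script writes there.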
This problem makes it possible for a malicious user to guess the future process id of the rctab process, and create a range of directories that will either overwrite system files, or append to other system files and potentially allow elevation of privileges.

splitvt Format String Vulnerability
BugTraq ID: 2210
Remote: No
Date Published: 2001-01-16
Relevant URL: http://www.securityfocus.com/bid/2210
Summary:
splitvt is a VT100 window splitter, designed to give the user two command line interfaces in one terminal window, originally written by Sam Lantinga. It is freely available, open source, and included with many variants of the Linux operating system.

A problem in the program could allow a format string attack. The problem occurs in the handling of format strings by the -rcfile command line flag. By placing shellcode in the $HOME environment variable, and generating a custom-crafted request to the splitvt program, it is possible to overwrite variables on the stack, and arbitrarily execute code contained in the $HOME environment variable. This makes it possible for a user with malicious motives to execute arbitrary code, and in installations with the splitvt binary installed SUID root, gain administrative privileges. There are also various reported buffer overflows in the code. These have been addressed in the new release.

Caldera DHCP Package Format String Vulnerability
BugTraq ID: 2215
Remote: Yes
Date Published: 2001-01-15
Relevant URL: http://www.securityfocus.com/bid/2215
Summary:
DHCP is the Dynamic Host Configuration Protocol, an open source, freely available, RFC-specified networking protocol for host management. It is included with most versions of the UNIX operating system.

A problem with the Caldera implementation could create the possibility of a format string attack. The problem affects both the DHCP daemon and client, and involves string formatting when data is passed through the error logging code.
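The defect shared by the splitvt and Caldera DHCP advisories is attacker-influenced text (an rcfile value, a field from a packet that ends up in an error message) being used directly as the format argument of a printf-family call. The following is an added example, not code from either package: the vulnerable logging shape next to the fixed one, exercised with a constructed input that uses only the defined "%%" escape so the demonstration itself stays free of undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted message *is* the format string, so any
 * '%' directives it carries are interpreted (reading or, with %n, writing
 * through the stack) instead of being logged. The pragmas silence the
 * compiler warning that exists precisely to catch this; a real build should
 * keep -Wformat-security enabled and treat it as an error. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_unsafe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);
}
#pragma GCC diagnostic pop

/* Fixed pattern: a literal format, with the untrusted text as an argument. */
int log_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Defensive check for code that genuinely must hand a configurable string
 * to a format-taking API: refuse anything containing a directive marker.
 * Returns 1 if the string carries a '%', 0 otherwise. */
int contains_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Runs both loggers on the same input. Returns 1 when their outputs differ,
 * i.e. when the unsafe logger altered (interpreted) the message. */
int loggers_diverge(const char *input, char *unsafe_out, char *safe_out, size_t n)
{
    log_unsafe(unsafe_out, n, input);
    log_safe(safe_out, n, input);
    return strcmp(unsafe_out, safe_out) != 0;
}

int main(void)
{
    /* Constructed input: "100%% done" is the only directive form that is
     * defined without arguments, so it is safe to feed to both variants. */
    const char *input = "100%% done";
    char a[128], b[128];

    printf("input contains directive marker: %d\n", contains_directive(input));
    printf("loggers diverge: %d\n", loggers_diverge(input, a, b, sizeof a));
    printf("unsafe logged: \"%s\"\nsafe logged:   \"%s\"\n", a, b);
    return 0;
}
```

The divergence on a harmless "%%" is the tell-tale sign: if the unsafe logger turns "100%% done" into "100% done", it would equally honour "%x" or "%n" in a hostile message, which is the condition both advisories describe.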
It is possible to pass custom-crafted packets to both the DHCP daemon and DHCP client that will result in an error, and pass the formatted strings to a static buffer. This buffer will then be filled and overflowed, overwriting variables on the stack and potentially executing arbitrary code. This problem makes it possible for a user with malicious motives to execute arbitrary code, and potentially gain access and elevated privileges.

Tinyproxy Heap Overflow Vulnerability
BugTraq ID: 2217
Remote: Yes
Date Published: 2001-01-17
Relevant URL: http://www.securityfocus.com/bid/2217
Summary:
Versions 1.3.2 and 1.3.3 of tinyproxy, a small HTTP proxy, are vulnerable to heap overflow attacks. A failure to properly validate user-supplied input that is passed as an argument to a call to sprintf() can allow unexpectedly large amounts of input to be written into a buffer (used to display error messages) past the boundary of the space allocated on the heap. As a result, it may be possible to mount a denial of service attack, or even to execute arbitrary commands if certain internal memory structures can be successfully overwritten.

SSH Secure-RPC Weak Encrypted Authentication Vulnerability
BugTraq ID: 2222
Remote: No
Date Published: 2001-01-16
Relevant URL: http://www.securityfocus.com/bid/2222
Summary:
SSH is a package designed to encrypt traffic between two end points using the IETF-specified SSH protocol. The SSH1 package is distributed and maintained by SSH Communications Security.

A problem exists which could allow the discovery of the secret key used to encrypt traffic on the local host. When using SUN-DES-1 to share keys with other hosts on the network to facilitate secure communication via protocols such as NFS and NIS+, the keys are shared between hosts using the private key of the user and a cryptographic algorithm to secure the contents of the key, which is stored on the NIS+ primary.
The problem occurs when the key is encrypted with the SUN-DES-1 magic phrase before a keylogin has been done (the keyserv does not have the user's DH private key). A design flaw in the software that shares the key with the NIS+ master inconsistently returns the correct value for an attempted keyshare that has failed. A step in the private key encryption process is skipped, and the user's private key is then encrypted only with the public key of the target server and the SUN-DES-1 magic phrase, a phrase that is guessable due to the way it is generated. A user on the same host can then execute a function that returns another user's magic phrase, and use this to decrypt the private key of the victim. This makes it possible for a user with malicious intent to learn a user's secret key and decrypt sensitive traffic between two hosts, with the possibility of gaining access and elevated privileges on the hosts and/or the NIS+ domain.

glibc LD_PRELOAD File Overwriting Vulnerability
BugTraq ID: 2223
Remote: No
Date Published: 2001-01-16
Relevant URL: http://www.securityfocus.com/bid/2223
Summary:
glibc is the GNU C Library, a freely available, open source C library maintained in the public domain and distributed by the Free Software Foundation. It is included in most current Linux distributions.

A problem with the library could allow a user to write or overwrite restricted files. Upon execution of SUID and SGID applications, the library allows a user to preload libraries named in the environment variable LD_PRELOAD, provided the variable does not contain forward slashes. A special check is also performed to ensure the library being preloaded is SUID. However, if the library is found in the /etc/ld.so.cache file, this check is circumvented and never performed. It is therefore possible to load a library from /lib or /usr/lib prior to the execution of a SUID or SGID program.
This flaw makes it possible for a user with malicious motives to create files in restricted locations, or overwrite files outside of this user's access, including system files.

Linux worm uses its noodle
By Kevin Poulsen

An Internet worm cobbled together from pre-existing scripts is spreading rapidly through Red Hat Linux systems, leaving in its wake a trail of defaced web pages touting the virtues of oriental noodles. The so-called 'Ramen' worm is a bulky, but effective, collection of hacking tools rolled up into a package. A modified scanning program searches broad swaths of the Internet for Red Hat Linux versions 6.2 and 7.0 installations. The scanner then launches attacks against those machines with publicly available exploits of three known vulnerabilities and spreads into each crackable box.
http://www.securityfocus.com/templates/article.html?id=139

[ PS: my first attempt at a signed mail on linux-leman-annonces :) ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Made with pgp4pine

iD8DBQE6bUydqXQFe392v8kRAgGTAKDT/PeCE7gOY8D0oM5YIX3A1oViywCfQcx4
6fx2XVZN2SMoh9d7NRGsgOQ=
=so7u
-----END PGP SIGNATURE-----

- To post an announcement: [EMAIL PROTECTED]
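Returning to the Tinyproxy advisory above: the defect it describes is sprintf() formatting untrusted input into a fixed-size heap buffer for an error page. The following is an added example, not Tinyproxy's code (the buffer size, the HTML template and the helper names are constructed for illustration). It shows the unsafe shape next to two bounded replacements: truncate-and-report with snprintf(), or measure first and allocate exactly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRBUF 64   /* constructed: deliberately small so truncation shows */

static const char *const ERR_FMT = "<html><body>Error: %s</body></html>";

/* Vulnerable shape: sprintf() has no idea the heap block is ERRBUF bytes,
 * so a `detail` longer than the remaining space is written past the block
 * into whatever the allocator placed next. Kept only to show the pattern;
 * nothing below ever calls it with oversized input. */
char *build_error_unsafe(const char *detail)
{
    char *buf = malloc(ERRBUF);
    if (!buf) return NULL;
    sprintf(buf, ERR_FMT, detail);
    return buf;
}

/* Fix 1: snprintf() is told the size, never writes beyond it, and returns
 * the length the full message would have had, so the caller can detect
 * (and log, or reject) truncation instead of silently losing data. */
char *build_error_safe(const char *detail, int *truncated)
{
    char *buf = malloc(ERRBUF);
    if (!buf) return NULL;
    int need = snprintf(buf, ERRBUF, ERR_FMT, detail);
    if (truncated) *truncated = (need < 0 || need >= ERRBUF);
    return buf;
}

/* Fix 2: when truncating an error page is unacceptable, measure with a
 * zero-length snprintf() and allocate exactly what the message needs. */
char *build_error_exact(const char *detail)
{
    int need = snprintf(NULL, 0, ERR_FMT, detail);
    if (need < 0) return NULL;
    char *buf = malloc((size_t)need + 1);
    if (!buf) return NULL;
    snprintf(buf, (size_t)need + 1, ERR_FMT, detail);
    return buf;
}

/* Builds a constructed `detail` of detail_len 'A's (longer than ERRBUF when
 * detail_len is large), runs both fixes, and reports their output lengths.
 * Returns the truncation flag from the bounded variant, or -1 on failure. */
int check_bounded(size_t detail_len, size_t *safe_len, size_t *exact_len)
{
    char *detail = malloc(detail_len + 1);
    if (!detail) return -1;
    memset(detail, 'A', detail_len);
    detail[detail_len] = '\0';

    int truncated = 0;
    char *safe = build_error_safe(detail, &truncated);
    char *exact = build_error_exact(detail);
    int rc = (safe && exact) ? truncated : -1;
    if (safe)  *safe_len = strlen(safe);
    if (exact) *exact_len = strlen(exact);

    free(safe);
    free(exact);
    free(detail);
    return rc;
}

int main(void)
{
    size_t s = 0, e = 0;
    int t = check_bounded(200, &s, &e);
    printf("bounded output: %zu bytes (truncated=%d), exact output: %zu bytes\n",
           s, t, e);
    return 0;
}
```

With a 200-byte detail the bounded variant stops at ERRBUF-1 characters plus the terminator and flags truncation, while the exact variant yields the 33-character template plus the 200 input bytes; the unsafe variant would have written that same 233-byte string into a 64-byte block.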
