Qualcomm qpopper Username Buffer Overflow Vulnerability
BugTraq ID: 2811
Remote: Yes
Date Published: 2001-06-02
Relevant URL: http://www.securityfocus.com/bid/2811
Summary:
Qualcomm popper, or 'qpopper', is a POP3 server, enabling POP3 clients to read and download mail. In version 4, a buffer overflow vulnerability was introduced into the qpopper source tree.

The buffer overflow occurs when the server is processing the client-supplied username. The username is copied via strcpy() into another member of the pop session structure, which is allocated locally in the primary session function, qpopper(). strcpy() is an unsafe libc function: it is an unbounded memory copy that copies bytes until the end of the source string, with no argument for a maximum length. If the length of the string is greater than the size of the destination buffer, the excess data overwrites neighboring memory.

Because the POP username is a client-supplied string, remote clients can overwrite values in qpopper's stack with arbitrary data. An attacker may be able to replace a function return address with a value pointing to attacker-supplied instructions, which will be executed once the function returns. It is believed that the overflow occurs before authentication, so it may not be required that users have valid POP accounts. Exploitation of this vulnerability may lead to a compromise of root privileges by remote attackers.

Linux Man Malicious Cache File Creation Vulnerability
BugTraq ID: 2815
Remote: No
Date Published: 2001-06-04
Relevant URL: http://www.securityfocus.com/bid/2815
Summary:
When a system manual page is viewed, the man program creates a cache file containing information relevant to the current state of the manual page system and the information stored within that page, to enhance the speed of subsequent lookups. It is possible for local users to cause man to cache files from outside of the configured manual page hierarchy search path.

Most man implementations offer the user the ability to specify a custom directory from which to locate and load man pages. This user-specified man directory can also contain the cache directory, which will be used if it exists. The vulnerability in the Linux implementation of man is that when the desired manpage (from a user-controlled man directory) is loaded, the cached version is created without first dropping privileges. Another issue is that man follows symbolic links as cache directories.

It is therefore possible to have man create a cache file as group 'man' in the system cache directory. This would be accomplished by creating the 'user controlled' cache directory as a symbolic link pointing to the system cache directory. When the man page (from the user-supplied area) is viewed, a cache is created in the directory pointed to by the symbolic link with group 'man' privileges -- the system cache directory. Combined with the behaviours of 'man' and 'mandb' or any other utilities which trust cache filenames, it may be possible to use this vulnerability to elevate privileges. See the attack scenarios section.

Linux FPF Kernel Module Denial Of Service Vulnerability
BugTraq ID: 2816
Remote: Yes
Date Published: 2001-06-04
Relevant URL: http://www.securityfocus.com/bid/2816
Summary:
FPF is a Linux Kernel Module which alters the Linux TCP/IP stack, causing it to emulate other operating systems when fingerprinted using tools such as nmap or Queso. An attacker could easily launch an attack using a utility such as nmap.

OpenBSD Dup2 VFS Race Condition Denial Of Service Vulnerability
BugTraq ID: 2817
Remote: No
Date Published: 2001-06-02
Relevant URL: http://www.securityfocus.com/bid/2817
Summary:
OpenBSD is a BSD based operating system maintained and distributed by the OpenBSD project. OpenBSD has been designed as a secure implementation of the BSD Operating System, and offers numerous security features.

A problem in the kernel could allow a local user to crash a vulnerable system. This is due to a design problem involving the rfork() and dup2() system calls. Under normal conditions, the rfork() system call allows child processes to share the file descriptor table with their parent processes. The dup2() system call allows file descriptors between two processes to be copied. The problem occurs in the finishdup() function, where a process may enter sleep while another process sharing the file descriptor table continues to run. The finishdup() function does not check whether the file descriptor is null prior to dereferencing it. Therefore, another process running while the process in finishdup() is asleep could set the file descriptor to null. Upon the process in finishdup() returning from sleep, it could dereference the file descriptor already set to null, causing a kernel panic.

OpenBSD Pipe VFS Race Condition Denial Of Service Vulnerability
BugTraq ID: 2818
Remote: No
Date Published: 2001-06-02
Relevant URL: http://www.securityfocus.com/bid/2818
Summary:
OpenBSD is a BSD based operating system maintained and distributed by the OpenBSD project. OpenBSD has been designed as a secure implementation of the BSD Operating System, and offers numerous security features.

A problem within the kernel makes it possible for a local user to cause a kernel panic. This problem can be exploited to cause a Denial of Service against legitimate users of the system. The problem involves the handling of pipes by the kernel. During normal operations, a thread within a process using a pipe between two files does so by creating two file descriptors in the file descriptor table. Once the thread has created the two file descriptors, it is possible for another thread from within the same process to set one of the file descriptors within the file descriptor table to null. In doing so, when the other thread attempts to dereference the file descriptor, a kernel panic occurs, causing the system to halt operation.

OpenSSH Client X11 Forwarding Cookie Removal File Symbolic Link Vulnerability
BugTraq ID: 2825
Remote: No
Date Published: 2001-06-04
Relevant URL: http://www.securityfocus.com/bid/2825
Summary:
OpenSSH is the free implementation of the SSH client and server protocol. It is maintained by the OpenBSD project, and distributed freely as open source software.

A problem in the checking and removal of files created in the /tmp directory makes it possible for a local user to delete arbitrary files named "cookie". During normal operation, an ssh client connecting to a server with X11 forwarding enabled causes the creation of a directory in /tmp using the $XAUTHORITY variable for naming. This directory is created with a cookie file inside, which is used to maintain the secure X11 connection between client and server. The problem occurs when a user with local access connects to the system with forwarding enabled. Upon connecting, the directory and cookie file are created. A hostile user may rm -r this directory, and create a symbolic link in its place to another directory containing a file named "cookie". Upon termination of the ssh session, the sshd removes the symbolically linked cookie file.

xinetd Insecure Default Umask Vulnerability
BugTraq ID: 2826
Remote: No
Date Published: 2001-06-05
Relevant URL: http://www.securityfocus.com/bid/2826
Summary:
A vulnerability exists in the xinetd daemon. When an application is run, it inherits the file creation mask of its parent. This mask is used by the open() call to set initial file permissions on newly-created files. Although it is possible for an application to set its own mask or to explicitly set file permissions, sometimes this is not the case. The xinetd daemon runs with umask 0.
As a result, files created by applications that use the xinetd umask without explicitly setting permissions will be world writable.
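Returning to the qpopper entry (BugTraq ID 2811): the defect is an unbounded strcpy() of a client-controlled username into a fixed-size struct member. The following is an added example, not qpopper's code; it shows a bounded USER-command parser that rejects a name before it can overrun the field. The struct layout, the POP_USER_MAX limit and the helper names are constructed for the demo.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed username limit for the demo; not qpopper's real buffer size. */
#define POP_USER_MAX 64

struct pop_session {
    char user[POP_USER_MAX];
    int authenticated;
};

/*
 * Parse a POP3 "USER <name>" command line into s->user with an explicit
 * bound. The pattern this replaces is an unbounded strcpy(s->user, name),
 * which writes past s->user as soon as the client sends a longer name.
 * Returns 0 on success, -1 if the line is malformed or the name is too long.
 */
int pop_parse_user(struct pop_session *s, const char *line)
{
    const char *name;
    size_t n, i;

    if (strncasecmp(line, "USER ", 5) != 0)
        return -1;
    name = line + 5;
    n = strcspn(name, "\r\n");          /* name ends at the line terminator */
    if (n == 0 || n >= sizeof s->user)  /* empty, or would not fit with the NUL */
        return -1;
    for (i = 0; i < n; i++)             /* usernames are printable, no spaces */
        if (!isprint((unsigned char)name[i]) || name[i] == ' ')
            return -1;
    memcpy(s->user, name, n);           /* bounded copy: n < sizeof s->user */
    s->user[n] = '\0';
    return 0;
}

/* Demo helper: feed a constructed "USER " + len * 'A' line, return parse result. */
int pop_demo_user_of_length(size_t len)
{
    struct pop_session s = {{0}, 0};
    char line[4096];
    size_t i;

    if (len + 8 > sizeof line)
        return -1;
    memcpy(line, "USER ", 5);
    for (i = 0; i < len; i++)
        line[5 + i] = 'A';
    memcpy(line + 5 + len, "\r\n", 3);  /* includes the terminating NUL */
    return pop_parse_user(&s, line);
}
```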
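Both the man entry (BugTraq ID 2815) and the OpenSSH entry (BugTraq ID 2825) come down to a privileged program operating through a directory path that a local user has replaced with a symbolic link. The following is an added example, not code from either project: it removes a "cookie" file through a directory descriptor opened with O_NOFOLLOW, so a symlinked directory is refused and the unlink applies to the directory actually opened. The paths under /tmp and the demo scenario are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Remove "cookie" from dir without ever following dir if it is a symlink.
 * O_NOFOLLOW makes open() fail (ELOOP) when dir is a link, and unlinkat()
 * on the directory fd removes the entry from the directory that was actually
 * opened, not whatever a later path lookup would resolve to (no TOCTOU window).
 * Returns 0 on success, -1 if refused or on error.
 */
int remove_cookie_nofollow(const char *dir)
{
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0)
        return -1;
    int rc = unlinkat(dirfd, "cookie", 0);
    close(dirfd);
    return rc;
}

/* Constructed scenario: a real session dir and a symlink pointing at a victim dir. */
int demo_symlinked_cookie_dir(void)
{
    char base[] = "/tmp/cookiedemo.XXXXXX";
    char real[64], victim[64], lnk[64], real_cookie[64], victim_cookie[64];
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    snprintf(real_cookie, sizeof real_cookie, "%s/cookie", real);
    snprintf(victim_cookie, sizeof victim_cookie, "%s/cookie", victim);
    mkdir(real, 0700);
    mkdir(victim, 0700);
    close(open(real_cookie, O_CREAT | O_WRONLY, 0600));
    close(open(victim_cookie, O_CREAT | O_WRONLY, 0600));
    symlink(victim, lnk);                 /* the replaced directory from the advisory */

    int removed_real = remove_cookie_nofollow(real);    /* 0: legitimate cleanup works */
    int refused_link = remove_cookie_nofollow(lnk);     /* -1: symlinked dir is refused */
    int victim_intact = access(victim_cookie, F_OK) == 0; /* victim's cookie survives */

    unlink(victim_cookie); unlink(lnk); rmdir(real); rmdir(victim); rmdir(base);
    return removed_real == 0 && refused_link == -1 && victim_intact;
}
```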
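For the xinetd entry (BugTraq ID 2826), the following added example (not xinetd's code) reproduces the inheritance the advisory describes: a process created under umask 0 that open()s with mode 0666 gets a world-writable file, while the same open() under umask 022 yields 0644, and a program that forces its own permissions with fchmod() is unaffected either way. The temporary directory under /tmp and the helper names are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create a file the way a service spawned under `inherited` umask would:
 * open() with `requested` mode bits. If fix_explicitly is set, the program
 * then forces 0600 with fchmod(), as a program that does not trust its
 * inherited mask should. Returns the resulting permission bits, or -1.
 */
int create_under_umask(mode_t inherited, mode_t requested, int fix_explicitly)
{
    char dir[] = "/tmp/umaskdemo.XXXXXX";
    char path[64];
    struct stat st;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)           /* mkdtemp always uses 0700 for the dir */
        return -1;
    snprintf(path, sizeof path, "%s/out", dir);

    mode_t saved = umask(inherited);    /* emulate the mask inherited from the parent */
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(saved);
    if (fd >= 0) {
        if (fix_explicitly)
            fchmod(fd, 0600);           /* explicit permissions override the mask */
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return result;
}

/* True if any user on the system can write the file. */
int is_world_writable(int mode)
{
    return (mode & S_IWOTH) != 0;
}
```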
