MacOS X Client Apache File Protection Bypass Vulnerability
BugTraq ID: 2852
Remote: Yes
Date Published: 2001-06-10
Relevant URL: http://www.securityfocus.com/bid/2852
Summary: A vulnerability exists when the Apache web server is used on Mac OS X Client. The standard filesystem for Mac OS X is HFS+. HFS+ is case insensitive, while Apache's filtering is case sensitive. Apache offers file protection functionality that prohibits unprivileged users from accessing protected directories. Because Apache was developed on systems with case-sensitive filesystems, a request must match the filter exactly; any difference in character case causes the request not to match. Apache therefore filters requests that match a filter exactly (including case), but does not filter requests whose case differs from the filter. Since HFS+ resolves names case insensitively, such a request opens the same file, and the "filtered" content is disclosed. The impact is that privileged files may be arbitrarily disclosed to non-privileged remote users.

[ Same problem as IIS and Apache on Windows NT, for example. Solution: Apple's open source module. Seems to affect only the workstation version of MacOS X ... ]

Imapd 'Local' Buffer Overflow Vulnerabilities
BugTraq ID: 2856
Remote: Yes
Date Published: 2001-06-11
Relevant URL: http://www.securityfocus.com/bid/2856
Summary: Washington University Imapd is a popular server program that allows clients to download mail from servers via the IMAP protocol. Imapd reportedly contains buffer overflow vulnerabilities that are exploitable by authenticated clients. These overflows may provide malicious clients with interactive access on the host. Imapd lowers its privileges after a user authenticates, so a user who already has shell access on the host gains nothing by exploiting this vulnerability. These buffer overflows should be of concern to administrators of mail servers whose IMAP users do not have access to the underlying host.

If one of these vulnerabilities can be exploited to execute arbitrary code, an attacker with an IMAP-only username/password may be able to gain access to the server host. It is significantly easier for attackers to compromise the entire system (gain root) once they have local access. MandrakeSoft has released upgraded packages which eliminate the reported vulnerabilities. More information is forthcoming in future updates pending complete SIA analysis of these vulnerabilities.

MDBMS Query Display Buffer Overflow Vulnerability
BugTraq ID: 2867
Remote: Yes
Date Published: 2001-06-12
Relevant URL: http://www.securityfocus.com/bid/2867
Summary: MDBMS is a free relational database management system. A buffer overflow condition exists in MDBMS that may allow a remote user with database access to execute arbitrary code on a host running the server. The problem occurs when a user issues the '\s' command to display the query buffer while it contains a large amount of data. If the buffer is approximately 10000 bytes in length or longer, the condition is triggered.

[ Free as in freedom, or free as in no charge? ]

Linux Man Page Source Buffer Overflow Vulnerability
BugTraq ID: 2872
Remote: No
Date Published: 2001-06-12
Relevant URL: http://www.securityfocus.com/bid/2872
Summary: A buffer overflow vulnerability exists in the implementation of the 'man' system manual pager program commonly included with Linux distributions. When a manual page file begins with a '.so' statement, the 'man' program uses the filename given with the statement as the source file for that manual page. These statements can be chained recursively over several manual page files; the program loads each sourced file until the 'ultimate' file is found. A subtle bug exists in the algorithm used to handle these files. If a manual page file is compressed by a program such as gzip, the man program must first expand the file to check its first line for the '.so' statement.

To do this, it calls popen() to execute the expansion program, passing the manual page filename as part of the command line. The boundary condition error occurs because the source file algorithm concatenates data from '.so' statements into a fixed-size buffer at every level of recursion. If a command inserted after shell metacharacters in the filename returns a '.so' statement of excessive length, the recursive nature of the algorithm can trigger the condition. As a result, local users can use this vulnerability to execute arbitrary code/commands with group 'man' privileges. This can lead to further system compromise.

Multiple BSD Vendor Ptrace Race Condition Vulnerability
BugTraq ID: 2873
Remote: No
Date Published: 2001-06-14
Relevant URL: http://www.securityfocus.com/bid/2873
Summary: Ptrace is a facility used mostly by debuggers that allows one process to attach to another and monitor/modify its execution state and memory. Ptrace implements checks to ensure that unprivileged processes do not attach to privileged ones. It has been reported that a race condition exists in some BSD ptrace implementations that may cause these checks to be bypassed. The race condition is reportedly present while a process is exec()ing a setuid image. If the race is won, it may be possible to attach to the setuid process. Once an unprivileged process has attached to a setuid process, it can cause the setuid process to resume execution at an arbitrary address. If attacker-supplied instructions exist in an executable region of the setuid process' memory (such as in the environment), the attacker may resume execution at the location of those instructions, which then run with the elevated privileges of the setuid process. The attaching process may also be able to modify memory belonging to the setuid process. This gives the attacker almost complete control over the setuid process.

If exploited, this vulnerability could allow local attackers to elevate privileges. The privileges that can be gained depend on the setuid programs installed on the system. OpenBSD and NetBSD have both confirmed that they are vulnerable. OpenBSD has released kernel patches, while NetBSD has fixed the problem in its CVS tree. Updates will be sent out as more information becomes available.

- To post an announcement: [EMAIL PROTECTED]
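Returning to the Apache on Mac OS X entry (BugTraq ID 2852) above: the following is an added example in C, written for this digest and not Apache's code or Apple's module. It models a case-sensitive prefix filter placed in front of a case-insensitive filesystem, shows the bypass the advisory describes, and shows the general fix of resolving the request to its on-disk name before applying the filter. The protected prefixes, the file table standing in for the HFS+ volume, and every function name are hypothetical.

```c
/* Added example, not Apache code: a case-sensitive access filter in front of
 * a case-insensitive filesystem, and the same filter applied after the path
 * has been resolved to its canonical on-disk name. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Constructed configuration: URL prefixes the administrator has protected. */
static const char *PROTECTED[] = { "/private", "/admin/config" };
#define N_PROTECTED (sizeof PROTECTED / sizeof PROTECTED[0])

/* Constructed file table standing in for the names on an HFS+ volume. */
static const char *FILES[] = {
    "/private/secret.txt",
    "/admin/config/httpd.conf",
    "/public/index.html",
    "/privateer/log.txt",
};
#define N_FILES (sizeof FILES / sizeof FILES[0])

/* Lookup as a case-insensitive filesystem does it: any case variant of the
 * name opens the same file. Returns the canonical on-disk path or NULL. */
const char *hfs_lookup(const char *request)
{
    for (size_t i = 0; i < N_FILES; i++)
        if (strcasecmp(request, FILES[i]) == 0)
            return FILES[i];
    return NULL;
}

/* Prefix test with a path-component boundary, so "/privateer" is not
 * treated as being under "/private". fold_case selects strncasecmp. */
static int under_prefix(const char *path, const char *prefix, int fold_case)
{
    size_t n = strlen(prefix);
    int same = fold_case ? strncasecmp(path, prefix, n) == 0
                         : strncmp(path, prefix, n) == 0;
    return same && (path[n] == '\0' || path[n] == '/');
}

/* 1 if path falls under any protected prefix, else 0. */
int is_protected(const char *path, int fold_case)
{
    for (size_t i = 0; i < N_PROTECTED; i++)
        if (under_prefix(path, PROTECTED[i], fold_case))
            return 1;
    return 0;
}

/* Pre-fix behaviour: the case-sensitive filter is applied to the request
 * string exactly as sent, and only then does the filesystem resolve it,
 * case-insensitively. Returns 1 = served, 0 = denied, -1 = not found. */
int serve_vulnerable(const char *request)
{
    if (is_protected(request, 0))
        return 0;
    return hfs_lookup(request) ? 1 : -1;
}

/* Hardened: resolve first, then filter on the canonical on-disk path, so
 * every spelling the filesystem maps to a protected file is caught. */
int serve_hardened(const char *request)
{
    const char *canonical = hfs_lookup(request);
    if (!canonical)
        return -1;
    return is_protected(canonical, 0) ? 0 : 1;
}

int main(void)
{
    const char *reqs[] = { "/private/secret.txt", "/PRIVATE/secret.txt",
                           "/Admin/Config/httpd.conf", "/privateer/log.txt" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-26s vulnerable=%2d hardened=%2d\n", reqs[i],
               serve_vulnerable(reqs[i]), serve_hardened(reqs[i]));
    return 0;
}
```

With the constructed table, `/PRIVATE/secret.txt` is served by the vulnerable path (the filter never matches, the filesystem opens the file anyway) and denied by the hardened one. Comparing with `fold_case = 1` closes the same gap, but only for case; canonicalising before the check also covers any other spelling the filesystem resolves to the same file, which is why the check belongs after resolution rather than on the raw request.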
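For the man page entry (BugTraq ID 2872) above, an added example in C, written for this digest and not taken from the man source: it models the two defects the advisory describes, the decompression command line handed to popen() with the file name unquoted, and the per-level copy of each '.so' target into a fixed buffer, and places a bounded resolver and a shell-free argv builder beside them. The same bounded-copy discipline is the fix for the MDBMS '\s' display buffer (BugTraq ID 2867). The page store, the buffer size, the depth limit and all function names are hypothetical.

```c
/* Added example, not the man(1) source: a '.so' chain resolver with bounds,
 * and the decompression step built without a shell. */
#include <stdio.h>
#include <string.h>

#define MAX_SO_DEPTH 8   /* hypothetical recursion limit; also stops loops */
#define PATHSZ 40        /* deliberately small fixed buffer so the bound is easy to hit */

/* Constructed page store: page name -> first line after expansion. */
struct page { const char *name; const char *first_line; };
static const struct page PAGES[] = {
    { "man1/ls.1",   ".so man1/dir.1" },
    { "man1/dir.1",  ".TH DIR 1" },
    { "man1/loop.1", ".so man1/loop.1" },   /* refers to itself */
    { "man1/evil.1", ".so man1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.1" },
};

static const char *first_line_of(const char *name)
{
    for (size_t i = 0; i < sizeof PAGES / sizeof PAGES[0]; i++)
        if (strcmp(PAGES[i].name, name) == 0)
            return PAGES[i].first_line;
    return NULL;
}

/* Follow '.so' references from `start`, leaving the final page name in
 * out[outsz]. The vulnerable pattern is strcpy/strcat of each target into
 * `out` with no check; here every copy goes through snprintf and its return
 * value is compared with the buffer size. Returns 0 on success, -1 if a
 * target does not fit, -2 if the chain exceeds MAX_SO_DEPTH, -3 if a page
 * in the chain does not exist. */
int follow_so(const char *start, char *out, size_t outsz)
{
    if (snprintf(out, outsz, "%s", start) >= (int)outsz)
        return -1;
    for (int depth = 0; ; depth++) {
        const char *line = first_line_of(out);
        if (!line)
            return -3;
        if (strncmp(line, ".so ", 4) != 0)
            return 0;                       /* reached the real page */
        if (depth >= MAX_SO_DEPTH)
            return -2;
        const char *target = line + 4;
        if (snprintf(out, outsz, "%s", target) >= (int)outsz)
            return -1;                      /* would have overflowed */
    }
}

/* The command line popen() would receive. A page named
 * "x.1.gz; echo .so /tmp/y" makes the shell run the embedded command, whose
 * output becomes the "first line" the resolver reads. Built, not executed. */
int expand_command_for_shell(char *cmd, size_t n, const char *file)
{
    return snprintf(cmd, n, "gzip -dc %s", file) < (int)n;
}

/* Mitigation: accept only a conservative character set and build an argv
 * for execvp()/posix_spawn(), so no shell ever parses the name. */
int page_name_is_safe(const char *file)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-+/";
    return file[0] != '\0' && file[strspn(file, allowed)] == '\0';
}

/* argv must have room for 5 pointers. Returns 1 on success, 0 if rejected.
 * "--" keeps a name beginning with '-' from being read as an option. */
int build_expand_argv(const char *file, const char *argv[5])
{
    if (!page_name_is_safe(file))
        return 0;
    argv[0] = "gzip"; argv[1] = "-dc"; argv[2] = "--"; argv[3] = file; argv[4] = NULL;
    return 1;
}

int main(void)
{
    char out[PATHSZ], cmd[128];
    const char *argv[5];
    printf("ls.1   -> %d (%s)\n", follow_so("man1/ls.1", out, sizeof out), out);
    printf("loop.1 -> %d\n", follow_so("man1/loop.1", out, sizeof out));
    printf("evil.1 -> %d\n", follow_so("man1/evil.1", out, sizeof out));
    expand_command_for_shell(cmd, sizeof cmd, "x.1.gz; echo .so /tmp/y");
    printf("shell would see: %s\n", cmd);
    printf("argv built: %d\n", build_expand_argv("x.1.gz; echo .so /tmp/y", argv));
    return 0;
}
```

`follow_so("man1/evil.1", ...)` returns -1 where an unchecked strcpy would have written past the 40-byte buffer, and the looping page stops at the depth limit instead of recursing forever. The argv builder rejects the metacharacter name outright; the original defect needed both pieces, a shell to produce attacker-chosen output and an unbounded copy to consume it, so removing either closes it, and removing both is cheap.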
