SGI Performance Co-Pilot pmpost Symbolic Link Vulnerability
BugTraq ID: 2887
Remote: No
Date Published: 2001-06-18
Relevant URL: http://www.securityfocus.com/bid/2887
Summary:
Performance Co-Pilot (PCP) is a set of services to support system-level performance monitoring developed by SGI. It has traditionally been an IRIX product; however, SGI has made it open source and it is now available for Linux systems.

One of the utilities that ships with PCP is called 'pmpost'. It is often installed setuid root by default. When 'pmpost' is executed by a user, it logs the command line parameter to a tempfile ('NOTICES') in the log directory. The location of the log directory can be specified via the 'PCP_LOG_DIR' environment variable. Because environment variables are user supplied, a local user can choose an arbitrary log directory. When writing to the 'NOTICES' file in the log directory, 'pmpost' will follow symbolic links. Since the data written is user-supplied (the command-line arguments), it is possible to gain superuser privileges if 'pmpost' is setuid root.

An attacker may exploit this vulnerability by setting the log directory to one under their control, containing a symbolic link called 'NOTICES' pointing to a critical system file (such as '/etc/passwd'). The attacker could overwrite the contents of this file with arbitrary data.

Note: This vulnerability affects both the binary versions for IRIX and the open source distribution of PCP. S.u.S.E. has made PCP packages available for their Linux distribution. PCP is not installed as part of S.u.S.E. Linux by default. The PCP packages for S.u.S.E. Linux 7.0 do not install 'pmpost' setuid root. Versions 7.1 and 7.2 do, and are vulnerable if PCP is installed. It has been reported that not all versions of PCP for IRIX are vulnerable.
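The two missing checks behind the pmpost advisory, shown as an added example (not PCP's own code): a setuid program must not take its log directory from the environment, and must not follow a symlink when opening the NOTICES file. The default directory '/var/log/pcp' is an assumed placeholder, not taken from the page.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed default; the real PCP default directory is not stated on this page. */
#define DEFAULT_LOG_DIR "/var/log/pcp"

/* Decide which log directory to use. A setuid program must not let the
 * caller pick the directory: honour PCP_LOG_DIR only when real and
 * effective UIDs match (no privilege boundary), and only if absolute. */
const char *choose_log_dir(const char *env_value, uid_t ruid, uid_t euid)
{
    if (env_value == NULL || env_value[0] == '\0')
        return DEFAULT_LOG_DIR;
    if (ruid != euid)            /* running setuid: environment is untrusted */
        return DEFAULT_LOG_DIR;
    if (env_value[0] != '/')     /* refuse relative paths */
        return DEFAULT_LOG_DIR;
    return env_value;
}

/* Open dir/NOTICES for appending without following a symlink at the final
 * component (O_NOFOLLOW makes open() fail with ELOOP on a symlink), then
 * confirm the descriptor refers to a regular file with a single link.
 * Returns the descriptor, or -1 if anything looks wrong. */
int open_notices(const char *dir)
{
    char path[PATH_MAX];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/NOTICES", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);               /* not a plain file: refuse to write */
        return -1;
    }
    return fd;
}
```

O_NOFOLLOW only protects the final path component, so the directory itself must still be one that only root can write to; the st_nlink check additionally rejects a hard link planted to a protected file.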
To determine whether you are vulnerable, run this command:

    strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR

If the string 'PCP_LOG_DIR' appears, it is most likely that the version of 'pmpost' installed is vulnerable. It is not yet known which other Linux vendors may ship PCP as either an optional package or installed by default.

W3M Malformed MIME Header Buffer Overflow Vulnerability
BugTraq ID: 2895
Remote: Yes
Date Published: 2001-06-19
Relevant URL: http://www.securityfocus.com/bid/2895
Summary:
W3M is a pager/text-based WWW browser similar to lynx. The 'w3m' client program contains a boundary condition error in its handling of HTTP header fields. A buffer overflow can occur when a base64-encoded string is received in a MIME header field. The string is copied into an internal buffer without performing bounds checking. If the string exceeds approximately 32 characters in length, the extraneous data overwrites neighbouring memory. If successful, an attacker can have arbitrary code executed with the privileges of the user running the w3m client.

Juergen Schoenwaelder scotty ntping Buffer Overflow Vulnerability
BugTraq ID: 2911
Remote: No
Date Published: 2001-06-21
Relevant URL: http://www.securityfocus.com/bid/2911
Summary:
ntping is a component of scotty, a Tcl interpreter used to retrieve status and configuration information for TCP/IP networks. The SUID root ntping utility has been found to contain an exploitable buffer overflow. When ntping is invoked at the command line, the contents of argv[0] are copied to an internal variable without bounds checking. An argument of sufficient length will exceed the size of the destination buffer and will be copied over neighbouring data on the stack. If properly composed, this input can allow a local attacker exploiting this vulnerability to gain root privileges, leading to a complete system compromise.
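The w3m and ntping advisories above describe the same defect, a fixed-size copy with no length check. This added example (not code from w3m or scotty) shows the bounded versions of both copies; the 32-byte MIME buffer size is assumed from the "approximately 32 characters" in the advisory, and the RFC 2047 encoded-word layout is used for the header field.

```c
#include <stddef.h>
#include <string.h>

/* Copy src into dst (dstsz bytes, always NUL-terminated).
 * Returns 0 on success, -1 if src would not fit; the caller then
 * rejects the input instead of writing past the buffer. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {            /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

#define MIME_B64_MAX 32          /* assumed size of w3m's internal buffer */

/* Extract the base64 payload of an RFC 2047 encoded-word such as
 * "=?ISO-8859-1?B?SGVsbG8=?=" into out (outsz bytes).
 * Returns the payload length, or -1 if malformed or too long for out. */
int extract_mime_b64(const char *field, char *out, size_t outsz)
{
    const char *start = strstr(field, "?B?");
    if (start == NULL)
        return -1;
    start += 3;
    const char *end = strstr(start, "?=");
    if (end == NULL)
        return -1;
    size_t len = (size_t)(end - start);
    if (len >= outsz)            /* the check the advisory says is missing */
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* ntping case: argv[0] is chosen by whoever calls execve(), so for a
 * setuid binary it is attacker-controlled and must be bounded as well. */
int copy_progname(char *dst, size_t dstsz, char *const argv[])
{
    const char *name = (argv != NULL && argv[0] != NULL) ? argv[0] : "ntping";
    return copy_bounded(dst, dstsz, name);
}
```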
ePerl Foreign Code Execution Vulnerability
BugTraq ID: 2912
Remote: Yes
Date Published: 2001-06-19
Relevant URL: http://www.securityfocus.com/bid/2912
Summary:
ePerl is a multipurpose Perl filter and interpreter program for Unix systems. ePerl provides a preprocessor that allows additional files to be loaded and processed at runtime, through the use of the 'include' directive. A secure variant of the 'include' directive, 'sinclude', is provided so external data can be loaded but not processed. The user-supplied file path given with these directives can be a relative or absolute path on the local filesystem, or a fully qualified HTTP URL.

An input validation error exists in this preprocessor. If a file referenced by an 'sinclude' directive contains an 'include' directive, the contents of the file referred to by that directive will be loaded and executed. In a situation where the 'sinclude' directive references a file outside of the script owner's control, it may be possible for the owner of the file to cause arbitrary code/commands to be executed the next time the script is run.

cfingerd Utilities Buffer Overflow Vulnerability
BugTraq ID: 2914
Remote: No
Date Published: 2001-06-21
Relevant URL: http://www.securityfocus.com/bid/2914
Summary:
cfingerd is a secure implementation of the finger daemon. cfingerd has been contributed to by many authors and is maintained by the cfingerd development team.

A problem with the daemon makes it possible for a local user to gain elevated privileges. A buffer overflow in the handling of input by the daemon makes it possible for a local user to execute arbitrary code and gain elevated privileges. Successful exploitation of this vulnerability results in root access on the local system. The problem is in the handling of input from .nofinger files. During normal operation, cfingerd is controlled by inetd: inetd waits for incoming finger requests, then calls the daemon to carry out the request.
The problem involves the validation of input from .nofinger files. Due to insufficient input checking by the cfingerd program, it is possible for a local user to place a string of more than 80 characters in a .nofinger file, creating a buffer overflow. This overflow overwrites stack variables, including the return address, and can be used to execute code as root. Additionally, since the daemon is controlled by inetd, it is possible to retry exploitation of this problem repeatedly: if the daemon dies, it is simply restarted by inetd upon the next finger request.

CFingerD Utilities Format String Vulnerability
BugTraq ID: 2915
Remote: No
Date Published: 2001-06-21
Relevant URL: http://www.securityfocus.com/bid/2915
Summary:
A problem exists in cfingerd that makes it possible to pass format string specifiers. Due to insufficient validation of input in a section of the util.c file, it is possible to pass arbitrary format strings through the .nofinger file. Because certain format specifiers allow writing to memory, it may be possible for users to create a format string value that will cause almost arbitrary values to be written to attacker-supplied locations in memory. An attacker may be able to use these format specifiers in a maliciously constructed .nofinger file to corrupt critical areas of memory, and may be able to execute arbitrary code on the host if a return address or function pointer is overwritten. cfingerd by default runs as root and is managed by inetd. By exploiting this vulnerability, it is possible for local users to execute arbitrary code as root, and thus gain root privileges on the local system.
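Both cfingerd advisories come down to treating .nofinger content as trusted. This added example (not cfingerd's code; the 80-character limit is the figure reported above, and the .nofinger contents in the test are constructed) reads a line without overrunning a fixed buffer, passes it to the printf family only as a "%s" argument so that directives in it are never interpreted, and counts directives as a detection check for auditing existing files.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s, treating "%%" as a literal
 * percent sign. A non-zero count means s must never be used as a format
 * string; it also makes a cheap audit rule for existing .nofinger files. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The vulnerable pattern in this class of bug is printf(line).
 * Here the line is an argument to a fixed "%s" format, so its bytes are
 * copied verbatim and "%n" or "%x" inside it are plain text.
 * Returns the length written, or -1 if the line does not fit in out. */
int emit_nofinger_line(char *out, size_t outsz, const char *line)
{
    int r = snprintf(out, outsz, "%s", line);
    return (r < 0 || (size_t)r >= outsz) ? -1 : r;
}

/* Bounded reader for one .nofinger line: at most limit-1 bytes are kept
 * (the reported limit is 80), anything beyond is drained and dropped.
 * Returns the number of bytes kept, or -1 at end of file. */
int read_nofinger_line(FILE *fp, char *buf, size_t limit)
{
    if (fgets(buf, (int)limit, fp) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
        return (int)n;
    }
    int c;                       /* line too long: discard the remainder */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    return (int)n;               /* truncated, but the buffer is intact */
}
```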
