Samba Remote Arbitrary File Creation Vulnerability
BugTraq ID: 2928
Remote: Yes
Date Published: 2001-06-23
Relevant URL: http://www.securityfocus.com/bid/2928
Summary:

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms.

A problem has been discovered that can allow remote file creation. This problem can lead to denial of service attacks against the server, and may also lead to an elevation of privileges by a user with local access.

The problem is due to insufficient validation of NetBIOS hostnames by the Samba daemon. When a request is made to the Samba server, a NetBIOS hostname is passed through the daemon to request a specific share. This input is not checked sufficiently, and can allow the passing of meta-characters and strings to the logging facilities of Samba, whose logs are normally kept in /var/log/samba.

The Samba configuration file by default allows the supplied strings to pass as directory specifications. Because of this, it is possible to pass strings to the daemon which will allow the writing of files outside the /var/log/samba directory, anywhere on the filesystem to which the Samba user has write access. In the event that Samba is run as root, this makes it possible for a remote user to overwrite sensitive system files, creating a potential denial of service situation.

[ Debian appears not to be vulnerable given the way the name is built by default -- check your own case anyway, particularly if you generated the config with a tool such as Webmin or SWAT ]

Icecast Directory Traversal Vulnerability
BugTraq ID: 2932
Remote: Yes
Date Published: 2001-06-26
Relevant URL: http://www.securityfocus.com/bid/2932
Summary:

Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.

Icecast does not filter URL-encoded characters from web requests. If a remote attacker crafts a URL containing the ASCII equivalent of directory traversal characters, it will be possible to escape Icecast's "root" directory. This will allow the attacker to display arbitrary world-readable files on the server.

The disclosed information may be of a sensitive nature and can be used to make further attacks on the vulnerable host.

Icecast DoS Vulnerability
BugTraq ID: 2933
Remote: Yes
Date Published: 2001-06-26
Relevant URL: http://www.securityfocus.com/bid/2933
Summary:

Icecast is an open source audio-streaming server for both Unix and Microsoft Windows systems.

Icecast does not safely handle user-supplied input. The server will crash when requests for files include certain characters. The behaviour occurs when the remote attacker adds a '/', '\' or '.' to the end of the URL they craft to request the file. Note that it isn't necessary to make a valid file request, as the software does not handle the supplied input properly regardless.

The result of successful exploitation is a denial of service. The software must be restarted to regain normal functionality.

Paul Jarc cvmlogin Privilege Elevation Vulnerability
BugTraq ID: 2934
Remote: Yes
Date Published: 2001-06-26
Relevant URL: http://www.securityfocus.com/bid/2934
Summary:

'cvmlogin' is an implementation of the Unix 'login' utility that implements the CVM framework. It is developed by Paul Jarc.

'cvmlogin' contains a vulnerability that can be exploited to gain root privileges.

After a user has authenticated using 'cvmlogin', another utility called 'setstate' executes the user's shell. 'setstate' is executed using the pathexec() functionality from Dan J. Bernstein's unix library. The 'setstate' utility depends on environment variables set by 'cvmlogin' for user properties such as the user's uid and shell. These environment variables are set by 'cvmlogin' using the pathexec_env() function.

'cvmlogin' does not check the return value of pathexec_env(). If there is a shortage of memory, pathexec_env() will fail and not set the desired environment variable in the environment for 'setstate'. If the 'UID' environment variable exists before 'cvmlogin' attempts to set it and is inherited by 'setstate', 'setstate' will setuid to the value of 'UID' before executing the user shell.

If 'cvmlogin' is installed setuid root, this vulnerability may be exploitable locally. This may also be exploitable through telnet daemons.

This vulnerability is only exploitable by an attacker who can successfully authenticate on the target host.

[ I don't know what this is, but it appears to be open source so I'm including it :) ]
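
The unchecked-return pattern described in the cvmlogin entry, next to a fail-closed version, as an added C example that is not cvmlogin's code or part of the original digest. set_var() and its simulate_oom switch are hypothetical stand-ins for an environment setter that can fail, and the UID values are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv()/unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an environment setter that can fail when memory
 * is short; simulate_oom forces that failure for the demonstration. */
static int simulate_oom = 0;
static int set_var(const char *name, const char *value) {
    if (simulate_oom) return 0;                /* 0 = failure, 1 = success */
    return setenv(name, value, 1) == 0;
}

/* Pattern from the advisory: the return value is ignored, so a UID that was
 * already in the environment survives when the setter fails. */
static const char *prepare_unchecked(const char *uid) {
    set_var("UID", uid);
    return getenv("UID");                      /* what the child would see */
}

/* Hardened pattern: drop the inherited value first, check the result, and
 * return NULL (caller must not exec the child) on any failure. */
static const char *prepare_checked(const char *uid) {
    if (unsetenv("UID") != 0) return NULL;
    if (!set_var("UID", uid)) return NULL;
    return getenv("UID");
}

/* One scenario: the caller's environment already holds UID=0 and the
 * authenticated account has uid 1000 (both constructed values). Returns the
 * UID the child would inherit, or -1 if the launcher refused to continue. */
static long scenario(int checked, int oom) {
    const char *seen;
    setenv("UID", "0", 1);                     /* inherited, caller-controlled */
    simulate_oom = oom;
    seen = checked ? prepare_checked("1000") : prepare_unchecked("1000");
    simulate_oom = 0;
    return seen ? strtol(seen, NULL, 10) : -1;
}

int main(void) {
    printf("unchecked, setter ok:    %ld\n", scenario(0, 0));
    printf("unchecked, setter fails: %ld\n", scenario(0, 1));
    printf("checked,   setter ok:    %ld\n", scenario(1, 0));
    printf("checked,   setter fails: %ld\n", scenario(1, 1));
    return 0;
}
```

The same two steps apply to every variable the child trusts: remove whatever was inherited, then treat a failed set as a reason to abort the login.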
