Xvt Buffer Overflow Vulnerability
BugTraq ID: 2955
Remote: No
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2955
Summary:
Xvt is a terminal emulator for systems using X11R6. It is often installed setuid/setgid so that it runs with the enhanced privileges required to log user sessions.

Xvt contains a buffer overflow in its handling of the '-name' argument. If the argument is of excessive length, a stack overrun occurs and the extraneous data overwrites stack variables. This condition may permit an attacker to take control of the process by replacing a function return address with a pointer to supplied shellcode.

An attacker can exploit this buffer overflow to execute arbitrary code with the enhanced privileges of Xvt. On some systems, Xvt is installed setuid root; on these systems a successful local attacker gains complete control over the affected host. On other systems Xvt is installed with enhanced but non-root privileges (such as gid 'utmp'). Compromise of these privileges may lead to further compromise or have other consequences (denial of service, etc.).

Xvt -T Buffer Overflow Vulnerability
BugTraq ID: 2964
Remote: No
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2964
Summary:
Xvt is a terminal emulator for systems using X11R6. It is often installed setuid/setgid so that it runs with the enhanced privileges required to log user sessions.

Xvt contains a buffer overflow in its handling of the '-T' argument. When the argument to this option is of excessive length, an invalid memory access occurs and the program crashes. The cause is not known for certain, but it is likely that an overrun occurs during an unbounded memory copy and that the segmentation fault happens when the process dereferences pointers corrupted by the overrun. This overflow may occur in the heap rather than on the stack.
Though the '-T' overflow may or may not be exploitable, it should be of concern because Xvt is often installed to run with enhanced privileges. On some systems, Xvt is installed setuid root; on these systems a successful local attacker gains complete control over the affected host. On other systems Xvt is installed with enhanced but non-root privileges (such as gid 'utmp'). Compromise of these privileges may lead to further compromise or have other consequences (denial of service, etc.).

phpMyAdmin Included File Arbitrary Command Execution Vulnerability
BugTraq ID: 2966
Remote: Yes
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2966
Summary:
phpMyAdmin is a freely available tool that provides a web interface for MySQL administrative tasks.

An input validation error exists in phpMyAdmin that could allow remote users to cause arbitrary files to be included and loaded by the PHP interpreter at runtime. The problem is the result of how some user-supplied values are handled by the 'sql.php' script: for some queries, the script includes a filename supplied by a remote user. It is also possible to bypass the authentication mechanism provided by the script by submitting a specially crafted value for the 'server' field in the query. This authentication is not enabled in default installations of phpMyAdmin.

As a result, a remote user can supply the path to a file residing anywhere on the filesystem of a host running phpMyAdmin. This may result in the disclosure of sensitive information contained in the included file. If an attacker is able to place a file containing arbitrary PHP code on the host, the attacker could cause that code to be executed with the privileges of the web server.
phpPgAdmin Included File Arbitrary Command Execution Vulnerability
BugTraq ID: 2967
Remote: Yes
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2967
Summary:
phpPgAdmin is a freely available tool that provides a web interface for PostgreSQL administrative tasks. It is derived from phpMyAdmin, which serves the same purpose for MySQL.

An input validation error exists in phpPgAdmin that could allow remote users to cause arbitrary files to be included and loaded by the PHP interpreter at runtime. The problem is the result of how some user-supplied values are handled by the 'sql.php' script: for some queries, the script includes a filename supplied by a remote user. It is also possible to bypass the authentication mechanism provided by the script by submitting a value for the 'LIB_INC' field in a query, which causes the script to skip authenticating the user. This authentication is not enabled in default installations of phpPgAdmin.

As a result, a remote user can supply the path to a file residing anywhere on the filesystem of a host running phpPgAdmin. This may result in the disclosure of sensitive information contained in the included file. If an attacker is able to place a file containing arbitrary PHP code on the host, the attacker could cause that code to be executed with the privileges of the web server.

SquirrelMail Remote Command Execution Vulnerability
BugTraq ID: 2968
Remote: Yes
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2968
Summary:
SquirrelMail is a freely available webmail package written in PHP.

An input validation error exists in SquirrelMail that could enable remote users to execute arbitrary commands on a host running the package. The problem occurs when certain query values are submitted to some of the scripts included with the package.
A remote user can cause the SquirrelMail scripts to fail to load the files containing configuration values, which bypasses the authentication mechanisms used in the package. Once authentication is bypassed, the scripts can be coerced into creating a preferences file for a non-existent user. Malicious PHP code injected into this file is executed when one of the scripts later loads the preferences file for that user. As a result, remote users can execute arbitrary commands on a host running SquirrelMail with the privileges of the web server.

phpSecurePages Included File Arbitrary Command Execution Vulnerability
BugTraq ID: 2970
Remote: Yes
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2970
Summary:
phpSecurePages is a PHP module that protects pages with a login name and password.

An input validation error exists that could enable remote users to cause the 'interface.php' script used by phpSecurePages to be loaded from an arbitrary location. The problem is the result of how files are loaded by the 'checklogin.php' script. A variable named 'cfgProgPath' defines the path of the 'interface.php' configuration file and is passed directly as part of the include() statement used to load that file. Because PHP (with register_globals enabled, the default at the time) creates a variable named after each element of the query string, a remote user can assign an arbitrary value to 'cfgProgPath'. PHP also supports, and by default allows, the inclusion of remote files through include(), with the path given as an HTTP or FTP URL.

As a result, a remote user can supply the URL of a site hosting a malicious 'interface.php' as the value of 'cfgProgPath'. The checklogin.php script on the site running phpSecurePages then executes whatever code that file contains, with the privileges of the web server.
Xinetd Zero String Length Buffer Overflow Vulnerability
BugTraq ID: 2971
Remote: Yes
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2971
Summary:
A buffer overflow condition may exist in the xinetd daemon. The problem is the result of improper handling of string data in some internal functions used by xinetd. When a length argument with a value less than or equal to zero is passed to one of these functions, the intended bound on the copy is defeated, and excessive data may be copied past the end of the buffer, corrupting the stack. An attacker may be able to execute arbitrary code by overwriting a function return address with a value pointing to supplied shellcode. If successfully exploited, the attacker gains root privileges on the affected host. It may also be possible to crash xinetd, which results in a denial of service for all services started by the daemon.

Apache Tomcat Cross-Site Scripting Vulnerability
BugTraq ID: 2982
Remote: Yes
Date Published: 2001-07-02
Relevant URL: http://www.securityfocus.com/bid/2982
Summary:
Apache Tomcat can be used together with the Apache web server or as a stand-alone server for Java Servlets and JavaServer Pages; it ships with a built-in web server.

Tomcat does not filter script embedded in links that are displayed on a server's website. This problem is related to an input validation error in the servlet container. An attacker can craft a hyperlink so that JavaScript commands or embedded scripts are executed by any user who clicks on it. When the malicious hyperlink is followed, Tomcat generates an error message that echoes the supplied script. The script is then executed in the client's browser and treated as content originating from the target server that returned the error message.
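The xinetd entry above turns on a detail worth seeing in code: a signed length of zero or less, once used in size_t arithmetic, wraps into an enormous bound. The C below is an added example written for this digest, not xinetd's own code; the helper names, the "len - 1" bound convention and the buffer sizes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not xinetd's code. The bound actually enforced by a
 * helper that computes "len - 1" in size_t arithmetic: for len <= 0 the
 * subtraction wraps, so the "bounded" copy is effectively unbounded.
 * Pure arithmetic, nothing is copied. */
size_t effective_limit(int len)
{
    return (size_t)len - 1;        /* (size_t)0 - 1 == SIZE_MAX */
}

/* Vulnerable pattern (hypothetical): the caller passes a signed length
 * and the helper trusts it. With len == 0 the strncpy bound is SIZE_MAX
 * (copy the whole source, however long) and the terminator lands at
 * dst[-1]. Shown for comparison only; never call it with len <= 0. */
void copy_unchecked(char *dst, int len, const char *src)
{
    strncpy(dst, src, (size_t)len - 1);
    dst[len - 1] = '\0';
}

/* Hardened form: validate the length before any arithmetic on it, copy
 * at most len-1 bytes and always NUL-terminate. Returns 0 when src fits,
 * 1 when it was truncated, -1 for a NULL pointer or a length <= 0. */
int copy_bounded(char *dst, int len, const char *src)
{
    if (dst == NULL || src == NULL || len <= 0)
        return -1;
    size_t cap  = (size_t)len - 1;          /* safe: len >= 1 here */
    size_t have = strlen(src);
    size_t take = have < cap ? have : cap;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return have > cap ? 1 : 0;
}

int main(void)
{
    char buf[8];
    printf("bound for len=0: %zu (SIZE_MAX is %zu)\n",
           effective_limit(0), (size_t)SIZE_MAX);
    printf("copy_bounded len=0: %d\n", copy_bounded(buf, 0, "hello"));
    printf("copy_bounded len=4: %d -> \"%s\"\n",
           copy_bounded(buf, 4, "hello"), buf);
    return 0;
}
```

The check to carry into a review is the first line of copy_bounded: a length parameter that is signed must be rejected when non-positive before it is converted, since every later comparison silently happens in unsigned arithmetic.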
The cross-site scripting also obscures the attacker, since the script appears to originate from the trusted host. Successful exploitation could lead to the compromise of the affected user's session with, or data held by, the target site.

Lmail Temporary File Race Condition Vulnerability
BugTraq ID: 2984
Remote: No
Date Published: 2001-07-05
Relevant URL: http://www.securityfocus.com/bid/2984
Summary:
Jon Zeeff's lmail is a local mail delivery agent (LDA) designed to provide mail-to-pipe and mail-to-file aliasing for smail.

A race condition vulnerability exists in the lmail program. The program uses the mktemp() library function to generate a unique temporary file name and then opens that file in the normally world-writable /tmp directory. No check is performed that the file does not already exist (that is, the file is not opened with an exclusive-create flag), rendering lmail susceptible to a symbolic link attack. The program also writes data from its standard input (stdin) directly to the temporary file. Because lmail is usually installed setuid root, a local user may be able to overwrite any file on the system with arbitrary data.

XDM Session Cookie Guessing Vulnerability
BugTraq ID: 2985
Remote: Yes
Date Published: 2001-07-04
Relevant URL: http://www.securityfocus.com/bid/2985
Summary:
xdm is the X Display Manager, a component of the XFree86 package. xdm manages the display of X sessions both locally and remotely.

A problem in xdm makes it possible for a remote user to gain access to the session of another user. This could lead to a remote user gaining access to a local system with the privileges of any user, potentially including root. The problem manifests in X packages compiled with the HasXdmXauth option set. With this option enabled, the default build makes xdm derive its session cookie values from the gettimeofday() call. A remote user able to observe the start of an X session can use the time the session started in a brute force attack against the server's cookie.
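For the lmail entry above, the following C stages the temporary-file race with the attacker already ahead and contrasts the open() lmail is described as using with the exclusive-create form. It is an added example, not lmail's code: the file names, the payload and the private mkdtemp() directory it works in are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern (lmail-style, hypothetical names): the name was
 * chosen beforehand with mktemp() and nothing verifies it is still
 * unused. O_CREAT without O_EXCL follows a symlink planted at that name
 * and creates or truncates the link's target instead. */
int open_tmp_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything, including
 * a dangling symlink, already occupies the path. mkstemp() does this
 * internally and retries with a fresh name, which is the usual fix. */
int open_tmp_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long read_small_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (long)n;
}

/* Stage the race inside a private directory so nothing outside it is
 * touched:
 *   1. attacker: symlink <dir>/lmail.tmp -> <dir>/victim
 *   2. setuid program: open the predicted name and write its stdin
 * Returns 1 if the vulnerable open wrote through the link into "victim"
 * and the hardened open refused, 0 if either did not, -1 on setup error. */
int run_symlink_race_demo(void)
{
    char dir[] = "/tmp/lmaildemoXXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./lmaildemoXXXXXX");        /* fall back to cwd */
        if (mkdtemp(dir) == NULL) return -1;
    }
    char link[300], victim[300], content[32];
    snprintf(link, sizeof link, "%s/lmail.tmp", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    int result = -1;
    if (symlink(victim, link) == 0) {
        const char payload[] = "stdin data";      /* constructed input */
        int fd = open_tmp_vulnerable(link);
        if (fd >= 0) {
            ssize_t w = write(fd, payload, strlen(payload));
            close(fd);
            int wrote_through =
                w == (ssize_t)strlen(payload) &&
                read_small_file(victim, content, sizeof content) == (long)strlen(payload) &&
                strcmp(content, payload) == 0;

            int fd2 = open_tmp_hardened(link);    /* link still present */
            int refused = fd2 < 0;
            if (fd2 >= 0) close(fd2);

            result = (wrote_through && refused) ? 1 : 0;
        }
    }
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("race demo result: %d (1 = vulnerable open followed the link, hardened refused)\n",
           run_symlink_race_demo());
    return 0;
}
```

The point to carry away is that the check lmail lacks cannot be a separate stat() or access() call, because the attacker can create the link between that call and the open(); only an atomic exclusive create (O_EXCL, or mkstemp() which wraps it) closes the window.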
Knowledge of the session start time makes a brute force attack against the xdm cookie trivial, because the cookie's only unpredictable input is that timestamp.

Cobalt Raq3 PopRelayD Arbitrary SMTP Relay Vulnerability
BugTraq ID: 2986
Remote: Yes
Date Published: 2001-07-04
Relevant URL: http://www.securityfocus.com/bid/2986
Summary:
poprelayd is a script that parses /var/log/maillog for valid POP logins and, based on the login of a client, allows the person logged into the POP3 service to also send mail from the IP address they are accessing the system from.

A problem with the poprelayd script allows users to relay SMTP arbitrarily, which could lead to spamming. The problem is due to the method by which poprelayd identifies users authorized to relay. The script parses /var/log/maillog for a string matching the following regular expression:

/POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9]\.]+)/)

However, sendmail also logs to this file. A user can connect to the SMTP port and send input that sendmail logs to /var/log/maillog, crafted so that the logged line matches the expression; poprelayd then treats the remote address as authorized and the user can relay mail through the system.

Lucent RADIUS Remote Buffer Overflow Vulnerability
BugTraq ID: 2989
Remote: Yes
Date Published: 2001-07-05
Relevant URL: http://www.securityfocus.com/bid/2989
Summary:
The Lucent RADIUS implementation is a user authentication software package designed to offer enhanced security services to users needing remote access to various resources. The package is no longer maintained by Lucent and is in the public domain.

A problem with the software package makes it possible for remote users to execute arbitrary code. If this vulnerability is exploited, a remote user can gain local access to the system. The daemon runs as root by default, so a remote user may also gain local administrative privileges. Multiple buffer overflows within the Lucent RADIUS package can be exploited to compromise a remote system.
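For the XDM entry above, the following C shows why a cookie derived from gettimeofday() is guessable: every byte of the cookie is a function of one microsecond timestamp, so an attacker who knows the session start to within a second has at most a few million candidates. This is an added example written for this digest; the generator (a 64-bit linear congruential step stretched to 16 bytes) is hypothetical and does not reproduce xdm's own code, and the timestamp used is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16

/* Hypothetical generator standing in for "derive the cookie from
 * gettimeofday()": the seed is seconds*1e6 + microseconds, and every
 * output byte is a function of that one 64-bit value. */
uint64_t seed_from_time(uint64_t sec, uint64_t usec)
{
    return sec * 1000000ULL + usec;
}

void make_cookie(uint64_t seed, unsigned char out[COOKIE_LEN])
{
    uint64_t x = seed;
    for (int i = 0; i < COOKIE_LEN; i++) {
        x = x * 6364136223846793005ULL + 1442695040888963407ULL;  /* LCG step */
        out[i] = (unsigned char)(x >> 56);
    }
}

/* Attacker side: given an observed cookie and the session start time
 * known to +/- window_sec, enumerate every microsecond seed in that
 * window. Returns the seed that reproduces the cookie, or 0 if none. */
uint64_t brute_force_cookie(const unsigned char target[COOKIE_LEN],
                            uint64_t guess_sec, unsigned window_sec)
{
    uint64_t first = guess_sec > window_sec ? guess_sec - window_sec : 0;
    uint64_t lo = first * 1000000ULL;
    uint64_t hi = (guess_sec + window_sec + 1) * 1000000ULL;
    unsigned char c[COOKIE_LEN];
    for (uint64_t s = lo; s < hi; s++) {
        make_cookie(s, c);
        if (memcmp(c, target, COOKIE_LEN) == 0)
            return s;
    }
    return 0;
}

/* Size of the search space for a given uncertainty, for comparison with
 * the 2^128 values a 16-byte cookie could in principle take. */
uint64_t candidates_for_window(unsigned window_sec)
{
    return (2ULL * window_sec + 1) * 1000000ULL;
}

int main(void)
{
    /* constructed: a session observed to start at 2001-07-04 08:00:00 UTC */
    uint64_t real_seed = seed_from_time(994233600ULL, 271828ULL);
    unsigned char cookie[COOKIE_LEN];
    make_cookie(real_seed, cookie);

    uint64_t found = brute_force_cookie(cookie, 994233600ULL, 1);
    printf("search space: %llu candidates\n",
           (unsigned long long)candidates_for_window(1));
    printf("recovered seed: %llu (%s)\n", (unsigned long long)found,
           found == real_seed ? "match" : "no match");
    return 0;
}
```

The fix is not a better mixing function but a better seed: a cookie should be filled from a cryptographic random source (such as /dev/urandom on systems that have it) so that its entropy is the full 128 bits rather than the attacker's uncertainty about a clock.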
Due to insufficient sanity checking of user-supplied data in various components of the Lucent RADIUS package, such as the logging facilities of radiusd, a remote user can trigger a buffer overflow that overwrites variables on the stack, including the return address. At least 11 distinct buffer overflows have been found throughout the Lucent RADIUS source code. Numerous routines within log.c, menu.c, version.c, radiusd.c and users.c use functions that are inherently unsafe.

sprintf() is used frequently. It constructs a string using printf-style formatting and stores it in a supplied buffer, but enforces no size limit on the string being created. If an attacker can force the creation of a string larger than the buffer it is written to, an overrun occurs. Another recurring problem is the use of strcpy(), which performs an unbounded copy of one string into another and can likewise be exploited to cause a buffer overflow and code execution. Finally, there are off-by-one buffer overflows within the program that may be exploitable to execute arbitrary code and potentially gain elevated privileges.

Merit RADIUS Buffer Overflow Vulnerability
BugTraq ID: 2991
Remote: Yes
Date Published: 2001-07-05
Relevant URL: http://www.securityfocus.com/bid/2991
Summary:
The Merit RADIUS implementation is a user authentication software package designed to offer enhanced security services to users needing remote access to various resources.

A problem with the software package makes it possible for remote users to execute arbitrary code. If this vulnerability is exploited, a remote user can gain local access to the system. The daemon runs as root by default, so a remote user may also gain local administrative privileges.
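The three patterns named in the Lucent RADIUS entry above (unbounded strcpy(), sprintf() into a fixed buffer, and an off-by-one) are the same ones behind the Xvt '-name' overflow and the Merit RADIUS overflows, so one added example serves all of them. The C below is written for this digest and is not code from any of those packages; the buffer sizes, the log-line format and the function names are assumptions. Each vulnerable form sits beside a bounded form, and a small helper computes the overrun a reviewer would want to quantify.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX     16   /* hypothetical fixed buffer sizes */
#define LOG_LINE_MAX 64

/* 1. strcpy(): an unbounded copy of attacker data into a fixed buffer,
 *    the pattern behind the Xvt '-name' overflow and the RADIUS users.c
 *    overflows. Overruns dst for any src of USER_MAX bytes or more.
 *    Shown for comparison only. */
void store_user_vulnerable(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened: look for the terminator inside the buffer's capacity and
 * refuse outright when it is not there. Rejecting beats silent
 * truncation, which can turn one name into another. Returns 0 or -1. */
int store_user(char dst[USER_MAX], const char *src)
{
    const char *nul = memchr(src, '\0', USER_MAX);
    if (nul == NULL) return -1;                 /* >= USER_MAX chars */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* 2. sprintf(): the fixed text in the format adds to the attacker's
 *    bytes, so a name that passed its own length check can still push a
 *    log line past the buffer (RADIUS log.c). Shown for comparison only. */
void log_line_vulnerable(char *line, const char *user, const char *nas)
{
    sprintf(line, "auth failure for user %s from NAS %s", user, nas);
}

/* Hardened: snprintf() never writes past LOG_LINE_MAX, and its return
 * value is the length the full line needed, so truncation is detectable.
 * Returns the line length, or -1 if the line did not fit. */
int log_line(char line[LOG_LINE_MAX], const char *user, const char *nas)
{
    int need = snprintf(line, LOG_LINE_MAX,
                        "auth failure for user %s from NAS %s", user, nas);
    return (need < 0 || need >= LOG_LINE_MAX) ? -1 : need;
}

/* 3. Off-by-one: the byte count is clamped to the buffer size instead of
 *    one less, so the terminator goes to dst[USER_MAX], one past the end.
 *    Shown for comparison only. */
void copy_off_by_one(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n > USER_MAX) n = USER_MAX;       /* should be USER_MAX - 1 */
    memcpy(dst, src, n);
    dst[n] = '\0';                        /* out of bounds when n == USER_MAX */
}

/* Review helper: by how many bytes would copying src (with its NUL) into
 * a cap-byte buffer overrun it? 0 means it fits. */
size_t overrun_bytes(const char *src, size_t cap)
{
    size_t need = strlen(src) + 1;
    return need > cap ? need - cap : 0;
}

int main(void)
{
    char user[USER_MAX], line[LOG_LINE_MAX];
    printf("store_user(15 chars): %d\n", store_user(user, "123456789012345"));
    printf("store_user(16 chars): %d\n", store_user(user, "1234567890123456"));
    printf("log_line short: %d\n", log_line(line, "alice", "nas1"));
    printf("overrun for a 16-char name: %zu byte(s)\n",
           overrun_bytes("1234567890123456", USER_MAX));
    return 0;
}
```

Two habits follow from the example: treat the return value of snprintf() as a signal, not noise, and count the terminator when comparing a length against a buffer size, since the off-by-one case is exactly the one where a length equal to the buffer size looks safe.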
Multiple buffer overflows within the Merit RADIUS package can be exploited to compromise a remote system. Due to insufficient sanity checking of user-supplied data in various components of the package, such as the logging functions of the RADIUS daemon, a remote user can trigger a buffer overflow that overwrites variables on the stack, including the return address. The use of an inherently unsafe function within authenticate.c and funcs.c makes numerous overflows exploitable: strcpy() is used frequently, and it performs an unbounded copy of one string into another. This can be exploited to cause a buffer overflow and code execution.

Lucent RADIUS Format String Vulnerability
BugTraq ID: 2994
Remote: Yes
Date Published: 2001-07-06
Relevant URL: http://www.securityfocus.com/bid/2994
Summary:
The Lucent RADIUS implementation is a user authentication software package designed to offer enhanced security services to users needing remote access to various resources. The package is no longer maintained by Lucent and is in the public domain.

A problem with the software package makes it possible for remote users to execute arbitrary code. If this vulnerability is exploited, a remote user can gain superuser access to the system. Format string vulnerabilities exist within log.c, users.c and version.c. These files pass user-influenced data to printf-family functions as the format string rather than as an argument, so format specifiers in that data are interpreted. Specifiers such as %n write to memory locations taken from the stack, and attackers can use them to overwrite critical values in memory with malicious replacements that cause the execution of supplied shellcode or otherwise compromise the daemon's enhanced privileges.
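For the Lucent RADIUS format string entry above, the following C puts the vulnerable call beside the fixed one, shows what %n does when it has a legitimate argument, and includes a small audit helper that counts the conversions a piece of attacker text would trigger. This is an added example written for this digest, not Lucent's code; the function names and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the attacker's text *is* the format string. "%x" reads
 * values off the stack into the output and "%n" writes the count of
 * bytes emitted so far to an address taken from the stack. Shown for
 * comparison only; nothing here calls it. */
void log_msg_vulnerable(char *out, size_t cap, const char *user_text)
{
    snprintf(out, cap, user_text);
}

/* Fixed: a constant format, with the user text passed as the %s
 * argument. The same bytes reach the log but are never interpreted. */
void log_msg(char *out, size_t cap, const char *user_text)
{
    snprintf(out, cap, "%s", user_text);
}

/* What %n does when it has a legitimate argument: after "AAAA" four
 * bytes have been emitted, so 4 is stored through the pointer. In the
 * vulnerable call the pointer is whatever the attacker steered onto
 * the stack, which is how a write-what-where primitive arises. */
int demo_percent_n(void)
{
    int written = -1;
    char buf[16];
    snprintf(buf, sizeof buf, "AAAA%n", &written);
    return written;
}

/* Audit helper: count the conversions a string would trigger if it were
 * used as a format ("%%" is an escape, not a conversion). A non-zero
 * count on attacker-controlled text marks a call that needs the fix. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

int main(void)
{
    char out[64];
    const char *attacker = "%x.%x.%x.%n";      /* constructed sample */
    log_msg(out, sizeof out, attacker);
    printf("fixed call logs: %s\n", out);
    printf("%%n stored: %d\n", demo_percent_n());
    printf("directives in sample: %d\n", count_format_directives(attacker));
    return 0;
}
```

Compilers flag the vulnerable form when asked (-Wformat-security in gcc and clang), which is the cheapest way to sweep a code base like the one described above for further instances.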
