Linux Init Default Umask Vulnerability
BugTraq ID: 3031
Remote: No
Date Published: 2001-07-16
Relevant URL: http://www.securityfocus.com/bid/3031

Summary:
Certain versions of the Linux kernel create the init process with umask set to 000. The umask defines how permissions are to be set on files that are created by a process. When umask is set to 000, files are created mode 777.

The initialization scripts that ship with various Linux distributions rely on inheriting a safe umask from 'init' and execute without setting it explicitly. If the kernel creates an 'init' process with a umask of 000, any init scripts which do not explicitly set their own umask will also run with umask 000. This condition opens up the possibility for security vulnerabilities because the init scripts create sensitive files.

It has been demonstrated that Slackware Linux 8.0 systems are vulnerable. Other distributions using init scripts which rely on umask inherited from the init process may be vulnerable as well.

/var/run/utmp
/lib/modules/`uname -r`/modules.dep

It has been demonstrated that there is at least one way for an attacker to gain root privileges due to this condition ('modules.dep'). See attack scenarios. There may be other avenues of exploitation to cause system damage or elevate privileges.

AdCycle AdLogin.pm Admin Authentication Bypass Vulnerability
BugTraq ID: 3032
Remote: Yes
Date Published: 2001-07-13
Relevant URL: http://www.securityfocus.com/bid/3032

Summary:
AdCycle is a series of scripts to facilitate ad banner rotation on a website. It is backended with a MySQL database. AdCycle is distributed as shareware.

AdLogin.pm is the user authentication script that comes bundled with AdCycle. Unchecked user input is included in SQL queries. It is possible for attackers to construct input that will alter the logic of the query that is used during the authentication process.

This is the format of the command AdLogin.pm uses to authenticate users:

"SELECT * FROM ad WHERE LOGIN='$account' AND PASSWORD='$password'"

The remote attacker would need to craft a URL with 'ADMIN' as the $account and 'X' OR 1 #' as the $password argument. This will alter the logic of the query and cause a response that will trick the service into thinking that the user has already authenticated. If exploited the attacker would have all the privileges of an administrator of the AdCycle service, including the ability to change ad banners.

[ this happens so often ... cf. variable binding in Perl, which avoids treating SQL queries as text ]

Other things:
- lots of problems with the LDAP interfaces of commercial UNIX and non-UNIX products
- the open-source one follows:

OpenLDAP Denial of Service Vulnerabilities
BugTraq ID: 3049
Remote: Yes
Date Published: 2001-07-16
Relevant URL: http://www.securityfocus.com/bid/3049

Summary:
The Lightweight Directory Access Protocol (LDAP) is designed to be a lightweight access protocol for directory services supporting X.500 models. It offers a means of searching, fetching and manipulating directory content.

Several input validation errors have been found to exist in OpenLDAP. The problems were discovered using the PROTOS project's LDAPv3 test suite, which tests the security of a server by presenting it with a wide variety of sample packets containing unexpected values or illegally formatted data. Specifically, the vulnerabilities were found during tests from the "Encoding" section of the test suite, which tests an LDAP server's response to packets that violate the Basic Encoding Rules (BER).

The problems enable remote attackers to cause an affected OpenLDAP server to crash, resulting in a denial of service condition. Further technical details are not available at this time.

- To post an announcement: [EMAIL PROTECTED]
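The umask inheritance described in the first advisory, as an added example that is not part of the original post or of any distribution's rc scripts: a file requested with mode 0666 is created under umask 000 (what the advisory says init passes down) and again under an explicit umask 022, and a small check flags init-script fragments that never set their own umask. The two rc fragments and the file names are constructed for the demo; everything runs in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Constructed init-script fragments (hypothetical, not Slackware's real rc files):
# the first relies on whatever umask init hands down, the second sets its own.
RC_RELIES_ON_INHERITED = """#!/bin/sh
# create run-time state
: > /var/run/utmp
"""
RC_SETS_UMASK = """#!/bin/sh
umask 022
: > /var/run/utmp
"""

# An explicit 'umask NNN' (or NNNN) line at the start of a line.
UMASK_RE = re.compile(r"^\s*umask\s+[0-7]{2,4}\b", re.MULTILINE)


def sets_umask_explicitly(script_text):
    """True if the script sets its own umask instead of inheriting one."""
    return UMASK_RE.search(script_text) is not None


def create_with_umask(mask, path, requested=0o666):
    """Create `path` under process umask `mask`; return the permission bits
    actually stored on disk, which the kernel computes as requested & ~mask."""
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
        os.close(fd)
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable(mode):
    """True if 'other' has write permission on the mode bits."""
    return bool(mode & stat.S_IWOTH)


def demo():
    """Create the same file under umask 000 and under an explicit umask 022;
    return the resulting modes keyed by the umask used."""
    with tempfile.TemporaryDirectory() as d:
        inherited = create_with_umask(0o000, os.path.join(d, "utmp.inherited"))
        explicit = create_with_umask(0o022, os.path.join(d, "utmp.explicit"))
    return {"umask_000": inherited, "umask_022": explicit}


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {oct(mode)} world-writable={world_writable(mode)}")
    print("fragment 1 sets umask:", sets_umask_explicitly(RC_RELIES_ON_INHERITED))
    print("fragment 2 sets umask:", sets_umask_explicitly(RC_SETS_UMASK))
```

The point of the check is the advisory's mitigation in miniature: an rc script that creates files such as utmp or modules.dep should not depend on the umask it inherits, so auditing for a missing `umask` line is a cheap way to find scripts exposed to this kernel behaviour.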

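The AdLogin.pm query and the variable binding the commenter refers to, as an added example that is not AdCycle's code: a login check that string-builds the advisory's query beside one that passes the values as bound parameters. Python's sqlite3 module stands in for Perl DBI and MySQL (an assumption made so it runs offline); because SQLite uses `--` rather than MySQL's `#` for comments, the constructed payload below uses `--` to express the advisory's `'X' OR 1 #` idea. The table and the admin row are constructed.

```python
import sqlite3

# Payload quoted in the advisory; '#' opens a comment in MySQL, which AdCycle uses.
ADVISORY_PAYLOAD = "X' OR 1 #"
# Same construction in SQLite's comment syntax so the in-memory demo parses it.
SQLITE_PAYLOAD = "X' OR 1 --"


def setup_db():
    """In-memory stand-in for AdCycle's 'ad' table with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ad (login TEXT, password TEXT)")
    conn.execute("INSERT INTO ad VALUES ('ADMIN', 'constructed-secret')")
    return conn


def vulnerable_login(conn, account, password):
    """Builds the statement as the advisory's AdLogin.pm format does, so quote
    characters in the input become part of the SQL and change its logic."""
    sql = f"SELECT * FROM ad WHERE LOGIN='{account}' AND PASSWORD='{password}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, account, password):
    """Bound parameters: the driver sends the values separately from the
    statement text, so the payload is compared literally against the column."""
    sql = "SELECT * FROM ad WHERE LOGIN=? AND PASSWORD=?"
    return conn.execute(sql, (account, password)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    print("string-built, payload:", vulnerable_login(db, "ADMIN", SQLITE_PAYLOAD))
    print("bound params, payload:", safe_login(db, "ADMIN", SQLITE_PAYLOAD))
    print("bound params, real pw:", safe_login(db, "ADMIN", "constructed-secret"))
```

The Perl DBI equivalent of `safe_login` is a prepared statement with `?` placeholders and the account and password supplied to `execute`, which is the variable binding the comment in the post points at; with it, the authentication query no longer treats user input as query text.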