Sendmail Debugger Arbitrary Code Execution Vulnerability
BugTraq ID: 3163
Remote: No
Date Published: 2001-08-17
Relevant URL:
http://www.securityfocus.com/bid/3163
Summary:

An input validation error exists in Sendmail's debugging functionality.

The problem is the result of the use of signed integers in the program's
tTflag() function, which processes the arguments supplied on the command
line with the '-d' switch and writes the values into its internal "trace
vector."  The vulnerability exists because supplying a sufficiently large
numeric value for the 'category' part of the debugger argument causes a
signed integer overflow.  The resulting value is used as an index into
the trace vector.

Before the vector is written to, a check is performed to ensure that the
supplied index value is not greater than the size of the vector.
However, because a signed integer comparison is used and no lower bound is
enforced, the check can be bypassed by supplying a value that wraps to a
negative signed integer: the negative index passes the comparison and the
write lands before the start of the vector.  This may allow an attacker to
write data to anywhere within a certain range of locations in process
memory.

Because the '-d' command-line switch is processed before the program drops
its elevated privileges, this could lead to a full system compromise.
This vulnerability has been successfully exploited in a laboratory
environment.
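
The check described above, as an added illustration written for this page
(not Sendmail's own code): a hand-rolled digit accumulator parses the
category from a '-dcategory.level' argument, and the signed comparison is
shown beside a bounded one.  The vector size of 100, the accumulator
parse, and the sample arguments are assumptions; the example assumes a
32-bit int and two's-complement conversion.

```c
#include <limits.h>
#include <stdio.h>

#define TRACE_SIZE 100               /* assumed size of the trace vector */

static unsigned char trace_vec[TRACE_SIZE];

typedef enum { CHECK_SIGNED, CHECK_BOUNDED } check_mode;

/* Accumulate a decimal category digit by digit, as a hand-rolled parser
   (assumed here) would.  The arithmetic is unsigned so the wraparound is
   well-defined; the final conversion to int yields the negative value on
   two's-complement targets, which is what the signed comparison sees.
   Assumes a 32-bit int. */
static int parse_category(const char *s, const char **end)
{
    unsigned int v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (unsigned int)(*s++ - '0');
    *end = s;
    return (int)v;
}

/* Returns 1 if the write to trace_vec[category] would be performed under
   the given check, 0 if it is rejected.  The parsed index is stored in
   *idx so the caller can see where the write would land. */
int debug_arg_accepted(const char *arg, check_mode mode, int *idx)
{
    const char *p;
    int category = parse_category(arg, &p);
    int level = 0;
    if (*p == '.')                               /* "category.level" form */
        level = parse_category(p + 1, &p);
    if (idx)
        *idx = category;

    int accepted = (mode == CHECK_SIGNED)
        ? (category < TRACE_SIZE)                           /* vulnerable */
        : (category >= 0 && category < TRACE_SIZE);         /* hardened */

    /* Only store when the index really is in range.  With the signed
       check a negative category is "accepted" and a real implementation
       would write at trace_vec + category, i.e. before the vector. */
    if (accepted && category >= 0 && category < TRACE_SIZE)
        trace_vec[category] = (unsigned char)level;
    return accepted;
}

int main(void)
{
    /* Constructed arguments: two ordinary ones, two that wrap negative. */
    static const char *args[] = { "5.3", "200.3", "4294967295.1", "2147483648.1" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int idx;
        int v = debug_arg_accepted(args[i], CHECK_SIGNED, &idx);
        int f = debug_arg_accepted(args[i], CHECK_BOUNDED, &idx);
        printf("-d%-14s index=%11d signed-check=%-6s bounded-check=%s\n",
               args[i], idx, v ? "write" : "reject", f ? "write" : "reject");
    }
    return 0;
}
```

"4294967295" wraps to -1 (one byte before the vector) and "2147483648" to
INT_MIN; both pass the signed check and are rejected by the bounded one.
Declaring the index unsigned achieves the same effect as the explicit lower
bound, since a wrapped value is then simply a large number above TRACE_SIZE.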

glFTPD LIST Denial of Service Vulnerability
BugTraq ID: 3201
Remote: Yes
Date Published: 2001-08-17
Relevant URL:
http://www.securityfocus.com/bid/3201
Summary:

glFtpD contains an input validation error that may allow a malicious user
to cause a denial of service against a host running the daemon.

The problem occurs when the server receives a specially crafted 'LIST'
command.  If the argument to the command contains an excessive number of
'*' characters, the server ceases to respond and consumes all available
CPU resources on the system.

If the attack is successful, the server will need to be manually restarted
to regain normal functionality.
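
The advisory does not identify the code path, but CPU exhaustion that grows
with the number of '*' characters in a filename argument is the signature
of a wildcard matcher that backtracks over every possible split at each
'*'.  The following is an added illustration written for this page, not
glFtpD's code: a naive recursive matcher with a step budget beside a
linear-time matcher.  The pattern and filename are constructed, and the
assumption that the daemon's matcher behaved like the naive one is mine.

```c
#include <stdio.h>

/* Naive wildcard matcher: at every '*' it tries "match nothing" and then
   "consume one more character and retry".  On a non-matching name with k
   stars the number of paths explored grows roughly with n^k.  'steps'
   counts recursive calls and 'budget' stands in for the CPU the daemon
   would burn; the function returns -1 once the budget is exceeded. */
static int match_naive(const char *p, const char *s,
                       unsigned long *steps, unsigned long budget)
{
    if (++*steps > budget)
        return -1;
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {
        int r = match_naive(p + 1, s, steps, budget);  /* '*' matches nothing */
        if (r != 0)
            return r;                                  /* matched, or out of budget */
        if (*s == '\0')
            return 0;
        return match_naive(p, s + 1, steps, budget);   /* '*' eats one more char */
    }
    if (*s != '\0' && (*p == '?' || *p == *s))
        return match_naive(p + 1, s + 1, steps, budget);
    return 0;
}

/* Greedy matcher: remembers only the most recent '*' and where it was
   tried, so earlier stars are never re-explored.  Worst case O(n*m)
   regardless of how many '*' characters the client sends. */
int match_linear(const char *p, const char *s)
{
    const char *star = NULL, *resume = NULL;
    while (*s != '\0') {
        if (*p == '?' || *p == *s) {
            p++; s++;
        } else if (*p == '*') {
            star = p++;          /* remember the star, try matching nothing */
            resume = s;
        } else if (star != NULL) {
            p = star + 1;        /* backtrack: let the last star eat one more */
            s = ++resume;
        } else {
            return 0;
        }
    }
    while (*p == '*')
        p++;
    return *p == '\0';
}

/* Runs the naive matcher under a step budget.  Returns 1 if it finished,
   0 if it was cut off; *steps receives the number of calls made. */
int naive_finishes(const char *pattern, const char *name,
                   unsigned long budget, unsigned long *steps)
{
    *steps = 0;
    return match_naive(pattern, name, steps, budget) != -1;
}

int main(void)
{
    /* Constructed inputs: a benign glob and a hostile one with many '*'. */
    const char *name = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";   /* 30 a's */
    const char *benign = "*.tar.gz";
    const char *hostile = "*a*a*a*a*a*a*a*a*a*a*b";        /* 11 stars, no 'b' in name */
    unsigned long steps;

    printf("linear %-24s -> %d\n", benign, match_linear(benign, "backup.tar.gz"));
    printf("linear %-24s -> %d\n", hostile, match_linear(hostile, name));
    naive_finishes(benign, "backup.tar.gz", 1000000UL, &steps);
    printf("naive  %-24s -> finished after %lu steps\n", benign, steps);
    int done = naive_finishes(hostile, name, 10000000UL, &steps);
    printf("naive  %-24s -> %s after %lu steps\n", hostile,
           done ? "finished" : "cut off", steps);
    return 0;
}
```

The hostile pattern forces the naive matcher past ten million calls on a
30-character name, while the linear matcher rejects it in a few dozen
iterations; a server-side cap on the number of wildcards accepted in a
LIST argument is the cheap defence when the matcher cannot be replaced.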

FreeBSD IPFW Me Point To Point Interface Address Addition Vulnerability
BugTraq ID: 3206
Remote: No
Date Published: 2001-08-17
Relevant URL:
http://www.securityfocus.com/bid/3206
Summary:

FreeBSD is a freely available BSD-based UNIX Operating System distributed
and maintained by the FreeBSD Project.

A problem in the ipfw software package included with FreeBSD could allow
unintended hosts on the other side of point to point interfaces access to
the system.

The problem lies in the handling of point-to-point interfaces and the use
of the "me" identifier in ipfw rules.  When a rule using the "me"
identifier is applied on a point-to-point interface, ipfw also matches the
IP address of the remote end of the link, so the rule allows access from
that host as though it were a local address.

This could give a remote host unintended access to the system and could
lead to compromise of local resources.

Surf-Net ASP Forum Predictable Cookie ID Vulnerability
BugTraq ID: 3210
Remote: Yes
Date Published: 2001-08-20
Relevant URL:
http://www.securityfocus.com/bid/3210
Summary:

Surf-Net ASP Forum is a free, open-source web-based message board.

Surf-Net ASP Forum supports cookie-based authentication.  However, ASP
Forum assigns a predictable value when it saves the cookie on the user's
machine.  Instead of randomizing the ID number stored in the cookie, ASP
Forum uses a value derived directly from the forum user's UserID.

The code used to determine the cookie sequence number is as follows:

lngLoggedInUserID = CLng(Request.Cookies("Forum")("UserID") / 888888)

The administrative account has a UserID of 1, so the ID number in its
cookie will be "0888888" (the stored value divided by 888888 must yield
1).  A malicious user can exploit this issue by editing the cookie locally,
substituting the admin's cookie ID for the one they were initially
assigned.

FreeBSD linprocfs Privileged Process Memory Disclosure Vulnerability
BugTraq ID: 3217
Remote: Yes
Date Published: 2001-08-21
Relevant URL:
http://www.securityfocus.com/bid/3217
Summary:

FreeBSD's linprocfs is an implementation of the Linux /proc filesystem,
which provides an interface to some process and system information and
parameters.  It is used with Linux binaries so they can obtain access to
exported kernel data.

An access validation error occurs because the permission check for the
/proc/<pid>/mem file is made when the file is opened rather than on each
access.  An unprivileged process that opens the /proc/<pid>/mem file of a
process it is entitled to debug, before that process becomes privileged,
retains read access to the memory of the now-privileged process through
the open descriptor.

This may result in the disclosure of sensitive data in the target
process's memory.
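
The sequence above, modelled as an added example written for this page
(not FreeBSD's procfs code): a descriptor records the open-time decision,
the target then gains privilege, and the read path either trusts the stale
decision or re-runs the check.  The struct layout, the can_debug rule, the
uid values and the "secret" strings are all constructed for the model.

```c
#include <stdio.h>
#include <string.h>

/* A process as the access check sees it.  'secret' stands in for its memory. */
struct proc {
    unsigned uid;        /* effective user id */
    int privileged;      /* set once the process runs a set-user-ID image */
    const char *secret;
};

/* Descriptor state for an open /proc/<pid>/mem file. */
struct mem_fd {
    struct proc *target;
    unsigned opener_uid;
    int is_open;
};

/* Debug permission (assumed rule): same uid, and the target has not
   gained privilege since. */
static int can_debug(unsigned caller_uid, const struct proc *target)
{
    return caller_uid == target->uid && !target->privileged;
}

/* open(2): in the vulnerable path this is the only place permission is checked. */
int mem_open(struct mem_fd *fd, unsigned caller_uid, struct proc *target)
{
    if (!can_debug(caller_uid, target))
        return -1;
    fd->target = target;
    fd->opener_uid = caller_uid;
    fd->is_open = 1;
    return 0;
}

/* Vulnerable read: trusts the open-time decision, so a descriptor obtained
   before the target became privileged keeps reading its memory. */
const char *mem_read_vulnerable(const struct mem_fd *fd)
{
    if (!fd->is_open)
        return NULL;
    return fd->target->secret;
}

/* Hardened read: re-evaluates the check against the target's current
   credentials on every access, so a stale descriptor stops working. */
const char *mem_read_fixed(const struct mem_fd *fd)
{
    if (!fd->is_open || !can_debug(fd->opener_uid, fd->target))
        return NULL;
    return fd->target->secret;
}

/* The target executes a set-user-ID root image and now holds privileged data. */
static void exec_setuid_root(struct proc *p)
{
    p->uid = 0;
    p->privileged = 1;
    p->secret = "root-only data (constructed)";
}

/* Plays the sequence once.  Returns 1 if uid 1000 reads the privileged
   process's memory, 0 if the read is refused, -1 if the initial open fails. */
int scenario_leaks(int hardened)
{
    struct proc target = { 1000, 0, "uid-1000 data (constructed)" };
    struct mem_fd fd = { NULL, 0, 0 };
    const char *m;

    if (mem_open(&fd, 1000, &target) != 0)   /* allowed: same uid, unprivileged */
        return -1;
    exec_setuid_root(&target);               /* target becomes privileged */
    m = hardened ? mem_read_fixed(&fd) : mem_read_vulnerable(&fd);
    return m != NULL && strcmp(m, "root-only data (constructed)") == 0;
}

/* A fresh open after the target is privileged is refused on both paths. */
int late_open_refused(void)
{
    struct proc target = { 0, 1, "root-only data (constructed)" };
    struct mem_fd fd = { NULL, 0, 0 };
    return mem_open(&fd, 1000, &target) != 0;
}

int main(void)
{
    printf("open before exec, open-time check only: %s\n",
           scenario_leaks(0) == 1 ? "memory disclosed" : "refused");
    printf("open before exec, check on every read:  %s\n",
           scenario_leaks(1) == 1 ? "memory disclosed" : "refused");
    printf("open after exec:                        %s\n",
           late_open_refused() ? "refused" : "allowed");
    return 0;
}
```

The point the model makes is general: a credential check done once at
open time is only as good as the assumption that the target's privilege
never changes while the descriptor lives, and process memory files are
exactly the case where it does.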

