ProFTPD Client Hostname Resolving Vulnerability
BugTraq ID: 3310
Remote: Yes
Date Published: 2001-09-07
Relevant URL: http://www.securityfocus.com/bid/3310
Summary:
ProFTPD is a popular FTP server for Unix systems. ProFTPD contains a vulnerability that may allow remote attackers to bypass ProFTPD access control lists (ACLs) or cause false information to be logged. When 'UseReverseDNS' is enabled in the configuration file, ProFTPD attempts to reverse-resolve the hostnames of connecting clients. The resolved hostname is then evaluated against the ACLs and recorded as the client address in the logs. Unfortunately, ProFTPD does not forward-resolve the hostname to verify that one of the IP addresses listed in its DNS records matches that of the connected client. A remote attacker with control over address space may set an arbitrary hostname as the PTR record for the attacking address. When the attacker connects, ProFTPD resolves the attacker-specified hostname and evaluates it against its hostname-based ACLs. If the attacker is aware of permitted hostnames, it may be possible to bypass ACL restrictions and log in by exploiting this vulnerability. The ProFTPD logs will also record the reverse-resolved hostname.

Taylor UUCP Argument Handling Privilege Elevation Vulnerability
BugTraq ID: 3312
Remote: No
Date Published: 2001-09-08
Relevant URL: http://www.securityfocus.com/bid/3312
Summary:
Taylor UUCP is an implementation of the UUCP package originally written by Ian Lance Taylor. A problem has been discovered in the Taylor UUCP package that makes it possible for a local user to gain elevated privileges. The problem lies in improper checking of command line input and the acceptance of arbitrary configuration files. uux is a program included with the Taylor UUCP package. uux, as implemented in the package, is designed to execute commands remotely on other UUCP hosts, such as rnews and rmail.
This program is usually used to provide the mail and news distribution functionality in a UUCP network. The problem occurs in the handling of configuration files by uux when uucp is invoked within it. By executing uux, using the uucp program within uux, and passing a malicious configuration file to uucp through the --config parameter, it is possible for a local user to execute commands on the local host with setuid privileges. The commands passed to uucp through the file specified in --config are usually executed by uuxqt, a daemon on the system that by default executes rnews and rmail. uuxqt is setuid uucp. Therefore, a local user executing uux and passing a malicious configuration file to uucp using the --config flag may gain privilege elevation to uucp, and potentially local root access, when the configuration file is executed by uuxqt.

[ Quick way to remove the exploitability of the vulnerability: chmod 0 /usr/bin/uucp. The uucp command is only useful if UUCP is needed, which is normally not the case for rmail/rnews. ]

Joerg Wendland LibNSS-PgSQL Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3314
Remote: Yes
Date Published: 2001-09-10
Relevant URL: http://www.securityfocus.com/bid/3314
Summary:
Joerg Wendland's 'libnss-pgsql' is an NSS (Name Service Switch) module for PostgreSQL. The NSS database module 'libnss-pgsql' is prone to a vulnerability which allows SQL queries to be manipulated via an HTTP request. Data that is included in SQL query strings is not adequately sanitized. It may be possible for users to modify the structure of SQL queries by carefully constructing variables containing metacharacters that will be included in the target query. It is believed that the attacker would need an interactive account on the vulnerable host to exploit this issue. Attacks will be executed on the database server as the database user that is making the query.
This issue allows the user to access resources that would normally be restricted, which may in turn provide an opportunity for the attacker to exploit other vulnerabilities that exist in the server.

NSS NSS_PostGreSQL Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3315
Remote: Yes
Date Published: 2001-09-10
Relevant URL: http://www.securityfocus.com/bid/3315
Summary:
NSS (Name Service Switch) can use PostgreSQL as a back-end for authentication. The NSS database module 'nss_postgresql' is prone to a vulnerability which allows SQL queries to be manipulated via an HTTP request. Data that is included in SQL query strings is not adequately sanitized. It may be possible for users to modify the structure of SQL queries by carefully constructing variables containing metacharacters that will be included in the target query. It is believed that the attacker would need an interactive account on the vulnerable host to exploit this issue. Attacks will be executed on the database server as the database user that is making the query. This issue allows the user to access resources that would normally be restricted, which may in turn provide an opportunity for the attacker to exploit other vulnerabilities that exist in the server.

Joerg Wendland Pam-PSQL Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3317
Remote: Yes
Date Published: 2001-09-10
Relevant URL: http://www.securityfocus.com/bid/3317
Summary:
Joerg Wendland's 'pam-psql' is a PAM authentication module to be used with PostgreSQL. 'pam-psql' is prone to a vulnerability which allows SQL queries to be manipulated via any medium which requires a user to authenticate (HTTP, SSH, telnet, etc.). Data that is included in SQL query strings is not adequately sanitized. It may be possible for users to modify the structure of SQL queries by carefully constructing variables containing metacharacters that will be included in the target query.
This issue allows the user to access resources that would normally be restricted, which may in turn provide an opportunity for the attacker to exploit other vulnerabilities that exist in the server. The attacker may be able to exploit this issue to gain unauthorized access to the host.

Leon J Breedt Pam-PSQL Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3319
Remote: Yes
Date Published: 2001-09-10
Relevant URL: http://www.securityfocus.com/bid/3319
Summary:
Leon J Breedt's 'pam-psql' is a PAM authentication module to be used with PostgreSQL. 'pam-psql' is prone to a vulnerability which allows SQL queries to be manipulated via any medium which requires a user to authenticate (HTTP, SSH, telnet, etc.). Data that is included in SQL query strings is not adequately sanitized. It may be possible for users to modify the structure of SQL queries by carefully constructing variables containing metacharacters that will be included in the target query. This issue allows the user to access resources that would normally be restricted, which may in turn provide an opportunity for the attacker to exploit other vulnerabilities that exist in the server. The attacker may be able to exploit this issue to gain unauthorized access to the host.

SpeechD Privileged Command Execution Vulnerability
BugTraq ID: 3326
Remote: No
Date Published: 2001-09-11
Relevant URL: http://www.securityfocus.com/bid/3326
Summary:
SpeechD is a device-independent layer for speech synthesis under Linux, providing an interface for speech-based applications or device drivers. SpeechD has been found to contain an input validation flaw under certain implementations. User input is accepted and passed to a system() call without having been checked for shell metacharacters. This can permit a local user to pass arbitrary commands to be executed at the privilege level of speechd by passing them to the /dev/speech device. This issue has been confirmed to affect speechd running with the rsynth application.
It may also potentially affect festival and other applications.
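The ProFTPD entry (BID 3310) comes down to one missing step: the PTR name is used without checking that it forward-resolves back to the connecting address. The following is an added example, not ProFTPD code, that models a hostname-based ACL with pluggable resolver callbacks over a constructed DNS snapshot (hypothetical names, RFC 5737 documentation addresses), so it runs offline and shows the PTR-only decision beside the forward-confirmed one.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, added example (not ProFTPD code)."""
from typing import Callable, Iterable, Optional

PtrLookup = Callable[[str], Optional[str]]      # address -> PTR name or None
ForwardLookup = Callable[[str], Iterable[str]]  # name -> addresses (A records)

# Constructed DNS snapshot. 198.51.100.7 publishes a PTR record that claims
# the name trusted.example.com, but that name's A record points elsewhere.
PTR_RECORDS = {
    "192.0.2.10": "trusted.example.com",
    "198.51.100.7": "trusted.example.com",   # forged PTR
}
A_RECORDS = {
    "trusted.example.com": ["192.0.2.10"],
}

def ptr_lookup(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)

def forward_lookup(name: str) -> Iterable[str]:
    return A_RECORDS.get(name, [])

def client_name_ptr_only(ip: str, ptr: PtrLookup = ptr_lookup) -> str:
    """Vulnerable behaviour: whatever the PTR record says becomes the client name."""
    return ptr(ip) or ip

def client_name_fcrdns(ip: str, ptr: PtrLookup = ptr_lookup,
                       forward: ForwardLookup = forward_lookup) -> str:
    """Hardened: the PTR name is accepted only if it forward-resolves to ip.
    On a mismatch the literal address is used for ACLs and logs, never the claim."""
    name = ptr(ip)
    if name is None:
        return ip
    if ip in set(forward(name)):
        return name
    return ip

ALLOWED_HOSTS = {"trusted.example.com"}   # hypothetical hostname-based ACL

def acl_allows(ip: str, resolver: Callable[[str], str]) -> bool:
    """Evaluate the ACL using the given client-name policy."""
    return resolver(ip) in ALLOWED_HOSTS

if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "ptr-only:", acl_allows(ip, client_name_ptr_only),
              "fcrdns:", acl_allows(ip, client_name_fcrdns))
```

The same fallback to the literal address should feed the log line, since the entry notes that the logs otherwise record the attacker-chosen name as well.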
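The four PostgreSQL NSS/PAM entries (BIDs 3314, 3315, 3317 and 3319) share one defect: user-supplied values are spliced into the SQL text, so metacharacters change the query's structure. The following is an added example and not those modules' code; it uses Python's built-in sqlite3 in place of PostgreSQL and a constructed user table so it runs offline, and puts the string-built query beside the parameterised one.

```python
"""String-built vs parameterised authentication query, added example."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table (stands in for the PostgreSQL backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def build_query_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern: the input becomes part of the SQL text itself."""
    return ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
            % (user, password))

def authenticate_unsafe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    row = conn.execute(build_query_unsafe(user, password)).fetchone()
    return row[0] > 0

def authenticate_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened: placeholders keep the input as data; the query structure is fixed."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] > 0

def compare(user: str, password: str):
    """Run both variants on a fresh table; report a structural break as text."""
    conn = make_db()
    try:
        unsafe = authenticate_unsafe(conn, user, password)
    except sqlite3.OperationalError:
        unsafe = "syntax error"   # the quote in the input broke the statement
    return unsafe, authenticate_safe(conn, user, password)

if __name__ == "__main__":
    for creds in [("alice", "correct-horse"), ("alice", "wrong"),
                  ("o'brien", "x"), ("alice'--", "wrong")]:
        print(creds, "unsafe/safe:", compare(*creds))
```

Note that even a legitimate name containing an apostrophe breaks the string-built statement, while the parameterised form treats every input, hostile or not, as a plain value. The underlying PostgreSQL modules would need the same change with libpq's parameter-passing calls.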
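The SpeechD entry (BID 3326) is the classic system() case: a string handed to the shell is re-parsed, so metacharacters in the text turn into extra commands. The following is an added example, not speechd's code; the command name 'synth' is a hypothetical placeholder, and the argv runner substitutes the Python interpreter for the synthesiser so the example runs offline. It models the shell's word splitting with shlex to show how many commands the string form would produce, and shows that the argv form delivers the text as a single, literal argument.

```python
"""Shell string vs argv for passing user text to a helper program, added example."""
import shlex
import subprocess
import sys

SEPARATORS = {";", "|", "&", "||", "&&"}

def build_shell_command_unsafe(text: str) -> str:
    """Vulnerable pattern: this string would go to system(3), i.e. /bin/sh -c."""
    return "synth " + text          # 'synth' is a hypothetical command name

def shell_commands(cmdline: str):
    """Model of how a POSIX shell would split cmdline into separate commands.
    Uses shlex's punctuation tokenising; returns a list of argv lists."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def build_argv(text: str):
    """Hardened: an argv list is never parsed by a shell, so the text is one argument."""
    return ["synth", text]

def run_argv_demo(text: str) -> str:
    """Execute the argv form with the interpreter standing in for 'synth' and
    return what the child actually received as its single argument."""
    argv = build_argv(text)[1:]     # drop the placeholder command name
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])"] + argv,
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")

if __name__ == "__main__":
    user_text = "hello; echo INJECTED"          # constructed sample input
    print(shell_commands(build_shell_command_unsafe(user_text)))
    print(repr(run_argv_demo(user_text)))
```

If a shell cannot be avoided, the text should additionally be restricted to an allowlist of characters before it is embedded, but dropping the shell is the change that removes the bug class rather than one instance of it.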
