Stronghold Secure Web Server Information Disclosure Vulnerability
BugTraq ID: 3577
Remote: Yes
Date Published: Nov 23 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3577
Summary:
Red Hat Stronghold Secure Web Server is a web server based on the Apache source and designed to be robust and secure. The default installation of Stronghold includes the mod_status Apache module, used to report information on the status of the web server. The information disclosed by this module is sensitive, and includes the contents of the httpd.conf file. A malicious user viewing this information may be able to use it to stage further attacks on the server.

The URLs used to access this service are:
http://target/stronghold-info
http://target/stronghold-status

Although this module is compiled into Apache by default, it is not enabled in a default installation. The vulnerability exists when the module is enabled with the ExtendedStatus directive and access from external domains has not yet been disabled in the httpd.conf file. Detailed instructions on how to guard against external access are available in the current Stronghold Administration Guide.

[ which goes to show that products packaged and sold as secure are sometimes more vulnerable than the stable version of the software in question. ]

AutoNice Daemon Program Name Format String Vulnerability
BugTraq ID: 3580
Remote: No
Date Published: Nov 26 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3580
Summary:
AutoNice Daemon (AND) is a freely available, open source software package designed to limit the activity of system processes. It provides features such as killing a process that has exceeded specific memory or processor resources. A problem with the daemon could make it possible for a local user to gain elevated privileges.

The problem is in the handling of some process names. When a process has exceeded one of the pre-specified limits set by AND, the daemon will launch, sending the process SIGKILL, or some other such signal, to cease operation of the process. However, when an executing program contains format strings in its name, such as "%n%n%n%n" or "%c%c%c%c", AND suffers from a format string vulnerability that can allow the string to write to arbitrary sections of process memory, including the return address on the stack. This problem could allow a local user to execute a maliciously crafted program and execute code with the privileges of AND, which is typically run as root.

Gnome libgtop_daemon Remote Format String Vulnerability
BugTraq ID: 3586
Remote: Yes
Date Published: Nov 27 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3586
Summary:
The GNOME libgtop_daemon is used to monitor processes running on a remote system. Under some conditions, when a remote connection fails, user-supplied input is used as a format string within a log message. A malicious user may construct a string including format modifiers, causing stack information to be written to the log file, and possibly leading to remote execution of arbitrary code. While the daemon will normally execute as the nobody user, successful exploitation of this vulnerability may lead to a local shell. From a local viewpoint, elevated privileges may be easier to obtain. Older versions of libgtop_daemon may share this vulnerability.

Wu-Ftpd File Globbing Heap Corruption Vulnerability
BugTraq ID: 3581
Remote: Yes
Date Published: Nov 27 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3581
Summary:
Wu-Ftpd is an FTP server based on the BSD ftpd that is maintained by Washington University. Wu-Ftpd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow an attacker to execute arbitrary code on a server remotely.

During the processing of a globbing pattern, the Wu-Ftpd implementation creates a list of the files that match. The memory where this data is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory. If an error occurs while processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory). Under certain circumstances, the globbing function does not set this variable when an error occurs. As a result, Wu-Ftpd will eventually attempt to free uninitialized memory. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten. If anonymous FTP is not enabled, valid user credentials are required to exploit this vulnerability.

This vulnerability was initially scheduled for public release on December 3, 2001. However, Red Hat has made details public as of November 27, 2001. As a result, we are forced to warn other users of the vulnerable product, so that they may take appropriate actions.

[ for once Red Hat is faster than the others, we're not going to complain about that! This reopens the full disclosure vs. disclosure only to the `white guys' debate. ]

- To post an announcement: [EMAIL PROTECTED]
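The AND and libgtop_daemon advisories above describe the same defect class: attacker-influenced text (a process name, a message built from a failed connection) handed to a printf-style call as its format argument. The following is an added illustration, not code from either project: the hardened logging form that passes the name as data, plus a small helper a monitoring rule could use to flag process names that look like format-string probes (function names are my own).

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not AND or libgtop_daemon code.
 * The vulnerable shape in both advisories is, in effect:
 *     syslog(LOG_INFO, name);          // name is the FORMAT
 * The fix is to make the name an argument instead:
 *     syslog(LOG_INFO, "%s", name);    // name is DATA
 */

/* Hardened form: the process name is always a "%s" argument, never the
 * format, so a name such as "%n%n%n%n" is logged literally and cannot
 * steer the formatter. Returns what snprintf returns (chars written). */
int format_kill_message(char *out, size_t outlen, long pid, const char *name)
{
    return snprintf(out, outlen, "AND: killed pid %ld (%s): limit exceeded",
                    pid, name);
}

/* Detection helper for a process-monitoring rule: counts conversion
 * directives in a string, ignoring the escaped "%%". Several %n or %c
 * directives in a process name are a strong signal worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}
```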
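The Wu-Ftpd advisory above turns on a contract between a globbing routine and its callers: the error flag must be set on every failure path, or the caller frees a pointer that was never initialized. As an added example (not Wu-Ftpd's code), here is a minimal glob routine written to that contract, with a constructed file list in place of a real directory; the bracket-validation rule and the names are my own simplifications.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample directory listing (not from the advisory). */
const char *const kSampleNames[] = {"README", "readme.txt", "pub",
                                    "passwd.old", "notes.txt"};
const int kSampleCount = 5;

/* The error case: a pattern with an unterminated '['. Validating up
 * front means every failure is reported through the same path. */
static int pattern_ok(const char *p)
{
    for (; *p; p++)
        if (*p == '[' && !strchr(p + 1, ']')) return 0;
    return 1;
}

/* Shell-style matcher: '*' any run, '?' one char, '[abc]' one of a set. */
static int match(const char *p, const char *s)
{
    while (*p) {
        if (*p == '*') {
            while (*p == '*') p++;
            if (!*p) return 1;
            for (; *s; s++) if (match(p, s)) return 1;
            return 0;
        }
        if (!*s) return 0;
        if (*p == '[') {
            const char *close = strchr(p + 1, ']');
            if (!memchr(p + 1, *s, (size_t)(close - p - 1))) return 0;
            p = close + 1;
        } else {
            if (*p != '?' && *p != *s) return 0;
            p++;
        }
        s++;
    }
    return *s == '\0';
}

/* Safe contract (what the advisory says wu-ftpd broke on one path):
 * *err and *count are written on EVERY return, and the list is NULL
 * whenever nothing was allocated. Entries alias the input names. */
char **ftpglob(const char *pat, const char *const *names, int n,
               int *count, int *err)
{
    char **out = NULL;
    *count = 0;
    *err = 0;
    if (!pattern_ok(pat)) { *err = 1; return NULL; }
    out = calloc((size_t)n + 1, sizeof *out);
    if (!out) { *err = 1; return NULL; }
    for (int i = 0; i < n; i++)
        if (match(pat, names[i])) out[(*count)++] = (char *)names[i];
    return out;
}

/* Caller side: consult the flag before using the list. Because the
 * list is NULL on error, free() here is a harmless no-op rather than
 * a free of uninitialized memory. Returns matches, or -1 on error. */
int count_matches(const char *pat, const char *const *names, int n)
{
    int count, err;
    char **list = ftpglob(pat, names, n, &count, &err);
    int rc = err ? -1 : count;
    free(list);
    return rc;
}
```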
