XFree86 fbglyph Denial of Service Vulnerability
BugTraq ID: 3657
Remote: Unknown
Date Published: Dec 08 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3657
Summary:
XFree86 4.x is vulnerable to a potential memory corruption / buffer overflow attack. This vulnerability has been demonstrated using the KDE web browser / file management application "Konqueror", and represents at the very least a denial of service. It may also indicate an exploitable buffer overflow that could be used by an attacker to gain privileges on the machine running the X server, and may or may not be remotely exploitable (depending on which applications expose it). This is a vulnerability in the XFree86 server itself and not in the client applications that can be used to trigger it. It has been reported under the following circumstances:

1. When the Konqueror browser processes excessively long strings in the actual browser window (i.e., pasting these to a remote site from within the browser).
2. Double-clicking on excessively long filenames in the file manager of Konqueror.

Technical details are not yet available, although a patch for fbglyph.c has been released.

XTerm Title Bar Buffer Overflow Vulnerability
BugTraq ID: 3663
Remote: No
Date Published: Dec 08 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3663
Summary:
XFree86 is a freely available implementation of the X Window System. It is publicly maintained and packaged with many Unix and Unix-like operating systems. A problem with X makes it possible for a remote user to execute a buffer overflow attack. The problem is in the handling of strings passed via the -title option. The -title option used with xterm allows the user executing xterm to set the title bar of the xterm to a suitable string. However, when an excessively long string is supplied with the -title option, a buffer overflow resulting in a segmentation fault occurs. This problem could allow an attacker to overwrite stack variables, including the return address of the process. Doing so would give an attacker the ability to execute arbitrary code.
Since xterm is included on most systems as a setuid root executable, this makes it possible for a malicious local user to execute arbitrary code with root privileges and gain local administrative access.

[ What is not made clear is that this buffer overflow can be triggered via, e.g., an ssh session started from an xterm: a simple write to the tty on the remote machine is enough, since it will send an xterm escape sequence to change the title. One sees this, e.g., with recent versions of screen, where a screen inside an ssh inside an xterm changes the title bar. On the other hand, most distributions that have /dev/pts do not need to run xterm as root: utmp is enough if one wants to be able to update it, e.g., the utmp group on Debian, cf. ls -la /usr/X11R6/bin/xterm. Still, it is certainly an attack against the user. Let us add that other xterm-based programs are probably vulnerable as well. ]

CSVForm Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 3668
Remote: Yes
Date Published: Dec 11 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3668
Summary:
CSVForm is a Perl CGI script used to format input from a CGI form into a comma-separated value text file, commonly used for later import into a database. The file to which comma-separated data will be written is accepted by CSVForm as an input parameter. This parameter is not checked for shell metacharacters. A maliciously formed URL submitted to the script could contain additional shell commands, which are passed to the shell during a file open command. These additional commands would then be executed as the web server user, generally 'nobody'. As a result, the attacker may execute arbitrary code on the vulnerable system.
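The CSVForm issue above is the classic Perl pattern of interpolating a user-supplied filename into a two-argument open(), which lets '|' and mode characters in the string reach a shell or change the open mode. The following is an added illustration of how such a CGI can handle the parameter safely; it is not CSVForm's own code, and the parameter name "csvfile", the data directory /var/www/csvdata and the use of CGI.pm are assumptions.

```perl
#!/usr/bin/perl
# Hardened handling of a user-supplied output filename for a CSV-writing CGI.
# Added example, not CSVForm's code; "csvfile" and the directory are assumed.
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock O_WRONLY O_APPEND O_CREAT);

my $q = CGI->new;
my $datadir = '/var/www/csvdata';   # assumed fixed, non-web-accessible directory

# The class of bug in the advisory: two-argument open() treats a leading or
# trailing '|' as a command to pipe to/from, and leading '<', '>' or '>>' as
# a mode, so a raw parameter must never be interpolated into its second argument:
#   open(OUT, ">>$datadir/" . $q->param('csvfile'));   # unsafe pattern

sub safe_csv_path {
    my ($name) = @_;
    # Allow-list: one path component of letters, digits, '_' and '-', ending
    # in .csv. This rejects shell metacharacters, '/', '..' and NUL bytes.
    return undef unless defined $name
        && $name =~ /\A([A-Za-z0-9_-]{1,64})\.csv\z/;
    return "$datadir/$1.csv";     # $1 is the validated (untainted) stem
}

my $path = safe_csv_path(scalar $q->param('csvfile'));
unless (defined $path) {
    print $q->header(-status => '400 Bad Request'), "invalid csvfile parameter\n";
    exit;
}

# sysopen() takes the path as data only: no shell, no mode parsing.
# Append-only with a restrictive mode, so existing data is never clobbered.
sysopen(my $out, $path, O_WRONLY | O_APPEND | O_CREAT, 0640)
    or do { print $q->header(-status => '500 Internal Server Error'); exit };
flock($out, LOCK_EX) or die "flock: $!";

# Quote every field so embedded commas, quotes or newlines cannot break a record.
my @fields = map { my $v = $_ // ''; $v =~ s/"/""/g; qq("$v") }
             map { scalar $q->param($_) } $q->param;
print {$out} join(',', @fields), "\n";
close $out or die "close: $!";
print $q->header('text/plain'), "ok\n";
```

Running the script under taint mode (-T) makes the allow-list mandatory, since an untainted filename is the only way the path can reach sysopen().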
FreeBSD AIO Library Cross Process Memory Write Vulnerability
BugTraq ID: 3661
Remote: No
Date Published: Dec 10 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3661
Summary:
aio.h is a library implementing the POSIX standard for asynchronous I/O. Support for AIO may be enabled in FreeBSD by compiling the kernel with the VFS_AIO option. This option is not enabled in the default kernel configuration. Under some circumstances, pending reads from an input socket may persist through a call to execve. Eventually the read will complete and write into the memory space of the new process. A malicious local user may take advantage of this vulnerability: a program may be constructed to set up asynchronous I/O calls and then call execve on a suid binary. Once the suid process is started, data read by the initial AIO calls may be written to arbitrary locations within the memory space of the suid process. This could immediately lead to the execution of arbitrary code as the root user.
