Zyxel Prestige SDSL Router IP Packet Length Remote Denial Of Service Vulnerability
BugTraq ID: 3695
Remote: Yes
Date Published: Dec 14 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3695
Summary:
Prestige is a product line of DSL routers produced and distributed by Zyxel. A problem has been discovered in Zyxel routers that could lead to a remote denial of service attack. The problem is in the handling of malformed packets. When a Zyxel router receives a malformed packet whose IP length field is shorter than the actual size of the packet, the router becomes unstable and drops connectivity. This loss of connectivity can last up to three minutes, so a remote user could deny service to legitimate users of the router. The router is affected only by malformed packets received through the DSL interface; malformed packets sent through the LAN interface have no effect on the system. This problem has been reported in the model 681 routers, and may affect others in the Prestige product line as well.

[ Not free: proprietary firmware. But since this can affect a free system too ... ]

Webmin Directory Traversal Vulnerability
BugTraq ID: 3698
Remote: Yes
Date Published: Dec 17 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3698
Summary:
Webmin is a web-based interface for system administration of Unix. Using any browser that supports tables and forms, you can set up user accounts, Apache, DNS, file sharing and so on. Webmin runs on most Unix variants, provided it has been properly configured. A vulnerability has been discovered in Webmin 0.91 (and possibly other versions) which may allow a remote attacker to view the contents of arbitrary files. Webmin does not adequately filter '../' sequences from web requests, making it prone to directory traversal attacks. Furthermore, since Webmin is a facility for remote web-based administration of Unix systems, it requires root privileges.
This vulnerability could be exploited to disclose any file on a host running the affected software. This issue is known to exist in the edit_action.cgi script. It may also be possible to edit files or place files on the server, which may lead to a remote root compromise.

[ Giving access to any of the Webmin modules generally amounts to handing over the root password anyway. ]

KDE2 KDEUtils KLPRFax_Filter Insecure Temporary File Creation Vulnerability
BugTraq ID: 3694
Remote: No
Date Published: Dec 14 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3694
Summary:
KDE2 is a freely available, open source X Window System manager. It is maintained by the KDE Project. A problem with a program included in the KDE Utils package could make it possible for a local user to launch a symbolic link attack. The problem is in the klprfax_filter program. klprfax_filter is a program included with KDE2 for fax functionality. klprfax_filter works by adding a printer as a fax system, then passing the output of a print job through a filter to fax. The problem is in the creation of files in the temporary directory. The program uses the following code:

    cat >/tmp/klprfax.$$
    /opt/kde/bin/klprfax --fax /tmp/klprfax.$$ >/tmp/klprfax.filter 2>&1
    rm -f /tmp/klprfax.$$

The program does not check for the existence of the klprfax.filter file before redirecting output to it. This makes it possible for a local user to create a symbolic link with that name pointing to any file that is write-accessible by the user executing klprfax_filter, and so overwrite the contents of that file. This could result in a local user overwriting files owned by other users, and potentially in elevated privileges.

Agora.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 3702
Remote: Yes
Date Published: Dec 17 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3702
Summary:
Agora.cgi is a freely available, open source shopping cart system.
An input validation error exists in the Agora.cgi e-commerce system which may enable an attacker to perform cross-site scripting attacks. The Agora.cgi script does not adequately filter HTML tags. As a result, it is possible for an attacker to construct a link to the script that includes maliciously crafted script code. When the link is clicked by a web user, the script code is executed in that user's browser in the context of the site running Agora.cgi. This issue may be exploited by an attacker to steal cookie-based authentication credentials, permitting the attacker to hijack an Agora.cgi session and perform actions as a legitimate user. A number of other cross-site scripting attacks are also possible. Agora.cgi 3.3e (and possibly other versions) is prone to this issue.

xSANE Insecure Temporary File Creation Vulnerability
BugTraq ID: 3700
Remote: No
Date Published: Dec 17 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3700
Summary:
xSANE is a graphical program used to communicate with scanners and digital video devices. It uses the SANE library to communicate with the physical devices. xSANE creates temporary files in the /tmp directory during the scanning process. Temporary files are also used to communicate with the SANE processes when images are previewed or saved. xSANE uses the mktemp(3) library call, which generates predictable file names, so a local attacker can create symbolic links with those names in advance. When a local user then runs xSANE, arbitrary files may be overwritten. Earlier versions of xSANE may also be vulnerable.

WMCube/GDK Object File Buffer Overflow Vulnerability
BugTraq ID: 3706
Remote: No
Date Published: Dec 17 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3706
Summary:
WMCube/GDK is a freely available, open source application for monitoring CPU load. It can be used with one or multiple CPUs. A problem with WMCube/GDK could make it possible for a local user to gain elevated privileges.
The problem is in the handling of object files. WMCube/GDK allows the executing user to load object files: a user may specify their own object file to be loaded by the program using the -o flag. WMCube/GDK does not properly enforce the 64-byte limit on object files that is hard-coded into the program. Because of this, a local user can load an object file greater than 64 bytes, creating a buffer overflow. This overflow could be used to overwrite stack variables, including the return address, and execute arbitrary code. A local attacker may gain egid 'kmem', which allows reading of kernel memory. Elevation to root is straightforward once an attacker can read kmem.

Zyxel Prestige SDSL Router IP Fragment Reassembly Vulnerability
BugTraq ID: 3711
Remote: Yes
Date Published: Dec 18 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3711
Summary:
Prestige is a product line of DSL routers produced and distributed by Zyxel. A problem has been discovered in Zyxel routers that could lead to a remote denial of service attack. The problem is in the receipt of fragmented packets. When a Zyxel router receives fragmented packets that are greater than 64 kilobytes in length after reassembly, the router crashes and must be power cycled to resume normal operation. This could lead to a remote user denying service to legitimate users of the router. The router is affected only by fragmented packets received through the DSL interface; fragmented packets sent through the LAN interface have no effect on the system. This problem has been reported in the model 681 routers, and may affect others in the Prestige product line as well.

[ same ]

- To post an announcement: [EMAIL PROTECTED]
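Added example (written for this digest, not code from KDE Utils or xSANE) for the klprfax_filter and xSANE temporary-file advisories above: the predictable-name open both advisories describe, beside the two hardened forms, mkstemp(3) and open(2) with O_EXCL|O_NOFOLLOW. The file names, the "victim" file and the planted link are constructed inside a private mkdtemp(3) sandbox so nothing outside it is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Advisory pattern: open a predictable /tmp name for writing and truncate it. A
 * symlink planted there is followed, so its target gets overwritten. fd or -1. */
int unsafe_open(const char *predictable_path) {
    return open(predictable_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened fixed-name variant: O_EXCL fails if anything (a symlink included)
 * already exists at the path, and O_NOFOLLOW never follows a link. */
int safe_open_fixed(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened unique-name variant: mkstemp(3) fills the XXXXXX with a random
 * suffix and creates the file O_CREAT|O_EXCL in one step, closing the
 * guess-then-open window that mktemp(3) leaves. */
int safe_open_unique(char *tmpl_path) { return mkstemp(tmpl_path); }
/* Stages the race in a private mkdtemp(3) sandbox with constructed files.
 * Returns 1 when the unsafe open clobbers the victim while both hardened
 * opens behave correctly, 0 otherwise. */
int demo(void) {
    char dir[] = "/tmp/klprfax-demo.XXXXXX", victim[64], link[64], tmpl[64];
    struct stat st;
    int fd, clobbered = 0, refused, unique;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);      /* "another user's" file */
    snprintf(link, sizeof link, "%s/klprfax.filter", dir);  /* the predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/klprfax.XXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 || symlink(victim, link) != 0) return 0;
    close(fd);
    if ((fd = unsafe_open(link)) >= 0) {                    /* follows the link ... */
        close(fd);
        clobbered = (stat(victim, &st) == 0 && st.st_size == 0); /* ... victim emptied */
    }
    refused = (safe_open_fixed(link) == -1 && (errno == EEXIST || errno == ELOOP));
    fd = safe_open_unique(tmpl);
    unique = (fd >= 0 && strstr(tmpl, "XXXXXX") == NULL);  /* name was randomised */
    if (fd >= 0) close(fd);
    unlink(tmpl); unlink(link); unlink(victim); rmdir(dir);
    return clobbered && refused && unique;
}
```

For a shell script such as the klprfax_filter snippet, mktemp(1) gives the same guarantee as mkstemp(3): it creates the file atomically with an unpredictable name, so the fixed /tmp/klprfax.filter redirection target is what needs replacing.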
