Avaya Cajun Firmware Default Community String Vulnerability
BugTraq ID: 5396
Remote: Yes
Date Published: Aug 05 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5396
Summary:
Vulnerable versions of firmware for the Avaya Cajun line of network switches include a default read/write community string. Remote attackers may use the community string to view/set potentially sensitive properties within the device. Denial of service and network compromise may be possible. The community string, 'NoGaH$@!', is built into the firmware and has read/write access to the MIB. Unauthorized remote hosts may utilize it to gain access to the device. Using standard SNMP tools, attackers may traverse the MIB and view potentially sensitive information (interfaces, network configuration, etc). Attackers may also set configuration parameters and other properties within the MIB. It has been demonstrated that the device can be reset by setting a certain property. In addition to the confirmed denial of service attack, attackers may be able to carry out traffic redirection attacks. This is not confirmed. Avaya has removed the default community string in new versions of firmware.

[ hardware ]

Multiple Vendor calloc() Implementation Integer Overflow Vulnerability
BugTraq ID: 5398
Remote: Unknown
Date Published: Aug 05 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5398
Summary:
The calloc() C library call is used to dynamically allocate memory. It differs from malloc() in that it facilitates allocation of a number of elements of a specified size in one call. In various programming languages there exist similar language-specific operations. For example, instantiating an array of objects in C++: pointer = new SomeClass[n]; When calculating the total amount of memory to allocate, several of these implementations do not check for integer overflow conditions. If the amount of memory requested exceeds the greatest value that can be represented by a machine word, a buffer that is too small may be allocated. As this is not caught, the procedure will return successfully and the invoking application will operate as though the requested buffer has been allocated. This condition may have security implications. A heap overrun condition may result if the invoking application attempts to write into the buffer at a location beyond the boundary of what was actually allocated. This vulnerability is of particular importance if the attacker has full or limited control over the arguments to the vulnerable operation.

FreeBSD Arbitrary FFS Filesystem Data Block Access Vulnerability
BugTraq ID: 5399
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5399
Summary:
The default filesystem on FreeBSD systems is the Berkeley Fast File System (FFS). A vulnerability has been reported when allocating file sizes on an FFS system. The vulnerability is a result of improperly calculating file sizes on an FFS filesystem. The vulnerability may allow users to create files that are larger than what FreeBSD's virtual memory system can handle. This may result in a user having access to arbitrary filesystem blocks. The vulnerability only occurs on FFS filesystems with a block size greater than 16k on the i386 architecture, or greater than 32k on the alpha architecture. The filesystem must also have at least six blocks of free space, and an attacker must have write access to at least one file on the filesystem.

Mozilla FTP View Cross-Site Scripting Vulnerability
BugTraq ID: 5403
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5403
Summary:
A cross-site scripting vulnerability in Mozilla has been reported. When viewing the contents of an FTP site as web content from a ftp:// URL, the directory name is included in the HTML representation. It is not adequately sanitized before this occurs. An attacker may embed javascript as this value between opening and closing "<title>" tags in an FTP URL. When the URL is clicked on and the FTP view is rendered, the embedded script code will be executed by the victim client in the context of the server's domain. Under some circumstances, the script code may be able to access sensitive data (for example, cookies associated with the FTP server domain). Mozilla 1.0 running on Windows 2000 SP2 is confirmed vulnerable.

[ similar problems in Opera, but Opera is proprietary software so not listed here. ]

FreeBSD NFS Zero-Length RPC Message Denial Of Service Vulnerability
BugTraq ID: 5402
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5402
Summary:
A vulnerability has been reported in FreeBSD's implementation of NFS (network file system). The vulnerability occurs due to the improper handling of certain incoming RPC (Remote Procedure Call) messages. When the NFS server receives a message with a zero-length payload, the server references the payload from the previous message. This creates a loop in the message chain and will later develop into an infinite loop in a different area of the NFS server. An attacker can exploit this vulnerability by constructing a sequence of malicious requests to a vulnerable NFS server. This would result in the NFS server locking up and producing a denial of service condition.

qmailadmin Local Buffer Overflow Vulnerability
BugTraq ID: 5404
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5404
Summary:
The qmailadmin utility, developed by Inter7, is a web-based qmail administration tool. The 'qmailadmin' executable is vulnerable to a buffer overflow condition. The condition may be exploited if attackers with local access can run it. The 'qmailadmin' executable is typically installed setuid (owned by root on some systems, regular users on others). qmailadmin fails to implement adequate bounds checking when processing the 'QMAILADMIN_TEMPLATEDIR' environment variable. If a local attacker executes 'qmailadmin' with the value of this variable set to a string of excessive length, a buffer overrun will occur. It is likely that this can be exploited by malicious local users to elevate privileges.

[ The big issue with qmail is that the base software is secure -- but to make it work you need to apply a lot of patches and use external software (which cannot be in the original source for djb copyright reasons), and in most of the cases the external software and the patches are of very poor quality. ]

FreeBSD kqueue Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 5405
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5405
Summary:
A vulnerability has been reported in FreeBSD's implementation of the kqueue mechanism. kqueue provides a means for user applications to tie into some events associated with a given file descriptor, and receive asynchronous notifications when these events occur. One such event is EVFILT_WRITE, which returns whenever it is possible to write to the associated file descriptor. If a pipe is created through the pipe(2) system call, and one end subsequently closed, associating the EVFILT_WRITE event with the open end can cause a kernel panic. A local user may easily create this condition with a malicious program. Exploitation of this vulnerability may allow a local user to create a denial of service condition, and require that the vulnerable system be restarted in order to regain normal functionality.

Gaim Jabber Plug-In Buffer Overflow Vulnerability
BugTraq ID: 5406
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5406
Summary:
Gaim is an instant messaging client that supports numerous protocols. It is available for Unix and Linux variants. The Gaim client Jabber messaging plug-in is prone to a buffer overflow condition. The exact details of this issue are not currently known. However, it is possible that an attacker may leverage this condition to cause memory to be corrupted with attacker-supplied values, resulting in execution of arbitrary code as the user running the vulnerable client.

[ securityfocus makes it more and more difficult to determine if some software is proprietary or not, I think this one isn't. ]

LibPNG Wide Image Processing Memory Corruption Vulnerability
BugTraq ID: 5409
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5409
Summary:
The libpng graphics library is reported to be prone to a security-related issue with regards to handling of overly wide images. It may be possible to corrupt memory with an overly wide PNG image. An attacker may be able to exploit this condition to execute arbitrary code with the privileges of an application or client which handles the overly wide image, though this possibility has not been confirmed. It may be possible to exploit this issue via a web client that is configured to load PNG images automatically. Patches have been released which address this condition by preventing libpng from processing overly wide images.

Cisco VPN 5000 Concentrator Plaintext Password
BugTraq ID: 5417
Remote: Yes
Date Published: Aug 07 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5417
Summary:
The VPN 5000 Concentrator line supports the use of a RADIUS server to authenticate client connections. An error has been reported in this authentication process when either PAP or Challenge authentication is used. For Access-Request RADIUS messages, the VPN 5000 device will encrypt the user password. However, if a response to the initial RADIUS request is not received, the device will retransmit a second request. In this case, the client password is no longer encrypted. An attacker able to sniff network traffic will be able to view the password. This condition may also occur if a request is sent to a defined backup RADIUS server. Cisco has reported that this issue does not exist if CHAP authentication is used.

[ hardware ]

iSCSI Insecure Configuration File Permissions Information Disclosure Vulnerability
BugTraq ID: 5423
Remote: No
Date Published: Aug 08 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5423
Summary:
The iSCSI (Internet Small Computer System Interface) protocol is an Internet Protocol (IP) based storage networking standard for linking data storage facilities. iSCSI leaves administrative credentials stored in a world-readable configuration file. The configuration file that iSCSI uses is stored in /etc/iscsi.conf. Reportedly, this file is installed, by default, with world-readable and possibly world-writeable permissions enabled. This may have some potentially serious consequences, as the configuration file also stores password information in plain text. Reportedly, RedHat Linux Limbo Beta and SuSE ship with iSCSI. SuSE has reported that proper permissions are enabled for iSCSI. RedHat has confirmed that Limbo Beta ships with improper file permissions enabled and will reportedly fix it in the next release of Limbo.

Apache 2.0 Information Disclosure Vulnerability
BugTraq ID: 5434
Remote: Yes
Date Published: Aug 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5434
Summary:
A vulnerability has been reported in Apache versions 2.0.39 and earlier on non-Unix platforms (potentially including Apache compiled with CYGWIN). Platforms that may be affected by this include Windows, OS/2, and Netware. This issue is reported to allow remote attackers to gain access to sensitive information but may also allegedly be exploited to damage a server in other ways. Full details have not been disclosed at this time. However, it has been reported that it is possible to mitigate this issue via changes to server configuration. Any additional details that are released will be added to this record as they become available. Based on the provided workaround, this issue appears to be related to how Apache handles requests for restricted resources. This issue will reportedly be addressed in 2.0.40.

- To post an announcement: [EMAIL PROTECTED]
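The overflow check that the calloc() entry (BugTraq ID 5398) describes as missing, as an added example in C that is not code from the advisory or from any libc: it shows the wrapped product an unchecked implementation would hand to the allocator, and a checked wrapper that refuses the request instead of returning a too-small buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if nmemb * size does not fit in a size_t, i.e. an unchecked
 * implementation would compute a wrapped (too small) allocation size. */
int calloc_size_overflows(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return 0;
    return nmemb > SIZE_MAX / size;
}

/* The product an unchecked implementation passes on: size_t arithmetic wraps
 * modulo SIZE_MAX + 1, so a huge request can become a tiny (even zero) one. */
size_t unchecked_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked wrapper: fails cleanly on overflow instead of succeeding with a
 * buffer smaller than the caller believes it requested. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (calloc_size_overflows(nmemb, size))
        return NULL;
    void *p = malloc(nmemb * size);
    if (p != NULL)
        memset(p, 0, nmemb * size);
    return p;
}

int main(void)
{
    /* Constructed request: 2^(bits-1) elements of 2 bytes each wraps to 0. */
    size_t n = SIZE_MAX / 2 + 1;
    printf("unchecked size: %zu bytes, overflow=%d\n",
           unchecked_alloc_size(n, 2), calloc_size_overflows(n, 2));
    void *p = checked_calloc(n, 2);
    printf("checked_calloc: %s\n", p == NULL ? "rejected" : "allocated");
    free(p);
    return 0;
}
```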
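A permission check for the world-readable configuration file described in the iSCSI entry (BugTraq ID 5423), as an added example in C that is not from the advisory or from the iSCSI package; the path /etc/iscsi.conf is the one named in the entry, and the suggested mode 0600 is an assumption about the intended fix.

```c
#include <stdio.h>
#include <sys/stat.h>

enum { WORLD_READABLE = 1, WORLD_WRITABLE = 2 };

/* Classify a file mode by its "other" permission bits. */
int world_access_flags(mode_t mode)
{
    int flags = 0;
    if (mode & S_IROTH)
        flags |= WORLD_READABLE;
    if (mode & S_IWOTH)
        flags |= WORLD_WRITABLE;
    return flags;
}

/* stat() the file and classify it; returns -1 if it cannot be stat'ed. */
int check_config_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return world_access_flags(st.st_mode);
}

int main(void)
{
    const char *path = "/etc/iscsi.conf"; /* path named in the advisory */
    int f = check_config_file(path);
    if (f < 0) {
        perror(path);
        return 1;
    }
    if (f & WORLD_WRITABLE)
        printf("%s: world-writable, credentials can be read and altered (chmod 600)\n", path);
    else if (f & WORLD_READABLE)
        printf("%s: world-readable, plaintext credentials exposed (chmod 600)\n", path);
    else
        printf("%s: not accessible to other users\n", path);
    return f ? 2 : 0;
}
```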
