Orinoco OEM Residential Gateway SNMP Community String Remote Configuration Vulnerability
BugTraq ID: 5436
Remote: Yes
Date Published: Aug 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5436
Summary:
Orinoco is the manufacturer of various wireless network components, including access points and network cards. A problem with some systems manufactured by Orinoco may allow remote users to gain access to sensitive information, and potentially to make AP configuration changes.

The Orinoco series OEM products typically use a unique identification string to provide access control to the management interface. This identification string is unique and static, and it is used as the authentication string for performing configuration of the access point.

It is possible to remotely obtain the identification string used for configuration of OEM access points manufactured by Orinoco through SNMP. In response to a custom-crafted SNMP query, a vulnerable access point will return system credentials, including the identification string. This identification string can be used as the administrative community string. Using it as an SNMP community string, a remote user may make configuration changes to the access point. These changes may include the alteration of domain name servers and of the Wired Equivalent Privacy (WEP) key.

[ hardware ]

ISDN4Linux IPPPD Device String SysLog Format String Vulnerability
BugTraq ID: 5437
Remote: No
Date Published: Aug 10 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5437
Summary:
isdn4linux is a freely available, open source package of ISDN compatibility tools. It is available for Linux operating systems. A problem with isdn4linux may make local code execution and privilege elevation possible.

isdn4linux contains a format string vulnerability in the ipppd utility. In some installations, this utility is installed with setuid root privileges. Exploitation of this vulnerability could lead to a local attacker executing code with administrative privileges. The problem is in the handling of device strings.
By executing ipppd with an excessively long device string (256 bytes or more) that embeds format string specifiers, it is possible to execute arbitrary attacker-supplied instructions. SecurityFocus staff have determined that this vulnerability has apparently been fixed in version 3.2p1 of the software. This has not been confirmed by the vendor.

OpenBSD select() Buffer Overflow Vulnerability
BugTraq ID: 5442
Remote: No
Date Published: Aug 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5442
Summary:
OpenBSD is a freely available, open source operating system designed with security in mind. It is maintained and distributed by the OpenBSD project.

A buffer overflow vulnerability has been reported in the select(2) system call, which provides programmers with the facility to examine I/O descriptors. The size parameter of select() is a signed integer, and select() reportedly evaluates its upper boundary check in a signed context. As a result, an attacker who supplies certain negative values for the size parameter can cause the kernel to overwrite arbitrary locations in memory with attacker-supplied values. This may result in the kernel executing malicious, attacker-supplied code.

PGP / GnuPG Chosen Ciphertext Message Disclosure Vulnerability
BugTraq ID: 5446
Remote: Yes
Date Published: Aug 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5446
Summary:
PGP and GnuPG are two popular implementations of the OpenPGP encryption specification. Both are available for a range of platforms, including Microsoft Windows and Linux based systems. A weakness in the OpenPGP specification, as implemented by both products, may allow an attacker to learn the plaintext contents of encrypted communications.
While some degree of user interaction is required, the attack is very plausible against non-technical end users.

In order to exploit this issue, an attacker E must first intercept an encrypted message of interest between two users, B and A. The attacker may modify this message and inject additional content into the encrypted content. This modified message must then be transmitted to A, the recipient of the original message. The attacker must then entice A into decrypting this message and revealing the result of the decryption. This may occur if A responds to the malicious message with text that includes the decrypted contents. As the result of decryption will appear garbled and meaningless, it is conceivable that A would reply and include the original "quoted" message in an attempt to determine what has gone wrong.

Given the decrypted version of the malicious message and the original encrypted message, the attacker may recover a portion of the original plaintext. In general the attacker will be able to recover at best half of the plaintext content per attack, as it is difficult to modify the encrypted length of the message, and an equal amount of injected content is required in order to implement the attack. In many applications this will be sufficient; multiple attacks, however, may result in full disclosure of the plaintext message.

It is not believed to be possible to exploit this weakness against message content which is compressed during the OpenPGP encryption process. Attacker-supplied content will, with a high degree of probability, cause an error in the decompression process, which may alert the end user or prevent the display of the decrypted content. Compression is reported to be enabled in both products by default. Files which are already compressed, however, may not be compressed again, allowing exploitation.
It is important to note that exploitation of this issue will result in the plaintext contents of a specific, intercepted message being disclosed to a third party. The integrity of the private keys involved in the original communication is not compromised, and widespread exploitation of this weakness is extremely likely to be noticed by end users.

W3C CERN httpd Proxy Cross-Site Scripting Vulnerability
BugTraq ID: 5447
Remote: Yes
Date Published: Aug 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5447
Summary:
CERN httpd is a freely available HTTP server and HTTP proxy server available from the W3C. The httpd proxy does not protect against cross-site scripting attacks. When it cannot retrieve a web document, Proxomitron outputs an error web page in which the URL it attempted to use is displayed without being sanitized. It is possible for attackers to construct URLs that will cause arbitrary HTML or script code to be embedded in the error page. When the client interprets the error page, the attacker-supplied code may execute within the context of the proxy server. This type of vulnerability may be used to steal cookies or perform other web-based attacks.

[ well, who still runs this thing? :-> ]

L2TPD Weak Random Number Generator Seeding Vulnerability
BugTraq ID: 5451
Remote: Yes
Date Published: Aug 13 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5451
Summary:
l2tpd is a Layer 2 Tunneling Protocol daemon, implementing the protocol defined in RFC 2661. Some versions of l2tpd fail to seed the random number generator before calling rand(). This may result in predictable random numbers being generated. Random numbers are used for a number of purposes within l2tpd, including tunnel and session IDs, and within the challenge / response mechanism. An attacker may be able to exploit this vulnerability to predict the numbers which will be generated by l2tpd. This may allow a number of attacks.
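The seeding defect described above, as an added C example that is not l2tpd's own code: it shows that values drawn from a never-seeded rand() can be replayed by anyone running the same libc (the C standard defines that initial state as srand(1)), beside a replacement that reads the IDs from the kernel CSPRNG instead. All function names are hypothetical, and the mitigation assumes a host with /dev/urandom.

```c
/* Added example, not l2tpd code: why IDs drawn from an unseeded rand() are
 * predictable, beside a kernel-seeded alternative. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Draw n 16-bit values the way a daemon might pick tunnel or session IDs,
 * from the libc generator in whatever state it currently has. */
static void draw_ids_rand(uint16_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(rand() & 0xffff);
}

/* C requires rand() with no prior srand() to behave as if srand(1) had been
 * called at startup, so anyone running the same libc can replay the values a
 * freshly started, unseeded daemon hands out. Returns 1 if the replica
 * reproduces the "daemon" sequence exactly. */
static int unseeded_sequence_is_predictable(void)
{
    uint16_t daemon_ids[8], replica[8];
    srand(1);                    /* state of a process that never seeded */
    draw_ids_rand(daemon_ids, 8);
    srand(1);                    /* the observer's replica of that state */
    draw_ids_rand(replica, 8);
    return memcmp(daemon_ids, replica, sizeof daemon_ids) == 0;
}

/* Mitigation: take the values from the kernel CSPRNG instead of rand().
 * Returns 0 on success, -1 if /dev/urandom cannot be read. */
static int draw_ids_urandom(uint16_t *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, sizeof out[0], n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

int main(void)
{
    uint16_t ids[8];
    printf("unseeded rand() sequence replayable: %d\n",
           unseeded_sequence_is_predictable());
    printf("/dev/urandom usable for IDs: %d\n", draw_ids_urandom(ids, 8) == 0);
    return 0;
}
```

Seeding rand() from the clock would only narrow the search to a time window; for tunnel IDs and challenge nonces the CSPRNG path is the right fix.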
The ability to guess session and tunnel IDs may allow an attacker to inject data into a valid conversation. The ability to predict the behavior of the challenge / response mechanism may allow man-in-the-middle attacks, or some replay attacks. In both cases, the integrity of connections made with l2tpd may be compromised. The consequences of exploitation will be highly dependent on the environment l2tpd is deployed in.

Red Hat Interchange Arbitrary File Read Vulnerability
BugTraq ID: 5453
Remote: Yes
Date Published: Aug 13 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5453
Summary:
Interchange is a Web application development environment with a focus on ecommerce and dynamic content management. It is available for Linux and Unix variant operating systems.

A vulnerability has been reported for Interchange 4.8.5 and earlier. Interchange may disclose the contents of files to attackers. The vulnerability occurs due to the placement of the 'doc' folder. Reportedly, the folder will be installed as <INTERCHANGE_ROOT>/doc. This folder, by default, contains the Interchange man pages. This vulnerability is only exploitable when the Interchange service runs in INET (Internet service) mode.

An attacker may exploit this vulnerability to disclose the contents of restricted files accessible to the Interchange process. The potentially sensitive information obtained may be used to mount further attacks against a vulnerable system. It has been reported that this issue may be exploited through a '../' directory traversal sequence in an HTTP request to the vulnerable server. URLs may escape the document root in this manner and request arbitrary files on the system, subject to the permissions of the server process.

[ licence unclear ]

Xinetd Open File Descriptor Denial Of Service Vulnerability
BugTraq ID: 5458
Remote: No
Date Published: Aug 13 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5458
Summary:
Xinetd is intended as a secure replacement for inetd.
It is designed for use with Linux and Unix variant operating environments. Reportedly, xinetd is vulnerable to a denial of service condition. The vulnerability is the result of the file descriptors for the signal pipe being inherited by child processes launched by xinetd. This may give a malicious attacker access to the pipes associated with xinetd, and thus the ability to communicate with it. Local attackers may misuse the open file descriptors by sending extraneous or malformed data to xinetd, which may cause the service to crash. This results in xinetd failing to respond to legitimate requests for service. The signal pipe was introduced in version 2.3.4 of Xinetd. Earlier versions are not prone to this issue.

- To post an announcement: [EMAIL PROTECTED]
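The inherited signal pipe from the xinetd entry above, as an added C example that is not xinetd's own code: the same pipe() created the leaky way and with FD_CLOEXEC set on both ends (plus O_NONBLOCK on the write end, the usual self-pipe hygiene), together with a check for whether a descriptor would survive exec() and so reach a spawned service. Function names are hypothetical.

```c
/* Added example, not xinetd code: a signal self-pipe created the leaky way
 * (plain pipe()) beside the hardened way (FD_CLOEXEC). Names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* Returns 1 if fd would survive exec() and so leak into child processes,
 * 0 if the kernel closes it on exec, -1 if fd is not open. */
static int fd_leaks_across_exec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    return fl == -1 ? -1 : !(fl & FD_CLOEXEC);
}

/* Create the signal pipe. harden == 0 reproduces the vulnerable pattern:
 * both ends stay open across fork()+exec() in every spawned service.
 * harden != 0 marks both ends FD_CLOEXEC and the write end O_NONBLOCK so a
 * signal handler never blocks on a full pipe. 0 on success, -1 on error. */
static int make_signal_pipe(int fds[2], int harden)
{
    if (pipe(fds) == -1) return -1;
    if (!harden) return 0;
    for (int i = 0; i < 2; i++) {
        int fl = fcntl(fds[i], F_GETFD);
        if (fl == -1 || fcntl(fds[i], F_SETFD, fl | FD_CLOEXEC) == -1)
            goto fail;
    }
    int st = fcntl(fds[1], F_GETFL);
    if (st != -1 && fcntl(fds[1], F_SETFL, st | O_NONBLOCK) != -1)
        return 0;
fail:
    close(fds[0]); close(fds[1]);
    return -1;
}

/* Build a pipe of the given kind and report whether its read end leaks. */
static int pipe_leaks(int harden)
{
    int fds[2];
    if (make_signal_pipe(fds, harden) == -1) return -1;
    int r = fd_leaks_across_exec(fds[0]);
    close(fds[0]); close(fds[1]);
    return r;
}
int main(void)
{
    printf("plain pipe read end leaks to children: %d\n", pipe_leaks(0));
    printf("hardened pipe read end leaks to children: %d\n", pipe_leaks(1));
    return 0;
}
```

Linux additionally provides pipe2(fds, O_CLOEXEC), which sets the flag atomically and removes the window between pipe() and fcntl() in a multithreaded program.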
