Welcome to the SecurityFocus.com 'week in review' newsletter issue

FreeBSD System Call Signed Integer Buffer Overflow Vulnerability
BugTraq ID: 5493
Remote: No
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5493
Summary:
A vulnerability has been reported for the FreeBSD system. Reportedly, a few system calls are vulnerable to signed integer buffer overflow conditions. The vulnerability is the result of system calls assuming that some arguments were given as positive integers while, in actuality, the arguments were handled as signed integers. If a negative value was supplied for the argument, the boundary checking code would fail. This results in the kernel returning a large portion of kernel memory which may contain sensitive information including passwords. An attacker may be able to use the information obtained to elevate privileges.

This vulnerability has been reported to affect the accept(2), getsockname(2), and getpeername(2) system calls, and the vesa(4) FBIO_GETPALETTE ioctl(2). The associated files in the kernel source are:

src/sys/i386/isa/vesa.c
src/sys/kern/uipc_syscalls.c
src/sys/conf/newvers.sh

FreeBSD has reported that all versions of FreeBSD, up to and including 4.6.1-RELEASE-p10, are vulnerable to this issue.

PostgreSQL cash_words Function Buffer Overflow Vulnerability
BugTraq ID: 5497
Remote: No
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5497
Summary:
PostgreSQL is a freely distributed Object-Relational DBMS.

A buffer overflow vulnerability has been reported for PostgreSQL. Reportedly, PostgreSQL doesn't properly handle overly long queries when selecting the cash_words() function. It is possible to cause the database server process to crash when issuing a cash_words() function as follows:

psql> select cash_words('-700000000000000000000000000000');

It is believed that an attacker could potentially exploit this condition to overwrite stack variables with attacker-supplied values. It is highly possible that exploitation could result in execution of malicious attacker-supplied code as the database server process.
This vulnerability has been reported for PostgreSQL versions 7.2 and earlier.

nCipher PKCS#11 Symmetric Message Signature Verification Vulnerability
BugTraq ID: 5498
Remote: Unknown
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5498
Summary:
nCipher produces a range of hardware and software security products which support a range of cryptographic operations.

A vulnerability has been reported in the nCipher cryptographic library, related to the checking of some message signatures. The RSA PKCS#11 specification allows the signing of messages with a symmetric key. Verification of these signatures is supported by the nCipher cryptographic library. However, an error in the library implementation may result in incorrect results being returned when signatures are verified. Under some conditions, the vulnerable function C_Verify may return 'CKR_OK' when an invalid signature is verified. The return value 'CKR_SIGNATURE_INVALID' would normally be expected under this condition.

As a result, products and processes which rely on this library function may make erroneous trust decisions regarding messages with invalid signatures. The consequences of exploitation will be highly dependent on the nature of the application using the vulnerable library. It is likely that exploitation will allow an attacker to inject or modify encrypted information which is normally protected by a signature. Impersonation of trusted parties may be possible.

Reportedly, the vulnerable signature mechanism is used by a number of common protocols, including SSLv2, SSH and IPSEC.

This issue exists in versions 1.2.0 and later of the nCipher cryptographic library.

Lynx Command Line URL CRLF Injection Vulnerability
BugTraq ID: 5499
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5499
Summary:
Lynx is a freely distributable, text-based WWW client.
It is available for use on various operating systems and platforms, including Linux and Unix variants and Microsoft Windows operating environments.

A CRLF injection vulnerability has been reported for Lynx that may allow an attacker to include extra HTTP headers when viewing web pages. If Lynx is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct an HTTP request. As CRLF is used as a delimiter between headers under the HTTP protocol, exploitation of this vulnerability will result in additional headers being included in the HTTP request.

Injection of a 'Host' header may cause the request to be serviced as if made to a different domain, if the server in question supports multiple hosts. It may also be possible to inject arbitrary cookie data. It is still possible for attackers to exploit this vulnerability even if the '-realm' and '-restrictions=useragent' options are used. Reportedly, it is also possible for an attacker to contact other types of servers, including POP3 servers and MTAs (Mail Transfer Agents).

This vulnerability has been reported for Lynx versions 2.8.4rel.1, 2.8.5dev.8, 2.8.3rel.1 and 2.8.2rel.1. It is not known whether other versions are affected.

*** Links 0.9.6 and ELinks have also been reported as being vulnerable. Some versions of Links and ELinks URL-encode space characters, so an attacker needs to use tab characters, instead of spaces, to exploit the issue on these browsers.

W3C Jigsaw Proxy Server Cross-Site Scripting Vulnerability
BugTraq ID: 5506
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5506
Summary:
The W3C Jigsaw project includes an HTTP proxy server written in Java.

When the proxy server cannot successfully resolve a fully qualified domain name, an error page is served to the client.
The requested URL is included in the content of this page without being adequately sanitized. Consequently, embedded script code may execute within the context of the requested URL (and its domain). Exploitation may result in theft of cookie information or impersonation of websites associated with the domain.

MySQL Null Root Password Weak Default Configuration Vulnerability
BugTraq ID: 5503
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5503
Summary:
MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

A weak default configuration problem has been reported in some versions of MySQL. Reportedly, the root user of the database is defined with no password, and granted login privileges from any host. Users unaware of this may fail to define a strong password for the root user. While the MySQL security documentation does suggest verifying that the root user has a password defined, an inexperienced administrator may overlook this step.

Exploitation of this issue can allow a remote attacker to connect to the database with full privileges. Exploitation may result in access to sensitive information, or allow denial of service attacks through the destruction of data.

This issue has been reported in the Windows binary release of MySQL. Other versions may share this default configuration; this has not, however, been confirmed.

MySQL Bind Address Not Enabled Weak Default Configuration Vulnerability
BugTraq ID: 5511
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5511
Summary:
MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

MySQL supports the 'bind-address' configuration directive. This restricts database access to the defined address.
If remote administration is not required, this variable may be set to the loopback address 127.0.0.1, preventing access from any remote system. This option is not enabled by default, possibly allowing remote access to default installations of the server. The MySQL security documentation does, however, suggest restricting remote access to the server to only required hosts.

This issue has been reported in the Windows binary release of MySQL. Other versions may share this default configuration; this has not, however, been confirmed.

MySQL Logging Not Enabled Weak Default Configuration Vulnerability
BugTraq ID: 5513
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5513
Summary:
MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

Reportedly, most logging is disabled by default in MySQL. If not explicitly enabled, an administrator may not detect malicious actions or attacks against the database. Logging of errors may, however, be enabled by default.

This issue has been reported in the Windows binary release of MySQL. Other versions may share this default configuration; this has not, however, been confirmed.

Mozilla Bonsai Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 5516
Remote: Yes
Date Published: Aug 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5516
Summary:
Mozilla Bonsai is a tool that allows a user to perform queries on the contents of a CVS archive.

Multiple cross site scripting vulnerabilities have been reported for the Bonsai tool. An attacker may exploit this vulnerability by causing a victim user to follow a malicious link. Attacker-supplied code may execute within the context of the site hosting the vulnerable software when the malicious link is visited. This type of vulnerability may be used to steal cookies or perform other web-based attacks.
It may be possible to take actions as a user of the Bonsai system.

This vulnerability has been reported for Mozilla Bonsai 1.3 (including all current and CVS versions).

Mozilla Bonsai Path Disclosure Vulnerability
BugTraq ID: 5517
Remote: Yes
Date Published: Aug 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5517
Summary:
Mozilla Bonsai is a tool that allows a user to perform queries on the contents of a CVS archive.

A path disclosure vulnerability has been reported in Mozilla Bonsai. This issue is reported to affect all current and CVS versions of the utility.

An attacker can exploit this vulnerability by making a malformed request to Bonsai. This causes Bonsai to return an error page to the requesting user. This error page will contain the absolute path information about the requested file.

Information disclosed in this manner may be used by remote attackers in intelligence gathering and may aid in further attacks against the vulnerable host.

SCPOnly SSH Environment Shell Escaping Vulnerability
BugTraq ID: 5526
Remote: No
Date Published: Aug 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5526
Summary:
scponly is a freely available, open source restricted secure copy client. It is available for Unix and Linux operating systems.

A problem with scponly could make it possible for a user to gain unintended access to a system running a vulnerable version.

The default installation of scponly does not place sufficient access controls on the .ssh subdirectory. Due to this oversight, it is possible for a remote user to upload files which may allow command execution. This could lead to unintended command execution, and regular shell access to a vulnerable host.

The problem is in the environment file contained within the .ssh subdirectory. If this file is installed with permissions that allow user modification to the file (which is the default behavior), a user would be able to upload a new version of this file.
This file could contain malicious commands, such as changing the user's shell, and would be executed by the user upon the next log-in.

PostgreSQL Repeat Function Buffer Overflow Vulnerability
BugTraq ID: 5527
Remote: Yes
Date Published: Aug 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5527
Summary:
PostgreSQL is a freely distributed Object-Relational DBMS.

An overflow vulnerability has been reported in some versions of PostgreSQL. The issue lies in the handling of large integer arguments by the repeat() function, used to create a text string with a specified number of copies of the original argument. Reportedly, if this function is called with an extremely large integer argument, memory allocated on the heap will be overflowed.

An attacker able to call this function may corrupt adjacent data. It may be possible to corrupt control structures used by some heap implementations and force the database process to execute arbitrary, attacker-supplied code.

PostgreSQL String Pad Function Buffer Overflow Vulnerability
BugTraq ID: 5528
Remote: No
Date Published: Aug 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5528
Summary:
PostgreSQL is a freely distributed Object-Relational DBMS.

A buffer overflow vulnerability has been reported for PostgreSQL. Reportedly, PostgreSQL doesn't properly handle overly large integer arguments given to the lpad() and rpad() functions. These functions are found in the file src/backend/utils/adt/oracle_compat.c and serve to pad an existing text string with another, up to a given length.

This vulnerability only affects databases that were created using special international encodings. For example, databases that were created using a 'UNICODE' encoding are vulnerable to this issue.
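The two length-argument failures in this issue, modelled in user space as an added example (not FreeBSD, PostgreSQL or advisory code): the FreeBSD accept(2)/getsockname(2)/getpeername(2) entry, where a negative length slips past a signed bounds check, and the PostgreSQL repeat()/lpad()/rpad() entries, where a character count multiplied by the widest character width wraps a 32-bit int. SOCKADDR_MAX, the 3-byte MAX_CHAR_BYTES (standing for a UTF-8 character under the 'UNICODE' encoding of the period) and all function names are assumptions; each unsafe routine is followed by its checked counterpart.

```c
/* Added example, not FreeBSD, PostgreSQL or advisory code: user-space
 * models of two length-argument checks.  SOCKADDR_MAX, MAX_CHAR_BYTES
 * and the function names are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>

#define SOCKADDR_MAX   128  /* assumed size of the kernel-side address buffer */
#define MAX_CHAR_BYTES 3    /* assumed widest encoded character (UTF-8, as of 2002) */

/* accept(2)/getsockname(2) class: the caller-supplied address length is
 * handled as a signed int.  "len > max" cannot reject a negative value,
 * and when the result is used as a size_t for the copy-out, -1 becomes
 * SIZE_MAX bytes of kernel memory. */
size_t copyout_len_unsafe(int user_len)
{
    int len = user_len;
    if (len > SOCKADDR_MAX)      /* -1 > 128 is false, so the check passes */
        len = SOCKADDR_MAX;
    return (size_t)len;          /* (size_t)-1 == SIZE_MAX */
}

/* Hardened: refuse negatives before any comparison, then clamp.
 * Returns the byte count to copy, or -1 for an invalid argument (EINVAL). */
long copyout_len_checked(int user_len)
{
    if (user_len < 0)
        return -1;
    return user_len > SOCKADDR_MAX ? SOCKADDR_MAX : user_len;
}

/* repeat()/lpad()/rpad() class: a character count is multiplied by the
 * widest character to size the output buffer.  1431655765 * 3 is
 * 4294967295, which a 32-bit int cannot hold, so the product wraps to
 * -1.  In real code the int multiplication is undefined behaviour; the
 * uint32_t cast reproduces the wrap deterministically for illustration. */
int32_t pad_alloc_size_unsafe(int32_t nchars)
{
    return (int32_t)((uint32_t)nchars * (uint32_t)MAX_CHAR_BYTES);
}

/* Hardened: bound the count before multiplying so the byte total, plus
 * one for a terminator, always fits.  Returns -1 when rejected. */
long long pad_alloc_size_checked(int32_t nchars)
{
    if (nchars < 0 || nchars > (INT32_MAX - 1) / MAX_CHAR_BYTES)
        return -1;
    return (long long)nchars * MAX_CHAR_BYTES + 1;
}
```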
It is possible to cause the database server process to crash when issuing the lpad() or rpad() function as follows:

my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
my_db=# select rpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');

This will cause PostgreSQL to improperly allocate space on the system stack. Thus, it is believed that an attacker could potentially exploit this condition to overwrite stack variables with malicious attacker-supplied values. It is highly possible that exploitation could result in execution of malicious attacker-supplied code as the database server process.

Reportedly, databases created with EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE, or MULE_INTERNAL encodings are vulnerable to this issue.

Linux Kernel 2.4.18 Security Issues
BugTraq ID: 5539
Remote: Unknown
Date Published: Aug 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5539
Summary:
Red Hat has issued an advisory reporting the correction of several vulnerabilities in version 2.4.18 of the Linux kernel.

Some of the security issues are related to the following device drivers:

stradis
rio500
se401
usbvideo
apm

Furthermore, vulnerabilities reportedly exist in components of the procfs virtual filesystem that may cause kernel memory to be exposed.

It should be assumed that, at the very least, local attackers may exploit these vulnerabilities to elevate privileges.

SecurityFocus is currently completing analysis of the reported vulnerabilities and will issue individual alerts for each.

Apache Tomcat 4.1 JSP Request Cross Site Scripting Vulnerability
BugTraq ID: 5542
Remote: Yes
Date Published: Aug 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5542
Summary:
Jakarta Tomcat is a Java Servlet and JSP server produced by the Apache Software Foundation. Tomcat is available for Microsoft Windows, Linux, and other Unix based operating systems.

A cross site scripting vulnerability has been reported in some versions of Tomcat.
Reportedly, if an HTTP request is made for a JSP, malicious script code embedded in the URI may be included in a page generated by Tomcat. An attacker may generate a link to a vulnerable site, and include arbitrary malicious script code. If a user is enticed into following this link, the supplied code will be returned by the server, and execute within the context of the vulnerable site.

Exploitation may result in the disclosure of sensitive cookie data, or the ability to take actions as an authenticated user of the vulnerable site. The consequences of exploitation will be highly dependent on the details of the vulnerable site.

This may be related to the issues discussed in BID 2982. This has not, however, been confirmed.

Multiple Vendor IPv4-IPv6 Transition Address Spoofing Vulnerability
BugTraq ID: 5545
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5545
Summary:
IPv6 is a protocol designed to replace IPv4. IPv6 allows for the encapsulation of IPv4 addresses, in order to facilitate transition between the two standards, and allow the usage of IPv4 legacy applications under IPv6 networking. Additionally, many systems are expected to support both IPv4 and IPv6 traffic, in order to allow a transition period between the two standards.

Malicious parties may be able to abuse this feature in order to spoof IPv4 addresses. Under some circumstances, IPv4 addresses may be extracted from IPv6 traffic and passed to applications. These applications will not be able to distinguish between legitimate IPv4 traffic and that embedded in IPv6 traffic. If trust decisions are made based on this information, an attacker may be able to bypass some security measures. For example, certain applications may restrict access to a limited range of IPv4 addresses, only allow access from the loopback address 127.0.0.1, or perform reverse lookup checks on IPv4 addresses.
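The trust decision the paragraph above describes, as an added example (not code from the advisory or any affected vendor): classify_peer() tells a native IPv4 peer, a native IPv6 peer and an IPv4 address carried inside an IPv6 socket address (::ffff:a.b.c.d) apart, and loopback_trust() shows a policy that grants loopback trust only to the native forms. All names, the enum values and the text front-ends are assumptions of this example.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

enum peer_kind { PEER_UNKNOWN = 0, PEER_V4 = 1, PEER_V6 = 2, PEER_V4_MAPPED = 3 };

/* Classify a peer sockaddr; for the two IPv4 cases also return the
 * IPv4 address (host byte order) through v4_out. */
enum peer_kind classify_peer(const struct sockaddr *sa, uint32_t *v4_out) {
    if (sa->sa_family == AF_INET) {
        *v4_out = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
        return PEER_V4;
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        uint32_t v4;
        if (!IN6_IS_ADDR_V4MAPPED(a6))
            return PEER_V6;
        memcpy(&v4, &a6->s6_addr[12], sizeof v4);   /* last four octets are a.b.c.d */
        *v4_out = ntohl(v4);
        return PEER_V4_MAPPED;
    }
    return PEER_UNKNOWN;
}

/* Loopback-only policy: 1 = trusted, 0 = not.  Only a native 127/8 or a
 * native ::1 peer qualifies; the v4-mapped form is the shape the spoofing
 * path produces, so an unwrapped 127.0.0.1 earns no trust.  Legitimate IPv4
 * clients stay native when the service binds a separate AF_INET listener
 * and sets IPV6_V6ONLY on the AF_INET6 one. */
int loopback_trust(const struct sockaddr *sa) {
    uint32_t v4 = 0;
    switch (classify_peer(sa, &v4)) {
    case PEER_V4: return (v4 >> 24) == 127;
    case PEER_V6: return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)sa)->sin6_addr);
    default:      return 0;   /* PEER_V4_MAPPED and PEER_UNKNOWN */
    }
}

/* Text front-ends so the policy can be exercised on constructed inputs. */
static int parse_peer(const char *text, struct sockaddr_storage *ss) {
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) { s4->sin_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) { s6->sin6_family = AF_INET6; return 1; }
    return 0;
}

int classify_text(const char *text) {
    struct sockaddr_storage ss; uint32_t v4 = 0;
    return parse_peer(text, &ss) ? (int)classify_peer((struct sockaddr *)&ss, &v4) : PEER_UNKNOWN;
}

int loopback_trust_text(const char *text) {
    struct sockaddr_storage ss;
    return parse_peer(text, &ss) && loopback_trust((struct sockaddr *)&ss);
}
```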
The details and consequences of exploitation will be highly dependent on the specifics of deployed applications. It may be possible to gain unauthorized access to systems, or to generate malicious network traffic through the usage of the loopback address or broadcast addresses.

D-Link Remote Administration Arbitrary DHCP Address Release Vulnerability
BugTraq ID: 5544
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5544
Summary:
The DI-804 is a hardware gateway and firewall solution distributed and maintained by D-Link.

A problem with the DI-804 could make it possible for a remote user to deny service to legitimate users of the device.

It has been reported that a problem with the remote administration interface could allow for the release of DHCP allocated addresses. When remote administration is enabled, insufficient access control is allegedly placed on the /release.html page. This page is used to manipulate DHCP allocated addresses, and could be used to revoke leases on assigned addresses.

This problem makes it possible for a remote user to access the DHCP address release page, and release arbitrary DHCP assigned addresses. It should be noted that this vulnerability is only capable of being exploited when the web administration interface is enabled.

D-Link Remote Administration Information Leakage Vulnerability
BugTraq ID: 5553
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5553
Summary:
The DI-804 is a hardware gateway and firewall solution distributed and maintained by D-Link.

A problem with the DI-804 could make it possible for a remote user to gain sensitive information about the device.

It has been reported that a problem with the remote administration interface could allow users to gain sensitive information. It is possible to access the Device information and Device status pages.
These pages contain information such as the WAN IP, netmask, name server information, DHCP log, and MAC address to IP address mappings. This could allow an attacker to gain sensitive information that aids an organized attack on network resources.
