Perlbot Remote Command Execution Vulnerability
BugTraq ID: 5998
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5998
Summary:
Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its goals are simplicity and modularity. It is available for Linux and Unix operating systems.

A remote command execution vulnerability has been discovered in Perlbot v1.0 beta. Reportedly, the script does not properly sanitize the input for the '$word' variable, and this input is then passed to a function which invokes the shell directly. If a user enters a command into this variable, the command will be executed on the host with the privileges of Perlbot.

This issue was reported for Perlbot v1.0 beta.

Perlbot Email Sending Remote Command Execution Vulnerability
BugTraq ID: 5999
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5999
Summary:
Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its goals are simplicity and modularity. It is available for Linux and Unix operating systems.

A remote command execution vulnerability has been discovered in Perlbot v1.0 beta. Reportedly, the script does not properly sanitize the input for the '$recipient' variable, and this input is then passed to the open() function in a form that invokes the shell directly. If a user enters a command into this variable, the command will be executed on the host with the privileges of Perlbot.

This issue was reported for Perlbot v1.0 beta.

YaBB Login Cross-Site Scripting Vulnerability
BugTraq ID: 6004
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6004
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software written in Perl. YaBB runs on most Unix/Linux variants, MacOS, and Microsoft Windows 9x/ME/NT/2000/XP platforms.

A cross-site scripting vulnerability has been reported in the YaBB forum login script. When a user enters an erroneous username/password, the login script displays an error page containing the values the user entered.
However, HTML tags and script code are not sanitized from the password error output. As a result, a remote attacker can create a malicious link to the login page of a site hosting the forum, with arbitrary HTML and script code in the password field. When an unsuspecting web user visits this link, the attacker-supplied code executes in their browser in the security context of the vulnerable website. It has been demonstrated that this vulnerability may be exploited to steal cookie-based authentication credentials. Furthermore, once an attacker has hijacked a user's session with those credentials, it is possible to change that user's password without further authentication.

Hans Persson Molly Multiple Remote Command Execution Vulnerabilities
BugTraq ID: 6007
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6007
Summary:
Molly is a small IRC bot intended for use in intra-office environments. It is written in Perl and maintained by Hans Persson. It is available for Unix and Linux variant operating systems.

Several remote command execution vulnerabilities have been discovered in Molly v0.5. The script 'plugins/nslookup.pl' does not adequately sanitize the input for the '$host' variable, which is passed through the script without any checks to a call that invokes the shell directly. If a user enters a command into this variable, the command will be executed on the host with the privileges of Molly.

Other scripts in the unsupported 'unusedplugins' folder are vulnerable to similar attacks: 'sms.pl', 'pop.pl', and 'hpled.pl'.

Perlbot Text Variable Remote Command Execution Vulnerability
BugTraq ID: 6008
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6008
Summary:
Perlbot is an IRC bot written in Perl.
It depends on Net::IRC and its goals are simplicity and modularity. It is available for Linux and Unix operating systems.

A remote command execution vulnerability has been discovered in Perlbot v1.0 beta. Reportedly, the Plugins/Misc/SpelCheck/SpelCheck.pm script fails to properly sanitize the input for the '$text' variable, and this input is then passed to a function which invokes the shell directly. If a user enters a semicolon (;) followed by a command into this variable, the attacker-supplied command will be executed on the host with the privileges of Perlbot.

This issue was reported for Perlbot v1.9.2.

Perlbot Filename Variable Remote Command Execution Vulnerability
BugTraq ID: 6009
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6009
Summary:
Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its goals are simplicity and modularity. It is available for Linux and Unix operating systems.

A remote command execution vulnerability has been discovered in Perlbot v1.0 beta. Reportedly, the 'Plog.pl' script does not properly sanitize the input for the '$filename' variable, and this input is then passed to the open() function in a form that invokes the shell directly. If a user enters a command into this variable, the command will be executed on the host with the privileges of Perlbot.

This issue was reported for Perlbot v1.0 beta.

IPFilter FTP Proxy Unauthorized Access Vulnerability
BugTraq ID: 6010
Remote: Yes
Date Published: Oct 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6010
Summary:
IPFilter is a packet filtering implementation in wide use on a variety of Unix systems. IPFilter includes an in-kernel FTP proxy that attempts to make access control decisions based on the state of FTP sessions. A vulnerability has been reported in this component.
In versions of IPFilter prior to 3.4.29, the FTP proxy was vulnerable to a flaw that allowed attackers to have ports opened to FTP servers under certain circumstances. Attackers may fool vulnerable versions of IPFilter into opening ports if the FTP server in use echoes text from a client back to the client. This may result in a violation of security policy and subsequent compromise if the attacker can exploit services listening on the exposed ports.

Multiple Vendor IPSec Implementation Denial of Service Vulnerabilities
BugTraq ID: 6011
Remote: Yes
Date Published: Oct 19 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6011
Summary:
IPSec is a set of extensions to IP that provide encryption and authentication. A vulnerability in several implementations of IPSec related to the handling of malformed ESP packets has been reported. On many systems, the condition may be exploited to cause kernel panics.

According to the report, many implementations lack adequate sanity checks on the header fields of ESP packets. By spoofing short ESP packets with high sequence numbers, it is allegedly possible to cause invalid memory accesses that will often result in a total system crash. Implementations based on KAME and FreeSWAN are vulnerable.

D-Link DWL-900AP+ TFTP Server Arbitrary File Retrieval Vulnerability
BugTraq ID: 6015
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6015
Summary:
The DWL-900AP+ is a wireless access point distributed by D-Link. A problem with DWL-900AP+ systems could allow remote users to gain access to sensitive information.

DWL-900AP+ systems ship with an undocumented TFTP server enabled by default. The TFTP server included in DWL-900AP+ firmware may reveal sensitive information: an attacker connecting to it may be able to request various binary data files from the device.
This could lead to the disclosure of sensitive information. An attacker exploiting this issue could retrieve config.img from the TFTP server; it contains sensitive information such as the WEP keys, the admin password for the HTTP interface, and network configuration data. The attacker could also retrieve the files eeprom.dat, mac.dat, wtune.dat, rom.img and normal.img.

[ hardware ]

KMMail E-Mail HTML Injection Vulnerability
BugTraq ID: 6013
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6013
Summary:
kmMail is an open source web based e-mail client.

kmMail does not sufficiently sanitize HTML and script code from the body of e-mail messages. As a result, an attacker may send a user of kmMail a malicious message that includes arbitrary HTML and script code. If the user views the malicious message in the webmail system, the attacker-supplied code executes in their web browser in the security context of the webmail system. This may allow an attacker to steal cookie-based authentication credentials from users of the webmail system. Other attacks are also possible.

This is a variant of the issue described in BugTraq ID 5173.

YPServ Remote Network Information Leakage Vulnerability
BugTraq ID: 6016
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6016
Summary:
The ypserv daemon is a component of the Network Information Service (NIS) and is available for Linux and Unix operating systems.

A remotely exploitable information leakage vulnerability has been discovered in the ypserv daemon. Versions prior to 2.5 are affected. The 'lib/yp_db.c' file fails to verify whether a requested map exists before allocating memory for it, resulting in a memory disclosure. It has been reported that by sending a malicious request for a non-existent map to the ypserv daemon, a remote attacker could potentially obtain information from an old domainname and mapname.
Information obtained by exploiting this issue may aid an attacker in launching further attacks against the target network.

It should be noted that this issue may be similar to the issue described in BugTraq ID 5914.

Fragrouter Trojan Horse Vulnerability
BugTraq ID: 6022
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6022
Summary:
fragrouter is a freely available, open source intrusion detection evasion tool. It is available for the Unix and Linux operating systems.

It has been announced that the server hosting fragrouter, www.anzen.com, was recently compromised. The intruder reportedly modified the fragrouter source code to include trojan horse code. Downloads of the fragrouter source code from www.anzen.com between October 18, 2002 and October 19, 2002 likely contain the trojan code.

Reports say that the trojan runs once, upon compilation of fragrouter. Once executed, it attempts to connect to host 210.224.164.100 on port 6667. Although unconfirmed, it has been reported that the service listening on port 6667 of host 210.224.164.100 has been disabled. It is not known whether other sites besides www.anzen.com are affected.

The maintainers of fragrouter have stated that the fragrouter source code has not been maintained since release 1.6, a period of approximately 3 years, and that release 1.7 is bogus. The MD5 hash of the bogus release is 8329c34704287a1fb1e5d6f1ba81f456.

The posting of the trojaned version of fragrouter was also announced on the cisco-nsp and linux-kernel mailing lists. The trojan displays similarity to those found in irssi, fragroute, BitchX, OpenSSH, and Sendmail.
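As an added check for the fragrouter entry above (example code, not from the advisory or the fragrouter project): hash a downloaded archive once, refuse anything whose MD5 matches a known trojaned release such as the bogus 1.7 hash given in the entry, and compare the SHA-256 against a value obtained from somewhere other than the download mirror. The blocklist entry is the hash from the entry; the sample archive contents are constructed.

```python
"""Release-integrity check: added example for the fragrouter entry, not code
from the advisory or the fragrouter project."""
import hashlib
import io

# MD5 of the bogus "fragrouter 1.7" archive, as stated in the advisory entry.
KNOWN_BAD_MD5 = {
    "8329c34704287a1fb1e5d6f1ba81f456": "fragrouter 1.7, trojaned copy served by www.anzen.com",
}


def file_digests(data, chunk_size=64 * 1024):
    """Hash a file once, streaming, and return (md5_hex, sha256_hex).
    `data` may be bytes or any binary file object."""
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify_release(data, known_bad_md5=KNOWN_BAD_MD5, expected_sha256=None):
    """Decide whether a downloaded archive may be built.

    Returns one of:
      ("blocked", description)  MD5 matches a known trojaned release
      ("ok", sha256)            SHA-256 matches the out-of-band expected value
      ("mismatch", sha256)      an expected SHA-256 was given and does not match
      ("unverified", sha256)    nothing to compare against; do not trust it yet
    """
    md5_hex, sha256_hex = file_digests(data)
    if md5_hex in known_bad_md5:
        return "blocked", known_bad_md5[md5_hex]
    if expected_sha256 is not None:
        if sha256_hex == expected_sha256.lower():
            return "ok", sha256_hex
        return "mismatch", sha256_hex
    return "unverified", sha256_hex


if __name__ == "__main__":
    # Constructed sample: not a real fragrouter archive.
    sample = b"fragrouter-1.6.tar.gz contents (constructed)\n" * 1000
    print(classify_release(sample))
```

A blocklist match is the only thing MD5 is good for here; it proves an archive is a known-bad copy, not that an unlisted one is clean. Treat "unverified" as a refusal until a SHA-256 or a signature from a channel independent of the mirror is available.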
Multiple Firewall Vendor Packet Flood State Table Filling Vulnerability
BugTraq ID: 6023
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6023
Summary:
A vulnerability has been discovered in multiple firewall systems that could make denial of service attacks possible. It has been reported that many firewalls do not properly handle certain types of traffic. Firewalls that maintain state could be attacked and forced into a situation where all service is denied. This condition results from certain types of traffic floods.

This vulnerability may be exploited through various attack methods. One is a TCP SYN flood: by launching a SYN flood, especially one using many spoofed source IP addresses, an attacker could fill the state table of a vulnerable firewall. Another is a flood of UDP packets with numerous spoofed source addresses: by sending large numbers of UDP packets to a vulnerable firewall, an attacker could fill the state table to the point that no further entries can be made. The final method identified is the "Crikey CRC Flood": an attacker sending transport-layer (OSI layer 4) packets such as TCP or UDP with invalid checksums could likewise fill the firewall state table.

These attacks depend on a fundamental flaw in firewall design or configuration: the state table removes entries more slowly than the flood adds them, so a sustained flood eventually exhausts it.

A comprehensive listing of affected products is not available at this time. Updates will be made if more information about affected vendors and products becomes available.
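To see why the "removed more slowly than added" condition is the whole story, here is a small simulation of a stateful firewall's table under a spoofed-source flood (an added example, not any vendor's code; the capacity, timeout and packet rate are constructed). Each packet with a fresh spoofed source costs one entry, the table's steady-state demand is rate times timeout, and when that exceeds the capacity a legitimate new connection is refused.

```python
"""State-table exhaustion simulation: added example for the firewall entry,
not vendor code. All numbers are constructed for illustration."""
from collections import deque


class StateTable:
    """Fixed-capacity connection table with a single idle timeout."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = {}      # flow key -> expiry time
        self.order = deque()   # (expiry, flow) in insertion order; the timeout is
                               # uniform, so this is also expiry order
        self.refused = 0       # new flows turned away because the table was full

    def expire(self, now):
        """Drop every entry whose expiry time has passed."""
        while self.order and self.order[0][0] <= now:
            expiry, flow = self.order.popleft()
            if self.entries.get(flow) == expiry:
                del self.entries[flow]

    def insert(self, flow, now):
        """Admit a new flow; return False if the table is full."""
        self.expire(now)
        if flow in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        expiry = now + self.timeout
        self.entries[flow] = expiry
        self.order.append((expiry, flow))
        return True


def simulate_flood(capacity, timeout, rate_pps, duration):
    """Flood the table for `duration` seconds with `rate_pps` packets per second,
    each from a fresh spoofed source (a SYN, a UDP datagram or a bad-checksum
    segment all count the same: one new state entry). Then try one legitimate
    connection and report what happened."""
    table = StateTable(capacity, timeout)
    fill_time = None
    seq = 0
    for now in range(duration):
        for _ in range(rate_pps):
            table.insert(("spoofed", seq), now)   # unique 5-tuple per packet
            seq += 1
        if fill_time is None and len(table.entries) >= capacity:
            fill_time = now
    occupancy = len(table.entries)
    legit_ok = table.insert(("192.0.2.10", "198.51.100.20", 443), duration - 1)
    return {
        "fill_time": fill_time,                     # second the table first filled, or None
        "occupancy": occupancy,                     # entries held when the legitimate client arrived
        "steady_state_demand": rate_pps * timeout,  # entries the flood sustains if uncapped
        "legit_accepted": legit_ok,
        "refused": table.refused,
    }


if __name__ == "__main__":
    # Same flood, two timeout settings: the table survives only while
    # rate * timeout stays below capacity.
    for timeout in (60, 5):
        print(timeout, simulate_flood(capacity=10000, timeout=timeout, rate_pps=500, duration=60))
```

With a 60 second timeout, 500 spoofed packets per second fill a 10,000-entry table after 20 seconds and every later connection, legitimate or not, is refused; with a 5 second timeout for unestablished state the same flood holds only 2,500 entries and the legitimate client gets in. That is the configuration knob the entry points at: the eviction rate for half-open or unsolicited state has to exceed the rate at which an attacker can create it.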
Multiple Vendor kadmind Remote Buffer Overflow Vulnerability
BugTraq ID: 6024
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6024
Summary:
The kadmind daemon is a server that allows remote administrative access to Kerberos databases.

A remotely exploitable buffer overflow has been discovered in the kadmind daemon. The issue is due to insufficient bounds checking in the kadm_ser_in() function: it fails to verify the size of 'authent.length' before copying 'authent.length' bytes of data into 'authent.dat', so the buffer is overrun. An attacker can exploit this issue with a request that overflows the buffer on the stack. This could allow the attacker to overwrite sensitive locations in memory, such as a return address, resulting in the execution of arbitrary code with the privileges of the kadmind process.

Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
BugTraq ID: 6029
Remote: Yes
Date Published: Oct 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6029
Summary:
Mod_SSL is an implementation of SSL (Secure Sockets Layer) for the Apache webserver. The Apache HTTP Server is a popular open-source HTTP server for multiple platforms, including Windows and Unix.

A cross-site scripting vulnerability has been discovered in mod_ssl. It has been reported that Apache v1.x, when using the mod_ssl module, returns an unescaped server name in response to HTTP requests on SSL ports. When Apache must construct a self-referencing URL, it behaves in one of two ways depending on the value of the 'UseCanonicalName' option. With the option enabled, Apache uses the ServerName and Port values to form a canonical name. With the option turned off, Apache attempts to use the hostname and port supplied by the client.
The existence of this vulnerability is limited to configurations with both the 'UseCanonicalName' option turned off and wildcard DNS enabled. If both conditions are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When an unsuspecting user follows the link, the server echoes the malicious hostname from the client's request back without sufficiently escaping HTML and script code, and the attacker-supplied code is executed by the user's web client in the context of the webserver. Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials, and may allow arbitrary actions to be taken as the victim user.

Virgil CGI Scanner Remote Command Execution Vulnerability
BugTraq ID: 6031
Remote: Yes
Date Published: Oct 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6031
Summary:
Virgil CGI Scanner is a remote vulnerability auditing tool written as a Bash script. It is available for the Linux and Unix operating systems.

A vulnerability has been discovered in Virgil CGI Scanner. It has been reported that the scanner fails to sufficiently sanitize user-supplied input in the $TARGET and $ZIELPORT variables. The software passes these variables as part of a command line, so shell metacharacters in them can cause arbitrary commands to be executed. By exploiting this issue, a remote attacker may be able to execute arbitrary commands on the system with the privileges of the webserver process.
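The Perlbot, Molly and Virgil entries above are one defect: a value taken from an IRC message or a CGI request is spliced into a command string that /bin/sh parses, so a ';' (as the Perlbot '$text' entry notes) or a '|' ends the intended command and starts the attacker's. In Perl the usual culprits are backticks or system() given a single string, and two-argument open(), which treats a leading or trailing '|' in the filename as a pipe run through the shell. The following is an added example, not code from any of those projects: it reproduces the pattern in Python, where os.popen() stands in for the shell-invoking open(), and shows the two fixes, an argument vector so no shell is involved, and allowlist validation of the value. 'echo' stands in for ispell or nslookup so the example runs anywhere with a POSIX shell; the payload is constructed.

```python
"""Command injection, vulnerable and hardened: added example for the Perlbot,
Molly and Virgil entries; not code from those projects."""
import os
import re
import subprocess

# Constructed attacker input: a normal-looking word followed by a second command.
PAYLOAD = "hello; echo INJECTED"

# Allowlist for a word or hostname argument. It must not start with '-', so the
# value cannot be read as an option by the program it is handed to.
SAFE_ARG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,253}$")


def lookup_vulnerable(value):
    """The bug: the value is concatenated into a command string and handed to
    /bin/sh, like Perl's `ispell $text` or open(FH, "cmd $x |")."""
    with os.popen("echo " + value) as pipe:
        return pipe.read()


def lookup_argv(value):
    """Fix 1: argument-vector execution. No shell parses the string, so ';',
    '|', '`' and '$' are ordinary bytes in one argument (Perl: system(LIST) or
    three-argument open with '-|' and a list)."""
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout


def lookup_hardened(value):
    """Fix 2, on top of fix 1: reject anything that is not a plausible word or
    hostname. This also stops option injection ('-n'), which argv alone does not."""
    if not SAFE_ARG_RE.match(value):
        raise ValueError("rejected argument: %r" % value)
    return lookup_argv(value)


def is_accepted(value):
    """True if the hardened path accepts the value."""
    try:
        lookup_hardened(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(PAYLOAD)))   # second command runs
    print("argv only: ", repr(lookup_argv(PAYLOAD)))         # payload echoed literally
    print("hardened:  ", is_accepted(PAYLOAD), is_accepted("example.org"))
```

The argv form alone defeats the injection in every entry above: the payload comes back as a literal argument instead of a second command. The allowlist is still worth having, because a value such as "-n" is a valid argument to the shell-free call yet changes what the program does.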
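The mod_ssl entry turns on two conditions: UseCanonicalName off, so the client's Host header is copied into a self-referencing URL, and wildcard DNS, so a hostname carrying markup still resolves and the browser actually sends the request. The following added example (not Apache, YaBB or kmMail code; the hostnames and page templates are constructed) models that URL construction and applies two defences: escape anything reflected into HTML, which is also the fix the YaBB login page needs for the echoed password, and refuse a Host value that is not syntactically a hostname before it reaches the template.

```python
"""Reflected output escaping and Host validation: added example for the
mod_ssl, YaBB and kmMail entries; not code from those projects."""
import html
import re

# RFC 1123 hostname: labels of letters, digits and '-', not starting or ending with '-'.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*\.?$" % (LABEL, LABEL))

# Constructed attacker Host header; it resolves under a wildcard DNS zone.
EVIL_HOST = "<script>alert(document.cookie)</script>.example.com"


def self_referencing_url(server_name, port, client_host, use_canonical_name):
    """Host part of a self-referencing URL as the entry describes Apache's
    behaviour: ServerName:Port when UseCanonicalName is on, otherwise whatever
    the client sent."""
    if use_canonical_name:
        return "https://%s:%d/" % (server_name, port)
    return "https://%s/" % client_host


def validated_self_referencing_url(server_name, port, client_host, use_canonical_name):
    """Same, but a client-supplied host is used only if it is a hostname
    (optionally with a numeric port); anything else falls back to the canonical name."""
    if not use_canonical_name:
        host, _, hport = client_host.partition(":")
        if HOSTNAME_RE.match(host) and (hport == "" or hport.isdigit()):
            return "https://%s/" % client_host
    return "https://%s:%d/" % (server_name, port)


def vulnerable_page(reflected):
    """Reflects a value into HTML unescaped: the YaBB password field and the
    mod_ssl hostname both fail this way."""
    return '<p>Error: <a href="%s">%s</a></p>' % (reflected, reflected)


def hardened_page(reflected):
    """Escape for the attribute context and for the text context."""
    return '<p>Error: <a href="%s">%s</a></p>' % (
        html.escape(reflected, quote=True), html.escape(reflected, quote=False))


if __name__ == "__main__":
    url = self_referencing_url("www.example.com", 443, EVIL_HOST, use_canonical_name=False)
    print(vulnerable_page(url))
    print(hardened_page(url))
    print(validated_self_referencing_url("www.example.com", 443, EVIL_HOST, False))
```

Escaping is the complete fix for the YaBB and mod_ssl cases because the reflected value is never meant to be markup. kmMail is harder: a webmail client has to render HTML mail, so escaping everything is not an option and an allowlist sanitizer for tags and attributes is required instead, which this example does not attempt.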
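The kadmind and IPSec ESP entries describe the same missing step: a length taken from the packet is used before it is compared with the bytes actually received and with the size of the buffer it lands in. The following added example (not MIT Kerberos, KAME or FreeSWAN code; the buffer size and the packets are constructed) shows both checks, once for a length-prefixed field and once for the ESP layout of RFC 2406, rejecting short packets before any field is read. In C the unchecked version is a memcpy past the end of authent.dat or a read past the end of the packet buffer; in Python the same omission shows up as wrong results rather than a crash, so the checks are written as explicit rejections.

```python
"""Bounds checks on untrusted length fields: added example for the kadmind
and ESP entries; not Kerberos, KAME or FreeSWAN code."""
import struct

AUTHENT_DAT_MAX = 1250   # constructed stand-in for a fixed-size destination buffer
ESP_HDR_LEN = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_LEN = 2      # pad length (1 byte) + next header (1 byte)


def read_length_prefixed(buf, offset=0, max_len=AUTHENT_DAT_MAX):
    """Read a big-endian 32-bit length and that many bytes from `buf`.
    The length is checked against both the data actually present and the
    destination size, which is the check the kadmind entry says is missing.
    Returns (field_bytes, next_offset)."""
    if len(buf) - offset < 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    if length > max_len:
        raise ValueError("length %d exceeds destination buffer of %d" % (length, max_len))
    start = offset + 4
    if length > len(buf) - start:
        raise ValueError("length %d exceeds %d bytes available" % (length, len(buf) - start))
    return buf[start:start + length], start + length


def parse_esp(packet, icv_len=0):
    """Parse an ESP packet (SPI, sequence number, payload, padding, pad length,
    next header, optional ICV). Every length is validated before any field is
    read, so a short packet is rejected instead of being read past its end.
    Returns (spi, seq, payload, next_header)."""
    min_len = ESP_HDR_LEN + ESP_TRAILER_LEN + icv_len
    if len(packet) < min_len:
        raise ValueError("ESP packet too short: %d < %d" % (len(packet), min_len))
    spi, seq = struct.unpack(">II", packet[:ESP_HDR_LEN])
    if spi == 0:
        raise ValueError("SPI 0 is reserved and must not appear on the wire")
    body_end = len(packet) - icv_len              # the ICV, if any, sits at the very end
    pad_len = packet[body_end - 2]
    next_header = packet[body_end - 1]
    body = packet[ESP_HDR_LEN:body_end - ESP_TRAILER_LEN]
    if pad_len > len(body):
        raise ValueError("pad length %d exceeds body of %d bytes" % (pad_len, len(body)))
    payload = body[:len(body) - pad_len]
    return spi, seq, payload, next_header


def build_esp(spi, seq, payload, next_header, pad_len=0, icv=b""):
    """Constructed encoder used to produce test packets (zero-filled padding)."""
    return (struct.pack(">II", spi, seq) + payload + bytes(pad_len)
            + bytes([pad_len, next_header]) + icv)


if __name__ == "__main__":
    print(parse_esp(build_esp(0x1001, 7, b"data", 6, pad_len=2)))
    try:
        parse_esp(b"\x00\x00\x00\x01\xff\xff\xff\xff")   # header only, high sequence number
    except ValueError as err:
        print("rejected:", err)
```

The order of the checks matters: the minimum-length test comes before the header is unpacked, and the pad length is compared against the body that is actually present, so a crafted sequence number or pad byte can never steer an index outside the packet. The same two comparisons, against the bytes received and against the destination buffer, are the fix for the authent.length copy in kadm_ser_in().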
