Cisco AS5350 Universal Gateway Portscan Denial Of Service Vulnerability
BugTraq ID: 6059
Remote: Yes
Date Published: Oct 28 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6059
Summary:
Cisco AS5350 Universal Gateway is a hardware gateway capable of providing access to any service on any port.

The Cisco AS5350 Universal Gateway is reported to be prone to a denial of service condition. It is possible to cause this condition by portscanning a vulnerable device; the issue was demonstrated using the nmap portscanning utility. Exploitation of this condition causes a "hard" lockup, requiring that the device be power-cycled before functionality is restored.

This issue was reported for Cisco AS5350 devices running Cisco IOS release 12.2(11)T. Other firmware and devices may also be affected.

There are conflicting reports regarding the existence of this vulnerability. One source states that the condition reportedly does not occur if no Access Control Lists (ACLs) are applied on the device, and also mentions that it may be related to a known SSH bug. Other sources have indicated that the issue may be related to a configuration problem.

[ hardware ]

SonicWall Content Filtering Software URL Filter Bypassing Vulnerability
BugTraq ID: 6063
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6063
Summary:
SonicWall Content Filtering software is designed for use with SonicWall appliances. A problem with the software could make it possible for a user to circumvent restrictions placed on URLs.

It has been reported that the SonicWall Content Filtering software does not sufficiently check addresses when requests are made. Because of this, it would be possible for a user behind the system to reach a restricted-access site by requesting the site by its IP address.

It should be noted that this is potentially a configuration issue. The design of URL filtering software typically requires that all sites be blacklisted by default, with a whitelist of authorized sites specified.
[ hardware ]

Arescom NetDSL-800 Firmware Undocumented Username/Password Weakness
BugTraq ID: 6064
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6064
Summary:
The Arescom NetDSL 800 series ADSL modem/router is a stand-alone device. It is compatible with various operating systems including Windows, MacOS, Unix, and Linux.

A weakness has been discovered in NetDSL-800 router firmware. It has been reported that NetDSL-800 firmware, as configured by certain Internet Service Providers (ISPs), contains undocumented users. These undocumented users have administrative privileges.

It is possible to obtain a target device's undocumented username and password using a network sniffer and the Arescom NetDSL Remote Manager. Access to this information could grant unauthorized administrative access to remote attackers. Administrative privileges gained on target routers may allow attackers to corrupt configuration settings or cause a denial of service.

It should be noted that not all firmware configurations necessarily contain undocumented users. Firmware configured by the MSN ISP is reported to be vulnerable. It should also be noted that it has not yet been confirmed whether a unique username and password are generated for each device.

[ hardware ]

GTetrinet Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 6062
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6062
Summary:
GTetrinet is a freely available, open source networked Tetris game client. It is available for Linux and Microsoft Windows systems.

Several problems have been reported in the GTetrinet client that could result in remote exploitation. Due to several bounds checking vulnerabilities in GTetrinet, the user of a vulnerable client could be exposed to unintended actions on the part of a malicious server.
Exploitation of these vulnerabilities by a malicious server could result in a denial of service and potentially in the execution of arbitrary instructions in the security context of the user. These vulnerabilities are due to numerous insecure strcat and strcpy calls in the GTetrinet code. Code executed through these vulnerabilities could result in an attacker gaining access to the vulnerable system with the privileges of the client.

Apache 2 WebDAV CGI POST Request Information Disclosure Vulnerability
BugTraq ID: 6065
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6065
Summary:
WebDAV (Web-based Distributed Authoring and Versioning) is a set of HTTP extensions that allows multiple users to edit and manage files on remote web servers.

An information disclosure vulnerability has been reported for Apache 2. The vulnerability occurs due to inadequate checks being performed on CGI scripts. This vulnerability exists only when both WebDAV and CGI are enabled for a folder.

An attacker can exploit this vulnerability by making a POST request to a CGI script. Due to improper interaction between WebDAV and CGI scripts, this will result in the web server returning the contents of the CGI script to the remote attacker. Information obtained in this manner may allow an attacker to launch further, potentially destructive, attacks against a vulnerable system.

Cisco ONS15454/ONS15327 Optical Transport Platforms Multiple Vulnerabilities
BugTraq ID: 6073
Remote: Yes
Date Published: Oct 31 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6073
Summary:
Multiple vulnerabilities have been reported in the Cisco ONS15454 Optical Transport and Cisco ONS15327 Edge Optical Transport platforms. To exploit these issues, the attacker must be able to access the affected services on TCC, TCC+ and XTC control cards.
The first vulnerability will allow an attacker to connect to FTP services on TCC, TCC+ or XTC control cards with non-existent user and password credentials. The consequence is unauthorized access for malicious users who are able to reach TCC, TCC+ or XTC control cards. Unauthorized FTP access will enable an attacker to upload modified configuration files or delete software images.

The second vulnerability may allow attackers with access to the running image database for TCC, TCC+ or XTC control cards to gain unauthorized access to authentication credentials. Authentication credentials are stored in plaintext in the image database. If authentication credentials can be obtained, the attacker may gain administrative control of the Cisco ONS platform.

The third vulnerability is due to a default, unchangeable "public" SNMP community string. This may allow unauthorized SNMP access to TCC, TCC+ or XTC control cards. The attacker may gain access to the SNMP MIBs. At the very least, this may disclose sensitive network information to attackers.

The fourth issue is a denial of service condition which occurs when an invalid CORBA Interoperable Object Reference (IOR) is requested via HTTP. Such a request will cause TCC, TCC+ or XTC control cards to reset.

The fifth issue is another denial of service condition. This condition is triggered when a malformed HTTP request is made to TCC, TCC+ or XTC control cards. HTTP requests which start with any character other than a forward slash (/) will trigger the condition and cause the control cards to reset.

The sixth issue is a problem with a default username/password for TCC, TCC+ and XTC control cards. The default VxWorks OS account password cannot be changed, nor is it possible to disable the account. This may be exploited if the attacker can connect to one of the control cards via telnet. The attacker may gain administrative control of the Cisco ONS platform.
** When analysis of these issues is complete, each separate vulnerability will be given an individual Bugtraq ID.

[ hardware ]

LPRNG runlpr Local Privilege Escalation Vulnerability
BugTraq ID: 6077
Remote: No
Date Published: Oct 31 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6077
Summary:
The 'runlpr' utility is distributed with lprng and is used to allow regular users to invoke the lpr process as the root user.

A vulnerability has been discovered in the 'runlpr' utility which could allow a malicious user to execute arbitrary commands with elevated privileges. An attacker can exploit this vulnerability by passing malicious commands to lpr via the command line. This will result in arbitrary attacker-supplied commands being executed with root-level privileges.

Precise technical details regarding this issue are unknown at this time. This BID will be updated accordingly as more information regarding the vulnerability becomes available.

LPRNG html2ps Remote Command Execution Vulnerability
BugTraq ID: 6079
Remote: Yes
Date Published: Oct 31 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6079
Summary:
A vulnerability has been discovered in the html2ps filter which is included in the lprng print system. It has been reported that it is possible for a remote attacker to execute arbitrary commands with the privileges of the 'lp' user. Depending on the method used to invoke the lpr daemon, it may be possible to execute commands with root privileges.

Precise technical details regarding this issue are unknown at this time. This BID will be updated accordingly as more information regarding the vulnerability becomes available.
Cisco ONS15454/ONS15327 Optical Transport Platforms Plaintext Credentials Vulnerability
BugTraq ID: 6078
Remote: No
Date Published: Oct 31 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6078
Summary:
Cisco ONS15454 Optical Transport and Cisco ONS15327 Edge Optical Transport platforms are optical networking devices that allow multiple network elements to be combined on a single platform.

A vulnerability has been reported in the Cisco ONS15454 Optical Transport and Cisco ONS15327 Edge Optical Transport platforms. Administrative authentication credentials are stored in plaintext in the running image database for TCC, TCC+ or XTC control cards. An attacker with access to a backup of the running image database may trivially retrieve these credentials. If authentication credentials can be obtained, the attacker may gain administrative control of the Cisco ONS platform.

** This issue was originally described in Bugtraq ID 6073 "Cisco ONS15454/ONS15327 Optical Transport Platforms Multiple Vulnerabilities" and is now being assigned an individual Bugtraq ID.

[ hardware, and a few others not mentioned ]

Linksys BEFSR41 Gozila.CGI Denial Of Service Vulnerability
BugTraq ID: 6086
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6086
Summary:
Linksys BEFSR41 is vulnerable to a denial of service condition. The denial of service condition will be triggered when the device receives a request for the script file 'Gozila.cgi' without any parameters. An attacker can exploit this vulnerability to cause the device to stop functioning. Rebooting the device is necessary to restore functionality.

This vulnerability affects the Linksys BEFSR41 device with firmware older than 1.42.7. Other devices employing the same firmware are likely to be vulnerable to this issue.
[ hardware ]

Michael Krax log2mail Remote Buffer Overflow Vulnerability
BugTraq ID: 6089
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6089
Summary:
The log2mail daemon is a small utility used to watch logfiles and send mail when specified patterns are matched. It is available for Linux and Unix operating systems. Typically, the log2mail daemon is invoked by init scripts during the boot process and runs with root privileges.

A remotely exploitable buffer overflow has been discovered in the log2mail daemon. By generating malicious log entries, it is possible for a remote attacker to cause a static buffer to be overrun, resulting in memory corruption. By exploiting this vulnerability, it may be possible to overwrite sensitive memory variables with attacker-supplied values, resulting in the execution of arbitrary code with the privileges of the daemon.

This vulnerability was reported in log2mail v0.2.5. It is not yet known if this issue affects earlier versions.

Multiple Vendor Access Point Embedded HTTP Server Denial of Service Vulnerability
BugTraq ID: 6090
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6090
Summary:
A denial of service vulnerability has been reported for the HTTP servers used by multiple networking devices. The denial of service will be triggered when the embedded web server receives an HTTP request that contains an overly long header. An attacker can exploit this vulnerability to cause the device to stop functioning. Rebooting the device is necessary to restore functionality.

This vulnerability was reported for Access Point devices by Linksys and D-Link. Other vendors may be affected. Although not yet confirmed, it has been speculated that this issue is the result of a buffer overflow.
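The GTetrinet entry (BID 6062) attributes its overflows to unchecked strcat and strcpy calls on data from a server, and the log2mail entry (BID 6089) describes a static buffer overrun by over-long log entries. The following C program is an added illustration of the defensive pattern that closes both, not code from GTetrinet, log2mail or the advisories: every copy or append into a fixed buffer is bounds-checked and refuses input that would not fit, and a log watcher built on those helpers counts oversized lines instead of being corrupted by them. The buffer size, the helper names and the syslog-style sample lines are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size line buffer standing in for the static buffers the
 * GTetrinet and log2mail advisories describe; the size is a constructed
 * example value, not taken from either program. */
#define LINE_BUF_LEN 128

/* Bounded replacement for an unchecked strcpy(): copies src into dst only if
 * it fits together with the terminating NUL. Returns 0 on success and -1
 * (leaving dst empty) when the input would have overrun the buffer. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return -1;
    if (n >= dstlen) {          /* no room for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for an unchecked strcat(): appends src to the
 * NUL-terminated string already in dst, refusing rather than overrunning. */
int append_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t used = strlen(dst);
    size_t n = strlen(src);
    if (used >= dstlen || n >= dstlen - used)
        return -1;
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* Outcome of scanning a batch of untrusted lines for a pattern. */
typedef struct {
    int matched;    /* lines that fit the buffer and contained the pattern */
    int rejected;   /* lines refused because they exceeded LINE_BUF_LEN - 1 */
} scan_result;

/* Scan lines the way a log watcher would: each line is copied into a fixed
 * buffer through the bounds check above and only then matched. An oversized
 * line is counted and skipped instead of corrupting memory. */
scan_result scan_lines(const char *const *lines, size_t nlines, const char *pattern)
{
    scan_result r = {0, 0};
    char buf[LINE_BUF_LEN];
    for (size_t i = 0; i < nlines; i++) {
        if (copy_bounded(buf, sizeof buf, lines[i]) != 0) {
            r.rejected++;
            continue;
        }
        if (strstr(buf, pattern) != NULL)
            r.matched++;
    }
    return r;
}

/* Constructed sample: three ordinary syslog-style lines plus one line longer
 * than the buffer, the kind of entry a remote party can cause to be logged. */
scan_result run_sample(void)
{
    static char oversized[LINE_BUF_LEN + 200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    const char *lines[] = {
        "Nov  1 10:00:01 host sshd[123]: Accepted password for alice",
        "Nov  1 10:00:05 host sshd[124]: Failed password for invalid user admin",
        oversized,
        "Nov  1 10:00:09 host sshd[125]: Failed password for root",
    };
    return scan_lines(lines, sizeof lines / sizeof lines[0], "Failed password");
}

/* Exercises the two helpers at their exact boundaries; returns 1 if every
 * case behaves as documented, 0 otherwise. */
int self_check(void)
{
    char b[8];
    if (copy_bounded(b, sizeof b, "abcdefg") != 0) return 0;   /* 7 chars + NUL fits */
    if (copy_bounded(b, sizeof b, "abcdefgh") != -1) return 0; /* 8 chars does not */
    if (copy_bounded(b, sizeof b, "abc") != 0) return 0;
    if (append_bounded(b, sizeof b, "defg") != 0) return 0;    /* fills to 7 */
    if (strcmp(b, "abcdefg") != 0) return 0;
    if (append_bounded(b, sizeof b, "h") != -1) return 0;      /* one more overruns */
    return 1;
}

int main(void)
{
    scan_result r = run_sample();
    printf("self_check=%d matched=%d rejected=%d\n", self_check(), r.matched, r.rejected);
    return 0;
}
```

The point of `scan_lines` is that the length decision is made once, at the boundary where untrusted data enters the fixed buffer, so a pattern match or a mail notification never operates on data that has already overwritten adjacent memory; the same structure applies to a game client copying server messages or an embedded HTTP server copying request headers.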
Iomega NAS A300U CIFS/SMB Mounts Plaintext Authentication Vulnerability
BugTraq ID: 6093
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6093
Summary:
Iomega NAS A300U (Network Attached Storage) is a network storage device that supports Unix variants and Microsoft Windows operating systems. Iomega NAS A300U devices provide support for drive mounts using CIFS/SMB.

Iomega NAS A300U devices are reported to use LANMAN authentication for access to CIFS/SMB mounts. LANMAN authentication credentials are sent across the network in plaintext and may be intercepted by attackers with the ability to sniff network traffic. It has also been reported that this may allow session hijacking attacks to occur. Exploitation of this issue will allow attackers to gain unauthorized access to CIFS/SMB mounts.

This issue was reported for Iomega NAS A300U on Unix platforms. Other platforms and Iomega devices may also be affected.

Iomega NAS A300U Plaintext NAS Administration Credentials Vulnerability
BugTraq ID: 6092
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6092
Summary:
Iomega NAS A300U (Network Attached Storage) is a network storage device that supports Unix variants and Microsoft Windows operating systems. Iomega NAS A300U devices provide a web interface for remote administration.

Iomega NAS A300U is reported to send NAS administrative interface authentication credentials in plaintext across the network. The credentials may be disclosed to attackers with the ability to intercept network traffic, which may enable them to gain unauthorized access to the NAS administrative interface.

It has also been reported that the documentation for the device claims that authentication credentials are sent encrypted. Users of the device may therefore be led to believe that credentials are sent encrypted, creating a false sense of security.

This issue was reported for Iomega NAS A300U on Unix platforms.
Other platforms and Iomega devices may also be affected.

Abuse Local Buffer Overflow Vulnerability
BugTraq ID: 6094
Remote: No
Date Published: Nov 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6094
Summary:
Abuse is a popular side-scrolling video game. It is available for Linux and Unix operating systems.

Buffer overflow vulnerabilities have been discovered in both the abuse.console and abuse.x11R6 files, which are installed setuid 'root' and setgid 'games' respectively. It is possible to trigger the overflow by passing an excessively long string, containing roughly 500 bytes, as a parameter to the '-net' command line argument. Exploiting this issue would allow a local attacker to overwrite sensitive memory variables, potentially resulting in the execution of arbitrary code with superuser privileges.

It should be noted that Abuse 2.00, packaged and distributed with the x86 architecture of Debian Linux 3.0, has been reported vulnerable. It is not yet known if other packages are affected by this

[ + some PHP scripts ]

- To post an announcement: [EMAIL PROTECTED]
