PADL Software nss_ldap DNS Query Response Denial of Service Vulnerability
BugTraq ID: 6130
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6130
Summary:
nss_ldap is a module offered by Padl Software that allows a system to use LDAP directories as the source of information for user attributes and related data. A vulnerability has been discovered in nss_ldap related to the handling of DNS queries. It has been reported that nss_ldap fails to verify whether data returned in DNS query responses has been truncated by resolver libraries. When processing a DNS query response containing truncated data, nss_ldap will attempt to parse more data than is available. This could cause the nss_ldap process to crash. It is unlikely that this is exploitable to execute arbitrary code; however, this is not confirmed.

[ license unclear ]

Simple Web Server File Disclosure Vulnerability
BugTraq ID: 6145
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6145
Summary:
Simple Web Server is a simple lightweight webserver available for the Linux platform. It has been reported that Simple Web Server does not properly sanitize web requests. By sending a malicious web request to the vulnerable server, containing a slash-slash sequence ('//'), it is possible for a remote attacker to disclose files, effectively bypassing any access control measures in place. Disclosure of sensitive files may aid the attacker in launching further attacks against the target system.

CVSup-Mirror Insecure Temporary Files Vulnerability
BugTraq ID: 6150
Remote: No
Date Published: Nov 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6150
Summary:
cvsup-mirror is included in the FreeBSD ports collection and is intended to be used in combination with cvsup to create easily maintainable FreeBSD mirrors. cvsup-mirror is prone to a vulnerability which may enable local attackers to corrupt critical system files. This issue is present in the 'cvsupd.sh' shell script. The source of this issue is that 'cvsupd.sh' creates temporary files in a directory which malicious local users may potentially have access to.
The vulnerable shell script creates a file entitled 'cvsupd.out' in the /var/tmp/ directory. A local attacker could create a symbolic link in /var/tmp with the same name, pointing to critical system files. Any actions performed by cvsup-mirror on 'cvsupd.out' will instead be performed on files pointed to by the symbolic link. Files that are writable by the user running the vulnerable software may be overwritten in this manner. This may result in a denial of service if critical files are overwritten, and may potentially allow for privilege escalation.

KGPG Key Generation Empty Passphrase Vulnerability
BugTraq ID: 6152
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6152
Summary:
KGPG is a KDE graphical front-end for GPG (GNU Privacy Guard). It is designed for use with the KDE Desktop Environment and GPG. It is available for Unix and Linux variant operating systems. A vulnerability has been reported for KGPG. Reportedly, KGPG generates secret keys in an unsafe manner. The vulnerability is the result of how KGPG sends command line arguments to GPG. The vulnerability occurs when keys are generated using the key generation graphical wizard. All keys generated using the wizard will have an empty passphrase. An attacker can exploit this vulnerability to obtain access to some potentially sensitive information. This vulnerability was reported for KGPG versions 0.6 to 0.8.2.

KDE Network RESLISA Buffer Overflow Vulnerability
BugTraq ID: 6157
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6157
Summary:
LISa (LAN Information Server) is a service designed for Linux variant operating systems. It provides LAN browsing capabilities on Linux systems. resLISa is a restricted version of LISa and is distributed with LISa. A buffer overflow vulnerability has been reported for resLISa. The vulnerability results from inadequate checks on the LOGNAME environment variable.
An attacker can exploit this vulnerability by setting a LOGNAME environment variable with an overly long value. When the attacker invokes resLISa, the service will crash and the attacker may obtain control over the execution of the vulnerable service. resLISa is typically installed as a setuid root binary.

ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
BugTraq ID: 6159
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6159
Summary:
BIND is a server program that implements the domain name service protocol. It is used widely on the Internet. A denial of service vulnerability has been reported for ISC BIND 8. The vulnerability is due to caching of SIG RR (resource records) with invalid expiry times. An attacker who controls an authoritative name server may be able to cause vulnerable BIND 8 servers to cache invalid SIG RR elements. When the vulnerable DNS server attempts to reference the SIG RR elements, the denial of service condition results. It has been reported that ISC BIND 8 versions up to 8.3.3 are vulnerable to this issue.

ISC BIND OPT Record Large UDP Denial of Service Vulnerability
BugTraq ID: 6161
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6161
Summary:
BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, in use by most of the DNS servers. Recursive BIND 8 servers are vulnerable to a denial of service condition. Requesting a DNS lookup on a non-existent sub-domain of a valid domain may cause BIND to fail. The attacker would have to attach an OPT resource record with a large UDP payload size in order to exploit this vulnerability. The denial of service may also occur when a domain is queried and the authoritative DNS servers are unreachable.
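The nss_ldap entry above turns on one missing check: the parser trusted the record counts and length fields in the response instead of the number of bytes the resolver actually returned. The following bounds-checked parser is an added example written for this digest, not code from nss_ldap, BIND or any resolver library. It parses a constructed SRV response (the record type nss_ldap uses to locate LDAP servers), refuses to read past the end of the buffer, follows only backward compression pointers, and treats the TC flag as a signal to retry over TCP rather than parse a partial answer section. All names, offsets and sample values are constructed.

```python
import struct


class TruncatedResponse(ValueError):
    """The message ends before the data its header or length fields promise."""


def _read(buf, off, n):
    # Every read goes through this check. The nss_ldap defect was the opposite:
    # trusting the header counts and reading past the bytes actually present.
    if off + n > len(buf):
        raise TruncatedResponse(f"need {n} bytes at offset {off}, only {len(buf) - off} left")
    return buf[off:off + n], off + n


def _read_name(buf, off, depth=0):
    """Decode a DNS name; compression pointers may only refer to earlier bytes."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        raw, off = _read(buf, off, 1)
        length = raw[0]
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0 == 0xC0:
            raw, end = _read(buf, off, 1)
            ptr = ((length & 0x3F) << 8) | raw[0]
            if ptr >= off - 1:              # the pointer byte itself sits at off - 1
                raise ValueError("forward compression pointer")
            tail, _ = _read_name(buf, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), end
        raw, off = _read(buf, off, length)
        labels.append(raw.decode("ascii"))


def _read_rr(buf, off):
    name, off = _read_name(buf, off)
    fixed, off = _read(buf, off, 10)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", fixed)
    rdata, off = _read(buf, off, rdlen)     # RDLENGTH is checked against the buffer, not trusted
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off


def decode_srv(rdata):
    """Decode SRV RDATA (priority, weight, port, target) with the same bounds checks."""
    fixed, off = _read(rdata, 0, 6)
    priority, weight, port = struct.unpack("!HHH", fixed)
    target, _ = _read_name(rdata, off)
    return priority, weight, port, target


def parse_dns_response(buf):
    header, off = _read(buf, 0, 12)
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", header)
    if flags & 0x0200:
        # TC bit: the server itself marks the message as cut short. The right
        # reaction is to retry over TCP, not to parse the partial answer section.
        raise TruncatedResponse("TC flag set; response was truncated by the server")
    questions = []
    for _ in range(qd):
        qname, off = _read_name(buf, off)
        q, off = _read(buf, off, 4)
        questions.append((qname,) + struct.unpack("!HH", q))
    records = []
    for _ in range(an + ns + ar):
        rr, off = _read_rr(buf, off)
        records.append(rr)
    return {"id": xid, "questions": questions, "records": records}


def parse_or_reason(buf):
    """Turn a rejected message into a short string, for callers that only need a verdict."""
    try:
        parse_dns_response(buf)
        return "ok"
    except TruncatedResponse as exc:
        return f"rejected: {exc}"


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_srv_response(xid=0x1234, truncated_flag=False):
    """Constructed sample: one SRV answer whose owner name is compressed (0xC00C -> question)."""
    flags = 0x8180 | (0x0200 if truncated_flag else 0)
    header = struct.pack("!HHHHHH", xid, flags, 1, 1, 0, 0)
    question = _encode_name("_ldap._tcp.example.com") + struct.pack("!HH", 33, 1)
    rdata = struct.pack("!HHH", 0, 0, 389) + _encode_name("ldap.example.com")
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 33, 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    full = build_srv_response()
    print(decode_srv(parse_dns_response(full)["records"][0]["rdata"]))
    print(parse_or_reason(full[:-5]))                           # resolver-style truncation
    print(parse_or_reason(build_srv_response(truncated_flag=True)))
```

The same discipline applies to the BIND OPT issue listed above: an OPT record advertising a large UDP payload size is a claim by the peer, and the receiving side must still size its reads by the bytes it actually has.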
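The cvsup-mirror entry above describes the predictable-name symlink problem in a shared temporary directory. The following Python is an added example for this digest, not cvsup-mirror's own code or a port of cvsupd.sh. It stages the precondition the advisory describes inside a private sandbox directory (a symlink named cvsupd.out pointing at a file that stands in for a critical system file), shows that a plain truncating open() writes through the link, and shows the two fixes: O_CREAT|O_EXCL|O_NOFOLLOW when the name must stay fixed, and mkstemp for an unpredictable name. Paths and file contents are constructed; nothing outside the sandbox is touched.

```python
import os
import shutil
import tempfile

PREDICTABLE_NAME = "cvsupd.out"        # the fixed name the advisory describes


def unsafe_write(shared_dir, data):
    """The pattern in the advisory: fixed name in a shared directory, plain truncating open().
    If that name already exists as a symlink, open() follows it and writes through it."""
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def safe_open_fixed_name(shared_dir, data):
    """Hardened form for a fixed name: O_CREAT|O_EXCL fails if anything (file or link)
    already exists, and O_NOFOLLOW refuses a symlink at the final path component."""
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def safe_write_mkstemp(shared_dir, data):
    """Preferred form: mkstemp picks an unpredictable name and uses O_CREAT|O_EXCL itself."""
    fd, path = tempfile.mkstemp(prefix="cvsupd.", suffix=".out", dir=shared_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Stage the advisory's precondition in a private sandbox and compare the three writers.
    Returns a dict of observations; the sandbox is removed afterwards."""
    sandbox = tempfile.mkdtemp(prefix="cvsup-demo-")
    try:
        critical = os.path.join(sandbox, "critical.conf")   # stands in for a system file
        shared = os.path.join(sandbox, "var_tmp")           # stands in for /var/tmp
        os.mkdir(shared)
        with open(critical, "w") as fh:
            fh.write("original contents\n")
        # Constructed precondition: a link with the predictable name is already in place.
        os.symlink(critical, os.path.join(shared, PREDICTABLE_NAME))

        results = {}
        unsafe_write(shared, "cvsupd log output\n")
        with open(critical) as fh:
            results["after_unsafe"] = fh.read()              # clobbered through the link

        with open(critical, "w") as fh:
            fh.write("original contents\n")                   # reset before the hardened run
        try:
            safe_open_fixed_name(shared, "cvsupd log output\n")
            results["safe_fixed"] = "wrote"
        except OSError as exc:                                 # EEXIST (or ELOOP) expected
            results["safe_fixed"] = f"refused: {exc.strerror}"
        with open(critical) as fh:
            results["after_safe"] = fh.read()                  # untouched

        tmp = safe_write_mkstemp(shared, "cvsupd log output\n")
        results["mkstemp_name_is_private"] = (
            os.path.basename(tmp) != PREDICTABLE_NAME and not os.path.islink(tmp)
        )
        return results
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In a shell script such as cvsupd.sh the equivalent of the mkstemp branch is mktemp(1); the point either way is that the file is created by the program with exclusive semantics, never opened by a name an unprivileged user could have planted first.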
ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
BugTraq ID: 6160
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6160
Summary:
BIND is a server program that implements the domain name service protocol. It is widely used on the Internet. It has been reported that DNS servers, running BIND with recursive DNS functionality enabled, are prone to a buffer overflow condition. This issue is triggered when the vulnerable DNS server is constructing DNS responses for cached information. An attacker-controlled authoritative DNS server may cause BIND to cache information into an internal database, when recursion is enabled. Cached information is accessed when a DNS client request is received. A vulnerability exists when creating a DNS response containing SIG resource records (RR), which may lead to the buffer overflow condition. By causing the vulnerable DNS server to cache information, and sending a malicious client request, it may be possible for a remote attacker to cause a buffer to be overrun. Exploitation of this issue could result in the execution of arbitrary attacker-supplied code with the privileges of the vulnerable BIND daemon. It should be noted that recursive DNS functionality is enabled by default.

Light HTTPD GET Request Buffer Overflow Vulnerability
BugTraq ID: 6162
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6162
Summary:
Light httpd is a small HTTP server, derived from ghttpd. It is available for a large variety of platforms, including Linux, BSD, Solaris, and Microsoft Windows operating systems. A vulnerability has been discovered in Light httpd, when processing GET requests. Passing an excessively long GET request to a vulnerable server, containing roughly 1024 or more bytes of data, will trigger a buffer overflow. This will typically result in sensitive memory being overwritten with attacker-supplied values.
Exploitation of this issue will result in the execution of arbitrary commands with the privileges of the target web server. As Light httpd drops privileges, commands will be executed with the privileges of the 'nobody' user.

TinyHTTPD Directory Traversal Vulnerability
BugTraq ID: 6158
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6158
Summary:
It has been reported that TinyHTTPD fails to properly sanitize web requests. By sending a malicious web request to the vulnerable server, using directory traversal sequences, it is possible for a remote attacker to access sensitive resources located outside of the web root. An attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any web server readable files from outside of the web root directory. Disclosure of sensitive system files may aid the attacker in launching further attacks against the target system.

MasqMail Buffer Overflow Vulnerability
BugTraq ID: 6164
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6164
Summary:
MasqMail is an MTA (mail transport agent) designed for systems without a permanent Internet connection. A buffer overflow vulnerability has been reported for MasqMail. The vulnerability may be exploited by an attacker to execute arbitrary commands with root privileges. Although not yet confirmed, it is speculated that the vulnerability may be triggered through malicious entries in a user-supplied configuration file. Precise technical details regarding the cause of this issue are not yet known. This BID will be updated as further information becomes available.
Traceroute-nanog Local Buffer Overflow Vulnerability
BugTraq ID: 6166
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6166
Summary:
Traceroute is a tool that is used to track packets in a TCP/IP network to determine the path of network connections. Traceroute-nanog fails to drop root privileges after obtaining a RAW socket. Because of this, it is possible for a local attacker to gain root privileges by triggering a buffer overflow. Exploiting this issue may allow a local attacker to overwrite sensitive memory with malicious values, thereby redirecting typical program flow to execute attacker-supplied commands with elevated privileges. Precise technical details regarding the cause of this issue are not yet known. This BID will be updated as more information becomes available.

W3Mail File Disclosure Vulnerability
BugTraq ID: 6170
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6170
Summary:
W3Mail is a full featured open source web mail application implemented as a collection of Perl scripts that runs on Linux and Unix systems. It includes support for fetching mail from POP3 servers, MIME attachments, and for sending outgoing mail. To fix the vulnerability described as BID 5314, the email attachments directory was moved out of the webroot tree. To view attachments, the script "viewAttachment.cgi" accepts the parameter "file". The value of this parameter is passed to the open() function as the filename argument without being sanitized. Attackers may cause any file on the filesystem to open by specifying its relative path using directory traversal characters. As a result, attackers may retrieve any file and download its contents if it is readable by the webserver process. It should be noted that a valid session ID is required to exploit this vulnerability.
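The Simple Web Server, TinyHTTPD and W3Mail entries above are three instances of one defect: a request-supplied path reaches the filesystem without being confined to the permitted directory. The following Python is an added example for this digest, not code from any of those projects. It canonicalises a request path segment by segment (dropping the '//' and '/./' segments involved in the Simple Web Server case, refusing a '..' that would climb above the root as in the TinyHTTPD case, decoding percent-escapes exactly once), checks containment structurally rather than by string prefix, and for a W3Mail-style "file" parameter accepts only a plain basename. WEBROOT, ATTACH_DIR and the sample requests are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/srv/www"                              # assumed layout, constructed for the example
ATTACH_DIR = "/var/spool/w3mail/attachments"      # assumed, stands in for W3Mail's moved directory


class Forbidden(Exception):
    """Raised for any request that would leave the permitted directory."""


def canonical_request_path(request_path):
    """Canonicalise an HTTP request path by walking its segments.

    '//' and '/./' become empty or '.' segments and are dropped, '..' pops a segment,
    and a '..' with nothing left to pop is an attempt to climb above the root and is
    rejected rather than silently ignored."""
    decoded = unquote(request_path)               # decode exactly once
    if "\x00" in decoded or "%" in decoded or "\\" in decoded:
        raise Forbidden("NUL, double-encoding or backslash in path")
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise Forbidden("traversal above web root")
            parts.pop()
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def resolve_request_path(request_path, webroot=WEBROOT):
    """Map a request path to a filesystem path that is provably inside webroot."""
    rel = canonical_request_path(request_path).lstrip("/")
    candidate = posixpath.join(webroot, rel) if rel else webroot
    # Structural check, so that "/srv/www2" is not accepted as being under "/srv/www".
    if posixpath.commonpath([webroot, candidate]) != webroot:
        raise Forbidden("path escapes web root")
    return candidate


_SAFE_BASENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def attachment_path(file_param, attach_dir=ATTACH_DIR):
    """For a parameter like W3Mail's "file": allow a single plain basename and nothing
    else, instead of handing the raw value to open()."""
    if not _SAFE_BASENAME.fullmatch(file_param):
        raise Forbidden("attachment name must be a plain basename")
    return posixpath.join(attach_dir, file_param)


def outcome(func, arg):
    """Return the resolved path, or 'FORBIDDEN', so results are easy to tabulate."""
    try:
        return func(arg)
    except Forbidden:
        return "FORBIDDEN"


if __name__ == "__main__":
    for req in ["/index.html", "//etc/passwd", "/docs/../index.html",
                "/../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", "/docs/%252e%252e/x"]:
        print(f"{req:32} -> {outcome(resolve_request_path, req)}")
    for name in ["report.txt", "../../etc/passwd", ".htpasswd", "sub/report.txt"]:
        print(f"{name:32} -> {outcome(attachment_path, name)}")
```

On a real server the resolved path should additionally be opened relative to the web root (or checked with realpath) so that symlinks inside the tree cannot point back out of it; the canonicalisation above handles only what the request itself can express.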
TCPDump / LIBPCap Trojan Horse Vulnerability
BugTraq ID: 6171
Remote: Yes
Date Published: Nov 13 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6171
Summary:
tcpdump is a freely available, open source tool for analyzing network traffic. libpcap provides network packet sniffing libraries used by many popular network intrusion detection systems. Both tools are available for the Unix and Linux operating systems. It has been announced that the server hosting tcpdump and libpcap, www.tcpdump.org, was compromised recently. It has been reported that the intruder made modifications to the source code of tcpdump and libpcap to include trojan horse code. Downloads of the source code of tcpdump and libpcap from www.tcpdump.org, and numerous mirrors, likely contain the trojan code. Reports say that the trojan will run once upon compilation of tcpdump or libpcap. Once the trojan is executed, it attempts to connect to host 212.146.0.34 on port 1963. The trojan horse modifications can be found in the configure script and the 'gencode.c' source file. The 'gencode.c' modification affects only libpcap. Reportedly, 'gencode.c' is modified to force libpcap to ignore packets to and from the backdoor program. This is an attempt to hide the back door program's traffic.
The MD5 sums of the trojaned versions are reported to be:

MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz

The MD5 sums of the non-trojaned versions are:

MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz

The non-trojaned versions of these tools are available at the following locations:

http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

Additionally, the trojan displays similarity to those found in irssi, fragroute, fragrouter, BitchX, OpenSSH, and Sendmail.

[ + some PHP ]

- To post an announcement: [EMAIL PROTECTED]
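For the tcpdump/libpcap entry above, the two defender actions are checking a downloaded tarball against the published digests before building it, and watching for the build-time connection to 212.146.0.34 port 1963 that the trojan makes. The following Python is an added example for this digest, not tooling from tcpdump.org or any distribution: the digest tables and the beacon address are transcribed from the advisory, while the firewall log lines (iptables LOG style), host name and source address are constructed.

```python
import hashlib
import re

# Digests transcribed from the advisory above (MD5, as published at the time).
TROJANED_MD5 = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}
GENUINE_MD5 = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}
# Beacon destination from the advisory.
BACKDOOR_HOST, BACKDOOR_PORT = "212.146.0.34", 1963


def classify_digest(filename, md5_hex):
    """'trojaned', 'genuine', or 'unknown' (neither list: do not build it until accounted for)."""
    md5_hex = md5_hex.lower()
    if md5_hex == TROJANED_MD5.get(filename):
        return "trojaned"
    if md5_hex == GENUINE_MD5.get(filename):
        return "genuine"
    return "unknown"


def classify_tarball(filename, data):
    """Hash the downloaded bytes and classify them against the advisory's tables."""
    return classify_digest(filename, hashlib.md5(data).hexdigest())


# Constructed firewall log lines; the second one is the beacon, the third is the same host
# on an unrelated port.
SAMPLE_LOG = """\
Nov 13 10:02:11 build01 kernel: OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40122 DPT=443
Nov 13 10:02:13 build01 kernel: OUT=eth0 SRC=10.0.0.5 DST=212.146.0.34 PROTO=TCP SPT=40123 DPT=1963
Nov 13 10:02:14 build01 kernel: OUT=eth0 SRC=10.0.0.5 DST=212.146.0.34 PROTO=TCP SPT=40124 DPT=80
"""

_CONN_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def find_backdoor_beacons(log_text):
    """Flag outbound TCP connections to the beacon host. Exact host and port is a
    high-confidence match; the same host on another port is only medium confidence."""
    hits = []
    for line in log_text.splitlines():
        m = _CONN_RE.search(line)
        if not m or m.group("dst") != BACKDOOR_HOST:
            continue
        dpt = int(m.group("dpt"))
        confidence = "high" if dpt == BACKDOOR_PORT else "medium"
        hits.append({"src": m.group("src"), "dpt": dpt, "confidence": confidence, "line": line})
    return hits


if __name__ == "__main__":
    print(classify_digest("tcpdump-3.7.1.tar.gz", "3c410d8434e63fb3931fe77328e4dd88"))
    print(classify_tarball("tcpdump-3.6.2.tar.gz", b"constructed bytes, not a real tarball"))
    for hit in find_backdoor_beacons(SAMPLE_LOG):
        print(f"[{hit['confidence']}] {hit['src']} -> {BACKDOOR_HOST}:{hit['dpt']}")
```

MD5 is used here only because that is what the advisory published; a present-day check would compare a SHA-256 digest and verify the maintainer's signature on the release. An "unknown" result is a stop sign, not a pass.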
