Broom wagon.

Eric S. Raymond Fetchmail Heap Corruption Vulnerability
BugTraq ID: 6390
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6390
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond. A remotely exploitable heap overflow vulnerability has been reported for Fetchmail 6.1.3 and earlier. The vulnerability occurs when Fetchmail performs a reply-hack action. During this action, every address in the message headers is checked against the list of local email addresses, and Fetchmail then allocates a buffer sized for the case in which all of those addresses are local. Due to a calculation flaw, the buffer Fetchmail allocates is too small. An attacker can exploit this vulnerability by composing an email with specially crafted header lines and sending it to the vulnerable system. When Fetchmail attempts to parse the headers, it allocates insufficient space and corrupts heap memory with attacker-supplied values. An attacker may exploit this condition to overwrite arbitrary words in memory. This may allow for the execution of arbitrary code. This vulnerability has been reported for Fetchmail 6.1.3 and earlier.

Multiple Vendor SSH2 Implementation Vulnerabilities
BugTraq ID: 6397
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6397
Summary:
Several vulnerabilities have been reported for multiple products that use the SSH2 implementation for secure communications. The vulnerabilities have been reported to affect the KEXINIT (key exchange initialization) phase of SSH communications. It should be noted that key exchange and initialization are performed prior to any sort of authentication. An attacker may exploit these vulnerabilities to perform denial of service attacks against vulnerable systems and possibly to execute malicious, attacker-supplied code. Further information about these vulnerabilities is currently unknown. Where possible, separate BugTraq IDs will be assigned for individual vulnerabilities when more details are available.

Multiple Vendor XML Parser Denial Of Service Vulnerability
BugTraq ID: 6398
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6398
Summary:
A denial of service vulnerability occurs in the XML parser, either Crimson or Xerces, used by several vendors. An attacker can exploit this vulnerability by sending a specially crafted message to the SOAP (Simple Object Access Protocol) interface used by the vulnerable software. Specifically, malformed XML data can be inserted in the DTD (Document Type Definition) section of an XML document. When the XML parser receives this message, it will consume all available CPU resources. This will cause the system to become unresponsive to further requests for service, thereby resulting in a denial of service condition. This vulnerability has been previously described in BIDs 6363 and 6378 for Macromedia JRun and BEA Systems WebLogic.

PFinger Syslog Format String Vulnerability
BugTraq ID: 6403
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6403
Summary:
PFinger is an open-source finger daemon. It is available for Linux and Unix variants. PFinger is prone to a format string vulnerability. This problem is due to incorrect use of the 'syslog()' function to log error messages. It is possible to corrupt memory by passing format strings through the vulnerable logging function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values. This issue can be exploited via a malformed response to a DNS lookup when a host issues a finger request to the vulnerable server. The vulnerability exists in the 'log()' function in the 'log.c' source file. Successful exploitation of this issue may allow the attacker to execute arbitrary instructions with the privileges of the daemon, which normally runs as 'nobody'.
It has been suggested that this issue may not be exploitable with many available DNS resolvers, since the '%' character is not allowed in responses.

zkfingerd SysLog Format String Vulnerability
BugTraq ID: 6402
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6402
Summary:
zkfingerd is a small fingerd replacement server. It is available for Unix and Linux operating systems. zkfingerd is prone to a format string vulnerability. This problem is due to incorrect use of the 'syslog()' function to log error messages. It is possible to corrupt memory by passing format strings through the vulnerable logging function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values. The vulnerability exists in the 'putlog()' function in the 'log.c' source file. Successful exploitation of this issue may allow the attacker to execute arbitrary instructions, possibly with elevated privileges. This vulnerability was reported for zkfingerd 0.9.1 and earlier.

zkfingerd say() Format String Vulnerability
BugTraq ID: 6404
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6404
Summary:
zkfingerd is a small fingerd replacement server. It is available for Unix and Linux operating systems. zkfingerd is prone to a format string vulnerability. This problem exists in the 'say()' function. The function does not perform sufficient checks when displaying user-supplied input. It is possible to corrupt memory by passing format strings through the vulnerable function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values. Successful exploitation of this issue may allow the attacker to execute arbitrary instructions, possibly with elevated privileges. This vulnerability was reported for zkfingerd 0.9.1 and earlier.

Multiple Vendor SSH2 Implementation Incorrect Field Length Vulnerabilities
BugTraq ID: 6405
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6405
Summary:
A vulnerability involving incorrect field lengths in SSH packets has been reported for multiple products that use SSH2 for secure communications. These vulnerabilities have been reported to affect the initialization, key exchange, and negotiation phases of SSH communications. It should be noted that key exchange and initialization are performed prior to any sort of authentication. An attacker may exploit these vulnerabilities to perform denial of service attacks against vulnerable systems and possibly to execute malicious, attacker-supplied code. Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.

Multiple Vendor SSH2 Implementation Buffer Overflow Vulnerabilities
BugTraq ID: 6407
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6407
Summary:
Multiple vendor SSH2 implementations are reported to be prone to buffer overflows. These buffer overflows are alleged to be exploitable prior to authentication. These conditions were discovered during tests of the initialization, key exchange, and negotiation phases (KEX, KEXINIT) of an SSH2 transaction between client and server. These issues are known to affect various client and server implementations of the protocol. It is possible to exploit these conditions to cause memory to be corrupted with attacker-supplied data. In some cases, the resulting memory corruption can be leveraged by an attacker to cause malicious code to be executed. Successful exploitation will enable remote attackers to cause execution of code in the security context of the specific server and client implementations.
Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.

Multiple Vendor SSH2 Implementation Empty Elements / Multiple Separator Vulnerabilities
BugTraq ID: 6408
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6408
Summary:
A vulnerability has been reported for multiple SSH2 vendors. The vulnerability is a result of SSH2 packets containing empty elements or multiple separators. The vulnerability has been reported to affect the initialization, key exchange, and negotiation phases of SSH communications. It should be noted that key exchange and initialization are performed prior to any sort of authentication. An attacker may exploit these vulnerabilities to perform denial of service attacks against vulnerable systems and possibly to execute malicious, attacker-supplied code. Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.

Multiple Vendor SSH2 Implementation Null Character Handling Vulnerabilities
BugTraq ID: 6410
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6410
Summary:
Multiple vendor SSH2 implementations are reported to be prone to issues related to the handling of null characters in strings. It is reported that malformed data containing null characters may potentially cause conflicts between delimiter-based and length-based strings. These issues may be used to cause unpredictable behavior, such as a denial of service or memory corruption. It is reportedly possible to trigger these conditions prior to authentication. These conditions were discovered during tests of the initialization, key exchange, and negotiation phases (KEX, KEXINIT) of an SSH2 transaction between client and server.
These issues are known to affect various client and server implementations of the protocol. Further details about this vulnerability are currently unknown. This BID will be updated as more information becomes available. This vulnerability was originally described in BugTraq ID 6397.

Multiple Vendor Archiving Software Tar Hostile Destination Path Vulnerability
BugTraq ID: 6412
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6412
Summary:
Multiple archiving utilities are prone to a security vulnerability when unpacking .tar archives. The problem is in the handling of pathnames. By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. An attacker may take advantage of this vulnerability to cause malicious files to be placed anywhere on a target filesystem. Exploitation will vary depending on each vulnerable implementation but generally entails including dot-dot-slash (../) directory traversal sequences followed by a hostile attacker-supplied destination path. Some implementations may not give the user any indication that files will be extracted to an unexpected location.

Linux Kernel 2.2 mmap() Local Denial of Service Vulnerability
BugTraq ID: 6420
Remote: No
Date Published: Dec 17 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6420
Summary:
A denial of service vulnerability has been discovered in the Linux 2.2 kernel. It has been reported that it is possible for an unprivileged user to cause the kernel to stop responding due to a bug in the implementation of mmap(). When a process requests a map of memory which is invalid, a pointer to the buffer is returned. Although the pointer is returned, the mapped page is unreadable by the requesting process.
A failure occurs in the kernel when another process attempts to read data at the location of that pointer through an mmap() of that process's memory space (/proc/pid/mem). The kernel does not prevent read attempts on this invalid memory and as a result the system hangs. This may be due to a deadlock condition. It should be noted that this issue does not affect the 2.4 kernel tree, because support for mmap() in the /proc/pid/mem implementation has been dropped there.

CPIO Tar Hostile Destination Path Vulnerability
BugTraq ID: 6415
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6415
Summary:
cpio is a utility to copy files in and out of cpio and .tar archives. It is maintained by GNU and is available for various Unix and Linux platforms. cpio is prone to a security vulnerability when unpacking .tar archives. The problem is in the handling of pathnames. By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. An attacker may take advantage of this vulnerability to cause malicious files to be placed anywhere on a target filesystem. An attacker may exploit this condition by specifying a relative extraction path in a malicious .tar that points to sensitive or critical files, such as system binaries. The cpio utility will not warn the user that the extraction path may be hostile or may overwrite files unexpectedly. However, it is possible for users to inspect the contents of the archive to ensure that files will not be extracted to an unexpected location. This vulnerability was originally described in BID 6412 "Multiple Vendor Archiving Software Tar Hostile Destination Path Vulnerability" and is now being assigned an individual Bugtraq ID.

- To post an announcement: [EMAIL PROTECTED]
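The two tar hostile destination path entries above (BIDs 6412 and 6415) both come down to the same check that the affected extractors did not perform: whether a member's pathname, after resolving "." and ".." components, still lies under the extraction directory. The following C program is an added example written for this digest; it is not code from cpio, GNU tar or any vendor named above. The function names (tar_path_is_safe, count_hostile_members) are hypothetical, and the member list is constructed to look like an archive listing, mixing harmless names with the absolute and dot-dot-slash forms the advisories describe. It goes slightly beyond the text by also handling the case where ".." is cancelled by an earlier normal component, which a naive substring search for "../" would wrongly reject.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical checker: returns 1 if the archive member path stays inside
 * the extraction root, 0 if it would escape. A path escapes when it is
 * absolute ("/etc/passwd") or when a ".." component occurs with no
 * earlier normal component left to cancel it ("../x", "pkg/../../x").
 * Empty components ("a//b") and "." components do not change depth. */
int tar_path_is_safe(const char *path)
{
    int depth = 0;              /* number of real components below the root */
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;
    if (*path == '/')           /* absolute: extraction would ignore the root */
        return 0;

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "" or ".": no effect on depth */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)     /* nothing left to climb out of: escapes */
                return 0;
            depth--;
        } else {
            depth++;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* Constructed sample member list, shaped like an archive table of contents. */
static const char *const sample_members[] = {
    "etc/motd",
    "./docs/README",
    "../../usr/bin/ls",         /* climbs out of the root */
    "/etc/passwd",              /* absolute destination */
    "pkg/../../../tmp/evil",    /* ".." beyond the root after one real dir */
    "pkg/sub/../../ok",         /* ".." fully cancelled: lands at ./ok */
    "a//b/../c",                /* doubled separator, still inside */
};

/* Pre-extraction audit of a member list: counts names that would land
 * outside the extraction directory. Returns the number of hostile members. */
int count_hostile_members(const char *const *members, size_t n)
{
    int hostile = 0;
    for (size_t i = 0; i < n; i++)
        if (!tar_path_is_safe(members[i]))
            hostile++;
    return hostile;
}

int main(void)
{
    size_t n = sizeof sample_members / sizeof sample_members[0];
    for (size_t i = 0; i < n; i++)
        printf("%-28s %s\n", sample_members[i],
               tar_path_is_safe(sample_members[i]) ? "ok" : "HOSTILE");
    printf("%d hostile member(s)\n", count_hostile_members(sample_members, n));
    return 0;
}
```

Running the audit over an archive's table of contents before unpacking is the manual inspection step the cpio entry recommends, automated. The check covers pathnames only; it says nothing about members that are symbolic links, which an extractor would have to validate separately.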
