FreeBSD System Call f_count Integer Overflow Vulnerability
BugTraq ID: 6524
Remote: No
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6524
Summary:

A vulnerability has been reported in the FreeBSD system. Reportedly, the
fpathconf and lseek system calls are affected by vulnerabilities that may
lead to a kernel integer overflow condition.

The FreeBSD kernel has an internal reference counter maintained for each
file. This counter is incremented whenever additional references to it are
created (for example, by using the dup() system call). The counter is then
decremented for every close() call. System calls that involve files will
issue fhold() and fdrop() calls to increment and decrement this counter.

Reportedly, the fpathconf and lseek system calls do not issue a matching
fdrop() call. A local attacker can exploit this issue by repeatedly
invoking these system calls until the file reference counter overflows.
An attacker who exploits this vulnerability may cause the system to panic
or may obtain root privileges on the vulnerable system.

This vulnerability has been reported to affect RELENG_4 earlier than
20021111 and all FreeBSD RELEASE versions.
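
The reference-counting pattern described above, modelled as an added example (this is not FreeBSD's code): an unchecked hold that wraps once enough references have leaked, beside a saturating hold that refuses to wrap, driven by a syscall modelled on the fpathconf/lseek report. The struct, the saturation threshold and the helper names are assumptions for the illustration.

```c
#include <stdint.h>

/* Constructed model of a kernel file object with a 32-bit reference
 * count in the style of FreeBSD's f_count; not the kernel's code. */
struct file { uint32_t f_count; };

/* Assumed threshold: refuse to count beyond it and report the leak
 * instead of letting the counter wrap. */
#define F_COUNT_SATURATED 0xC0000000u

/* Unchecked hold, as the page describes: after enough increments the
 * counter wraps to 0, so an in-use object looks unreferenced. */
static void fhold_unchecked(struct file *fp) { fp->f_count++; }

/* Hardened hold: returns 0 on success, -1 when the counter is saturated
 * (the reference is refused and the caller must fail the operation). */
static int fhold_checked(struct file *fp) {
    if (fp->f_count >= F_COUNT_SATURATED) return -1;
    fp->f_count++;
    return 0;
}

/* Drop: returns 1 when the last reference goes away (the object would be
 * freed), 0 otherwise, -1 on underflow (a drop on an already-free object). */
static int fdrop(struct file *fp) {
    if (fp->f_count == 0) return -1;
    return --fp->f_count == 0;
}

/* A correctly balanced syscall: hold, work, drop. */
static int syscall_balanced(struct file *fp) {
    if (fhold_checked(fp) < 0) return -1;
    /* ... operate on fp ... */
    return fdrop(fp) < 0 ? -1 : 0;
}

/* The pattern reported for fpathconf()/lseek(): a hold with no drop. */
static void syscall_leaky(struct file *fp) { fhold_unchecked(fp); }

/* Run 'calls' leaky syscalls from an initial count and return the
 * resulting counter (start near the top to show the wrap quickly). */
uint32_t count_after_leaky_calls(uint32_t start, unsigned calls) {
    struct file f = { start };
    while (calls--) syscall_leaky(&f);
    return f.f_count;
}

/* Same drive with the hardened hold; returns how many holds were refused. */
unsigned refused_holds(uint32_t start, unsigned calls) {
    struct file f = { start };
    unsigned refused = 0;
    while (calls--) if (fhold_checked(&f) < 0) refused++;
    return refused;
}
```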

Longshine Wireless Access Point Devices Information Disclosure Vulnerability
BugTraq ID: 6533
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6533
Summary:

Longshine provides several products for networking including external
wireless LAN access points. An information disclosure vulnerability has
been reported for the Longshine LCS-883R-AC-B WLAN access point.

The Longshine LCS-883R-AC-B device will allow tftp connections without any
authentication. An attacker can exploit this vulnerability to connect via
tftp to the access point and download the configuration file.

Obtainable files from the tftp service include config.img, mac.dat, and
rom.img.

The configuration file contains sensitive information including the
administrator password and WEP keys. An attacker who has access to this
information may be able to modify existing settings and intercept traffic
from the access point.

** The D-Link DI-614+ product, reportedly based on the Longshine device,
appears to be vulnerable to this issue.

[ hardware ]

Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability
BugTraq ID: 6535
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6535
Summary:

Network device drivers for several vendors have been reported to disclose
potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused
portion of the frame buffer padded with null (or other) bytes.  Some
device drivers do not do this adequately, leaving the data that was stored
in the memory comprising the buffer prior to its use intact.
Consequently, this data may be transmitted within frames across ethernet
segments.  As the ethernet frame buffer is allocated in kernel memory
space, sensitive data may be leaked.

An attacker can exploit this vulnerability by sending a simple ICMP packet
to a vulnerable machine. The response to such a query is a packet that has
been padded to a sufficient length, and the padding may contain sensitive
information. An attacker may use the information obtained in this manner
to launch other attacks against a vulnerable system.

This vulnerability has been reported to affect the atp.c, axnet_cs.c,
xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant
systems. Older NetApp systems using the 'Gigabit Ethernet Controller I'
are vulnerable to this issue.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
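
Added example, not taken from any of the drivers named above: a driver-style transmit path with and without clearing of the pad bytes, plus a receive-side check that counts non-zero padding in IPv4 frames, which is how a defender can confirm the leak from a given host. The sample ICMP frame is constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN 14   /* dst, src, EtherType */
#define ETH_ZLEN 60   /* minimum frame length on the wire, FCS excluded */

/* Copy an outgoing frame into a transmit buffer the way a driver does.
 * 'txbuf' models a reused kernel buffer that may still hold old data.
 * With zero_pad == 0 the bytes between 'len' and the 60-byte minimum are
 * left as they were (the leak on this page); with zero_pad != 0 they are
 * cleared. Returns the length handed to the NIC, or 0 if it will not fit. */
size_t build_tx_frame(uint8_t *txbuf, size_t bufsz, const uint8_t *frame,
                      size_t len, int zero_pad) {
    size_t txlen = len < ETH_ZLEN ? ETH_ZLEN : len;
    if (txlen > bufsz) return 0;
    memcpy(txbuf, frame, len);
    if (zero_pad && txlen > len) memset(txbuf + len, 0, txlen - len);
    return txlen;
}

/* Detection on the receiving side: for an IPv4 frame the real payload ends
 * at 14 + IP total length; anything after that is padding and should be
 * zero. Returns the number of non-zero padding bytes, or -1 if the frame
 * is not a parseable IPv4 frame. Repeated non-zero padding from one host
 * is the signature of a leaking driver. */
int count_nonzero_padding(const uint8_t *frame, size_t len) {
    if (len < ETH_HLEN + 20 || frame[12] != 0x08 || frame[13] != 0x00) return -1;
    size_t ip_total = ((size_t)frame[ETH_HLEN + 2] << 8) | frame[ETH_HLEN + 3];
    size_t payload_end = ETH_HLEN + ip_total;
    if (ip_total < 20 || payload_end > len) return -1;
    int n = 0;
    for (size_t i = payload_end; i < len; i++) n += frame[i] != 0;
    return n;
}

/* Constructed sample: a 42-byte ICMP echo reply (14 + 20 + 8), i.e. a
 * short frame that must be padded to 60 bytes. Returns its length. */
size_t make_sample_icmp_frame(uint8_t *out, size_t n) {
    if (n < 42) return 0;
    memset(out, 0, 42);
    out[12] = 0x08; out[13] = 0x00;        /* EtherType IPv4 */
    out[ETH_HLEN] = 0x45;                  /* version 4, IHL 5 */
    out[ETH_HLEN + 3] = 28;                /* total length 20 + 8 */
    out[ETH_HLEN + 9] = 1;                 /* protocol ICMP */
    out[ETH_HLEN + 20] = 0;                /* ICMP type 0: echo reply */
    return 42;
}
```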

IPFilter TCP ACK/Bad Checksum Packet Denial Of Service Vulnerability
BugTraq ID: 6534
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6534
Summary:

IPFilter is a packet filtering implementation that is in wide use on a
variety of Unix systems.

IPFilter is prone to a denial of service when handling specially crafted
packets.

Normally when IPFilter handles a TCP ACK packet (without a previous SYN
packet to initiate the session), it will mark the session as
"TCPS_ESTABLISHED" in the state table.  The system will respond with a RST
packet and IPFilter will set the timeout for the session in the state
table to one minute.

However, when IPFilter handles this type of TCP ACK packet with a bad
checksum, it will add an "ESTABLISHED" session to its state table, which
will time out in 120 hours.

If numerous packets of this nature are sent, this may cause a denial of
service as the state table will be filled with these sessions.

This issue is known to occur when "keep state" rules are used without
"flags S".  The vendor advises users against employing this configuration.
It is possible to trigger this condition with other packet sequences.
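
Added example modelling the corrected state-table decision; it is not IPFilter's own code. The TCP checksum is verified over the pseudo-header before any state is created, and a lone ACK earns only the one-minute timeout. The layout assumed is a plain IPv4 header followed by a TCP header; tcp_set_checksum() exists so a caller can build a valid sample segment. Handshake tracking for SYNs is not modelled.

```c
#include <stdint.h>
#include <stddef.h>

#define TIMEOUT_LONE_ACK_SECONDS 60   /* page: RST is sent, one-minute timeout */

/* RFC 1071 one's-complement accumulation of a byte buffer into 'sum'. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Folded complement of the TCP pseudo-header + segment sum for an IPv4
 * packet: 0 when the checksum field is correct, and equal to the checksum
 * to insert when that field is zero. Returns 0xFFFFFFFF if the packet is
 * not a well-formed IPv4/TCP packet. */
static uint32_t tcp_csum(const uint8_t *ip, size_t len) {
    if (len < 40) return 0xFFFFFFFFu;
    size_t ihl = (ip[0] & 0x0F) * 4, total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total > len || total < ihl + 20 || ip[9] != 6) return 0xFFFFFFFFu;
    size_t tcplen = total - ihl;
    uint32_t sum = csum_add(0, ip + 12, 8) + 6 + (uint32_t)tcplen;  /* pseudo-header */
    sum = csum_add(sum, ip + ihl, tcplen);                           /* TCP header + data */
    while (sum >> 16) sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

int tcp_checksum_ok(const uint8_t *ip, size_t len) { return tcp_csum(ip, len) == 0; }

/* Write a correct TCP checksum (used here only to build sample segments). */
int tcp_set_checksum(uint8_t *ip, size_t len) {
    size_t ihl = (ip[0] & 0x0F) * 4;
    if (len < 40 || ihl < 20 || len < ihl + 20) return -1;
    ip[ihl + 16] = ip[ihl + 17] = 0;
    uint32_t c = tcp_csum(ip, len);
    if (c == 0xFFFFFFFFu) return -1;
    ip[ihl + 16] = (uint8_t)(c >> 8); ip[ihl + 17] = (uint8_t)c;
    return 0;
}

/* Decision for a TCP segment that matches no state entry, modelling the
 * corrected behaviour: a bad checksum creates no state at all (-1), and a
 * lone ACK (ACK set, SYN clear) gets only the 60-second timeout, never the
 * 120-hour ESTABLISHED one. SYN handshake tracking is not modelled (-1). */
int new_state_timeout(const uint8_t *ip, size_t len) {
    if (!tcp_checksum_ok(ip, len)) return -1;
    size_t ihl = (ip[0] & 0x0F) * 4;
    uint8_t flags = ip[ihl + 13];
    return (flags & 0x12) == 0x10 ? TIMEOUT_LONE_ACK_SECONDS : -1;
}
```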

HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 6531
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6531
Summary:

HTTP Fetcher is a small library used for downloading files via HTTP using
the GET method. It is available for various platforms including the Linux
and Unix operating systems.

Multiple buffer overflows have been discovered in HTTP Fetcher. The
vulnerabilities occur in the http_fetch() function, which is used to
gather various HTTP header information. These buffer overflows occur due
to insufficient bounds checking of user-supplied parameters.

It is possible to trigger these conditions by supplying excessive data as
the 'host', 'referer', or 'userAgent' parameters. By exploiting one of
these issues to overrun 'requestBuf', it may be possible for a remote
attacker to overwrite sensitive memory.

Successful exploitation of one of these vulnerabilities may allow an
attacker to seize control of an application linked to the library. By
overwriting the function's instruction pointer it may be possible to
execute arbitrary commands.

This issue may only be exploitable if the client application is accessible
remotely through a proxy server, for instance a server that allows a client
to make GET requests to other servers.

GeneWeb File Disclosure Vulnerability
BugTraq ID: 6549
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6549
Summary:

GeneWeb is Web based genealogy software. It is available for a variety of
platforms including Linux variant operating systems.

A file disclosure vulnerability has been reported for GeneWeb. Reportedly,
GeneWeb does not adequately sanitize some input.

An attacker can exploit this vulnerability to craft a specially formed URL
that can cause geneweb to disclose the contents of arbitrary files on the
vulnerable system.

Although unconfirmed, it is likely that an attacker can construct a URL
consisting of dot-dot-slash (../) character sequences to obtain access to
files outside of the document root. It should be noted that only files
accessible by the geneweb server will be disclosed to the attacker.

Exploitation of this vulnerability may lead to disclosure of sensitive
information that may be useful in mounting further attacks on the host
system.

This vulnerability affects GeneWeb versions 4.0.8 and earlier.

cgihtml Signed Integer Content-Length Memory Corruption Vulnerability
BugTraq ID: 6551
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6551
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C.  It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.

A vulnerability has been discovered in cgihtml which may result in memory
corruption. The problem occurs when reading a user-supplied Content-Length
value for POST data.

An attacker is able to create a situation where memory may be overwritten
by passing a negative length as the Content-Length value in a POST
request. By passing excessive POST data it is possible for the attacker to
overrun the allocated buffer, effectively overwriting heap memory. This
may cause the affected program to crash.

Although not yet confirmed, it may be possible to exploit this
vulnerability to execute arbitrary code. Placing a malicious malloc header
in heap memory may potentially allow an attacker to overwrite a GOT
address to point to shellcode.
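
Added example of the bug class and its fix; this is not cgihtml's code. It shows the signed conversion that turns a negative Content-Length into a huge read length beside a parser that accepts only an unsigned decimal within an assumed policy limit of 1 MiB.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Policy limit for this example (an assumption, not a cgihtml value). */
#define MAX_POST_BYTES (1u << 20)

/* The unchecked pattern described on the page: the header is read into a
 * signed int and then used as a size. A negative value becomes a huge
 * size_t once it reaches fread()/read(), while len + 1 becomes a tiny
 * allocation, so the POST body overruns the heap buffer. */
size_t unchecked_read_len(const char *content_length) {
    int len = atoi(content_length);
    return (size_t)len;              /* "-1" -> SIZE_MAX */
}

/* Hardened parser: accepts exactly a non-empty run of decimal digits with
 * no sign, whitespace or suffix, rejects values above the policy limit,
 * and never passes through a signed type. Returns 0 and sets *out, else -1. */
int parse_content_length(const char *s, size_t *out) {
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    if (v > MAX_POST_BYTES) return -1;
    *out = (size_t)v;
    return 0;
}

/* Allocate the POST buffer (one extra byte for a terminator) only from a
 * validated length. Returns NULL on any invalid header, so the caller can
 * never reach the read with an unchecked size. */
char *alloc_post_buffer(const char *content_length, size_t *len_out) {
    size_t len;
    if (parse_content_length(content_length, &len) < 0) return NULL;
    char *buf = malloc(len + 1);     /* len <= MAX_POST_BYTES: no overflow */
    if (buf == NULL) return NULL;
    buf[len] = '\0';
    *len_out = len;
    return buf;
}
```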

cgihtml Denial Of Service Vulnerability
BugTraq ID: 6555
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6555
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C.  It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.

A vulnerability has been discovered in cgihtml when processing Multipart
HTTP headers. It has been reported that, when processing a multipart
header, cgihtml fails to sufficiently verify the sanity of the header
structure. This may result in an affected application reading invalid
values supplied 38 bytes within a malicious header.

If this situation were to occur it may be possible for the attacker to
cause the application to crash. Although it has not yet been confirmed, it
is speculated that cgihtml contains other vulnerabilities similar to this
issue.

CGIHTML Form Data File Corruption Vulnerability
BugTraq ID: 6550
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6550
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C.  It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.

When handling uploaded form-data, cgihtml creates a temporary file to
store this data in /tmp or another user-specified directory.  The software
uses the client supplied filename when creating the temporary file.  If
the attacker supplies a malicious filename, such as one pre-pended with
dot-dot-slash (../) directory traversal sequences, it may be possible to
corrupt files outside of the specified temporary directory.

The cause of this issue is trust in user-supplied input.  The routines use
a client-supplied filename when creating the temporary file.  The routines
do not sufficiently validate that the filename is free of directory
traversal sequences or that it does not conflict with existing system
files.

For this attack to be successful, the targeted files must be writable by
a server process that utilizes the vulnerable cgihtml routines.

CGIHTML Insecure Form-Data Temporary File Vulnerability
BugTraq ID: 6552
Remote: No
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6552
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C.  It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.

When handling uploaded form-data, cgihtml creates a temporary file to
store this data in /tmp or another user-specified directory.  A client
supplied filename is used when the temporary file is created.  This
presents a security vulnerability since the name of the temporary file can
be anticipated by the attacker.

A local attacker may take advantage of this condition to create a symbolic
link in place of the temporary file, which points to another file on the
system which is writeable by a server process which utilizes the
vulnerable routines.  The vulnerable routines will follow any symbolic
links provided in place of a temporary file.  The attacker may then submit
a malicious form-data upload, using the attacker-supplied filename, and
cause local files to be corrupted.

If custom data can be written to files, it is possible to gain elevated
privileges.
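
One added example covering the three path-handling issues above (GeneWeb's dot-dot-slash traversal, the client-named temporary file of BID 6550 and the predictable temporary file of BID 6552); it is the code of neither project. The helper names, the document root and the upload.XXXXXX template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Lexical containment check for a client-supplied relative path: it must
 * not be empty or absolute, and no component may be "", "." or "..".
 * This is the validation the page says GeneWeb and cgihtml lack. */
int path_is_contained(const char *rel) {
    if (rel == NULL || *rel == '\0' || *rel == '/') return 0;
    for (const char *p = rel; ; ) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.')) return 0;
        if (end == NULL) return 1;
        p = end + 1;
    }
}

/* Join root and rel only when rel passes the check. Returns 0 or -1. */
int resolve_under_root(const char *root, const char *rel, char *out, size_t n) {
    if (!path_is_contained(rel)) return -1;
    int w = snprintf(out, n, "%s/%s", root, rel);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Uploads (BIDs 6550 and 6552): never derive the on-disk name from the
 * client. mkstemp() picks an unpredictable name and creates the file
 * exclusively, so a symlink planted under a guessed name is never
 * followed. Returns the open fd (pathbuf holds the name) or -1. */
int create_upload_file(const char *tmpdir, char *pathbuf, size_t n) {
    int w = snprintf(pathbuf, n, "%s/upload.XXXXXX", tmpdir);
    if (w < 0 || (size_t)w >= n) return -1;
    return mkstemp(pathbuf);
}

/* The client's name may be kept as metadata, but only its last component. */
const char *client_basename(const char *name) {
    const char *s = strrchr(name, '/');
    return s ? s + 1 : name;
}
```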

TANne Session Manager SysLog Format String Vulnerability
BugTraq ID: 6553
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6553
Summary:

TANne is a freely available, open source session management package.  It
is available for Unix and Linux operating systems.

A problem with TANne may make it possible to execute arbitrary code.

Due to a programming error, it may be possible to exploit a format string
vulnerability.  A logging function in the TANne program contains insecure
syslog() calls.  This could result in the execution of attacker-supplied
code.

The problem is in two syslog() calls in the netzio.c source file.  When
the program is invoked using the vulnerable function, it may be possible
to exploit a format string vulnerability through the generation of a
malicious log event which contains attacker-supplied format strings.  In
the event that this vulnerability is exploited, an attacker could cause
arbitrary locations in memory to be corrupted with attacker-specified data
and execute code with the privileges of the TANne user.
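
Added example, not TANne's code: the vulnerable and fixed forms of the syslog() call, and the same constant-format rule applied to a log line built in memory so that the literal handling of directives can be checked without a syslog daemon. The function names and the line layout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The vulnerable pattern this page describes for the syslog() calls in
 * netzio.c: text that may contain client-controlled data is passed as the
 * format string, so "%x" directives read and "%n" directives write inside
 * syslog().
 *
 *     syslog(LOG_INFO, msg);          // msg is the format: vulnerable
 *
 * The fix is a constant format with the message as an argument; gcc and
 * clang report the vulnerable form when built with -Wformat-security. */
void log_client_event(const char *msg) {
    syslog(LOG_INFO, "%s", msg);
}

/* Same rule applied to a line built in memory: directives in the
 * untrusted text are copied literally, never interpreted. Returns the
 * length written, or -1 if the line would not fit. */
int format_log_line(char *out, size_t n, const char *peer, const char *msg) {
    int w = snprintf(out, n, "peer=%s msg=%s", peer, msg);
    return (w < 0 || (size_t)w >= n) ? -1 : w;
}
```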

Efficient Networks DSL Router Denial Of Service Vulnerability
BugTraq ID: 6573
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6573
Summary:

A denial of service vulnerability has been reported for the Efficient
Networks 5861 line of DSL routers.

The vulnerability can be triggered when the router is configured to block
incoming TCP SYN flags and is subsequently portscanned.

An attacker can exploit this vulnerability by portscanning a vulnerable
DSL router on its WAN interface. When this occurs the device will
reportedly lock up and then restart after a period of time. Repeated
portscans may allow an attacker to prevent the vulnerable device from
responding indefinitely, resulting in a complete denial of service
condition.

This vulnerability was reported to affect the Efficient Networks 5861 DSL
Router. It is likely that other DSL router products are similarly
affected.

[ hardware ]

+ problems with PHP scripts (notably IMP)
