Multiple FTP Server Virtual User File Removal Vulnerability
BugTraq ID: 6649
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6649
Summary:
A problem has been reported in some FTP servers that may allow users to circumvent file permissions. Under some circumstances, it may be possible for users to remove files that have been placed in an FTP archive by other users. A file placed by one user may be deleted by another user with insufficient permissions, though the target file may not be overwritten. This problem has been reported to occur when the virtual user feature of FTP servers is used on Solaris systems. This problem has been reported to affect both NCFTPD and ProFTPD. Exploitation of this issue may result in the destruction of data.

CVS Directory Request Double Free Heap Corruption Vulnerability
BugTraq ID: 6650
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6650
Summary:
CVS is the concurrent versioning system. CVS is a freely available, open source software development package for the Unix, Linux, and Microsoft Windows platforms. CVS is prone to a double free vulnerability in Directory requests. Malformed Directory requests may potentially cause dynamically allocated memory to be de-allocated twice using the free() function. An attacker may potentially take advantage of this issue to cause heap memory to be corrupted with attacker-supplied values, which may result in execution of arbitrary code in the security context of the CVS server.

ModLogAn Remote Heap Corruption Vulnerability
BugTraq ID: 6652
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6652
Summary:
ModLogAn is a modular logfile analyzer which parses logfiles generated by several server types, including HTTP and FTP. It is available for the Unix and Linux operating systems. A vulnerability has been discovered in ModLogAn. The problem occurs when attempting to decode a URL with the url_decode() function.
When the url_decode() function detects a percent character ('%') in a URL, it incorrectly presumes that the following 2 bytes will represent a hexadecimal encoded value. After this assumption is made, the length counter (for the size of the decoded string) is reduced by two. If the URL contains values after the percent character which are not hexadecimal, the URL data may be larger than the buffer allocated for the decoded string. By generating a malicious log entry containing a URL with excessive percent characters designed to trigger the issue, it may be possible for an attacker to corrupt heap memory. Exploiting this issue to overwrite a malloc() header may make it possible to overwrite an arbitrary word in memory when the corrupted chunk is freed. This may result in arbitrary attacker-supplied instructions being executed with the privileges of the ModLogAn process.

MTink Printer Status Monitor Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 6656
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6656
Summary:
mtink is a printer status monitor for Linux operating systems. It is used to monitor ink quantity, negotiate changing and cleaning of ink cartridges, etc. mtink is prone to a locally exploitable buffer overflow condition. This is due to insufficient bounds checking of the $HOME environment variable. An attacker may take advantage of this issue to corrupt sensitive regions of memory, such as stack variables, with attacker-supplied values. This may result in execution of arbitrary attacker-supplied code. mtink is reportedly installed setgid 'sys' on Mandrake Linux, so it is possible that this issue may be exploited to execute arbitrary code with elevated privileges. Other distributions may also be affected if mtink is installed or runs with elevated privileges.
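Returning to the ModLogAn url_decode() flaw (BID 6652): the following is an added illustration, not ModLogAn's code. The first function reconstructs the sizing assumption the advisory describes (every '%' shrinks the planned decoded length by two, whatever follows it), and the second shows a decoder that validates both hex digits before consuming an escape and sizes its buffer from the input length, which decoding can never exceed. All names (planned_len_flawed, url_decode_safe, hexval, decodes_to) are assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reconstruction of the flawed sizing the advisory describes (not
 * ModLogAn's actual code): every '%' is taken as a three-byte escape, so the
 * planned decoded length is cut by two per '%' whatever follows it. */
long planned_len_flawed(const char *url) {
    long len = (long)strlen(url);
    for (const char *p = url; *p; p++)
        if (*p == '%')
            len -= 2;   /* falls below the real output size when no hex digits follow */
    return len;
}

static int hexval(int c) {
    return (c >= '0' && c <= '9') ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hardened decoder: a '%' is consumed as an escape only when two hex digits
 * really follow it; otherwise it is copied literally. The buffer is sized from
 * the input length, which decoding can never exceed. Caller frees the result. */
char *url_decode_safe(const char *url) {
    size_t n = strlen(url), o = 0;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (url[i] == '%' && i + 2 < n
            && isxdigit((unsigned char)url[i + 1])
            && isxdigit((unsigned char)url[i + 2])) {
            out[o++] = (char)(hexval(url[i + 1]) * 16 + hexval(url[i + 2]));
            i += 2;
        } else {
            out[o++] = url[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Convenience check: does `in` decode to `expect`? (1 = yes, 0 = no or alloc failure) */
int decodes_to(const char *in, const char *expect) {
    char *d = url_decode_safe(in);
    int ok = d && strcmp(d, expect) == 0;
    free(d);
    return ok;
}
```

A log line whose URL field is "%%%%" makes the flawed sizing go negative while the real output is still four bytes; the hardened decoder copies such bytes through unchanged.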
ESCPUtil Local Printer Name Buffer Overflow Vulnerability
BugTraq ID: 6658
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6658
Summary:
escputil is a freely available, open source print driver for the Linux operating system. It is publicly maintained. It has been reported that a buffer overflow exists in escputil. This problem is due to insufficient bounds checking on the values supplied as arguments of the -P command line parameter. It is possible for a malicious local user to corrupt sensitive regions of memory with attacker-supplied values. escputil is reportedly installed setgid 'sys' on Mandrake Linux, so it is possible that this issue may be exploited to execute arbitrary code with elevated privileges. Other distributions may also be affected if the utility is installed or runs with elevated privileges. It should also be noted that this program is included with a number of other packages for printing on Linux systems.

Apache Web Server Default Script Mapping Bypass Vulnerability
BugTraq ID: 6661
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6661
Summary:
Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. A vulnerability has been reported in the Apache Web server that may result in the server bypassing existing default mappings when serving files. The vulnerability exists when making requests for files in directories whose names carry extensions. The vulnerability may cause the Web server to incorrectly parse the requested file. An attacker may be able to make a request for www.target.com/folder.php/test. The request for the file 'test' should be served as a text file, but due to some flaws in the mapping algorithm the file 'test' will be interpreted as a PHP script. This may have unintended consequences on users and the system. This vulnerability was reported to affect Apache versions prior to 2.0.44.
ZyXEL DSL Modem Default Remote Administration Password Vulnerability
BugTraq ID: 6671
Remote: Yes
Date Published: Jan 23 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6671
Summary:
It has been reported that the administration interface on some ZyXEL devices, including the 642 and 645 series, is remotely accessible and pre-set with a default username and password. The devices, which may have been provided to users of the Sprint ADSL service, allow administrative access through FTP, HTTP and Telnet services from any address. Furthermore, a well-known default administrative username and password are preconfigured. The default administrative username is 'root' and the associated password is typically '1234'. An attacker can exploit this vulnerability by connecting to a vulnerable device and retrieving files that hold configuration information, usernames and passwords. This will allow the attacker to manipulate and reconfigure affected devices. It has additionally been reported that sensitive information set in the devices by ISPs, such as user email addresses, may be obtained by remote attackers. It is important to note that other ZyXEL devices may share this default account.
[ hardware ]

Palm HotSync Manager Remote Denial of Service Vulnerability
BugTraq ID: 6673
Remote: Yes
Date Published: Jan 23 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6673
Summary:
A vulnerability has been discovered in the Palm HotSync Manager. It has been reported that a remote attacker can trigger a denial of service in affected servers. The issue occurs when a user sends "OK ATDT<" to a vulnerable system. A menu will be presented saying insufficient memory is available, and three options will be presented. When an option is selected, the affected process will freeze or terminate. The precise technical details regarding this vulnerability are not currently known. This BID will be updated as more information becomes available.
This vulnerability was reported for HotSync Manager 4.0.4.
[ licence not specified ]

slocate Local Buffer Overrun Vulnerability
BugTraq ID: 6676
Remote: No
Date Published: Jan 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6676
Summary:
Secure Locate (slocate) provides a secure way to index and quickly search for files on your system. It is available for the Linux and Unix operating systems. Typically slocate is installed with setgid 'slocate' privileges. A buffer overrun vulnerability has been discovered in slocate. The issue occurs when 1024 or more bytes of data are supplied to both the regex ('-r') and the parse /etc/updatedb.conf ('-c') command line arguments. This issue occurs due to insufficient bounds checking on user-supplied input. A malicious local user may be able to exploit this issue to overwrite sensitive locations in memory. For instance, by overwriting the program's instruction pointer it may be possible to redirect program flow to attacker-supplied instructions. As slocate is typically installed with setgid privileges, any code execution accomplished by an attacker will be executed with group 'slocate' privileges. An attacker may leverage this privilege escalation to exploit the target system further. It should be noted that this issue has reportedly been verified on RedHat 7.3 and 7.2. RedHat 6.2 appears to be immune to this issue. It has not yet been verified whether other versions are also affected.