MySQL Control Center Insecure Default File Permission Vulnerability
BugTraq ID: 7041
Remote: No
Date Published: Mar 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7041
Summary:
MySQL Control Center (MySQLCC) is a visual administration interface for MySQL database servers and is available for multiple platforms. A vulnerability has been discovered in MySQLCC. The problem lies in the permissions set on various files used by MySQLCC: the configuration and connection files the application writes are created world-readable. A malicious local user may read them to obtain sensitive information about MySQL configuration and connection settings, which may in turn supply what is needed for further attacks against the target system. This issue has been addressed in MySQLCC 0.8.9.
[ licence undetermined ]

NetScreen ScreenOS Loss of Configuration Vulnerability
BugTraq ID: 7042
Remote: Yes
Date Published: Mar 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7042
Summary:
NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients. Under certain circumstances the device may lose its configuration during periods of heavy load. When this happens the device reverts to its factory settings, which reject all inbound traffic on the untrusted interface and NAT all traffic from the trusted interface to the untrusted interface. Because the device no longer has a default route defined, the external network is also unreachable from the internal network. The result is a denial of service both for external hosts that need resources behind the device and for internal hosts that need resources on the external network. In addition, if the factory default settings are considered insecure for the deployment, the reset may itself result in an exposure.
[ hardware ]

Ethereal SOCKS Dissector Format String Vulnerability
BugTraq ID: 7049
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7049
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The Ethereal SOCKS dissector is the component that decodes the SOCKS protocol. A format string vulnerability has been reported in some versions of this dissector; it exists in the packet-socks.c source file. An attacker can exploit it by sending SOCKS traffic containing format string specifiers to a SOCKS server on a network segment that Ethereal is monitoring, so that the dissector processes the attacker-supplied data as a format string. Where Ethereal is being used as a security tool to monitor network packets, sensitive memory may be corrupted. This has been confirmed to result in a denial of service condition; it may also be possible to cause Ethereal to execute attacker-supplied code. This vulnerability affects Ethereal 0.9.9 and earlier.

Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
BugTraq ID: 7050
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7050
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The NTLMSSP (NTLM Security Support Provider) dissector decodes packets that use the NTLM protocol. A heap corruption vulnerability has been reported in some versions of the dissector. The precise technical details are currently unknown; this BID will be updated as further information becomes available. An attacker may be able to exploit the vulnerability by sending a specially crafted packet to a system that is monitoring traffic with the NTLMSSP dissector, or by convincing a victim user to open a malformed packet trace file in Ethereal. Given the nature of the flaw, it may be possible to overwrite sensitive memory and so execute arbitrary code with the privileges of the Ethereal process. This vulnerability affects Ethereal 0.9.9 and earlier.

MySQL mysqld Privilege Escalation Vulnerability
BugTraq ID: 7052
Remote: Yes
Date Published: Mar 08 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7052
Summary:
MySQL is an open source relational database project, available for Microsoft Windows, Linux and Unix. A vulnerability has been discovered that may allow the mysqld service to start with elevated privileges. MySQL takes the account the service runs as from its option files, typically /etc/my.cnf, DATADIR/my.cnf and ~/.my.cnf. On startup mysqld reads /etc/my.cnf first, then DATADIR/my.cnf and finally ~/.my.cnf, with settings in later files overriding earlier ones. An attacker who can write to the data directory (for example after compromising the account mysqld normally runs as) can exploit this by creating a DATADIR/my.cnf containing the line 'user=root' in the '[mysqld]' option section. The ~/.my.cnf file must not exist, since it is read last and would otherwise take precedence. When mysqld is next started it runs as root instead of the default unprivileged user, allowing the attacker to obtain root privileges on the compromised system. This vulnerability was reported for MySQL 3.23.55.

Qpopper Remote Memory Corruption Vulnerability
BugTraq ID: 7058
Remote: Yes
Date Published: Mar 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7058
Summary:
Qpopper is a POP3 mail server available for Linux and Unix based systems. A memory corruption vulnerability has been discovered in its handling of the 'mdef' command. The root cause is an incorrect assumption about the Qvsnprintf() function: it is meant as a replacement for the C library's vsnprintf(), but unlike vsnprintf() it does not NUL-terminate the buffer when the output fills it. The vulnerability occurs in pop_msg() when it fills the 'message' buffer with a user-supplied macro name. pop_msg() assumes that 'message' is NUL-terminated after Qvsnprintf() has written to it, and then appends a CRLF sequence followed by a NUL terminator at the end of the string. When the buffer has been filled exactly, those bytes are written past the end of the buffer into adjacent memory. By using this to overwrite the least significant byte of a saved frame pointer it is possible to redirect control flow so that attacker-supplied instructions are executed. This vulnerability affects Qpopper versions 4.0.4 and earlier. It should be noted that exploitability is highly dependent on the memory layout, which is in turn likely to be influenced by compiler optimization.

SMC Router Backup Tool Plaintext Password Weakness
BugTraq ID: 7059
Remote: No
Date Published: Mar 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7059
Summary:
The SMC SMC7004VWBR is a wireless Cable/DSL broadband router with an integrated wireless access point and SPI firewall. It has been reported that the SMC router backup tool, 'backup_config.exe', stores the router administration credentials in plaintext in the backup file it produces. Furthermore, the password is prefixed by the word 'root', making it easy for an attacker to locate. This weakness may allow unauthorised users with access to the backup file to disclose the administration password and other sensitive router configuration information. This vulnerability has been reported to affect SMC SMC7004VWBR devices, however other products may also be affected.
[ hardware ]

Man Program Unsafe Return Value Command Execution Vulnerability
BugTraq ID: 7066
Remote: No
Date Published: Mar 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7066
Summary:
Man is a freely available, open source manual page program. It is available mainly for Linux operating systems, though it can be used on other UNIX variants. A problem with the program may make it possible to launch local attacks on users through malicious man pages. It has been reported that man does not properly handle some types of input. When a man page that could pose a security risk is processed, the program reacts in a way that opens a window of opportunity for an attacker to execute arbitrary commands. The problem is in a return value inside man: when a potentially dangerous man page is processed, an internal function returns the literal string 'unsafe' as an error indicator, and the caller passes that return value straight to system(). If a program named 'unsafe' is located in the user's path, it is executed with the privileges of the user running man.

Multitech RouteFinder Remote Memory Corruption Vulnerability
BugTraq ID: 7067
Remote: Yes
Date Published: Mar 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7067
Summary:
A vulnerability has been discovered in Multitech RouteFinder 550 VPN firmware release 4.63 and earlier. The problem is insufficient bounds checking of data supplied in HTTP GET requests. Specifically, the condition can be triggered by sending the device a GET /OPTIONS request containing at least 10001 bytes of data. Passing this much data to the device may allow a remote attacker to corrupt memory. Successful exploitation may result in a denial of service by crashing the device; a manual restart is then required to restore functionality. Although it has not been confirmed, it may also be possible for an attacker to exploit this issue to execute arbitrary code.
[ hardware ]

HP J6038A JetDirect 310x Print Server For Fast Ethernet Unspecified Vulnerabilities
BugTraq ID: 7070
Remote: Yes
Date Published: Mar 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7070
Summary:
The HP JetDirect 310x is a series of network print servers. HP has reported unspecified vulnerabilities in J6038A JetDirect 310x print servers running firmware version Q.24.06. Successful exploitation may result in unauthorized access to the print server; the vendor has also reported a potential for denial of service attacks. HP has released a firmware upgrade in response. This BID will be updated if further technical details become available.
[ hardware ]

[ It is getting harder and harder, with BugTraq, to determine whether a piece of software is free or not. ]

- To post an announcement: [EMAIL PROTECTED]
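Worked example for the option-file precedence described under BugTraq ID 7052 (MySQL mysqld). This is added here and is neither part of the advisory nor MySQL's own code: it models the read order /etc/my.cnf, DATADIR/my.cnf, ~/.my.cnf over constructed file contents, reports which file ends up deciding the 'user' setting, and applies an audit rule that flags the advisory's outcome. The paths, the assumed data directory /var/lib/mysql, the audit rule and the sample contents are illustrative assumptions; the parser handles only the bare 'user=' line shown in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* One option file as mysqld would see it.  A NULL 'text' means the file does
 * not exist (the ~/.my.cnf case the advisory requires). */
struct option_file {
    const char *path;
    const char *text;
};

/* Scan one option file for a 'user=' line inside the [mysqld] section.
 * Copies the value into 'out' and returns 1 if found, 0 otherwise.  Only the
 * bare 'key=value' form used in the advisory is handled: no whitespace
 * around '=', no quoting, no !include directives. */
static int mysqld_user_in_file(const char *text, char *out, size_t outsz)
{
    int in_mysqld = 0, found = 0;
    const char *line = text;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > 0 && line[0] == '[') {
            in_mysqld = (len == 8 && strncmp(line, "[mysqld]", 8) == 0);
        } else if (in_mysqld && len > 5 && strncmp(line, "user=", 5) == 0) {
            size_t vlen = len - 5;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, line + 5, vlen);
            out[vlen] = '\0';
            found = 1;                 /* last occurrence in the file wins */
        }
        line = eol ? eol + 1 : NULL;
    }
    return found;
}

/* Apply the read order from the advisory: each later file overrides the
 * earlier ones.  Returns the effective user and, via 'source', the path of
 * the file that set it (NULL if none did). */
const char *effective_mysqld_user(const struct option_file *files, int n,
                                  const char **source)
{
    static char user[64];
    char v[64];
    strcpy(user, "(unset)");
    *source = NULL;
    for (int i = 0; i < n; i++) {
        if (files[i].text && mysqld_user_in_file(files[i].text, v, sizeof v)) {
            strcpy(user, v);
            *source = files[i].path;
        }
    }
    return user;
}

/* Audit rule (an assumption, not MySQL's fix): flag a configuration in which
 * mysqld would run as root, or in which 'user' is decided by a file under the
 * data directory, since that directory is writable by the very account mysqld
 * is meant to be confined to.  DATADIR is assumed to be /var/lib/mysql. */
int mysqld_user_audit(const struct option_file *files, int n)
{
    const char *src;
    const char *u = effective_mysqld_user(files, n, &src);
    if (strcmp(u, "root") == 0) return 1;
    if (src && strncmp(src, "/var/lib/mysql/", 15) == 0) return 1;
    return 0;
}

/* Constructed sample contents; not copied from any real system. */
static const char ETC_MY_CNF[] =
    "[client]\nport=3306\n\n[mysqld]\nuser=mysql\ndatadir=/var/lib/mysql\n";
static const char PLANTED_DATADIR_MY_CNF[] = "[mysqld]\nuser=root\n";

/* The advisory's scenario: DATADIR/my.cnf planted, ~/.my.cnf absent. */
int scenario_attack(const char **user, const char **source)
{
    static const struct option_file files[] = {
        { "/etc/my.cnf",           ETC_MY_CNF },
        { "/var/lib/mysql/my.cnf", PLANTED_DATADIR_MY_CNF },
        { "/root/.my.cnf",         NULL },
    };
    *user = effective_mysqld_user(files, 3, source);
    return mysqld_user_audit(files, 3);
}

/* Same planted file, but ~/.my.cnf exists and sets 'user' itself; it is read
 * last and therefore wins, which is why the advisory needs it absent. */
int scenario_home_override(const char **user, const char **source)
{
    static const struct option_file files[] = {
        { "/etc/my.cnf",           ETC_MY_CNF },
        { "/var/lib/mysql/my.cnf", PLANTED_DATADIR_MY_CNF },
        { "/root/.my.cnf",         "[mysqld]\nuser=mysql\n" },
    };
    *user = effective_mysqld_user(files, 3, source);
    return mysqld_user_audit(files, 3);
}

int main(void)
{
    const char *u, *s;
    int flagged = scenario_attack(&u, &s);
    printf("attack: user=%s set by %s, flagged=%d\n", u, s, flagged);
    flagged = scenario_home_override(&u, &s);
    printf("override: user=%s set by %s, flagged=%d\n", u, s, flagged);
    return 0;
}
```

The second scenario shows the precondition the advisory spells out: a ~/.my.cnf that sets 'user' is read after the planted file and neutralises it, so the attack only works when that file is missing.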
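Worked example for the off-by-one described under BugTraq ID 7058 (Qpopper). This is added here and is a model of the advisory's description, not Qpopper source: a filler that, like the Qvsnprintf() described above, writes no NUL when the output exactly fills the buffer, followed by the pop_msg()-style append of CR, LF and NUL at the string's end. The buffer size, the guard bytes standing in for the saved frame pointer, and the 32-byte macro name are constructed assumptions chosen so the effect is measurable.

```c
#include <stdio.h>
#include <string.h>

#define MSG_LEN 32   /* stand-in for the size of pop_msg()'s 'message' buffer */

/* The message buffer plus the bytes that happen to follow it in memory.  In
 * Qpopper those bytes included a saved frame pointer; here they are a guard
 * whose corruption can be counted. */
struct frame {
    char message[MSG_LEN];
    unsigned char guard[4];
};

/* Models the flaw attributed to Qvsnprintf(): copies at most 'size' bytes
 * and, unlike vsnprintf(), writes no terminating NUL when the output fills
 * the buffer exactly. */
static void fill_unterminated(char *dst, size_t size, const char *src)
{
    size_t n = strlen(src);
    if (n >= size)
        memcpy(dst, src, size);      /* buffer full, no NUL anywhere in it */
    else
        memcpy(dst, src, n + 1);     /* fits, NUL copied along */
}

/* Hardened filler: always NUL-terminates and reserves two bytes for the
 * CRLF that pop_msg() appends afterwards. */
static void fill_terminated(char *dst, size_t size, const char *src)
{
    snprintf(dst, size - 2, "%s", src);
}

/* Models pop_msg(): fill 'message' with the client-supplied macro name, then
 * append CR, LF and NUL after the string.  Returns how many guard bytes were
 * modified, i.e. how far the write strayed past message[]. */
int pop_msg_model(struct frame *f, const char *macro, int hardened)
{
    memset(f->guard, 0, sizeof f->guard);   /* zero, so strlen() stops here */
    if (hardened)
        fill_terminated(f->message, sizeof f->message, macro);
    else
        fill_unterminated(f->message, sizeof f->message, macro);

    /* With no NUL inside message[], strlen() runs into the guard and the
     * appended bytes land outside the buffer: the first byte past the end
     * (the LSB of whatever word sits there on a little-endian machine)
     * becomes 0x0d.  The struct is addressed as raw bytes so the model's own
     * writes stay inside one object. */
    unsigned char *raw = (unsigned char *)f;
    size_t off = strlen((const char *)raw);
    raw[off++] = '\r';
    raw[off++] = '\n';
    raw[off]   = '\0';

    int clobbered = 0;
    for (size_t i = 0; i < sizeof f->guard; i++)
        if (f->guard[i] != 0)
            clobbered++;
    return clobbered;
}

/* A macro name exactly MSG_LEN bytes long: the case that leaves no room for
 * a terminator.  Constructed input, not a captured session. */
static void long_macro(char *out)
{
    memset(out, 'A', MSG_LEN);
    out[MSG_LEN] = '\0';
}

int demo_vulnerable(void)
{
    struct frame f; char m[MSG_LEN + 1];
    long_macro(m);
    return pop_msg_model(&f, m, 0);    /* '\r' and '\n' land in the guard */
}

int demo_hardened(void)
{
    struct frame f; char m[MSG_LEN + 1];
    long_macro(m);
    return pop_msg_model(&f, m, 1);    /* truncated; CRLF+NUL stay in bounds */
}

/* After the hardened path the message is still a well-formed CRLF line. */
int demo_hardened_ends_with_crlf(void)
{
    struct frame f; char m[MSG_LEN + 1];
    long_macro(m);
    pop_msg_model(&f, m, 1);
    size_t n = strlen(f.message);
    return n == MSG_LEN - 1 && f.message[n - 2] == '\r' && f.message[n - 1] == '\n';
}

int main(void)
{
    printf("unterminated fill clobbered %d guard byte(s)\n", demo_vulnerable());
    printf("terminated fill clobbered %d guard byte(s)\n", demo_hardened());
    return 0;
}
```

The two-byte overrun is the whole attack surface the advisory describes: whether the byte that receives 0x0d is the low byte of a saved frame pointer, or something harmless, depends on the frame layout the compiler produced, which is why the entry stresses that exploitability varies with optimization.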
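Worked example for the in-band error string described under BugTraq ID 7066 (man). This is added here and is not man's code: it models a command-building helper that returns the literal string 'unsafe' on dangerous input, whose result the caller would pass to system(), beside a version that reports the refusal out of band. The metacharacter test, the nroff command line and the function names are illustrative assumptions; nothing is actually executed, the command string is returned for inspection instead.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for man's check of what makes a page "potentially
 * dangerous": any shell metacharacter in the name. */
static int looks_dangerous(const char *page)
{
    return strpbrk(page, ";|&`$<>()") != NULL;
}

/* Vulnerable shape: the error is signalled through the returned string, so
 * the caller cannot distinguish a refusal from a command to run. */
static const char *build_cmd_inband(const char *page, char *buf, size_t sz)
{
    if (looks_dangerous(page))
        return "unsafe";
    snprintf(buf, sz, "/usr/bin/nroff -man %s", page);   /* illustrative command */
    return buf;
}

/* What the vulnerable caller hands to system().  With "unsafe" as the
 * command, $PATH decides what actually runs. */
const char *vulnerable_command(const char *page, char *buf, size_t sz)
{
    const char *cmd = build_cmd_inband(page, buf, sz);
    /* system(cmd);  deliberately not executed here */
    return cmd;
}

/* Hardened shape: the refusal is a return code, the command lives only in
 * 'buf', and the caller reaches system() only on success. */
int hardened_command(const char *page, char *buf, size_t sz)
{
    if (looks_dangerous(page)) {
        buf[0] = '\0';
        return -1;
    }
    snprintf(buf, sz, "/usr/bin/nroff -man %s", page);
    return 0;
}

int main(void)
{
    char buf[128];
    /* constructed inputs: a benign page name and one with a metacharacter */
    printf("vulnerable, benign:    %s\n", vulnerable_command("ls", buf, sizeof buf));
    printf("vulnerable, dangerous: %s\n", vulnerable_command("ls;id", buf, sizeof buf));
    printf("hardened,  dangerous:  rc=%d\n", hardened_command("ls;id", buf, sizeof buf));
    return 0;
}
```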
