From: Network Computing and The SANS Institute (sans+ZZ22729642585496493 sans.org)
Date: Thu Jan 24 2002 - 15:33:20 CST
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 003 (02.03)
Thursday, January 24, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
Did you know?
SANS launches a new era in security conferences. The entire technical
conference at SANS' huge annual conference -- including more than 60
technical sessions and short courses -- is now FREE for all the people
who attend SANS in-depth full-day training courses. In other words, if
you come to a SANS class, you get to attend the technical conference
sessions at no cost. All ten of SANS GIAC certification tracks -- the
most highly-sought-after certifications in our field -- are offered in
Orlando beginning the first of April. For more details see
http://www.sans.org/SANS2002
----------------------------------------------------------------------
An analysis of a number of Windows secure deletion tools was posted to
VulnWatch this week. The finding is that many of them overwrite only
the file's main data and never touch its NTFS alternate data streams.
Since Windows itself stores some data in alternate streams (thumbnails
of pictures, for example), a file the user believes to be securely
deleted can leave that data recoverable on disk.
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0025.html
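The check a practitioner wants after reading that analysis is whether every stream of a file is covered before it is unlinked. The following is an added example, not code from the newsletter or from any of the tools reviewed: it enumerates the NTFS data streams of a file through the documented kernel32 API (FindFirstStreamW/FindNextStreamW), overwrites each one in place, and only then removes the file. Stream enumeration is Windows-only; on other platforms the function reports just the unnamed data stream, which is all that exists there. The function and constant names are this example's own.

```python
"""Added example: wipe every NTFS data stream of a file before unlinking it.
Not part of the newsletter or of any secure-deletion product."""
import ctypes
import os
import sys

MAX_PATH = 260
ERROR_HANDLE_EOF = 38  # returned by FindNextStreamW when no streams remain


def list_streams(path):
    """Return [(stream_name, size_in_bytes)] for every data stream of `path`.

    On Windows the names are exactly as the kernel reports them: '::$DATA'
    for the unnamed (main) stream, ':Zone.Identifier:$DATA' for a named one.
    On other platforms there is only the unnamed stream.
    """
    if sys.platform != "win32":
        return [("::$DATA", os.path.getsize(path))]

    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA),
                                     wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE,
                                    ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]
    k32.FindClose.restype = wintypes.BOOL

    invalid_handle = ctypes.c_void_p(-1).value  # INVALID_HANDLE_VALUE
    data = WIN32_FIND_STREAM_DATA()
    # InfoLevel 0 = FindStreamInfoStandard, dwFlags must be 0
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle in (None, invalid_handle):
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


def overwrite_stream(path, stream_name, size, chunk=1 << 16):
    """Overwrite one stream with `size` random bytes, in place. Returns bytes written.

    A named stream is opened through the 'file:stream:$DATA' path syntax that
    CreateFile accepts; the unnamed stream is simply the file itself.
    """
    target = path if stream_name == "::$DATA" else path + stream_name
    written = 0
    with open(target, "r+b") as fh:
        while written < size:
            n = min(chunk, size - written)
            fh.write(os.urandom(n))
            written += n
        fh.flush()
        os.fsync(fh.fileno())
    return written


def secure_delete(path):
    """Wipe every data stream of `path`, then unlink it.

    Returns [(stream_name, bytes_overwritten)] so a caller can confirm that
    named streams were covered, which is the gap found in the reviewed tools.
    """
    report = [(name, overwrite_stream(path, name, size))
              for name, size in list_streams(path)]
    os.remove(path)  # removing the file removes all of its streams
    return report
```

Two caveats apply to any in-place overwrite, this one included: it only helps if the file system writes the new bytes over the old clusters, which NTFS does for ordinary files but not for compressed or encrypted ones, and it does nothing about copies left in other places (journals, shadow copies, the thumbnail cache). A quick manual spot-check on Windows is `dir /r` on the directory, which lists every stream and its size.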
From the "it's funny unless it happens to you" department: around
Wednesday, Jan. 16, a bad definition update for Trend Micro's e-mail
virus scanner caused it to classify any e-mail containing the digit
"1" as spam and quarantine it. Talk about an over-zealous spam
catching tactic.
http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0034.html
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.03.021} Win - Avirt proxy HTTP header overflow
{02.03.022} Win - Avirt telnet proxy allows local access
{02.03.027} Win - BadBlue multiple vulnerabilities
{02.03.002} Linux - Update {02.01.002}: stunnel format string
vulnerability
{02.03.003} Linux - at invalid time heap overflow
{02.03.005} Linux - Conectiva MySQL logs to world-readable file
{02.03.006} Linux - Update {01.52.020}: Exim local pipe forward/command
execution
{02.03.007} Linux - enscript insecure temp file handling
{02.03.010} Linux - chinput HOME environment variable overflow
{02.03.014} Linux - Update {02.02.015}: Eterm HOME environment variable
overflow
{02.03.017} Linux - Maelstrom insecure temp file handling
{02.03.018} Linux - BOOZT administrative CGI overflow
{02.03.026} Linux - Linux leaks memory contents on ICMP TTL exceeded
messages
{02.03.009} BSD - NetBSD suid/ptrace race
{02.03.019} HPUX - Update {01.45.019}: Overflow in dtspcd via DCE SPC
library
{02.03.020} HPUX - Sendmail sends sensitive info in queue warning
{02.03.011} Other - Cisco MGC/Solaris updates
{02.03.001} Cross - Update {02.02.007}: sudo passes unclean environment
to MTA
{02.03.008} Cross - PHP-Nuke file parameter command execution
{02.03.012} Cross - Update {02.02.014}: Pi3Web large CGI URL DoS
{02.03.013} Cross - COWS CGI multiple vulnerabilities
{02.03.015} Cross - Timbuktu port connection DoS
{02.03.016} Cross - dnrd malformed DNS request vulnerability
{02.03.023} Cross - Hellbent Web server path disclosure
{02.03.024} Cross - Multiple chuid vulnerabilities
{02.03.025} Cross - uuxqt --config vulnerability
{02.03.004} Tools - HFNetChk 3.3 available
--- Windows News -------------------------------------------------------
*** {02.03.021} Win - Avirt proxy HTTP header overflow
Avirt Gateway and Avirt SOHO version 4.2 have been found vulnerable
to a buffer overflow in the handling of oversized HTTP headers passed
through the HTTP proxy. The overflow allows a remote attacker to
execute arbitrary code.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0224.html
*** {02.03.022} Win - Avirt telnet proxy allows local access
Avirt's telnet proxy, shipped with Avirt Gateway version 4.2, has been
reported to give a remote attacker access to the proxy host's file
system and a command shell through a handful of diagnostic commands.
No authentication is required.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0225.html
*** {02.03.027} Win - BadBlue multiple vulnerabilities
The BadBlue file-serving engine, used in products such as
Deerfield.com's D2Gfx, has been found to contain multiple
vulnerabilities, including authentication bypass, denial of service
and execution of system commands. Full information is available at
the reference URL below.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0239.html
--- Linux News ---------------------------------------------------------
*** {02.03.002} Linux - Update {02.01.002}: stunnel format string
vulnerability
Mandrake has released updated stunnel packages, which fix the
vulnerability discussed in {02.01.002} ("stunnel format string
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0223.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-01/0223.html
*** {02.03.003} Linux - at invalid time heap overflow
The at job scheduler has been found to contain a locally exploitable
heap overflow in its parsing of malformed time arguments. This
vulnerability allows local attackers to elevate their privileges.
This vulnerability has been confirmed. An exploit has been published.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0010.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q1/0301.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0232.html
Source: Debian, SuSE, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2002-q1/0010.html
http://archives.neohapsis.com/archives/linux/suse/2002-q1/0301.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0232.html
*** {02.03.005} Linux - Conectiva MySQL logs to world-readable file
Conectiva has released a security advisory indicating that the MySQL
package shipped with Conectiva Linux 6.0 will, by default, log all
queries (including those that set user names and passwords) to a
world-readable file in /var/log/. This could allow a local attacker
to retrieve sensitive information.
Updated RPMs are located at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0008.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0008.html
*** {02.03.006} Linux - Update {01.52.020}: Exim local pipe
forward/command execution
Conectiva has released updated exim packages, which fix the
vulnerability discussed in {01.52.020} ("Exim local pipe
forward/command execution").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0007.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0007.html
*** {02.03.007} Linux - enscript insecure temp file handling
The enscript converter has been found to create and use temporary
files insecurely, allowing a local attacker to mount a symlink attack
against any user who invokes enscript.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0034.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0012.html
Source: RedHat, Debian
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0034.html
http://archives.neohapsis.com/archives/vendor/2002-q1/0012.html
*** {02.03.010} Linux - chinput HOME environment variable overflow
The chinput Chinese input server has been found to contain a buffer
overflow in the handling of the HOME environment variable, which
could allow a local attacker to execute arbitrary code with elevated
privileges.
This vulnerability has not been confirmed. An exploit has been
published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0214.html
*** {02.03.014} Linux - Update {02.02.015}: Eterm HOME environment
variable overflow
The vendor has released updated imlib packages, which fix the
vulnerability discussed in {02.02.015} ("Eterm HOME environment
variable overflow").
Download and install imlib version 1.0.5 from:
http://prdownloads.sourceforge.net/enlightenment/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0246.html
*** {02.03.017} Linux - Maelstrom insecure temp file handling
The Maelstrom game, version 3.0.1, handles temporary files insecurely:
it opens /tmp/f for writing without checking whether something is
already there, so a local attacker who plants a symlink at /tmp/f gets
the link's target overwritten with the permissions of the user running
Maelstrom.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0235.html
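The enscript and Maelstrom items above are the same bug class: a fixed, predictable name in /tmp opened for writing with no check that it is a fresh regular file. The following is an added example, not code from either project, that reproduces the attack in a private directory and shows the two fixes a maintainer would apply: open with O_CREAT|O_EXCL|O_NOFOLLOW so an existing symlink makes the open fail, or use mkstemp so there is no predictable name to pre-plant a link at. The function names and file names are this example's own.

```python
"""Added example: the /tmp symlink attack described in the enscript and
Maelstrom advisories, beside the hardened open. Not code from either project."""
import os
import tempfile


def weak_open(path):
    """Vulnerable pattern: fixed name, plain open for writing, symlinks followed.
    If an attacker has already placed a symlink at `path`, the write lands on
    the link's target with the caller's permissions."""
    return open(path, "w")


def safe_open(path):
    """Hardened open for a fixed name.

    O_EXCL makes the open fail if anything already exists at `path`,
    including a dangling symlink; O_NOFOLLOW refuses a symlink as the final
    path component; mode 0o600 keeps the new file private to the caller.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def safe_tempfile(prefix="maelstrom-"):
    """The usual fix: an unpredictable name created atomically with O_EXCL,
    so there is no name for an attacker to plant a link at in advance.
    Returns (open file object, path)."""
    fd, path = tempfile.mkstemp(prefix=prefix)
    return os.fdopen(fd, "w"), path


def demo_symlink_attack(workdir):
    """Play the attack out inside `workdir` (a directory the caller owns).

    Returns (victim_content_after_weak_open, safe_open_raised).
    """
    victim = os.path.join(workdir, "victim.rc")  # stands in for a file such as ~/.bashrc
    trap = os.path.join(workdir, "f")            # stands in for /tmp/f
    with open(victim, "w") as fh:
        fh.write("original\n")
    os.symlink(victim, trap)                     # attacker plants the link

    with weak_open(trap) as fh:                  # victim runs the program
        fh.write("clobbered\n")
    with open(victim) as fh:
        after_weak = fh.read()                   # victim's file was overwritten

    os.remove(trap)
    os.symlink(victim, trap)                     # attacker plants it again
    try:
        safe_open(trap).close()
        raised = False
    except OSError:                              # EEXIST (or ELOOP without O_EXCL)
        raised = True
    return after_weak, raised
```

Note that the symlink need not point at an existing file: O_CREAT without O_EXCL follows a dangling link and creates the target, which is how these bugs are turned into writes to files like ~/.rhosts.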
*** {02.03.018} Linux - BOOZT administrative CGI overflow
The BOOZT administrative CGI suite has been found to contain a buffer
overflow in the handling of certain form elements. This could lead
to a remote attacker executing arbitrary code under the Web server's
privileges.
This vulnerability has been confirmed. An update is available at:
http://www.boozt.com/news.php
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0036.html
*** {02.03.026} Linux - Linux leaks memory contents on ICMP TTL
exceeded messages
The Linux 2.2.x kernel has been found not to clear reused memory when
it builds ICMP TTL exceeded messages. Whatever the memory held before
it was reallocated is sent out onto the network inside the message,
and that leftover content can, by chance, include sensitive
information.
This vulnerability has been confirmed. A third-party patch is
available at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0265.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0234.html
--- BSD News -----------------------------------------------------------
*** {02.03.009} BSD - NetBSD suid/ptrace race
NetBSD has released an advisory describing a race in which one process
executes a setuid program and, in the small window of time before the
new image starts running, uses ptrace() to modify the target process.
This potentially gives local users the chance to execute arbitrary
code with the elevated privileges.
This vulnerability has been confirmed. All NetBSD branches prior to
Jan. 14, 2002, are vulnerable.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q1/0077.html
--- HP-UX News ---------------------------------------------------------
*** {02.03.019} HPUX - Update {01.45.019}: Overflow in dtspcd via DCE
SPC library
HP has released updated patches, which fix the vulnerability discussed
in {01.45.019} ("Overflow in dtspcd via DCE SPC library").
Full patch information and instructions are available at:
http://archives.neohapsis.com/archives/hp/2002-q1/0016.html
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0016.html
*** {02.03.020} HPUX - Sendmail sends sensitive info in queue warning
HP has released patches for a vulnerability in sendmail, whereby it
would send sensitive information within e-mail queue warning messages
under certain conditions.
Information on available updates is available at:
http://archives.neohapsis.com/archives/hp/2002-q1/0016.html
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0016.html
--- Other News ---------------------------------------------------------
*** {02.03.011} Other - Cisco MGC/Solaris updates
Cisco's Media Gateway Controller runs on an underlying Solaris
operating system. The Solaris build Cisco ships contains a number of
actively exploited vulnerabilities, so Cisco has released updates to
patch the security problems. The SC2200, VSC3000, PGW 2200, BAMS and
VSPT products are affected.
Update information is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0218.html
Source: Cisco
http://archives.neohapsis.com/archives/bugtraq/2002-01/0218.html
--- Cross-Platform News ------------------------------------------------
*** {02.03.001} Cross - Update {02.02.007}: sudo passes unclean
environment to MTA
Immunix and OpenBSD have released updated sudo packages, which fix
the vulnerability discussed in {02.02.007} ("sudo passes unclean
environment to MTA").
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2002-q1/0012.html
Updated OpenBSD information:
http://archives.neohapsis.com/archives/openbsd/2002-01/1584.html
Source: Immunix, OpenBSD
http://archives.neohapsis.com/archives/linux/immunix/2002-q1/0012.html
http://archives.neohapsis.com/archives/openbsd/2002-01/1584.html
*** {02.03.008} Cross - PHP-Nuke file parameter command execution
The PHP-Nuke portal has been found to contain a vulnerability whereby
a remote attacker supplies the URL of a remote PHP file in the 'file'
parameter passed to PHP-Nuke; the server fetches that file and
executes it. This allows remote attackers to run arbitrary PHP code
on the server under the Web server's privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0210.html
*** {02.03.012} Cross - Update {02.02.014}: Pi3Web large CGI URL DoS
The vendor has released an updated patch, which fixes the vulnerability
discussed in {02.02.014} ("Pi3Web large CGI URL DoS").
It is available at:
http://sourceforge.net/tracker/index.php?func=detail&aid=505583&group_id=17753&atid=317753
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0242.html
*** {02.03.013} Cross - COWS CGI multiple vulnerabilities
The COWS CGI shopping cart suite has been found to contain multiple
vulnerabilities, including cross-site scripting, exposure of the
administrative password and potential downloading of credit-card
order data.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0222.html
*** {02.03.015} Cross - Timbuktu port connection DoS
The Timbuktu remote control software version 6.0.1 has been reported
vulnerable to a remote connection denial of service attack, whereby
an attacker can cause Timbuktu to stop accepting new incoming
connections by opening many TCP connections to the listening ports.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0243.html
*** {02.03.016} Cross - dnrd malformed DNS request vulnerability
The dnrd DNS daemon version 2.10 has been found to crash when it
receives a particular malformed DNS request. For now the vulnerability
appears limited to denial of service, although it may be possible to
execute arbitrary code.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0250.html
*** {02.03.023} Cross - Hellbent Web server path disclosure
Under certain conditions, the hellbent Java HTTP server prior to
version 0.11 has been found to disclose full path information for
requested files.
This vulnerability has been confirmed, and version 0.11 has been
released to fix the problem. It is available at:
http://hogs.rit.edu/~joet/code/hellbent_v011.zip
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0228.html
*** {02.03.024} Cross - Multiple chuid vulnerabilities
The chuid PHP helper application, in versions prior to 1.3, has been
found to contain two vulnerabilities: users can change the ownership
of files outside the designated upload directory, and the application
lets root-owned files be changed. Together these could allow the
system to be compromised.
These vulnerabilities have been confirmed. An update is available at:
http://srparish.net/scripts/chuid-1.3.tar.gz
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0272.html
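The PHP-Nuke and chuid items are both failures to confine a user-supplied name to the place it is meant to refer to: PHP-Nuke let the 'file' parameter be a URL, so the include fetched a remote script, and chuid let a name resolve to a file outside its upload directory, including root-owned ones. The following is an added example, not code from either project, of one confinement routine that covers both cases: it rejects URL schemes (including PHP stream wrappers), absolute paths and '..' traversal, resolves symlinks before deciding, and, for the chuid case, additionally insists that the resulting file is owned by the expected uid. Names and the directory layout in the test are this example's own.

```python
"""Added example: confine a user-supplied file name to a directory.
Not code from PHP-Nuke or chuid."""
import os
from urllib.parse import urlsplit


class RejectedPath(ValueError):
    """Raised for any value that does not resolve to a file under the base."""


def confine(base_dir, user_value):
    """Return the real path of `user_value` under `base_dir`, or raise.

    Every check operates on the resolved path, so 'modules/../../x' and a
    symlink planted inside base_dir that points outside are both caught.
    """
    base = os.path.realpath(base_dir)
    if not user_value:
        raise RejectedPath("empty name")
    # 'http://host/x.txt', 'ftp://...', 'php://input': with allow_url_fopen on,
    # PHP's include() would fetch and run these. Any scheme at all is rejected.
    if urlsplit(user_value).scheme:
        raise RejectedPath("URL or stream wrapper not allowed: %r" % user_value)
    if os.path.isabs(user_value) or user_value.startswith(("\\", "//")):
        raise RejectedPath("absolute path not allowed: %r" % user_value)
    candidate = os.path.realpath(os.path.join(base, user_value))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:            # different drives on Windows
        inside = False
    if not inside:
        raise RejectedPath("escapes %s: %r" % (base, user_value))
    return candidate


def confine_owned(base_dir, user_value, expected_uid):
    """chuid-style check: the file must be under the upload directory *and*
    owned by the uid that is allowed to hand it over (e.g. the web server
    user that wrote the upload). lstat, not stat, so a symlink cannot borrow
    its target's owner."""
    path = confine(base_dir, user_value)
    st = os.lstat(path)
    if st.st_uid != expected_uid:
        raise RejectedPath("%r is owned by uid %d, not %d"
                           % (user_value, st.st_uid, expected_uid))
    return path
```

The order matters: resolve first, compare second. Checking the raw string for '..' and then joining it misses the symlink case, which is exactly how an upload directory with one attacker-created link becomes a hole in an otherwise correct check.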
*** {02.03.025} Cross - uuxqt --config vulnerability
The uuxqt program from the Taylor UUCP package has been found not to
strip the --config long option before passing control to uux. This
allows a local attacker to execute arbitrary commands with the uucp
user's privileges.
RedHat has confirmed this vulnerability and released updated RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0030.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0030.html
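The uuxqt bug is the usual fate of an argument filter built as a denylist: it knows one spelling of a dangerous option and not another. The following is an added, hypothetical example, not the Taylor UUCP source, that puts a denylist filter of that shape beside the alternative a reviewer would ask for: refuse any user-supplied word that looks like an option, and place '--' before the user data so the called program's getopt stops parsing options there. The option names used are illustrative.

```python
"""Added example: denylist option filtering versus an end-of-options marker.
Hypothetical; not code from Taylor UUCP."""


def strip_denylisted(user_args):
    """Filter of the kind that fails: drops the short '-I file' / '-Ifile'
    configuration-file option but is unaware of its long spelling,
    so '--config=file' and '--config file' pass straight through."""
    out = []
    skip_next = False
    for arg in user_args:
        if skip_next:                      # the argument that belonged to '-I'
            skip_next = False
            continue
        if arg == "-I":
            skip_next = True
            continue
        if arg.startswith("-I"):           # '-Ifile' form
            continue
        out.append(arg)
    return out


def safe_argv(program, user_args):
    """Build an argv that cannot smuggle options.

    Any user word beginning with '-' is rejected outright (an allowlist of
    shapes, not a denylist of names), and '--' is inserted so that even a
    value the callee did not anticipate is treated as an operand.
    """
    for arg in user_args:
        if arg.startswith("-"):
            raise ValueError("option-like argument rejected: %r" % arg)
    return [program, "--"] + list(user_args)
```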
--- Tool Announcements News --------------------------------------------
*** {02.03.004} Tools - HFNetChk 3.3 available
Microsoft has released HFNetChk version 3.3, which includes many
new features. For those of you who are unfamiliar with HFNetChk,
it is a tool that remotely scans your servers for missing hot fixes.
HFNetChk can be downloaded from:
http://www.microsoft.com/downloads/release.asp?releaseid=31154
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0032.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8UHYW+LUG5KFpTkYRAqwlAJ9B4PGeCh6bMlbQV8JrO7IKnDkTQgCgiI5h
ZaJib1o1pnzIkZuCYPvsaa8=
=qlt4
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info neohapsis.com | http://www.neohapsis.com/).