From: Network Computing and The SANS Institute (sans+ZZ82324806569617399sans.org)
Date: Thu Mar 14 2002 - 15:47:58 CST


    To: Security Express (SD397643)
    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                              Number 010 (02.10)
                          Thursday, March 14, 2002
                              Created for you by
                  Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    This issue is sponsored by AT&T
    Network performance is crucial for business performance. To help ensure
    the continuity and availability of your data, processes, and
    mission-critical applications, count on AT&T. We protect your physical
    and intellectual assets for optimum reliability, predictable performance
    and a higher Return on Communications.
    http://ad.doubleclick.net/clk;4000977;7017363;f?http://www.att.com/business/return/

    ----------------------------------------------------------------------

    We have two large vulnerabilities to report this week. First is an
    off-by-one vulnerability in OpenSSH versions between 2.0 and 3.1. If
    you're running OpenSSH, be sure to upgrade. More information is
    available under item {02.10.001}.

    Second is a vulnerability in the zlib/libz library decompression
    routines. The problem is that the zlib/libz library is used in *many*
    applications, including SSH clients/servers, PPP clients/servers, GPG
    and mail readers -- essentially anything that uses the standard LZW
    compression. Be sure to keep an eye on your vendor lists for updates;
    odds are everyone will have to update something. More information is
    available under item {02.10.014}.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.10.005} Win - Update {02.06.011}: Multiple vendor SNMP problems
    {02.10.008} Win - Norton AntiVirus 2002 scanning bypass
    {02.10.009} Win - MS02-014: Windows shell buffer overflow
    {02.10.010} Win - JavaScript.nu Xerver file browsing and DoS
    {02.10.017} Win - IMail Web interface session ID leakage
    {02.10.002} Linux - Update {02.08.035}: mod_ssl session serializing
                overflow
    {02.10.003} Linux - Update {02.08.034}: PHP file upload vulnerabilities
    {02.10.019} SCO - dlvr_audit local buffer overflow
    {02.10.022} SCO - Update {01.15.006}: IPFilter fragmented packet bypass
                vulnerability
    {02.10.013} NApps - Sun/Cobalt admin MultiFileUpload.php vulnerability
    {02.10.001} Cross - OpenSSH channels off-by-one vulnerability
    {02.10.004} Cross - Update {02.09.008}: Multiple vendor RADIUS
                vulnerabilities
    {02.10.006} Cross - PureTLS SSL security vulnerability
    {02.10.007} Cross - mod_frontpage fpexec overflow
    {02.10.011} Cross - efingerd reverse host name lookup overflow
    {02.10.012} Cross - mtr MTR_OPTIONS environment variable overflow
    {02.10.014} Cross - zlib double free decompression bug
    {02.10.015} Cross - xtell multiple vulnerabilities
    {02.10.016} Cross - GNU fileutils recursive symlink attack
    {02.10.018} Cross - Ecartis/Listar multiple overflows and privilege
                drop problem
    {02.10.020} Cross - SMStools format string vulnerabilities
    {02.10.021} Cross - phpimglist CGI directory browsing

    - --- Windows News -------------------------------------------------------

    *** {02.10.005} Win - Update {02.06.011}: Multiple vendor SNMP problems

    Microsoft released patches for Windows 2000, which fix the
    vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
    problems").

    More information is available at:
    http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0054.html

    *** {02.10.008} Win - Norton AntiVirus 2002 scanning bypass

    A recently released advisory indicates multiple methods by which a
    malicious e-mail can bypass the virus checking functions of Norton
    AntiVirus version 2002. For more information, see the reference
    URL below.

    Confirming these vulnerabilities, the vendor basically stated that
    client/desktop antivirus protection will catch the viruses that bypass
    the e-mail scanner.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0065.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0085.html

    *** {02.10.009} Win - MS02-014: Windows shell buffer overflow

    Microsoft released MS02-014 ("Windows shell buffer overflow"). The
    Windows shell program contains a buffer overflow that, under certain
    conditions, could allow a malicious Web site to execute arbitrary
    code on the user's system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-014.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0056.html

    *** {02.10.010} Win - JavaScript.nu Xerver file browsing and DoS

    JavaScript.nu's Xerver version 2.10 reportedly allows a remote attacker
    to browse the local file system by submitting a particularly formed
    URL request. The advisory also indicates a denial of service to the
    administrative service, which causes it to crash.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html

    *** {02.10.017} Win - IMail Web interface session ID leakage

    IMail version 7.05 could possibly allow a malicious e-mail to leak a
    viewer's session ID to a remote Web site by embedding an image into
    the e-mail and logging the referrer given by the user's Web browser
    when it fetches the image.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0061.html

    - --- Linux News ---------------------------------------------------------

    *** {02.10.002} Linux - Update {02.08.035}: mod_ssl session serializing
                    overflow

    Mandrake and RedHat released updated mod_ssl packages, which fix the
    vulnerability discussed in {02.08.035} ("mod_ssl session serializing
    overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0089.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0099.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0058.html

    Source: Mandrake, Debian, RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0089.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0099.html
    http://archives.neohapsis.com/archives/vendor/2002-q1/0058.html

    *** {02.10.003} Linux - Update {02.08.034}: PHP file upload
                    vulnerabilities

    Conectiva released updated PHP packages, which fix the vulnerabilities
    discussed in {02.08.034} ("PHP file upload vulnerabilities").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0021.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0021.html

    - --- SCO News -----------------------------------------------------------

    *** {02.10.019} SCO - dlvr_audit local buffer overflow

    Caldera/SCO released an advisory indicating the dlvr_audit binary
    contains a buffer overflow that would allow a local attacker to gain
    root privileges.

    Updated binaries are located at:
    ftp://ftp.caldera.com/pub/openserver5/oss645a

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0015.html

    *** {02.10.022} SCO - Update {01.15.006}: IPFilter fragmented packet
                    bypass vulnerability

    Caldera/SCO released updated ipfilter binaries, which fix the
    vulnerability discussed in {01.15.006} ("IPFilter fragmented packet
    bypass vulnerability").

    Updated SCO binaries are located at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.9/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0016.html

    - --- Network Appliances News --------------------------------------------

    *** {02.10.013} NApps - Sun/Cobalt admin MultiFileUpload.php
                    vulnerability

    The Sun/Cobalt XTR administrative interface does not require
    authentication for the MultiFileUpload*.php scripts located in the
    /uifc/ directory. The scripts allow a remote attacker to upload
    temporary files owned by any user (which could possibly result in a
    denial of service attack by consuming disk space). The scripts also
    don't properly handle temporary files, thereby allowing local attackers
    to perform a symlink attack and overwrite arbitrary files on the
    system with the contents they upload. This would lead to root access.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0081.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.10.001} Cross - OpenSSH channels off-by-one vulnerability

    OpenSSH prior to version 3.1 contains a vulnerability in the handling
    of SSH channels, which could allow either a local attacker to execute
    arbitrary code with root access or a malicious SSH server to execute
    arbitrary code on the client under the client user's privileges.

    OpenSSH version 3.1 fixes this vulnerability. The latest source code
    is available at:
    http://www.openssh.org/

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0011.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1570.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0020.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0101.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0057.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0087.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html

    NetBSD -current and -1.5 have been updated as of March 7.

    Source: OpenBSD, EnGarde, SuSE, Conectiva, RedHat, Trustix, NetBSD,
    Debian, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/openbsd/2002-03/0435.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0011.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1570.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0020.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0101.html
    http://archives.neohapsis.com/archives/vendor/2002-q1/0057.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0087.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html
    http://archives.neohapsis.com/archives/netbsd/2002-q1/0168.html

    *** {02.10.004} Cross - Update {02.09.008}: Multiple vendor RADIUS
                    vulnerabilities

    Conectiva and IBM released updates, which fix the vulnerabilities
    discussed in {02.09.008} ("Multiple vendor RADIUS vulnerabilities").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0019.html

    IBM has released APARS IY17630 and IY20943.

    Source: Conectiva, IBM
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0019.html
    http://archives.neohapsis.com/archives/aix/2002-q1/0007.html

    *** {02.10.006} Cross - PureTLS SSL security vulnerability

    The authors of PureTLS SSL library stated that versions prior
    to version 0.9b2 contain a security vulnerability. Details were
    intentionally withheld.

    Update your version at:
    http://www.rtfm.com/puretls

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0056.html

    *** {02.10.007} Cross - mod_frontpage fpexec overflow

    Mandrake released an advisory indicating the fpexec application
    included with mod_frontpage prior to version 1.6.1 contains a remotely
    exploitable buffer overflow that lets an attacker run arbitrary code
    with root privileges.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0076.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0076.html

    *** {02.10.011} Cross - efingerd reverse host name lookup overflow

    Efingerd versions 1.6.1 and prior contain a buffer overflow in the
    handling of long reverse DNS host names. This could allow a remote
    attacker to execute arbitrary code on the system under 'nobody'
    privileges.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html

    *** {02.10.012} Cross - mtr MTR_OPTIONS environment variable overflow

    mtr versions 0.46 and prior contain a buffer overflow in the handling
    of the MTR_OPTIONS environment variable. This could allow a local
    attacker to execute arbitrary code that has access to an opened
    RAW network socket, thereby allowing the attacker to sniff network
    traffic and spoof packets. Note that this is only a problem if mtr
    is setuid root, which is default on some installations/distros (but
    not recommended).

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0048.html

    *** {02.10.014} Cross - zlib double free decompression bug

    zlib library prior to version 1.1.4 contains a bug that could allow
    a particularly malformed set of compressed data to execute arbitrary
    code. All programs that use zlib are vulnerable. Programs could
    include SSH, GPG and VNC.

    Updated source is available at:
    http://www.zlib.org

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0014.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0107.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1636.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0062.html

    Source: EnGarde, RedHat, SuSE, Debian, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0111.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0014.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0107.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1636.html
    http://archives.neohapsis.com/archives/vendor/2002-q1/0062.html

    *** {02.10.015} Cross - xtell multiple vulnerabilities

    Debian released an advisory indicating multiple vulnerabilities in
    the xtell client/server application. These include numerous buffer
    overflows, directory traversal and symlink attacks.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0059.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0059.html

    *** {02.10.016} Cross - GNU fileutils recursive symlink attack

    Versions 4.1 and prior of the GNU fileutils package (which contains
    applications like rm, cp, etc.) perform directory manipulations
    insecurely when the recursive option is used. This could allow a local
    attacker to trick another user into performing file operations against
    unintended files.

    This vulnerability is confirmed. A patch is available at:
    http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0096.html

    *** {02.10.018} Cross - Ecartis/Listar multiple overflows and privilege
                    drop problem

    A posted report indicates the Ecartis/Listar version 1.0.0 prior to
    snapshot 20020125 does not properly drop setuid privileges before
    attempting dangerous operations. There are also many buffer overflows,
    which could allow local attackers to elevate their privileges.

    The advisory indicates vendor confirmation and the release of an
    update:
    http://marc.10east.com/?l=listar-announce&m=101452659032650&w=2

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0063.html

    *** {02.10.020} Cross - SMStools format string vulnerabilities

    SMStools version 1.4.7 contains exploitable format string
    vulnerabilities, which allow an attacker to execute arbitrary code
    under the smsd daemon's privileges.

    The vendor confirmed the problem and released version 1.4.8.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0103.html

    *** {02.10.021} Cross - phpimglist CGI directory browsing

    The phpimglist CGI allows a remote attacker to browse directories
    outside the Web root by using '..' notation in the 'cwd' URL parameter.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0113.html
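    The phpimglist item above describes the classic directory-traversal pattern: a
    'cwd' parameter joined onto the Web root without checking that the result stays
    inside it. The following Python is an added example, not code from the newsletter
    or from phpimglist, showing the containment check a Web application should apply
    to such a parameter, plus a small detector that runs the same check over access
    log lines to spot traversal attempts after the fact. The Web root, the request
    paths and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Web root for the example; phpimglist's real layout is not on the page.
WEB_ROOT = "/var/www/html/images"


def safe_cwd(cwd, root=WEB_ROOT):
    """Map a user-supplied 'cwd' parameter onto a directory under root.

    Returns the normalised absolute path if the request stays inside root,
    or None if it would escape via '..', an absolute path or a NUL byte.
    The parameter is treated as relative to root even if it starts with '/'.
    """
    decoded = unquote(cwd)            # fold %2e%2e / %2f encodings before checking
    if "\x00" in decoded:             # NUL bytes truncate paths in C-based runtimes
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment test on the normalised path; the trailing '/' avoids the
    # prefix trap where '/var/www/html/images2' would match root as a string.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed Apache-style access log lines (hypothetical hosts and requests).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2002:15:47:58 -0600] "GET /phpimglist/index.php?cwd=photos/2002 HTTP/1.0" 200 512
192.0.2.11 - - [14/Mar/2002:15:48:02 -0600] "GET /phpimglist/index.php?cwd=../../../etc HTTP/1.0" 200 2048
192.0.2.12 - - [14/Mar/2002:15:48:05 -0600] "GET /phpimglist/index.php?cwd=%2e%2e%2f%2e%2e%2fetc HTTP/1.0" 200 2048
""".splitlines()

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(lines, root=WEB_ROOT):
    """Return the log lines whose 'cwd' query parameter would escape root."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes values; safe_cwd's unquote is then a no-op.
        for cwd in parse_qs(query, keep_blank_values=True).get("cwd", []):
            if safe_cwd(cwd, root) is None:
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    for value in ("photos/2002", "../../../etc", "%2e%2e/%2e%2e/etc", "/etc", ""):
        print(repr(value), "->", safe_cwd(value))
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("TRAVERSAL ATTEMPT:", line)
```

    The check normalises first and compares afterwards; rejecting the literal
    string '..' alone misses encoded variants and absolute paths, which is why the
    detector reuses the same containment function rather than a pattern match.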

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8kRM0+LUG5KFpTkYRAjdBAJ44k7Q9Bv8+qJ3W9J/CEV3oO00XGgCeJLx5
    Sq7sR6NtaeThSFyRPZvEjgU=
    =yHKW
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).