SANS Critical Vulnerability Analysis Vol 2 No 24

From: The SANS Institute (CriticalVulnerabilityAnalysissans.org)
Date: Mon Jun 23 2003 - 10:08:07 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
                  SANS Critical Vulnerability Analysis
June 23, 2003 Vol. 2. No. 24
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and provides
guidance on appropriate actions to protect your systems.
Details on the CVA process: http://www.sans.org/newsletters/cva/#process
***********************************************************************

Table of Contents:
(1) MODERATE: Cistron RADIUS Server NAS-Port Buffer Overflow
(2) MODERATE: Snitz Forum Password Reset Vulnerability
****************************************************************

*************** Sponsored Links For This Week *************************
Privacy notice: These links redirect to non-SANS web pages.

Instantly stop DDoS attacks. Prevent worm/virus exploits.
   Hands-on, online demo--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/CVA64
***********************************************************************
Highlighted Training Program of the Week!

SANSFire 2003: The largest security training conference in Washington
this year. Nine great tracks, plus a major exposition, plus five extra
programs: Securing Apache, Honeypots, Business Law and Security,
Securing Windows With The Gold Standard, and Reverse Engineering
Malware, plus the National Information Assurance Leadership Conference
- focusing on new developments in security standards. Late registration
fee goes into effect on June 25. Details:
http://www.sans.org/sansfire03/index.php

***********************************************************************

(1) MODERATE: Cistron RADIUS Server NAS-Port Buffer Overflow

Affected Products:
radiusd-cistron 1.6.4, 1.6.5 and 1.6.6

Description:
The Cistron RADIUS server implementation contains a buffer overflow
vulnerability in handling large NAS-Port attribute values. A NAS
(Network Access Server) is the device to which a user attempts to
authenticate, and the NAS acts as a RADIUS client. The NAS passes a
user's information (e.g. username, password) to the RADIUS server as
part of an "access-request" message and awaits an "access-accept"
response. If the NAS provides multiple physical ports for accepting user
connections, it may distinguish between ports in "access-request" and
"accounting-request" messages by setting the four-byte NAS-Port
attribute. The Cistron RADIUS implementation contains a single-byte
buffer overflow in handling NAS-Port attribute numbers above 2^31, which
can be exploited to execute arbitrary code on the RADIUS server.
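The advisory states only that NAS-Port values above 2^31 trigger a single-byte overflow. The C below is an added illustration written for this page, not Cistron's code: it parses the NAS-Port attribute as RFC 2865 defines it (type 5, a 4-byte unsigned integer) and measures how many bytes a value of 2^31 needs when rendered as a signed versus an unsigned decimal. The assumption, labelled in the comments, is that the extra byte is the minus sign a signed rendering gains once the value passes 2^31; the hardened formatter keeps the value unsigned and bounds the write with snprintf.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_USER_NAME 1
#define ATTR_NAS_PORT  5

/* Walk a RADIUS attribute list (RFC 2865: Type, Length, Value) and pull
 * out NAS-Port, a 4-byte unsigned big-endian integer.  Returns 1 and sets
 * *port when found, 0 when absent or when a TLV does not fit the buffer. */
int find_nas_port(const uint8_t *attrs, size_t len, uint32_t *port)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = attrs[off];
        uint8_t alen = attrs[off + 1];
        if (alen < 2 || off + alen > len)
            return 0;                      /* malformed TLV: reject the packet */
        if (type == ATTR_NAS_PORT) {
            if (alen != 6)
                return 0;                  /* NAS-Port carries exactly 4 value bytes */
            *port = ((uint32_t)attrs[off + 2] << 24) |
                    ((uint32_t)attrs[off + 3] << 16) |
                    ((uint32_t)attrs[off + 4] << 8)  |
                     (uint32_t)attrs[off + 5];
            return 1;
        }
        off += alen;
    }
    return 0;
}

/* Bytes (NUL included) needed to print the port as a signed 32-bit value,
 * the way a server that keeps NAS-Port in a plain int would render it.
 * Assumed mechanism: above 2^31 the value prints as negative, 10 digits
 * plus a '-' sign, one byte more than any unsigned rendering can need. */
int signed_render_len(uint32_t port)
{
    /* the cast wraps on two's-complement targets (implementation-defined in C) */
    return snprintf(NULL, 0, "%d", (int32_t)port) + 1;
}

int unsigned_render_len(uint32_t port)
{
    return snprintf(NULL, 0, "%u", port) + 1;
}

/* Hardened formatter: unsigned conversion into a caller-sized buffer via
 * snprintf, so a port above 2^31 can neither go negative nor overflow.
 * Returns the number of characters written, or -1 on truncation. */
int format_nas_port(uint32_t port, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%u", port);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Constructed sample attribute list: User-Name "alice" followed by
 * NAS-Port 0x80000000 (exactly 2^31). */
static const uint8_t sample_attrs[] = {
    ATTR_USER_NAME, 7, 'a', 'l', 'i', 'c', 'e',
    ATTR_NAS_PORT,  6, 0x80, 0x00, 0x00, 0x00
};

/* Parse the sample; returns the port, or 0 if parsing fails. */
uint32_t sample_nas_port(void)
{
    uint32_t port = 0;
    if (!find_nas_port(sample_attrs, sizeof sample_attrs, &port))
        return 0;
    return port;
}

/* Format the sample port into a 10-digit buffer; returns chars written or -1. */
int sample_format_result(void)
{
    char buf[11];                          /* 10 digits + NUL: enough for any uint32 */
    return format_nas_port(sample_nas_port(), buf, sizeof buf);
}

int main(void)
{
    uint32_t port = sample_nas_port();
    printf("NAS-Port = %u\n", port);
    printf("signed rendering needs %d bytes, unsigned needs %d\n",
           signed_render_len(port), unsigned_render_len(port));
    printf("format_nas_port into an 11-byte buffer -> %d\n", sample_format_result());
    return 0;
}
```

The length check is the useful part for a reviewer: a buffer sized for ten digits and a NUL holds every unsigned 32-bit port, but a signed rendering of anything from 2^31 upward needs one byte more, which is the size class of bug the advisory describes. Rejecting malformed TLVs before reading the value also matters, since the attribute walker must not run past the packet end.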

Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.

Risk: Remote compromise of Cistron RADIUS authentication servers at the
privilege level of the server process, typically root.

Deployment: Moderate.
RADIUS is a widely used protocol, and the Cistron implementation is
included in multiple Linux distributions.

Ease of Exploitation: Difficult.
This is a single-byte buffer overflow that is believed difficult to
exploit. In addition, an attacker must be able to spoof the UDP request
packets such that they appear to be sourced from an IP address belonging
to a trusted NAS, and the attacker must know the secret key shared
between the NAS and the RADIUS server.

Status: Vendor confirmed. Debian and SuSE have released updated packages
to address the problem.

References:
Debian Security Advisory
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0946.html

SuSE Security Advisory
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0793.html

Debian Bug Report and Response
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063&msg=4

Cistron RADIUS Server Home Page
http://www.radius.cistron.nl/

SecurityFocus BID
http://www.securityfocus.com/bid/7892

RADIUS Protocol RFCs
http://www.faqs.org/rfcs/rfc2865.html
http://www.faqs.org/rfcs/rfc2866.html

****************************************************************

(2) MODERATE: Snitz Forum Password Reset Vulnerability

Affected Products:
Snitz Forum version 3.4.03

Description:
Snitz Forum, an open source discussion board application for web
servers, has been reported to contain multiple vulnerabilities. The most
severe problem allows a malicious user to reset arbitrary account
passwords to a string of their choosing. Snitz communities are typically
open to the public, so anyone with malicious intent can register as a
user and exploit the vulnerability.

Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.

Risk: A remote attacker can compromise arbitrary Snitz forum member
accounts, potentially including the Administrator account.

Deployment: Moderate.
According to the vendor website, the affected version of Snitz Forum
has been downloaded more than 130,000 times. The software runs on any
Windows- or Unix-based ASP-enabled web server.

Ease of Exploitation: Simple.
The attacker must register as a user and then request a forgotten
password. The attacker is then directed to a password reset page. The
reset page may be modified offline to specify an arbitrary member ID
rather than the attacker's own. The new password submitted via the
modified reset page is then assigned to the target member.
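The flaw described above is that the reset page trusts a member ID sent back by the client. The C below is an added example of the corrected design, written for this page and unrelated to Snitz's ASP code: the server issues a reset token bound to the account that requested it, and the reset step takes the account from that binding, logging and ignoring whatever member ID the submitted form claims. The member table, token strings and passwords are constructed sample data; a real server would generate tokens from a CSPRNG, expire them, and store password hashes rather than the clear strings used here to keep the example short.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
#define TOKEN_LEN  32
#define PW_LEN     64

/* One outstanding reset token, bound server-side to the account that
 * requested it.  The binding is the whole point: the reset step never
 * consults a member id supplied by the client. */
struct reset_token {
    char token[TOKEN_LEN + 1];
    int  member_id;
    int  used;
};

struct member {
    int  id;
    char password[PW_LEN];   /* clear text only for the example; hash in real code */
};

/* Constructed sample state: three members and an empty token table. */
static struct member members[] = {
    { 1, "admin-old" },
    { 2, "alice-old" },
    { 3, "bob-old"   },
};
static struct reset_token tokens[MAX_TOKENS];
static int token_count = 0;

static struct member *find_member(int id)
{
    size_t i;
    for (i = 0; i < sizeof members / sizeof members[0]; i++)
        if (members[i].id == id)
            return &members[i];
    return NULL;
}

const char *member_password(int id)
{
    struct member *m = find_member(id);
    return m ? m->password : NULL;
}

/* Record a reset token for member_id.  The caller passes the token string
 * so this example runs deterministically; a real server must generate it
 * from a CSPRNG (e.g. /dev/urandom) and give it a short expiry.
 * Returns 0 on success, -1 if the member is unknown or the table is full. */
int issue_reset_token(int member_id, const char *token)
{
    if (!find_member(member_id) || token_count >= MAX_TOKENS ||
        strlen(token) > TOKEN_LEN)
        return -1;
    strcpy(tokens[token_count].token, token);
    tokens[token_count].member_id = member_id;
    tokens[token_count].used = 0;
    token_count++;
    return 0;
}

/* Apply a reset.  submitted_member_id is whatever the client's form
 * claims; it is logged for detection and otherwise ignored.  The account
 * changed is the one the token was issued for.  Returns that member id,
 * or -1 if the token is unknown, already used, or the password too long. */
int apply_reset(const char *token, int submitted_member_id, const char *new_password)
{
    int i;
    for (i = 0; i < token_count; i++) {
        struct reset_token *t = &tokens[i];
        if (t->used || strcmp(t->token, token) != 0)
            continue;
        if (submitted_member_id != t->member_id)
            fprintf(stderr, "reset: form claimed member %d but token belongs to %d\n",
                    submitted_member_id, t->member_id);
        if (strlen(new_password) >= PW_LEN)
            return -1;
        strcpy(find_member(t->member_id)->password, new_password);
        t->used = 1;                        /* single use */
        return t->member_id;
    }
    return -1;
}

int main(void)
{
    issue_reset_token(2, "sample-token-for-alice");
    printf("reset applied to member %d\n",
           apply_reset("sample-token-for-alice", 1, "new-secret"));
    printf("member 1 password: %s\n", member_password(1));
    printf("member 2 password: %s\n", member_password(2));
    return 0;
}
```

Running it shows member 2's password changing while member 1's stays put even though the form named member 1, and the mismatch line on stderr is the kind of event a forum operator would want to alert on.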

Status: The advisory indicates that the vendor has been informed, but
the vulnerabilities have not been confirmed.

References:
Posting by JeiAr
http://archives.neohapsis.com/archives/bugtraq/2003-06/0110.html

Vendor Website
http://forum.snitz.com/

SecurityFocus BID
http://www.securityfocus.com/bid/7925

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansrosans.org for
permission.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+9utw+LUG5KFpTkYRAl0RAJ9VsO4xsZVx9y+PdfR04RzLa0tB2ACfXOk1
MJCnfprklPgacSkMfFNahsk=
=UxfI
-----END PGP SIGNATURE-----