RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 51
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert at sans.org)
Date: Fri Dec 24 2004 - 19:04:32 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Four very newly discovered, and important Windows vulnerabilities from
a Chinese security firm. (#1, #2, #3, and #4 below). Microsoft hasn't
issued patches, so use the workarounds.
Starting next week, RISK will be delivered on Friday mornings to give
you time before the weekend to be sure you have blocked the most
critical vulnerabilities.
Training News: Win one of four Apple iPods by registering for the big
Orlando security and audit training conference by December 31.
(www.sans.org/orlando05/)
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
December 25, 2004 Vol. 3. Week 51
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
------------------------------------------------------------------------
Category                          # of Updates & Vulnerabilities
------------------------------------------------------------------------
Microsoft Windows                  4 (#1, #2, #3, #4)
Other Microsoft Products           2
Third Party Windows Apps           2
Linux                              2 (#8, #10)
Unix                              15
Cross Platform                     7 (#5, #6, #7)
Web Application                    5 (#9)
Network Device                     1
------------------------------------------------------------------------
Table of Contents:
Part I -- Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)
Widely Deployed Software
(1) HIGH: Microsoft Windows HTML Help ActiveX Control Vulnerability
(2) HIGH: Microsoft Windows USER32 Library LoadImage Buffer Overflow
(3) MODERATE: Microsoft Windows Winhlp32.exe Buffer Overflows
(4) MODERATE: Internet Explorer DHTML Edit ActiveX Control Spoofing
(5) UPDATE: Oracle Products Multiple Vulnerabilities
(6) UPDATE: IBM DB2 Multiple Vulnerabilities
Other Software
(7) MODERATE: Sybase Adaptive Server Enterprise Vulnerabilities
(8) MODERATE: MPlayer Multiple Buffer Overflow Vulnerabilities
Worm and Exploit Code
(9) Sanity Worm Exploiting phpBB Hole
(10) Webmin Brute Force Password and Code Execution
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Other Microsoft Products
04.51.1 - Windows Media Player ActiveX Control Vulnerability
04.51.2 - Windows Media Player ActiveX Control File Enumeration
-- Third Party Windows Apps
04.51.3 - WinRAR File Name Remote Client-Side Buffer Overflow
04.51.4 - VB2C FRM File Remote Buffer Overflow
-- Linux
04.51.5 - Mesh Viewer Buffer Overflow
04.51.6 - YAMT ID3 Tag Sort Command Execution
-- Unix
04.51.7 - abcpp Directive Handler Buffer Overflow
04.51.8 - abcm2ps ABC File Buffer Overflow
04.51.9 - abc2ps/jcabc2ps Voice Field Buffer Overflow
04.51.10 - pgn2web Buffer Overflow
04.51.11 - abc2midi Multiple Stack Buffer Overflow Vulnerabilities
04.51.12 - greed GRX File List Buffer Overflow
04.51.13 - PCAL Calendar File getline Buffer Overflow
04.51.14 - abctab2ps ABC File Remote Buffer Overflow
04.51.15 - GNU UnRTF Font Table Conversion Buffer Overflow
04.51.16 - DXFScope Remote Client-Side Buffer Overflow
04.51.17 - Bolthole Filter Address Parsing Buffer Overflow
04.51.18 - junkie FTP Client Filename Command Execution
04.51.19 - junkie FTP Client File Corruption Vulnerability
04.51.20 - CVSTrac Unspecified Cross-Site Scripting
04.51.21 - abc2mtex Process ABC Key Field Buffer Overflow
-- Cross Platform
04.51.22 - csv2xml Buffer Overflow Vulnerability
04.51.23 - IglooFTP Server File Corruption Vulnerability
04.51.24 - xlreader Remote Client-Side Buffer Overflow
04.51.25 - Yanf HTTP Response Buffer Overflow
04.51.26 - rtf2latex2e Stack Buffer Overflow
04.51.27 - Ringtone Tools EMelody File Remote Buffer Overflow
04.51.28 - Perl Crypt::ECB Incorrect Block Encryption Weakness
-- Web Application
04.51.29 - PhpBB Multiple Admin Pages Vulnerabilities
04.51.30 - PhpBB IMG Tag HTML Injection Vulnerability
04.51.31 - Mantis Unspecified SQL Injection Vulnerability
04.51.32 - o3read HTML Parser Buffer Overflow
04.51.33 - WorkBoard Multiple Cross-Site Scripting Vulnerabilities
-- Network Device
04.51.34 - ChBg Scenario File Overflow Vulnerability
______________________________________________________________________
****************Sponsored by SANS Orlando 2005***************************
Fourteen immersion training tracks for managers, auditors, sysadmins,
security professionals and for those seeking to pass the ISC2 CISSP
exam.
The best teachers in security, in Florida, when it is cold in the north
and Europe. Plan to bring the family along for a weekend at Disney
World.
Conference and registration details: http://www.sans.org/orlando05
************************** SPONSORED LINKS ******************************
Privacy notice: Sponsored links redirect to non-SANS web pages.
#1 Industry experts and regulatory organizations define best practices
for managing log data - FREE whitepaper:
http://www.sans.org/info.php?id=692
*************************************************************************
PART I Critical Vulnerabilities
Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/
************************
Widely Deployed Software
************************
(1) HIGH: Microsoft Windows HTML Help ActiveX Control Vulnerability
Affected:
Internet Explorer version 6.0
Windows XP SP2
Description: This vulnerability in the HTML Help ActiveX Control can be
used to completely compromise a Windows client. An attacker can exploit
the flaw by constructing a malicious webpage or an HTML email. Browsing
the webpage or opening the email is sufficient for the client
compromise, i.e. no further user interaction is required. The problem
occurs because it is possible to inject JavaScript code into the HTML
Help ActiveX control's parameters. By forcing the control to open a
local file, it is then possible to execute the JavaScript code in the
context of the "Local Computer" zone. Technical details and a
proof-of-concept exploit have been publicly posted. The PoC exploit,
when run on Windows XP SP2, creates a "Microsoft Office.hta" file in
the "Documents and Settings\All Users\Start Menu\Programs\Startup"
directory.
Status: Microsoft not confirmed, no patches available. A workaround is
to disable "Active Scripting" in Internet Explorer.
Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.
References:
Posting by Paul
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
PoC Exploit
(Warning: Clicking the following link will launch the PoC Exploit)
http://freehost07.websamba.com/greyhats/sp2rc.htm
SecurityFocus BID
Not yet available.
***********************************************************************
(2) HIGH: Microsoft Windows USER32 Library LoadImage Buffer Overflow
Affected:
Windows NT/2000/XP SP0 and SP1/2003
Description: The USER32 library contains the Windows API functions for
user interface handling. Its "LoadImage" function is responsible for
loading files such as icons, cursors, animated cursors and bitmaps. The
"LoadImage" function reportedly contains a heap-based buffer overflow
that can be triggered by a specially crafted icon, cursor or bitmap
file. The problem occurs because the declared image size is not checked
before the image is opened. The flaw may be exploitable to execute
arbitrary code on the client. To exploit the flaw, an attacker can take
any of the following actions:
(a) Create a webpage containing a malicious .ico, .bmp, .ani or .cur
file, and entice a user to visit the webpage.
(b) Send an HTML email containing the malicious .ico, .bmp, .ani or .cur
file.
(c) Create a shared folder containing the malicious .ico, .bmp, .ani or
.cur file, and entice a user to browse the shared folder.
The technical details and exploit code have been publicly posted.
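The check the description says LoadImage skipped, comparing the sizes a
bitmap declares in its header with the bytes actually present before any
decoder runs, written here as an added defender-side example (not
Microsoft's code and not from the advisory). It assumes the standard BMP
layout (14-byte file header followed by a 40-byte BITMAPINFOHEADER,
little-endian, uncompressed pixels); icon, cursor and animated-cursor
headers are not covered, and the BMP_MAX_DIM limit is a local policy
choice.

```c
/* Added example, not Microsoft's code: validate a BMP image in memory
 * before a decoder touches it. Assumes a 14-byte file header plus a
 * 40-byte BITMAPINFOHEADER, little-endian, BI_RGB (uncompressed) pixels. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum bmp_verdict {
    BMP_OK = 0,
    BMP_TOO_SHORT,        /* fewer bytes than one complete header */
    BMP_BAD_MAGIC,        /* does not start with "BM" */
    BMP_BAD_HEADER,       /* info header too small or pixels compressed */
    BMP_SIZE_MISMATCH,    /* bfSize disagrees with the bytes actually held */
    BMP_BAD_OFFSET,       /* bfOffBits before the headers or past the end */
    BMP_BAD_DIMENSIONS,   /* zero or implausibly large width/height */
    BMP_BAD_BITCOUNT,     /* bits per pixel not a documented value */
    BMP_PIXELS_TRUNCATED  /* declared dimensions need more bytes than exist */
};

#define BMP_HEADER_BYTES 54u
#define BMP_MAX_DIM      16384   /* policy limit (assumption), not a format limit */

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Compare every size the header declares against the buffer we actually
 * hold. Only BMP_OK means the image is safe to hand to a decoder. */
enum bmp_verdict bmp_validate(const unsigned char *buf, size_t len) {
    if (len < BMP_HEADER_BYTES) return BMP_TOO_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;

    uint32_t bf_size = rd32(buf + 2);    /* declared total file size */
    uint32_t bf_off  = rd32(buf + 10);   /* declared offset of pixel data */
    uint32_t bi_size = rd32(buf + 14);   /* info header size, >= 40 */
    int32_t  width   = (int32_t)rd32(buf + 18);
    int32_t  height  = (int32_t)rd32(buf + 22);  /* negative = top-down */
    uint16_t bpp     = rd16(buf + 28);
    uint32_t compr   = rd32(buf + 30);

    if (bi_size < 40 || compr != 0) return BMP_BAD_HEADER;
    if (bf_size != len) return BMP_SIZE_MISMATCH;
    if (bf_off < BMP_HEADER_BYTES || bf_off > len) return BMP_BAD_OFFSET;

    int64_t h = height < 0 ? -(int64_t)height : (int64_t)height;
    if (width <= 0 || h == 0 || width > BMP_MAX_DIM || h > BMP_MAX_DIM)
        return BMP_BAD_DIMENSIONS;
    switch (bpp) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return BMP_BAD_BITCOUNT;
    }

    /* Rows are padded to 4 bytes; do the arithmetic in 64 bits so a hostile
     * width cannot wrap the product back into a small number. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = stride * (uint64_t)h;
    if (pixel_bytes > (uint64_t)(len - bf_off)) return BMP_PIXELS_TRUNCATED;
    return BMP_OK;
}

/* Build a constructed (not real-world) BMP with the given declared
 * dimensions but only `pixel_bytes` of pixel data, then validate it.
 * `len_adjust` lets the caller hand over a length that differs from the
 * declared bfSize, as a truncated or padded download would. */
enum bmp_verdict validate_constructed(int32_t w, int32_t h, uint16_t bpp,
                                      size_t pixel_bytes, long len_adjust) {
    static unsigned char buf[4096];
    size_t total = BMP_HEADER_BYTES + pixel_bytes;
    if (total > sizeof buf) return BMP_TOO_SHORT;
    memset(buf, 0, sizeof buf);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total);       /* bfSize */
    wr32(buf + 10, BMP_HEADER_BYTES);     /* bfOffBits */
    wr32(buf + 14, 40);                   /* biSize */
    wr32(buf + 18, (uint32_t)w);          /* biWidth */
    wr32(buf + 22, (uint32_t)h);          /* biHeight */
    buf[26] = 1;                          /* biPlanes */
    buf[28] = (unsigned char)bpp; buf[29] = (unsigned char)(bpp >> 8);
    /* biCompression (bytes 30..33) stays 0 = BI_RGB */
    return bmp_validate(buf, (size_t)((long)total + len_adjust));
}

int main(void) {
    printf("2x2 24bpp, complete:           %d\n", validate_constructed(2, 2, 24, 16, 0));
    printf("1000x1000 24bpp, 16 px bytes:  %d\n", validate_constructed(1000, 1000, 24, 16, 0));
    printf("declared size off by one:      %d\n", validate_constructed(2, 2, 24, 16, -1));
    return 0;
}
```

The second case is the shape the advisory describes: a tiny file whose
header claims a large image, which a loader that trusts the header would
try to process.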
Status: Microsoft not confirmed, no patches available. XP SP2 is reportedly not vulnerable.
Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.
References:
Posting by flashsky fangxing
http://www.securityfocus.com/archive/1/385342/2004-12-21/2004-12-27/0
Exploit Code
http://www.xfocus.net/flashsky/icoExp/index.html
LoadImage Function Reference
http://msdn.microsoft.com/library/en-us/winui/winui/windowsuserinterface/resources/introductiontoresources/resourcereference/resourcefunctions/loadimage.asp
SecurityFocus BID
Not yet available.
***********************************************************************
(3) MODERATE: Microsoft Windows Winhlp32.exe Buffer Overflows
Affected:
Windows NT/2000/XP/2003
Description: The Winhlp32.exe application is responsible for handling
Windows Help (".hlp") files. It reportedly contains a heap-based buffer
overflow and an integer overflow vulnerability. A specially crafted
".hlp" file may exploit these flaws to execute arbitrary code on the
client system with the privileges of the logged-on user. Note that
Windows prompts the user before downloading and opening a ".hlp" file;
hence, exploiting the flaw via a hyperlink or frame pointing to the
malicious .hlp file requires user interaction. However, it may also be
possible to invoke Winhlp32.exe via the HTML Help ActiveX Control and
exploit the flaw without any user interaction (not confirmed). The
technical details and proof-of-concept exploits have been publicly
posted.
Status: Microsoft not confirmed, no patches available. Users should not
open .hlp files downloaded from untrusted sources.
Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.
References:
Posting by flashsky fangxing
http://www.securityfocus.com/archive/1/385332/2004-12-21/2004-12-27/0
PoC Exploits
http://www.xfocus.net/flashsky/icoExp/search.hlp
http://www.xfocus.net/flashsky/icoExp/search1.hlp
SecurityFocus BID
Not yet available.
*************************************************************************
(4) MODERATE: Internet Explorer DHTML Edit ActiveX Control Spoofing
Affected:
Internet Explorer version 6.0 and possibly prior
Description: This Internet Explorer (IE) vulnerability allows an
attacker to trick a victim into visiting a malicious site. The attack
occurs when the victim clicks a link supplied by the attacker in an
email or on a webpage which, according to IE's address bar, points to a
trusted site. However, the attacker can manipulate all the contents of
the trusted site's webpage, so any information the user enters on such
a page can be stolen by the attacker (phishing attacks). The problem is
due to a flaw in IE's DHTML Edit ActiveX control: the control's
"execScript" function does not sufficiently validate a window's domain
prior to executing a script, and the attacker can leverage this to
re-write the contents of a trusted site's webpage. Note that the
attacker can also spoof the content of secure sites with this
vulnerability, since IE still shows the "Lock" icon in the bottom
right-hand corner of the spoofed webpage.
Status: Microsoft not confirmed, no updates available. One option is to
disable ActiveX controls; however, that may degrade the users' web
browsing experience. Users should be advised to type the web addresses
of sensitive sites such as banks themselves and not to open links to
secure sites embedded in another page or an email.
Council Site Actions: All council sites are awaiting confirmation from
the vendor and a patch. They plan to patch during the regular system
update process. One site commented that they consider IE
vulnerabilities a level 4 on a scale from 1 to 5 for servers and a level
5 on a workstation. Thus, this is not a priority to patch for them.
Another site is still investigating replacing IE with Firefox as a long
term strategy move.
References:
Posting by Paul
http://freehost07.websamba.com/greyhats/abusiveparent-discussion.htm
PoC Code
http://freehost07.websamba.com/greyhats/abusiveparent.htm
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
DHTML ActiveX Control
http://msdn.microsoft.com/archive/en-us/dnaredcom/html/edcomdownload.asp
http://msdn.microsoft.com/archive/en-us/dnaredcom/html/edcomfaq.asp
Secunia Advisory
http://secunia.com/advisories/13482/
SecurityFocus BIDs
Not available yet.
***********************************************************************
(5) UPDATE: Oracle Products Multiple Vulnerabilities
NGSSoftware has released complete technical details for the
vulnerabilities in a number of Oracle products that include - Oracle9i
Database Server, Oracle8i Database Server, Oracle Database 10g, Oracle
Enterprise Manager Grid Control 10g, Oracle Enterprise Manager Database
Control 10g, Oracle Application Server 10g, Oracle9i Application Server,
Oracle Collaboration Suite and Oracle E-Business Suite 11i.
Oracle's security alert #68, released on August 31, 2004, contains the
patches. Oracle administrators who have not yet patched their systems
should apply the patches as soon as possible.
References:
NGSSoftware Postings
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0060.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0059.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0058.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0057.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0056.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0055.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0054.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0053.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0052.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0051.html
RISK Newsletter Posting on September 6, 2004
http://www.sans.org/newsletters/risk/vol3_35.php (Item #1)
**********************************************************************
(6) UPDATE: IBM DB2 Multiple Vulnerabilities
NGSSoftware has released complete technical details for the
vulnerabilities in IBM DB2 version 8.1 Fixpak 6 and prior, and IBM DB2
version 7.x Fixpak 11 and prior. DB2 administrators who have not yet
upgraded their databases should apply the patches as soon as possible.
References:
NGSSoftware Postings
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0061.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q4/0062.html
RISK Newsletter Posting on September 6, 2004
http://www.sans.org/newsletters/risk/vol3_35.php (Item #3)
****************
Other Software
****************
(7) MODERATE: Sybase Adaptive Server Enterprise Vulnerabilities
Affected: Sybase Adaptive Server Enterprise versions 12.5.2 and prior
Description: Sybase Adaptive Server Enterprise contains three
vulnerabilities. The discoverers of the flaws have rated them as "High
Risk". Other advisories with a similar rating from the same discoverers
have included overflows that require minimal user privileges or flaws
that can be exploited by remote unauthenticated attackers. Hence,
although the RISK rating for this item is currently "MODERATE" due to
the lack of further information, Sybase administrators should apply the
patches on a priority basis. The technical details of the flaws are
scheduled to be disclosed after 3 months.
Status: Vendor confirmed, upgrade to version 12.5.3.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.
References:
NGSSoftware Advisory
http://archives.neohapsis.com/archives/bugtraq/2004-12/0315.html
Product Homepage
http://www.sybase.com/products/informationmanagement/adaptiveserverenterprise
SecurityFocus BIDs
http://www.securityfocus.com/bid/12080
*******************************************************************
(8) MODERATE: MPlayer Multiple Buffer Overflow Vulnerabilities
Affected:
MPlayer version 1.0pre5 and prior
Description: MPlayer, a Linux movie player, contains multiple buffer
overflow vulnerabilities. The flaws can be triggered by crafted
malicious movie files. An attacker can exploit these flaws to execute
arbitrary code on the client system by enticing a user to visit a
webpage or click a link in an email. The technical details required to
leverage the flaws have been posted.
Status: The vendor has confirmed the flaws reported by iDefense and
found two more flaws during the code review. All of these flaws have
been fixed in the new version 1.0pre5try2.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.
References:
iDefense Advisories
http://www.idefense.com/application/poi/display?id=166&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=167&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=168&type=vulnerabilities
MPlayer Homepage
http://www.mplayerhq.hu/
SecurityFocus BID
Not yet available.
*******************
Worms and Exploits
*******************
(9) Sanity Worm Exploiting phpBB Hole
Description: This worm attacks websites running the phpBB bulletin
board software by exploiting a recently reported command execution
vulnerability in the bulletin board's "viewtopic" script. Upon a
successful attack, the worm defaces the website and overwrites files
with the following extensions: .asp, .php, .htm, .jsp, .phtm and .shtm.
The worm code has been publicly posted and hence can potentially be
modified. Sites using phpBB should immediately upgrade to version
2.0.11.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.
References:
Worm Code
http://www.k-otik.com/exploits/20041222.sanityworm.pl.php
Symantec Advisory
http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
RISK Newsletter Posting on November 25, 2004
http://www.sans.org/newsletters/risk/display.php?v=3&i=47#other1
*******************************************************************
(10) Webmin Brute Force Password and Code Execution
Description: Webmin provides a web interface for performing system
administration on UNIX systems. The program is available for many
flavors of Unix and Linux. A script that can reportedly perform
brute-force password guessing against the administrator account has
been publicly posted. A workaround is to select the 'Enable password
timeouts' option in the Webmin configuration.
Council Site Actions: Due to holidays and the late-breaking nature of
the issues, we were unable to solicit any council site responses.
References:
Posting by amit sides
http://www.securityfocus.com/archive/1/385249/2004-12-19/2004-12-25/0
Posting by Jamie Cameron
http://www.securityfocus.com/archive/1/385364/2004-12-21/2004-12-27/0
Webmin Homepage
http://www.webmin.com
********************************************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 51, 2004
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3965 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________
04.51.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Windows Media Player ActiveX Control Vulnerability
Description: The Windows Media Player ActiveX control may be abused by a
web page to change attributes of media files, allowing malicious users
to execute script code in the Local Zone. Windows Media Player version
9 is affected.
Ref: http://www.4rman.com/security.htm
______________________________________________________________________
04.51.2 CVE: Not Available
Platform: Other Microsoft Products
Title: Windows Media Player ActiveX Control File Enumeration
Description: The Windows Media Player ActiveX control is reported to
be vulnerable to a local file-system enumeration weakness when
accessed by a malicious web page. The "getItemInfoByAtom()" control
method allows the site to know whether a requested resource exists on
the vulnerable host. Windows Media Player 9 is reported to be
vulnerable.
Ref: http://www.4rman.com/security.htm
______________________________________________________________________
04.51.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: WinRAR File Name Remote Client-Side Buffer Overflow
Description: RARLAB WinRAR is a compression utility. WinRAR is
vulnerable to a buffer overflow issue when processing specially
crafted file names. WinRAR versions 3.41 and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/bid/12002
______________________________________________________________________
04.51.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: VB2C FRM File Remote Buffer Overflow
Description: VB2C is an application that converts Visual Basic files
to C/GTK. It has been reported to be vulnerable to a buffer overflow
condition due to insufficient boundary checks while processing a
crafted FRM file. VB2C version 0.02 is reported to be vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/30
______________________________________________________________________
04.51.5 CVE: CAN-2004-1283
Platform: Linux
Title: Mesh Viewer Buffer Overflow
Description: Mesh Viewer is an application designed to display 3-D
images in an X-Windows environment. It is reported to be vulnerable to
a buffer overflow issue due to improper boundary checks of
user-supplied input. Mesh viewer version 0.2.2 is reported to be
vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/meshviewer.txt
______________________________________________________________________
04.51.6 CVE: Not Available
Platform: Linux
Title: YAMT ID3 Tag Sort Command Execution
Description: YAMT (Yet Another MP3 Tool) is an MP3 organizer utility.
It is reported to be vulnerable to a command execution issue due to
improper sanitization of input to the "id3tag_sort()" function in the
"id3tag.c" source file. YAMT version 0.5 is reported to be vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/40
______________________________________________________________________
04.51.7 CVE: Not Available
Platform: Unix
Title: abcpp Directive Handler Buffer Overflow
Description: abcpp is a preprocessor for ABC music notation files.
Insufficient boundary checking of ABC directives while copying into a
finite buffer in the "handle_directive()" function of the "abcpp.c"
file exposes a buffer overflow issue. abcpp version 1.3.0 is
affected.
Ref: http://securesoftware.list.cr.yp.to/archive/0/52
______________________________________________________________________
04.51.8 CVE: CAN-2004-1258
Platform: Unix
Title: abcm2ps ABC File Buffer Overflow
Description: Jef Moine abcm2ps is a tool that converts ABC files to
music sheets in PostScript format. abcm2ps is vulnerable to a buffer
overflow issue. abcm2ps version 3.7.20 is known to be vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/abcm2ps.txt
______________________________________________________________________
04.51.9 CVE: CAN-2004-1278
Platform: Unix
Title: abc2ps/jcabc2ps Voice Field Buffer Overflow
Description: abc2ps and jcabc2ps are utilities that convert music
notation files into PostScript format. It is reported that abc2ps and
jcabc2ps are vulnerable to a buffer overflow issue. abc2ps version 1.2
and John Chambers jcabc2ps version 20040902 are known to be
vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/jcabc2ps.txt
______________________________________________________________________
04.51.10 CVE: CAN-2004-1290
Platform: Unix
Title: pgn2web Buffer Overflow
Description: pgn2web is an open-source application designed to convert
PGN (Portable Game Notation) files to web pages. pgn2web is
susceptible to a buffer overflow vulnerability due to improper
boundary checks of the "process_moves()" function in the "pgn2web.c"
file. pgn2web version 0.3 is reported to be vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/pgn2web.txt
______________________________________________________________________
04.51.11 CVE: CAN-2004-1256
Platform: Unix
Title: abc2midi Multiple Stack Buffer Overflow Vulnerabilities
Description: abc2midi is a tool used to convert ABC files into MIDI
files. abc2midi is vulnerable to two buffer overflow issues. abcMIDI
version 2004-12-04 is known to be vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt
______________________________________________________________________
04.51.12 CVE: CAN-2004-1273, CAN-2004-1274
Platform: Unix
Title: greed GRX File List Buffer Overflow
Description: greed (Get and Resume Elite Edition) is an FTP/HTTP file
transfer application. It is reported to be vulnerable to a buffer
overflow issue due to improper sanitization of GRX file lists. greed
GRX version 0.81p is reported to be vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/greed.txt
______________________________________________________________________
04.51.13 CVE: CAN-2004-1289
Platform: Unix
Title: PCAL Calendar File getline Buffer Overflow
Description: PCAL is a PostScript calendar generation utility. PCAL is
prone to a buffer overflow vulnerability caused by an issue that
exists in the "getline()" function in the "pcalutil.c" file. PCAL
version 4.7.1 is known to be vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/pcal.txt
______________________________________________________________________
04.51.14 CVE: CAN-2004-1260
Platform: Unix
Title: abctab2ps ABC File Remote Buffer Overflow
Description: abctab2ps is a music and tablature typesetting program.
It is vulnerable to a remote buffer overflow issue due to insufficient
boundary checks in the "trim_title()" function of the "parse.cpp"
file. abctab2ps version 1.6.3 is reported to be vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/32
______________________________________________________________________
04.51.15 CVE: Not Available
Platform: Unix
Title: GNU UnRTF Font Table Conversion Buffer Overflow
Description: GNU UnRTF is a program converting RTF documents into
other formats such as HTML, LaTeX, and PostScript. It is reported to
be vulnerable to a buffer overflow condition while converting certain
crafted files. This is due to insufficient boundary checks while
copying user-supplied data. Attackers could leverage this to execute
arbitrary code on the vulnerable system. UnRTF version 0.19.3 is
reported to be vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/53
______________________________________________________________________
04.51.16 CVE: Not Available
Platform: Unix
Title: DXFScope Remote Client-Side Buffer Overflow
Description: DXFScope is a Unix utility designed to render DXF
formatted image files. It is reported to be vulnerable to a remote
buffer overflow due to improper sanitization of user-supplied input in
the "dxfin()" function of the "d.c" file.
Ref: http://securesoftware.list.cr.yp.to/archive/0/11
______________________________________________________________________
04.51.17 CVE: Not Available
Platform: Unix
Title: Bolthole Filter Address Parsing Buffer Overflow
Description: Bolthole Filter is an email filter. Insufficient boundary
checks in the "save_embedded_address()" function of the "filter.c"
file exposes a buffer overflow issue in the application. Bolthole
Filter version 2.6.1 is affected.
Ref: http://securesoftware.list.cr.yp.to/archive/0/19
______________________________________________________________________
04.51.18 CVE: CAN-2004-1280
Platform: Unix
Title: junkie FTP Client Filename Command Execution
Description: junkie is an FTP client. junkie is vulnerable to a remote
command execution issue when reading file names containing Unix shell
delimiter characters. junkie version 0.3.1 is known to be vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/junkie.txt
______________________________________________________________________
04.51.19 CVE: Not Available
Platform: Unix
Title: junkie FTP Client File Corruption Vulnerability
Description: The junkie FTP client is reported to be vulnerable to a
file corruption condition. This is exposed when the client fails to
sanitize server-supplied filenames during downloads. Malicious servers
could thereby compromise systems with the vulnerable client if
sensitive system files can be overwritten. junkie FTP Client version
0.3.1 is reported to be vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/27
______________________________________________________________________
04.51.20 CVE: CAN-2004-1146
Platform: Unix
Title: CVSTrac Unspecified Cross-Site Scripting
Description: CVSTrac is a web-based bug and patch-set tracking system
for CVS. CVSTrac is vulnerable to an unspecified cross-site scripting
vulnerability. CVSTrac versions prior to 1.1.5 are reported to be
vulnerable.
Ref: http://www.securityfocus.com/advisories/7653
______________________________________________________________________
04.51.21 CVE: CAN-2004-1257
Platform: Unix
Title: abc2mtex Process ABC Key Field Buffer Overflow
Description: abc2mtex is a tool for converting ABC music notation
files into MTEX format. abc2mtex is vulnerable to a buffer overflow
issue when converting files. abc2mtex version 1.6.1 is known to be
vulnerable.
Ref: http://tigger.uic.edu/~jlongs2/holes/abc2mtex.txt
______________________________________________________________________
04.51.22 CVE: Not Available
Platform: Cross Platform
Title: csv2xml Buffer Overflow Vulnerability
Description: The csv2xml tool is designed to convert CSV (Comma
Separated Value) input into XML (eXtensible Markup Language) output.
It is reported to be vulnerable to a buffer overflow condition due to
insufficient boundary checks while processing user-supplied data via
crafted files. Attackers could leverage this to execute arbitrary code
on the vulnerable system. csv2xml version 0.5.2 is reported to be
vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/39
______________________________________________________________________
04.51.23 CVE: Not Available
Platform: Cross Platform
Title: IglooFTP Server File Corruption Vulnerability
Description: IglooFTP is an FTP client. IglooFTP does not properly
sanitize server-supplied filenames during downloads, potentially
allowing for files to be created or overwritten on the client
machine.
Ref: http://securesoftware.list.cr.yp.to/archive/0/50
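The three FTP-client entries above (04.51.18, 04.51.19 and 04.51.23)
share one root cause: a name supplied by the server is used as a local
path, or handed to a shell, without being checked. The following is an
added example (not code from junkie, IglooFTP or the advisory) of the
check a client can apply before either use. The metacharacter set, the
length limit and the rejection of dot-prefixed names are assumptions
made here, chosen to cover both the traversal and the command-injection
cases.

```c
/* Added example, not from junkie or IglooFTP: reject server-supplied file
 * names that could escape the download directory (04.51.19, 04.51.23) or
 * that a shell would interpret if interpolated into a command (04.51.18). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum name_verdict {
    NAME_OK = 0,
    NAME_EMPTY,
    NAME_TOO_LONG,
    NAME_HAS_SEPARATOR,   /* '/' or '\\': would leave the download directory */
    NAME_DOT_ENTRY,       /* "." or ".." */
    NAME_HIDDEN,          /* leading '.': policy choice, keeps rc files safe */
    NAME_CONTROL_CHAR,    /* newline, tab, other control bytes */
    NAME_SHELL_META       /* characters a POSIX shell treats specially */
};

#define NAME_MAX_LEN 255  /* assumption: typical filesystem component limit */

/* Assumed metacharacter list; space is included because a shell would
 * split the name into several arguments. */
static const char SHELL_META[] = "`$|&;<>()[]{}*?~!#'\"\\ ";

/* Classify one server-supplied name. Only NAME_OK is safe to use. */
enum name_verdict check_server_filename(const char *name) {
    if (name == NULL || name[0] == '\0') return NAME_EMPTY;
    size_t n = strlen(name);
    if (n > NAME_MAX_LEN) return NAME_TOO_LONG;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return NAME_DOT_ENTRY;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return NAME_HAS_SEPARATOR;
    if (name[0] == '.') return NAME_HIDDEN;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f) return NAME_CONTROL_CHAR;
        if (strchr(SHELL_META, (int)c) != NULL) return NAME_SHELL_META;
    }
    return NAME_OK;
}

/* Build "<dir>/<name>" only after the name passes the check, so the client
 * never composes a path from an unvetted server string. Returns false and
 * leaves `out` empty when the name is rejected or the result would not fit. */
bool local_download_path(const char *dir, const char *name,
                         char *out, size_t cap) {
    if (cap == 0) return false;
    out[0] = '\0';
    if (check_server_filename(name) != NAME_OK) return false;
    int n = snprintf(out, cap, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= cap) { out[0] = '\0'; return false; }
    return true;
}

int main(void) {
    /* Constructed sample names a directory listing might return. */
    const char *samples[] = { "report-2004.txt", "../escape.txt", "..",
                              "x;y.txt", ".profile", "a.b..c" };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = local_download_path("downloads", samples[i], path, sizeof path);
        printf("%-16s verdict=%d %s%s\n", samples[i],
               check_server_filename(samples[i]),
               ok ? "-> " : "rejected", ok ? path : "");
    }
    return 0;
}
```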
______________________________________________________________________
04.51.24 CVE: Not Available
Platform: Cross Platform
Title: xlreader Remote Client-Side Buffer Overflow
Description: xlreader is a utility designed to read and convert Excel
documents. Insufficient sanitization of malformed Excel documents in
the "book_format_sql()" function exposes a buffer overflow issue.
xlreader version 0.9 is affected.
Ref: http://www.securityfocus.com/bid/11970
______________________________________________________________________
04.51.25 CVE: Not Available
Platform: Cross Platform
Title: Yanf HTTP Response Buffer Overflow
Description: Yanf (Yet Another News Fetcher) is a client utility for
retrieving news from Web sites. Insufficient sanitization of data
received from the server in the "get()" function of the "get.c" file
exposes a buffer overflow condition. Yanf version 0.4 is affected.
Ref: http://www.securityfocus.com/bid/11964/info/
______________________________________________________________________
04.51.26 CVE: Not Available
Platform: Cross Platform
Title: rtf2latex2e Stack Buffer Overflow
Description: rtf2latex2e is an application designed to convert RTF
formatted files to LaTeX. Insufficient sanitization of the "buf"
variable in the "ReadFontTbl()" function of the "reader.c" file
exposes a buffer overflow issue. rtf2latex2e version 1.0 fc2 is
affected.
Ref: http://securesoftware.list.cr.yp.to/archive/0/14
______________________________________________________________________
04.51.27 CVE: Not Available
Platform: Cross Platform
Title: Ringtone Tools EMelody File Remote Buffer Overflow
Description: Ringtone Tools is an application that creates custom
ringtones and graphical logos for mobile phones. It is reported to be
vulnerable to a remote buffer overflow condition due to insufficient
boundary checks while copying user-supplied data via a malicious
eMelody file. Ringtone Tools version 2.22 is reported to be
vulnerable.
Ref: http://securesoftware.list.cr.yp.to/archive/0/29
______________________________________________________________________
04.51.28 CVE: Not Available
Platform: Cross Platform
Title: Perl Crypt::ECB Incorrect Block Encryption Weakness
Description: The Perl module Crypt::ECB (Electronic Code Book) is an
implementation of the Electronic Code Book mode of encryption and
decryption. The module fails to properly validate user-supplied input
data. This weakness may potentially result in incorrect encryption and
decryption of input data.
The Perl module Crypt::ECB 1.1 and ECB 1.1-2 are vulnerable.
Ref: http://secunia.com/advisories/13566/
______________________________________________________________________
04.51.29 CVE: Not Available
Platform: Web Application
Title: PhpBB Multiple Admin Pages Vulnerabilities
Description: PhpBB is a web forum application. The vendor has reported
multiple issues in the 2.0.7 version of the application that could be
used to gain administrator rights or manipulate bulletin board data.
Ref: http://www.securityfocus.com/bid/12013/info/
______________________________________________________________________
04.51.30 CVE: Not Available
Platform: Web Application
Title: PhpBB IMG Tag HTML Injection Vulnerability
Description: PhpBB is a web-based bulletin board. It is reportedly
vulnerable to an HTML injection issue due to insufficient sanitization
of the "IMG" image tags. An attacker could leverage this to insert
malicious HTML content into the board. PhpBB version 2.0.7 is reported
to be vulnerable.
Ref: http://www.phpbb.com/support/documents.php?mode=changelog
______________________________________________________________________
04.51.31 CVE: Not Available
Platform: Web Application
Title: Mantis Unspecified SQL Injection Vulnerability
Description: Mantis is a Web-based bug tracking system implemented in
PHP. It is reported to be vulnerable to an SQL injection issue, due to
improper sanitization of user-supplied input. Mantis version 0.18.2 is
reported to be vulnerable.
Ref: http://www.mantisbt.org/
______________________________________________________________________
04.51.32 CVE: Not Available
Platform: Web Application
Title: o3read HTML Parser Buffer Overflow
Description: o3read is a file conversion utility. Insufficient
boundary checks in the "parse_html()" function of the "o3read.c" file
expose a buffer overflow issue. o3read version 0.3 is affected.
Ref: http://securesoftware.list.cr.yp.to/archive/0/42
______________________________________________________________________
04.51.33 CVE: Not Available
Platform: Web Application
Title: WorkBoard Multiple Cross-Site Scripting Vulnerabilities
Description: WorkBoard is a Web-based project management application
implemented in PHP. It is reported to be vulnerable to multiple
cross-site scripting issues, due to improper sanitization of the
"project_id" and "task_id" parameters of the "modules.php" script.
WorkBoard version 1.2 is known to be vulnerable.
Ref: http://lostmon.blogspot.com/2004/12/workboard-input-validation-error-in.html
______________________________________________________________________
04.51.34 CVE: Not Available
Platform: Network Device
Title: ChBg Scenario File Overflow Vulnerability
Description: ChBg is a desktop background manager. It is reported to
be vulnerable to a remote buffer overflow issue, due to improper
boundary checks of user-supplied input data. ChBg 1.5 is reported to
be vulnerable to the issue.
Ref: http://www.securityfocus.com/bid/11957
______________________________________________________________________
(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFBzLFQ+LUG5KFpTkYRAtQ7AJ9T/4G98UtlFXCt08CLBtkLdEu8swCdHmYO
FW71SDEkM3qf89eAOTEw6UI=
=7VTJ
-----END PGP SIGNATURE-----