From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Feb 08 2001 - 15:50:06 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 083 (00.59)
Thursday, February 8, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
----------------------------------------------------------------------
This week led to a lot (seven, to be exact) of Web servers that were
found to be vulnerable to a reverse directory traversal attack. This is
a classic Web server vulnerability: Someone can use URLs with '..' in
them to gain access to files that are not necessarily meant for public
consumption. Otherwise, there wasn't an overwhelming number of
security problems reported this week; perhaps everyone is still busy
patching their BIND servers from last week's large bugs. We know we
definitely welcome the chance to rest and catch up!
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.06.004} Win - MS01-007: Network DDE Agent request vulnerability
{01.06.005} Win - MS01-006: Invalid RDP data vulnerability
{01.06.006} Win - AOLServer reverse directory traversal vulnerability
{01.06.007} Win - BiblioWeb Server reverse directory traversal and DoS
vulnerabilities
{01.06.008} Win - Picserver reverse directory traversal vulnerability
{01.06.009} Win - SEDUM HTTP Server reverse directory traversal
vulnerability
{01.06.011} Win - HSWeb server directory browsing full path disclosure
{01.06.018} Win - GoAhead Web server reverse directory traversal
vulnerability
{01.06.019} Win - Malicious applet network resource exhaustion
{01.06.012} Linux - Update {00.56.004}: RESOLV_HOST_CONF/HOSTALIASES
glibc vulnerability
{01.06.016} Linux - Update {01.05.012}: kdesu password sniffing
vulnerability
{01.06.021} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
{01.06.015} BSD - Update {00.57.026}: tinyproxy httperr() buffer
overflow
{01.06.017} Sol - ximp40 library buffer overflow vulnerability
{01.06.002} AIX - Syslogd one-byte buffer overflow
{01.06.003} AIX - Improper permissions on
/usr/sbin/cluster/.restore_routes
{01.06.020} NApps - Cisco CSS/Arrowpoint command line interface
vulnerabilities
{01.06.001} Cross - Update {01.05.001}: Multiple Bind buffer overflows
(TSIG/infoleak)
{01.06.010} Cross - Free Java Web Server reverse directory traversal
vulnerability
{01.06.013} Cross - IBM NetCommerce/Net.Data macro SQL tampering
{01.06.014} Cross - SSH 1.2.2X AFS/Kerberos patch buffer overflow
{01.06.022} Cross - gnuserv/xemacs remote buffer overflow/code execution
{01.06.023} Cross - XMail CTRLServer multiple buffer overflows
{01.06.024} Cross - man -l format string vulnerability
{01.06.025} Cross - cups httpGets() DoS
- --- Windows News -------------------------------------------------------
*** {01.06.004} Win - MS01-007: Network DDE Agent request vulnerability
Microsoft has released MS01-007 ("Network DDE Agent request
vulnerability"). The associated vulnerability allows an attacker who
has access to the local system console (thus limiting this attack to
workstation-oriented machines) to use the Network DDE Agent to execute
code under local system privileges. The vendor has confirmed this
vulnerability.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-007.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0033.html
*** {01.06.005} Win - MS01-006: Invalid RDP data vulnerability
Microsoft has released MS01-006 ("Invalid RDP data vulnerability"). In
the related vulnerability, a particular sequence of packets sent to
Windows 2000 Terminal Service will cause the server to crash. Note that
the remote attacker does not require valid authentication to exploit
this vulnerability. The vendor has confirmed this vulnerability.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-006.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0032.html
*** {01.06.006} Win - AOLServer reverse directory traversal
vulnerability
AOLServer version 3.2 has been found to be vulnerable to reverse
directory traversal attacks, whereby an attacker uses '..' notation in
a request URL to access files outside the Web document root. This
vulnerability has not been confirmed. No patches have been made
available.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0059.html
*** {01.06.007} Win - BiblioWeb Server reverse directory traversal and
DoS vulnerabilities
BiblioWeb Server version 2.0 has been found to be vulnerable to a
reverse directory traversal attack, whereby an attacker uses '..'
notation in a request URL to access documents outside the Web document
root. The server also contains a buffer overflow, which causes the
service to crash when a long URL is received. These vulnerabilities are
unconfirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0075.html
*** {01.06.008} Win - Picserver reverse directory traversal
vulnerability
Picserver Web server has been found vulnerable to a reverse directory
traversal attack, whereby a remote attacker can use '..' notation in a
request URL to access files outside the Web document root. This
vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0073.html
*** {01.06.009} Win - SEDUM HTTP Server reverse directory traversal
vulnerability
SEDUM HTTP Server version 2.0 is vulnerable to a reverse directory
traversal attack, whereby an attacker uses '..' notation in a request
URL to access files outside the Web document root. This vulnerability
has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0064.html
*** {01.06.011} Win - HSWeb server directory browsing full path
disclosure
The HSWeb version 2.0 Web server has been found to display full
directory paths when directory browsing is enabled. The disclosed
information may aid an attacker in other attacks. This vulnerability
has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0052.html
*** {01.06.018} Win - GoAhead Web server reverse directory traversal
vulnerability
Versions 2.1 and prior of the GoAhead Web server have been found
vulnerable to a reverse directory traversal attack. This vulnerability
allows an attacker using '..' notation in a request URL to access files
outside the Web document root. It is also reportedly possible to
execute command-line commands. This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0022.html
*** {01.06.019} Win - Malicious applet network resource exhaustion
A report has surfaced indicating the possibility of a malicious Java
applet, referenced in a Web page or HTML-based e-mail, which causes a
denial of service against a user's system by opening a large number of
UDP sockets. This vulnerability has not been confirmed, but it comes
from a noted researcher.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0060.html
- --- Linux News ---------------------------------------------------------
*** {01.06.012} Linux - Update {00.56.004}:
RESOLV_HOST_CONF/HOSTALIASES glibc vulnerability
Conectiva has released updated glibc packages to fix the vulnerability
discussed in {00.56.004} ("RESOLV_HOST_CONF/HOSTALIASES glibc
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0010.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0010.html
*** {01.06.016} Linux - Update {01.05.012}: kdesu password sniffing
vulnerability
Mandrake has released updated kde packages to fix the vulnerability
discussed in {01.05.012} ("kdesu password sniffing vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0043.html
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0043.html
*** {01.06.021} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
Due to a packaging problem, Immunix has released new glibc updates to
fix the vulnerability discussed in {00.56.034} ("glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0053.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0053.html
- --- BSD News -----------------------------------------------------------
*** {01.06.015} BSD - Update {00.57.026}: tinyproxy httperr() buffer
overflow
FreeBSD has released an updated tinyproxy port to fix the vulnerability
discussed in {00.57.026} ("tinyproxy httperr() buffer overflow").
The ports collection as of January 22, 2001 contains the updated
version. Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0540.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0540.html
- --- Solaris News -------------------------------------------------------
*** {01.06.017} Sol - ximp40 library buffer overflow vulnerability
The ximp40 library contains a buffer overflow that can be used in
conjunction with various suid/sgid applications by local attackers to
gain root privileges. Solaris 2.6, 7 and 8 are reported vulnerable. This
vulnerability has been confirmed by Sun, and the company is in the
process of producing patches.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0517.html
- --- AIX News -----------------------------------------------------------
*** {01.06.002} AIX - Syslogd one-byte buffer overflow
IBM has released APAR IY15146 for AIX. This fixes a one-byte buffer
overflow in syslogd. Exploitation of this vulnerability has not been
confirmed.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q1/0007.html
*** {01.06.003} AIX - Improper permissions on
/usr/sbin/cluster/.restore_routes
IBM has released APAR IY15235 to fix a vulnerability in the
cl_swap_IP_address event script shipped with the cluster manager. The
script sets improper file permissions on
/usr/sbin/cluster/.restore_routes, which could allow a local user to
tamper with the file.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q1/0007.html
- --- Network Appliances News --------------------------------------------
*** {01.06.020} NApps - Cisco CSS/Arrowpoint command line interface
vulnerabilities
Cisco has released an advisory detailing two problems in its Content
Services Switch (aka Arrowpoint). Users with command line access could
cause the switch to reboot; users can also view file names and request
the contents of files on the device.
This vulnerability has been confirmed by Cisco, and the company has
released partial updates in WebNS revisions 4.01(12s) and 3.10(71s).
Full updates are forthcoming. Upgrade information is available at:
http://archives.neohapsis.com/archives/cisco/2001-q1/0002.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q1/0002.html
- --- Cross-Platform News ------------------------------------------------
*** {01.06.001} Cross - Update {01.05.001}: Multiple Bind buffer
overflows (TSIG/infoleak)
Multiple vendors have released updated BIND/named packages to fix the
vulnerability discussed in {01.05.001} ("Multiple Bind buffer overflows
(TSIG/infoleak)").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q1/0532.html
FreeBSD has updated 4.2-STABLE and 3.5-STABLE as of January 30, 2001:
http://archives.neohapsis.com/archives/freebsd/2001-01/0499.html
OpenBSD patches for 2.7 and 2.8 are listed at:
http://archives.neohapsis.com/archives/openbsd/2001-02/0191.html
Updated AIX APARs are listed at:
http://archives.neohapsis.com/archives/aix/2001-q1/0006.html
Source: SuSE, FreeBSD, OpenBSD, IBM
http://archives.neohapsis.com/archives/linux/suse/2001-q1/0532.html
http://archives.neohapsis.com/archives/freebsd/2001-01/0499.html
http://archives.neohapsis.com/archives/openbsd/2001-02/0191.html
http://archives.neohapsis.com/archives/aix/2001-q1/0006.html
*** {01.06.010} Cross - Free Java Web Server reverse directory
traversal vulnerability
The Free Java Web Server version 1.0 (not to be confused with Sun's Java
Web Server) has been found to be vulnerable to a reverse directory
traversal vulnerability. This vulnerability allows an attacker to use
'..' notation in a request URL to access files outside the Web document
root. This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0061.html
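An added illustration, not part of the newsletter and not code from any of
the servers listed above (items {01.06.006} through {01.06.018} and this
one, {01.06.010}): a minimal static-file resolver in Python showing the '..'
escape and the canonicalization check that closes it, followed by a scan of
access-log lines for traversal probes. The document root, file names, probe
URLs and log lines are all constructed for the demo.

```python
import os
import re
import tempfile
from urllib.parse import unquote, urlsplit


def resolve_naive(docroot, url_path):
    """The classic bug: append the request path to the document root and
    open whatever that names. A '..' segment walks out of docroot."""
    return os.path.normpath(os.path.join(docroot, url_path.lstrip("/")))


def resolve_safe(docroot, url_path):
    """Percent-decode once, fold backslashes (Windows servers treat them as
    separators), resolve symlinks and '..' on the real filesystem, and only
    then verify the target is the docroot or lies beneath it.
    Returns None when the request would escape."""
    root = os.path.realpath(docroot)
    decoded = unquote(urlsplit(url_path).path).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def is_traversal(raw_path):
    """Detection heuristic for logs: True if '..' appears as a path
    component after one or two rounds of percent-decoding, which catches
    the literal, %2e%2e and double-encoded %252e%252e spellings."""
    path = raw_path
    for _ in range(2):
        path = unquote(path)
        if ".." in path.replace("\\", "/").split("/"):
            return True
    return False


def flag_requests(log_lines):
    """Pull the request target out of common-log-format lines and return
    the ones that look like traversal probes."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and is_traversal(urlsplit(m.group(1)).path):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines for the detection demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2001:15:50:06 -0600] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [08/Feb/2001:15:51:12 -0600] "GET /../../private/users.txt HTTP/1.0" 200 8192',
    '10.0.0.9 - - [08/Feb/2001:15:51:30 -0600] "GET /%2e%2e/%2e%2e/private/users.txt HTTP/1.0" 200 8192',
    '10.0.0.9 - - [08/Feb/2001:15:52:01 -0600] "GET /docs/..%5c..%5cprivate%5cusers.txt HTTP/1.0" 404 210',
]


def demo():
    """Build a throwaway docroot with one public file and a secret file one
    level above it; show the naive resolver handing out the secret while
    the safe resolver refuses every spelling of the escape."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("public page")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the document root")

    probes = ["/../secret.txt", "/%2e%2e/secret.txt", "/img/../../secret.txt"]
    with open(resolve_naive(docroot, probes[0])) as f:
        leaked = f.read()                       # the naive server serves it
    rejected = [p for p in probes if resolve_safe(docroot, p) is None]
    served = resolve_safe(docroot, "/img/../index.html")   # stays inside
    return {
        "naive_leaked": leaked,
        "rejected": rejected,
        "served": os.path.relpath(served, os.path.realpath(docroot)),
    }


if __name__ == "__main__":
    print(demo())
    print(flag_requests(SAMPLE_LOG))
```

The check in resolve_safe is done on the resolved filesystem path rather than
on the URL text, so '..' that only appears after decoding, or that is
introduced through a symlink, is caught the same way as the literal form.
The log scan is a heuristic for hunting probes in existing logs; it is not a
substitute for the resolver check.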
*** {01.06.013} Cross - IBM NetCommerce/Net.Data macro SQL tampering
IBM's NetCommerce/Net.Data package has been found to allow remote
attackers to tamper with SQL queries. This could allow them to query
data from various tables of the supporting backend database. This
vulnerability has been confirmed by a third party, but not by the
vendor.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0072.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0102.html
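An added illustration of the class of problem described in {01.06.013},
written for this digest and not taken from Net.Data, NetCommerce or the
Bugtraq posts: a catalogue lookup that splices a request parameter into its
SQL, beside the bound-parameter form. The tables, rows and the tampered
parameter value are constructed for the demo; sqlite3 stands in for the
backend database.

```python
import sqlite3


def make_db():
    """Constructed catalogue and customer tables for the demo."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE product(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customer(id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO product VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO customer VALUES (1, 'alice@example.com', '1111'),
                                    (2, 'bob@example.com', '2222');
    """)
    return con


def lookup_vulnerable(con, product_id):
    """Request parameter spliced into the statement text: anything with SQL
    syntax in it is executed as SQL, so the query can be redirected at
    tables the page never meant to expose."""
    sql = "SELECT name FROM product WHERE id = " + product_id
    return [row[0] for row in con.execute(sql)]


def lookup_fixed(con, product_id):
    """Bound parameter: the value reaches the engine as data, never as
    statement text, and a non-numeric id is rejected up front."""
    if not product_id.isdigit():
        raise ValueError("product id must be numeric")
    rows = con.execute("SELECT name FROM product WHERE id = ?", (int(product_id),))
    return [row[0] for row in rows]


# Constructed tampered value: satisfies the intended WHERE clause and then
# appends a second SELECT against an unrelated table.
TAMPERED = "1 UNION SELECT email || ':' || card_last4 FROM customer"


def demo():
    con = make_db()
    leaked = sorted(lookup_vulnerable(con, TAMPERED))   # customer rows come back
    try:
        lookup_fixed(con, TAMPERED)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked, "honest": lookup_fixed(con, "1")}


if __name__ == "__main__":
    print(demo())
```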
*** {01.06.014} Cross - SSH 1.2.2X AFS/Kerberos patch buffer overflow
A remotely exploitable buffer overflow was found in the AFS/Kerberos v4
patches for the ssh 1.2.2x sources from SSH Communications. This
vulnerability has been confirmed by the patch author; updated
AFS/Kerberos patches for the 1.2.2x sources will not be made available.
Instead, you should upgrade to ossh or OpenSSH, both of which contain
the fixes.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0511.html
*** {01.06.022} Cross - gnuserv/xemacs remote buffer overflow/code
execution
gnuserv (bundled with xemacs) prior to version 3.12 is vulnerable to
a remotely exploitable buffer overflow as well as an authentication
weakness, both of which allow a remote attacker to run arbitrary
code/commands under the uid of the user running gnuserv. The vendor
has confirmed this vulnerability and fixed the problem in gnuserv
version 3.12 (bundled with xemacs version 21.1.14).
The updated version can be downloaded from:
http://www.xemacs.org/Releases/21.1.14.html
Mandrake has also released updated RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0044.html
Source: Mandrake, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0044.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0030.html
*** {01.06.023} Cross - XMail CTRLServer multiple buffer overflows
The CTRLServer service included with the XMail package (versions 0.66
and prior) contains multiple buffer overflows that would allow a remote
attacker to execute arbitrary code on the system. Exploitation requires
valid login information. This vulnerability has not been confirmed.
However, an exploit has been published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0047.html
*** {01.06.024} Cross - man -l format string vulnerability
A format string vulnerability was found in the handling of the -l
command line switch of man. Some distributions (such as SuSE and Debian)
ship man setuid to the 'man' user, which allows a local attacker to gain
that user's privileges and then overwrite the man binary with a trojaned
version. SuSE has confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0082.html
*** {01.06.025} Cross - cups httpGets() DoS
Cups prior to version 1.1.5 contains a denial-of-service condition in
the httpGets() function that allows a remote attacker to make the
service unavailable by submitting a large request. Mandrake has
confirmed this vulnerability.
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0046.html
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0046.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6gxIm+LUG5KFpTkYRArmqAJ9/1GanAdZ6gpmornFr0tsUBWtwewCgmBQd
tHFTxiqYFKwFN62Qkyogt0w=
=1X17
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at
http://www.sans.org/sansurl, where you can enter the SD number located
near your name at the top of the newsletter. When you submit this form,
an e-mail containing a URL will be sent to you at the e-mail address on
record. With this URL you can make changes to your account (edit the
content of your Consensus mailing, for example) without endangering the
security of your personal URL. If you'd like to change your e-mail
address or other information, or unsubscribe to this newsletter, please
visit your new URL as described above. If you have any problems or
questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).
Powered by Neohapsis Inc., a Chicago-based security assessment and
integration services consulting group. info@neohapsis.com |
http://www.neohapsis.com/